Acsel Health, an OPEN Health Company
The following terms have the definitions set out below when used in these supplier privacy and security requirements (these “Requirements”):
“Data Protection Legislation” means the Data Protection Act 2018, the General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) (when in force), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner, and any similar legislation put in place as a result of the United Kingdom’s exit from the European Union. References in these Requirements to “data controller”, “data processor”, “processing”, “data protection officer” and “personal data” shall have the same meaning as defined in Data Protection Legislation.
“OH” means any member of the Open Health Group named here (OPEN Health | Statutory Details) that has entered into a Purchase Order with the Supplier.
“Parties” means OH and the Supplier.
“Personnel” means the Supplier and its personnel who are providing the Services.
“Purchase Order” means the applicable purchase order entered into between OH and the Supplier pursuant to the terms and conditions of which these Requirements are incorporated.
“Regulator” means any regulatory body with responsibility for ensuring compliance with Data Protection Legislation.
“Security Breach” means accidental or deliberate, unauthorised or unlawful acquisition, destruction, loss, alteration, corruption, access, use or disclosure of personal data processed under the Purchase Order or breach of Supplier’s security obligations as set out in these Requirements and the Purchase Order.
“Services” means the Services set out in the relevant Purchase Order.
“Supplier” means the individual or entity that has entered into a Purchase Order.
In these Requirements, unless otherwise specified or the context otherwise requires
The Supplier agrees that with regard to the Supplier’s Personnel and the Supplier’s personal data:
The Supplier shall only permit personal data to be processed in locations expressly approved in writing by OH, including those locations set out in the Purchase Order. The Supplier shall not transfer the personal data outside the European Economic Area or the United Kingdom without the prior written consent of OH. OH acknowledges and agrees that personal data may be transferred to those locations set out in the Purchase Order in accordance with the transfer mechanisms set out in the Purchase Order (“Transfer Mechanism”) provided that the Supplier complies, or procures the relevant third party complies, with its relevant obligations under the relevant Transfer Mechanism. The parties agree that if the relevant Transfer Mechanism ceases to exist or is no longer considered by OH to be a lawful method of transferring personal data outside of the European Economic Area or the United Kingdom, the Supplier shall cease or procure that the relevant third party cease the processing of such personal data until such time as the Supplier has in accordance with OH’s instructions entered into an alternative transfer mechanism to enable the personal data to be transferred outside of the EEA or the United Kingdom in a compliant manner.
The Supplier shall return or destroy (as directed in writing by OH) all personal data it has in its possession and promptly delete existing copies unless applicable law requires storage of the personal data. If OH elects for destruction rather than return of the personal data, the Supplier shall as soon as reasonably practicable ensure that all personal data is destroyed and deleted from the Supplier systems and provide a certificate of destruction and/or written confirmation of compliance with this clause within 14 days of request.
The Supplier’s obligations and OH’s rights set forth in this Schedule shall continue as long as Supplier, or any third party acting on Supplier’s behalf, processes personal data, including after expiration of the Purchase Order. OH’s subsidiaries (and their Affiliates, subsidiaries, successors and assigns) are third party beneficiaries of this Schedule.