Data Processing Agreement

1. Definitions

“Data Protection Laws” means the GDPR, the UK GDPR, the Data Protection Act 2018, and any other applicable legislation regulating the Processing of Personal Data. Capitalised terms not defined here have the meanings given in the Data Protection Laws or the MSA.

2. Subject‑Matter, Nature, Purpose and Duration

• Subject‑Matter: Processing of health‑care referral data and related information via SAMSA’s clinical decision‑support platform.
• Nature & Purpose: Structured triage support, audit logging, security monitoring, and ancillary services described in the MSA.
• Duration: From the Effective Date of the MSA until deletion or return of Personal Data in accordance with Clause 11.

Detailed particulars are set out in Annex I.

3. Roles of the Parties

Controller is a Data Controller; Processor is a Data Processor within the meaning of Article 4 GDPR / UK GDPR. Nothing in this DPA re‑characterises those roles.

4. Processor Obligations

Processor shall:

1. Process solely on documented instructions from Controller, unless EU/UK law requires otherwise (Art 28 §3 (a)).
2. Ensure confidentiality, imposing legally‑binding duties of confidentiality on all authorised personnel (Art 28 §3 (b)).
3. Implement Technical & Organisational Measures (“TOMs”) meeting Art 32 GDPR; see Annex II.
4. Sub‑Processing.
   • Use only sub‑processors listed in Annex III or later approved in writing.
   • Conclude written contracts with sub‑processors imposing the same data‑protection obligations (Art 28 §4).
5. International Transfers. Apply the safeguards in Annex IV before any transfer outside the EEA or UK.
6. Assist Controller in:
   • responding to Data Subject requests (Art 28 §3 (e));
   • data‑protection impact assessments and prior consultations (Art 28 §3 (f)).
7. Breach Notification. Notify Controller without undue delay (and no later than 24 hours) after becoming aware of a Personal‑Data Breach.
8. Audit & Inspection. Allow reasonable audits (max once per year, or following a breach) and provide all information necessary to demonstrate compliance (Art 28 §3 (h)).
9. Record‑Keeping. Maintain records required by Art 30 GDPR and make them available to the competent Supervisory Authority on request.

5. Controller Obligations

Controller shall:

• Ensure it has a valid legal basis for all Personal Data supplied to Processor.
• Provide Processor with documented instructions that comply with Data Protection Laws.
• Cooperate with Processor in the fulfilment of Data Subject rights and supervisory‑authority investigations.
• Not instruct Processor to perform any processing that would infringe Data Protection Laws.

6. Sub‑Processors

Controller hereby authorises the sub‑processors enumerated in Annex III. Processor shall give at least 30 days’ prior notice of any intended addition or replacement, during which Controller may object on reasonable, data‑protection grounds.

7. International Transfers

Where Processor or an authorised sub‑processor transfers Personal Data outside the EEA or UK, Processor shall ensure one of the following is in place:

• Standard Contractual Clauses (Commission Decision 2021/914/EU); and/or
• The UK International Data Transfer Agreement (“IDTA”) or Addendum; and/or
• Adequacy regulations or an approved certification scheme (e.g. EU–US / UK–US Data‑Privacy Framework).

8. Liability & Indemnity

Each Party’s liability under this DPA is subject to the limitations and exclusions set out in the MSA, save that nothing limits either Party’s liability for breaches of Data Protection Laws where such limitation is prohibited by law.

9. Governing Law & Jurisdiction

This DPA is governed by Irish law. The courts of Ireland have exclusive jurisdiction, save that Processor may, at its discretion, bring proceedings in the jurisdiction of Controller’s establishment.

10. Order of Precedence

In the event of conflict: (i) Data Protection Laws; (ii) this DPA; (iii) the MSA.

11. Return & Deletion of Data

Upon termination of the MSA, Processor shall, at Controller’s choice, return all Personal Data and copies thereof or securely delete them, unless EU or UK law requires storage.

12. Signatures

Annex I – Details of Processing

Annex II – Technical & Organisational Measures (Art 32 GDPR)

• Encryption in Transit and at Rest (TLS 1.2+, AES‑256).
• Zero‑trust network segmentation and firewalling.
• Role‑based access control with enforced MFA.
• Immutable audit logs stored separately from primary data.
• Regular vulnerability scanning and annual CREST‑aligned penetration testing.
• 24×7 security monitoring and automated anomaly detection.
• Business‑continuity & disaster‑recovery plan with RPO < 12 h, RTO < 4 h.
• ISO/IEC 27001‑aligned ISMS with annual management review.

Annex III – Authorised Sub‑Processors (as at 13 June 2025)

Annex IV – International Transfer Mechanisms

1. EEA–US Transfers: Processor enters into Module 2 SCCs with each US sub‑processor.
2. UK–US Transfers: The UK IDTA (or Addendum to SCCs) applies.
3. Onward Transfers: Sub‑processor must impose equivalent safeguards on any further recipient.