Data Processing Schedule – UK & EU Customers
1. Definitions
1.1 Agreement: the contract between Psychology Tools and the Customer for the provision of the Services, which may be a bespoke Service Agreement or a contract incorporating Psychology Tools’ standard Terms and Conditions.
1.2 Customer: the customer to whom Psychology Tools provides Services under the Agreement.
1.3 Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.
1.4 Data Protection Legislation: (a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data; and (b) to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Psychology Tools is subject, which relates to the protection of Personal Data.
1.5 Domestic Law: the law of the United Kingdom or a part of the United Kingdom.
1.6 EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
1.7 EU Law: the law of the European Union or any member state of the European Union.
1.8 Psychology Tools: Psychology Tools Limited, a company registered in England and Wales under company number 10810854 with its registered office at Reading Bridge House, Fourth Floor, Suite 3, George Street, Reading, England, RG1 8LS.
1.9 Services: the services to be provided by Psychology Tools to the Customer as described in the Agreement.
1.10 UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
2. Data protection
2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2.1 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.
2.2 The Customer and Psychology Tools Limited acknowledge that for the purposes of the Data Protection Legislation:
(a) the Customer is the Controller, and Psychology Tools Limited is the Processor;
(b) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents to enable lawful transfer of the Personal Data to Psychology Tools Limited and lawful collection of the Personal Data by Psychology Tools Limited for the duration and purposes of the Agreement;
(c) the Customer remains responsible for the written processing instructions it gives to Psychology Tools Limited; and
(d) clause 7 sets out the scope, nature and purpose of processing by Psychology Tools, the duration of the processing and the types of Personal Data and categories of Data Subject.
3. Processor's obligations
3.1 Psychology Tools will process the Personal Data only in accordance with the written instructions of the Customer unless Psychology Tools is required by Domestic Law or EU Law to otherwise process that Personal Data. Where Psychology Tools is relying on Domestic Law or EU Law as the basis for processing Personal Data, Psychology Tools shall promptly notify the Customer of this before performing the processing required by the Domestic Law or EU Law unless the Domestic Law or EU Law prohibits Psychology Tools from so notifying the Customer.
3.2 Psychology Tools will ensure that all personnel who have access to and/or process Personal Data are obliged to maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Customer authorises the disclosure, or as required by Domestic Law, court or regulator (including the UK Information Commissioner’s Office (or ICO)).
3.3 Psychology Tools will assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or relevant regulators under the Data Protection Legislation.
3.4 Psychology Tools will notify the Customer without undue delay on becoming aware of a Personal Data Breach.
3.5 Psychology Tools will maintain complete and accurate records and information to demonstrate its compliance with this clause 3.
3.6 Psychology Tools will delete Personal Data and copies thereof belonging to the Customer within 30 days of termination of the Agreement unless required by Domestic Law or EU Law to store the Personal Data.
4. Security
4.1 Psychology Tools will ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
5. Cross-border transfers of personal data
5.1 Psychology Tools will not transfer any Personal Data outside of the UK or EEA unless prior written consent of the Customer has been obtained and the following conditions are fulfilled:
(a) the Customer or Psychology Tools has provided appropriate safeguards in relation to the transfer;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) Psychology Tools complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(d) Psychology Tools complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data.
6. Subprocessors
6.1 The Customer consents to Psychology Tools appointing the subprocessors listed on the Psychology Tools Subprocessors page at https://www.psychologytools.com/subprocessors as third-party processors of Personal Data under this Schedule.
6.2 Psychology Tools will maintain an up-to-date list of its subprocessors on that Subprocessors page.
6.3 Psychology Tools may update its list of subprocessors from time to time.
6.4 Psychology Tools confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on (i) the third party's standard terms of business or (ii) bespoke terms which in either case reflect and will continue to reflect the requirements of the Data Protection Legislation.
6.5 As between the Customer and Psychology Tools, Psychology Tools shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6.
7. Details of the processing
| Category | Details |
|---|---|
| Scope | Psychology Tools is the Processor of the Personal Data in accordance with the Services it provides under the Agreement. |
| Nature and purpose of processing | As part of the Services the Customer will be able to grant users access to Psychology Tools’ Platform so that they may access and use Psychology Tools’ resources (Resources). This will involve users inputting Personal Data into the Platform which Psychology Tools will process to assist the Customer to provide services to their patients.
Psychology Tools will collect payment data in the first instance to facilitate payment of services, which is enacted by our payment processor. |
| Duration of the processing | The term of the Agreement or such longer term as may otherwise be agreed by the parties. |
| Types of Personal Data | • Identity Data – includes name. • Contact Data – includes email address. • Payment Data – includes payment card details. • Technical Data – includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices used to access the Platform. • Profile Data – includes username and password. • Usage Data – includes information about how users interact with and use the Platform and the Resources. • Special Category Data – data relating to physical and mental health which, along with other Personal Data, may be inputted into the Platform in the course of using the Resources. |
| Categories of Data Subject | The Customer, the Customer’s employees where applicable, and the Customer’s patients. On occasion data subjects may also include the Customer’s supervisees and students, and family members/carers of the Customer’s patients. |