PACSMail Network Terms and Conditions of Use
(Version 2.0.3 Last updated 25/09/2023)
§1. PACSMail Site
THESE TERMS AND CONDITIONS APPLY TO THE USE OF THE PACSMAIL AND PACSMAIL CLOUD WEBSITES AND ASSOCIATED DATA TRANSMISSION SERVICES “this Resource”. BY USING THIS RESOURCE AND/OR PLACING AN ORDER FOR PACSMAIL PRODUCTS AND SERVICES YOU AGREE TO BE BOUND BY THESE TERMS AND CONDITIONS.
USING THIS RESOURCE INDICATES THAT YOU ACCEPT THESE TERMS REGARDLESS OF WHETHER OR NOT YOU CHOOSE TO REGISTER WITH US OR ORDER FROM US. IF YOU DO NOT ACCEPT THESE TERMS, DO NOT USE THIS RESOURCE.
NOTE: PACSMail is a medical image management platform that is registered for use as a medical device within the UK. It is prohibited to access this Resource from territories where its contents are illegal or unlawful. Users outside the UK who place an order for PACSMAIL products and services do so entirely at their own risk and should do so only if downloading the software complies with applicable laws and the user has obtained all necessary permissions, authorisations, consents and approvals prior to downloading and using the PACSMAIL products and services. In particular, PACSMail is not licensed for use in the United States of America (USA). You may not use this Resource if you are located in the USA and any attempt to purchase PACSMAIL products and services from the USA will be rejected in accordance with clause 2.3 below.
This Resource is operated by:
Sybermedica Limited, a company registered in England and Wales, whose registered office is at 50-60 Station Road, Cambridge CB12JH. Our company registration number is 04417743. Our VAT registration number is 799 5962 35
Our contact details are as follows:
Address: St John's Innovation Centre, Cowley Rd Cambridge, CB4 OWS
Tel: 01223 421 996
Email: info @ sybermedica.com
- INTRODUCTION
1.1 You will be able to access some areas of this Resource without registration. Certain areas of this Resource are only open to registered PACSMail users.
1.2 Upon registration and payment of the appropriate fee, you may publish your details in the PACSMail Practitioner Directory. You will have editorial control over this listing and you may choose to delist your account from this directory at any time. See Listing Policy for details.
1.3 We may revise these terms and conditions at any time by updating this posting. You should check this Resource from time to time to review the then current terms and conditions, because they are binding on you. Certain provisions of these terms and conditions may be superseded by expressly designated legal notices or terms located on particular pages of this Resource. If you do not wish to accept any new terms and conditions after we have given notice, you should not continue to use this Resource.
1.4 These terms and conditions apply to the contract between us and you for the supply of the Resource to the exclusion of any other terms that you or your representative may seek to impose or incorporate, or which are implied by law, trade custom, practice or course of dealing.
1.5 These terms and conditions (including Part 2 and 3 as applicable) are the entire agreement between us in relation to the subject matter. You acknowledge that you have not relied on any statement, promise or representation or assurance or warranty that is not set out in these terms and conditions.
1.6 We only supply the Resource for internal use by your business or in a professional capacity, and you agree not to use the Resource for personal use or any resale purposes.
- ORDERING THE RESOURCE
2.1 You may order the Resource and any additional Data Archiving Services via e-mail, post or via our online checkout process. If you have been provided with a quotation the reference number of the quotation must be given with your order. If you place an order via our on-line store you will be given the opportunity to check your order and to correct any errors; you will then be sent an acknowledgement, detailing the products you have ordered. Your order is an offer by you to purchase a subscription to the Resource or additional Data Archiving Services subject to these terms and conditions.
2.2 Unless we have notified you that we do not accept your order (see 2.3) the purchase contract will be made either when we confirm receipt of your order or when we issue an invoice for the order concerned.
2.3 We may refuse to accept an order for any reason, including:
(a) where we are not able to supply the goods concerned;
(b) where we cannot obtain authorisation for your payment; or
(c) if there has been a pricing or product description error.
- PRICING
3.1 Use of the Resource is subject to payment of an annual account fee which will be communicated to you before or at the time you submit your order. These will be levied at the appropriate current rate which may change from time to time.
3.2 Additional fees apply for file transmission services and the Data Archiving Services. Prices for any of our other products and services will be at the appropriate current rate and may change from time to time.
3.3 Current rates are reviewed periodically and are available on application.
3.4 All prices are exclusive of VAT (where applicable) at the current rate. If the rate of VAT changes during the term of your subscription, we will adjust the VAT, unless you have already paid the fee in full before the change in VAT takes effect.
3.5 We reserve the right to change our prices without notice. Such changes will not affect fees which you have already paid in full.
3.6 It is always possible that, despite our best efforts, the pricing of the Resource may be incorrectly priced on our website or on other materials. If we discover an error in the price we will contact you to inform you of this error and we will give you the option of continuing to purchase the Resource at the correct price or cancelling your order.
- CANCELLATION AND RETURNS POLICY
4.1 Users may cancel their accounts at any time.
4.2 No refund of account fees or file transfer credits will be made, unless terminated by us in accordance with clause 15.
4.3 We reserve the right to cancel accounts that have not been used for a continuous period in excess of six months and no refund will be made in these circumstances.
4.4 The provisions of this clause 4 do not affect your statutory rights.
- USE OF RESOURCE EXTRACTS
5.1 You are permitted to print and download extracts from this Resource for your own internal use on the following basis:
(a) no documents or related graphics on this Resource are modified in any way;
(b) no graphics on this Resource are used separately from accompanying text; and
(c) any of our copyright and trade mark notices and this permission notice appear in all copies.
5.2 We, and our licensors, are the owners of all copyright and other intellectual property rights in all material on this Resource (including without limitation photographs and graphical images). For the purposes of these terms and conditions, any use of extracts from this Resource other than in accordance with clause 5.1 above for any purpose is prohibited. If you breach any of the terms in these terms and conditions, your permission to use this Resource automatically terminates and you must immediately destroy any downloaded or printed extracts from this Resource.
5.3 Subject to clause 5.1, no part of this Resource may be reproduced or stored in any other website or included in any public or private electronic retrieval system or service without our prior written permission.
5.4 Any rights not expressly granted in these terms are reserved.
- SERVICE ACCESS
6.1 In consideration of payment of the appropriate fees to us, we grant you a non-exclusive licence for the applicable annual subscription term to use the Resource.
6.2 Registered users may either:
6.2.1 download and use the Software for the secure transmission and receipt of data via the Resource subject to Part 2 of these terms and conditions; or
6.2.2 access the Resource online via our website, subject to Part 3 of these terms and conditions.
6.3 Users may also opt to securely backup your data on our cloud based servers (Data Archiving Services) for an additional fee, terms for which will be subject to this agreement and our Privacy Policy. You are responsible for keeping your own additional copies and ensuring the long-term security of any data you transmit to or via the Data Archiving Services.
6.4 While we make all reasonable endeavours to ensure that this Resource is normally available 24 hours a day, we will not be liable if for any reason this Resource is unavailable at any time or for any period.
6.5 Access to this Resource may be suspended temporarily and without notice in the case of system failure, maintenance or repair or for reasons beyond our control.
- VISITOR MATERIAL AND CONDUCT
7.1 Other than files sent via the Resource or any personally identifiable information, which is covered under the Privacy Policy, any visitor material you transmit or post to this Resource (using, for example blogs or other community networking resources that we may offer from time to time) will be considered non-confidential and non-proprietary. We will have no obligations with respect to such material. You grant us and our nominees a license to store, copy, disclose, distribute, incorporate and otherwise use such material and all data, images, sounds, text and other things embodied therein for any and all commercial or non-commercial purposes.
7.2 You are prohibited from posting or transmitting to or from this Resource any material:
(a) that is threatening, defamatory, obscene, indecent, seditious, offensive, pornographic, abusive, liable to incite racial hatred, discriminatory, menacing, scandalous, inflammatory, blasphemous, in breach of confidence, in breach of privacy or which may cause annoyance or inconvenience;
(b) for which you have not obtained all necessary licences and/or approvals;
(c) which constitutes or encourages conduct that would be considered a criminal offence, give rise to civil liability, or otherwise be contrary to the law of or infringe the rights of any third party, in the UK or any other country in the world; or
(d) which is technically harmful (including, without limitation, computer viruses, logic bombs, Trojan horses, worms, harmful components, corrupted data or other malicious software or harmful data).
7.3 You may not misuse the Resource (including, without limitation, by hacking).
7.4 We will fully co-operate with any law enforcement authorities or court order requesting or directing us to disclose the identity or locate anyone posting any material in breach of clauses 7.2 or 7.3. We also have the right to disclose your identity to any third party who is claiming that material you have submitted to the Resource violates their intellectual property rights or their rights to privacy.
7.5 Use of this resource is subject to the acceptance of the use of essential cookies as part of our Multi Factor Authentication process. Further details are available at this link to the Cookie Policy.
7.6 We have the right to remove any material you submit if, in our opinion, such material does not comply with clauses 7.2 or 7.3.
7.7 You are solely responsible for securing and backing up your content.
7.8. You shall not conduct, facilitate, authorise or permit any text or data mining or web scraping in relation to the Resource or any services provided via, or in relation to, the Resource. This includes using (or permitting, authorising or attempting the use of):
7.8.1 Any "robot", "bot", "spider", "scraper" or other automated device, program, tool, algorithm, code, process or methodology to access, obtain, copy, monitor or republish any portion of the site or any data, content, information or services accessed via the same.
7.8.2 Any automated analytical technique aimed at analysing text and data in digital form to generate information which includes but is not limited to patterns, trends and correlations.
The provisions in this clause should be treated as an express reservation of our rights in this regard, including for the purposes of Article 4(3) of Digital Copyright Directive ((EU) 2019/790). This clause shall not apply insofar as (but only to the extent that) we are unable to exclude or limit text or data mining or web scraping activity by contract under the laws which are applicable to us.
7.9 We may suspend your use of the Resource immediately without notice or liability to you if, in our reasonable opinion, you have or are likely to materially or repeatedly breach any provision in this clause 7.
- LINKS TO AND FROM OTHER WEBSITES
8.1 Links to third party websites on this Resource are provided solely for your convenience. If you use these links, you leave this Resource. We have not reviewed all of these third party websites and do not control and are not responsible for these websites or their content or availability. We therefore do not endorse or make any representations about them, or any material found there, or any results that may be obtained from using them. If you decide to access any of the third party websites linked to this Resource, you do so entirely at your own risk. We have no control over the contents of those sites or resources.
8.2 If you would like to link to this Resource, you may only do so on the basis that you do not do so in a way that damages our reputation or takes advantage of it. You may link to, but not replicate, the home page of this Resource, and subject to the following conditions:
(a) you must not establish a link in such a way as to suggest any form of association, approval or endorsement on our part where none exists or otherwise misrepresent your relationship with us or present any false information about us.
(b) you do not remove, distort or otherwise alter the size or appearance of the Sybermedica Limited logo;
(c) you do not create a frame or any other browser or border environment around this Resource and you may not create a link to any part of the Resource other than the home page;
(d) you do not in any way imply that we are endorsing any products or services other than our own;
(e) you do not otherwise use any Sybermedica Limited trademarks displayed on this Resource without our express written permission;
(f) you do not link from a website that is not owned by you; and
(g) your website does not contain content that is distasteful, offensive or controversial, infringes any intellectual property rights or other rights of any other person or otherwise does not comply with all applicable laws and regulations.
We expressly reserve the right to revoke the right granted in this clause 8.2 for breach of these terms and to take any action we deem appropriate. We reserve the right to withdraw linking permission without notice.
8.3 You shall fully indemnify us for any loss or damage we or any of our group companies may suffer or incur as a result of your breach of clause 8.2.
- REGISTRATION
9.1 To register as a user of the Resource you must be over eighteen years of age.
9.2 Each registration is for a single user only. We do not permit you to share your user name and password with any other person nor with multiple users on a network.
9.3 Responsibility for the security of any passwords issued rests with you and if you know or suspect that someone else knows your password, you should contact us immediately. At registration the default setting is for password changes to be made manually by the account owner. Optional automated password refresh is available to users on request.
9.4 We may suspend or cancel your registration immediately at our reasonable discretion or if you breach any of your obligations under these terms and conditions.
- DISCLAIMER
10.1 While we endeavour to ensure that the information on this Resource is correct, we do not warrant the accuracy and completeness of the material on this Resource. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content on our site. We may make changes to the material on this Resource, or to the products and prices described in it, at any time without notice. The material on this Resource may be out of date, and we make no commitment to update such material.
10.2 The material on this Resource is provided “as is” and “as available” without any conditions, warranties or other terms of any kind. Accordingly, to the maximum extent permitted by law, we provide you with this Resource on the basis that we exclude all representations, warranties, conditions and other terms (including, without limitation, the conditions implied by law of satisfactory quality, fitness for purpose (even if the purpose was made known to us) and the use of reasonable care and skill) which but for these terms and conditions might have effect in relation to this Resource.
- LIABILITY
11.1 We, any other party (whether or not involved in creating, producing, maintaining or delivering this Resource), and any of our group companies and the officers, directors, employees, shareholders or agents of any of them, exclude all liability and responsibility for any amount or kind of loss or damage that may result to you or a third party (including without limitation, any direct, indirect, punitive or consequential loss or damages, or any loss of income, profits, goodwill, data, contracts, use of money, or loss or damages arising from or connected in any way to business interruption, and whether in tort (including without limitation negligence), contract or otherwise) in connection with this Resource or any additional Data Archiving Services in any way or in connection with the use, inability to use or the results of use of this Resource or any additional Data Archiving Services, any websites linked to this Resource or the material on such websites, including but not limited to loss or damage due to viruses that may infect your computer equipment, software, data or other property on account of your access to, use of, or browsing this Resource or your downloading of any material from this Resource or any websites linked to this Resource.
11.2 Nothing in these terms and conditions shall exclude or limit our liability for any liability which cannot be excluded or limited under applicable law. This includes death or personal injury caused by our negligence or the negligence of our employees, agents or subcontractors and for fraud or fraudulent misrepresentation.
11.3 We exclude all implied conditions, warranties, representation or other terms that may apply to the Resource or the Data Archiving Services and any related content.
11.4 If your use of material on this Resource results in the need for servicing, repair or correction of equipment, software or data, you assume all costs thereof.
11.5 We accept no liability for ensuring that the computer hardware and display device(s) used to access and/or display information transmitted via this resource are of an adequate quality for the purpose in question. You accept that this is your responsibility, notably where this involves viewing of images for diagnostic purposes where specific regulatory and/or professional body rules may apply according to the use in question.
11.6 You agree to indemnify us fully, defend and hold us, and our officers, directors, employees and agents, harmless from and against all claims, liability, damages, losses, costs (including reasonable legal fees) arising out of:
11.6.1 loss or misuse of patient data that occurs as a result of your use of this Resource or the Data Archiving Services,
11.6.2 any advice or information you provide as a result of your use of this Resource, irrespective of its nature or accuracy, including claims for any resulting injury that may arise therefrom,
11.6.3 any breach of these terms and conditions by you, or your use of this Resource, or the use by any other person using your registration details.
- GOVERNING LAW AND JURISDICTION
These terms and conditions are governed by and construed in accordance with English law and each party irrevocably agrees to submit all disputes arising out of or in connection with these terms and conditions to the exclusive jurisdiction of the English courts.
- DATA PROTECTION
13.1 In this clause 13, the following words and phrases shall have the following meanings
13.1.1 “Applicable Data Protection Laws” means:
a) to the extent the UK GDPR applies, the law of the United Kingdom or a part of the United Kingdom which relates to the protection of personal data.
b) to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which we are subject, which relates to the protection of personal data.
13.1.2 “EU GDPR” the General Data Protection Regulation ((EU) 2016/679).
13.1.3 “UK GDPR” has the meaning given to it in the Data Protection Act 2018
13.2 Both parties will comply with all applicable requirements of the Applicable Data Protection Laws in so far as they apply to them and their obligations under these terms and conditions, including but not limited to, the data protection provisions in the attached schedule (Data Protection). This clause 13.2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under Applicable Data Protection Laws. For the purposes of these terms and conditions you are the Data Controller and we are the Data Processor.
13.3 The parties will enter into all agreements and documents as are necessary to comply with 13.2, including entering into the data processing clauses set out in the attached schedule (Data Protection).
- MISCELLANEOUS
14.1 You may not assign, sub-license or otherwise transfer any of your rights under these terms and conditions.
14.2 If any provision of these terms and conditions is found by any court of competent jurisdiction to be invalid, the invalidity of that provision will not affect the validity of the remaining provisions which shall continue to have full force and effect.
14.3 Only the parties to these terms and conditions may seek to enforce them under the Contracts (Rights of Third Parties) Act 1999.
14.4 Any variation to these terms and conditions is only valid if it is in writing and signed by you and us (or our respective authorised representatives).
14.5 If we do not insist that you perform any of your obligations under these terms and conditions, or if we do not exercise our rights or remedies against you, or if we delay in doing so, that will not mean that we have waived our rights and remedies against you or that you do not have to comply with those obligations. If we do waive any rights or remedies, we will only do so in writing, and that will not mean that we will automatically waive any right or remedy related to any later default by you.
- TERMINATION
15.1 Without affecting any other right or remedy available to us and notwithstanding any other right to terminate or suspend expressly referred to herein, we may terminate this purchase contract on giving not less than two months’ notice to you and subject to a proportionate reduction or refund of fees in relation to the period of usage prior to termination which shall be your sole remedy.
15.2 On termination for any reason, we will delete all data stored on the Resource or held in connection with the Data Archiving Services.
- NOTICES
16.1 Any notice to be given under this purchase contract shall be in writing and shall be delivered: (i) personally; or (ii) by pre-paid registered or recorded delivery to the other party at its address as set out in the purchase contract or as may otherwise be specified by such party by notice in writing to the other party; or (iii) by email.
16.2 Any notice shall be deemed to have been duly received: (a) if delivered personally, when left at the relevant address; (b) if delivered by pre-paid registered or recorded postage, 48 hours after posting; and (c) if delivered by email, at the time of transmission, or if this time falls outside business hours in the place of receipt, when business hours resume. In this clause 16.2, business hours means 9.00 am to 5.00 pm Monday to Friday on a day that is not a public holiday in the place of receipt. This clause 16.2 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
§2 PACSMail Software (Installed applications for PC, Mac and iPad)
READ THIS. This Part 2 applies where you access the Resource via the PACSMail client software (“Software”) which you have downloaded and installed on your device. This Part 2 applies in addition to the main body of the terms and conditions.
- License Grant
We grant to you (either an individual or entity) a nonexclusive license to access and download one copy of the Software solely for your own professional or business purposes. We reserve all rights not expressly granted herein.
- Ownership
We or our licensors are the owner of all right, title, and interest, including copyright, in and to the Software. Copyright to the Software is owned by us or other authorized copyright owner of each program. Ownership of the Software and all proprietary rights relating thereto remain with us and our licensors.
- Restrictions On Use and Transfer
(a) You may not (i) rent or lease the Software, (ii) copy or reproduce the Software through a LAN or other network system or through any computer subscriber system or bulletin-board system, or (iii) modify, adapt, or create derivative works based on the Software.
(b) You may not reverse engineer, decompile, or disassemble the Software. You may transfer the Software and user documentation on a permanent basis, provided that the transferee agrees to accept these terms and conditions and you retain no copies. If the Software is an update or has been updated, any transfer must include the most recent update and all prior versions.
(c) You may only use the Software in object code form for normal business purposes (which shall not include allowing the use of the Software by any person other than you or your employees).
- Restrictions on Use of Individual Programs
You must follow the individual requirements and restrictions detailed in the individual license agreements recorded on the Software. These limitations may include a requirement that after using the program for a specified period of time, the user must pay a registration fee or discontinue use. By accessing the Software, you will be agreeing to abide by the licenses and restrictions for these individual programs that are detailed in the Software. None of the material on the Software may ever be redistributed, in original or modified form, for commercial purposes.
- Limited Warranty
(a) WE AND OUR LICENSORS DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE SOFTWARE, THE SOURCE CODE CONTAINED THEREIN, AND/OR THE TECHNIQUES DESCRIBED IN THE SOFTWARE. WE DO NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE SOFTWARE WILL BE ERROR FREE.
(b) This limited warranty gives you specific legal rights, and you may have other rights that vary from jurisdiction to jurisdiction.
- Remedies
(a) Our entire liability and your exclusive remedy for defects in materials and workmanship shall be limited to replacement of the Software, which may be obtained by contacting us.
(b) In no event shall we or our licensors be liable for any damages whatsoever (including without limitation damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising from the use of or inability to use the Licensed Materials or the Software, even if Sybermedica has been advised of the possibility of such damages.
(c) Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation or exclusion may not apply to you.
- U.S. Government Restricted Rights
Use, duplication, or disclosure of the Software for or on behalf of the United States of America, its agencies and/or instrumentalities "U.S. Government" is subject to restrictions as stated in paragraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, or subparagraphs (c) (1) and (2) of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR supplement, as applicable.
§3 Cloud image viewer software (zero footprint viewer for PACSMail Cloud)
READ THIS. This Part 3 applies where you access the Resource via the Cloud image viewer software (‘Third Party Software’) which you access online. This Part 3 applies in addition to the main body of the terms and conditions.
- Third Party Software
1.1 The Third Party Software is licensed from and is maintained by a third party supplier, details of which are available at this link.
1.2. You agree to be bound by the terms of the Third Party Software, which can be found here.
- Liability
2.1 We exclude all liability and responsibility for any amount or kind of loss or damage that may result to you or a third party (including without limitation, any direct, indirect, punitive or consequential loss or damages, or any loss of income, profits, goodwill, data, contracts, use of money, or loss or damages arising from or connected in any way to business interruption, and whether in tort (including without limitation negligence), contract or otherwise) in connection with the Third Party Software in any way or in connection with the use, inability to use or the results of use of the Third Party Software.
2.2 You agree to indemnify us fully, defend and hold us, and our officers, directors, employees and agents, harmless from and against all claims, liability, damages, losses, costs (including reasonable legal fees) arising out of your breach of the Third Party Software terms.
§4 Schedule : Data Protection (“DP Schedule”)
1 DEFINITIONS AND INTERPRETATION
The following definitions and rules of interpretation apply in this DP Schedule.
1.1 Definitions:
“Business Purposes” the software licence and services to be provided by Sybermedica to the Licensee as described in the Licence and any other purpose agreed by the parties in writing.
“Commissioner” the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
Controller, Processor, Data Subject, Personal Data, Special Category Personal Data, Personal Data Breach and Processing: each have the meanings given to them in the Data Protection Legislation.
“Data Protection Legislation” all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
“Data Subject” the identified or identifiable living individual to whom the Personal Data relates.
“EEA” the European Economic Area.
“Standard Contractual Clauses (SCCs)” the ICO’s International Data Transfer Agreement for the transfer of personal data from the UK.
Term: the term of the Licence.
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 This DP Schedule is subject to the terms of the Licence and is incorporated into the Licence. Interpretations and defined terms set forth in the Licence apply to the interpretation of this DP Schedule.
1.3 The Annex forms part of this DP Schedule and will have effect as if set out in full in the body of this DP Schedule. Any reference to this DP Schedule includes the Annex.
1.4 A reference to writing or written includes faxes and email.
1.5 In the case of conflict or ambiguity between:
1.5.1 any provision contained in the body of this DP Schedule and any provision contained in the Annex, the provision in the body of this DP Schedule will prevail;
1.5.2 the terms of any accompanying invoice or other documents annexed to this DP Schedule and any provision contained in the Annex, the provision contained in the Annex will prevail;
1.5.3 any of the provisions of this DP Schedule and the provisions of the Licence, the provisions of this DP Schedule will prevail; and
1.5.4 any of the provisions of this DP Schedule and any executed SCC, the provisions of the executed SCC will prevail.
2 PERSONAL DATA TYPES AND PROCESSING PURPOSES
2.1 The Licensee and Sybermedica agree and acknowledge that for the purpose of the Data Protection Legislation:
2.1.1 the Licensee is the Controller and Sybermedica is the Processor.
2.1.2 the Licensee retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents or indicating alternative legal bases for the processing of the Personal Data, and for the written processing instructions it gives to Sybermedica.
2.1.3 The Annex describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Sybermedica may process the Personal Data to fulfil the Business Purposes.
2.1.4 The parties agree that the Personal Data will include Special Category Personal Data and that the Licensee has ensured that any additional protections and additional legal bases that may be required for the processing of such Special Category Personal Data compliantly under Data Protection Legislation have been observed and duly complied with.
3 SYBERMEDICA’S OBLIGATIONS
3.1 Sybermedica will only process the Personal Data (including the Special Category Personal Data) to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Licensee’s written instructions. Sybermedica will not process the Personal Data for any other purpose or in a way that does not comply with this DP Schedule or the Data Protection Legislation. Sybermedica must promptly notify the Licensee if it becomes aware that the Licensee’s instructions do not comply with the Data Protection Legislation.
3.2 Sybermedica must comply promptly with the Licensee’s written instructions requiring Sybermedica to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3 Sybermedica will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Licensee specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Sybermedica to process or disclose the Personal Data to a third party, Sybermedica must first inform the Licensee of such legal or regulatory requirement and give the Licensee an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
3.4 Sybermedica will reasonably assist the Licensee with meeting the Licensee’s compliance obligations under the Data Protection Legislation, taking into account the nature of Sybermedica’s processing and the information available to Sybermedica.
3.5 Sybermedica must promptly notify the Licensee of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting Sybermedica’s performance of the Licence or this DP Schedule.
4 SYBERMEDICA’S EMPLOYEES
4.1 Sybermedica will ensure that all of its employees:
4.1.1 are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
4.1.2 are aware both of Sybermedica’s duties and their personal duties and obligations under Data Protection Legislation and this DP Schedule.
5 SECURITY
5.1 Sybermedica must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in the Annex.
5.2 Sybermedica must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
5.2.1 the pseudonymisation and encryption of personal data;
5.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
5.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
5.2.4 a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
6 PERSONAL DATA BREACH
6.1 Sybermedica will without undue delay notify the Licensee if it becomes aware of:
6.1.1 the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. Sybermedica will restore such Personal Data at its own expense as soon as possible.
6.1.2 any accidental, unauthorised or unlawful processing of the Personal Data; or
6.1.3 any Personal Data Breach.
6.2 Where Sybermedica becomes aware of 6.1.1, 6.1.2 or 6.1.3 above, it shall, without undue delay, also provide the Licensee with the following information:
6.2.1 description of the nature of 6.1.1, 6.1.2 or 6.1.3, including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
6.2.2 the likely consequences; and
6.2.3 a description of the measures taken or proposed to be taken to address 6.1.1, 6.1.2 or 6.1.3, including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, Sybermedica will reasonably co-operate with the Licensee at no additional cost to the Licensee, in the Licensee’s handling of the matter, including but not limited to:
6.3.1 assisting with any investigation;
6.3.2 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Licensee; and
6.3.3 taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 Sybermedica will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Licensee’s written consent, except when required to do so by domestic law.
6.5 Sybermedica agrees that the Licensee has the sole right to determine:
6.5.1 whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Licensee’s discretion, including the contents and delivery method of the notice; and
6.5.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 Sybermedica will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Licensee’s specific written instructions, negligence, wilful default or breach of this DP Schedule, in which case the Licensee will cover all reasonable expenses.
7 CROSS-BORDER TRANSFERS OF PERSONAL DATA
7.1 Sybermedica as a data processor (together with any sub processors) shall not transfer or otherwise process the Personal Data outside the EEA without obtaining the Licensee’s prior written consent.
7.2 Where such consent is granted, Sybermedica may only process, or permit the processing, of the Personal Data outside the EEA under the following conditions:
7.2.1 Sybermedica is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
7.2.2 Sybermedica participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Sybermedica (and, where appropriate, the Licensee) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR; or
7.2.3 the transfer otherwise complies with the Data Protection Legislation.
7.3 If any Personal Data transfer between the Licensee and Sybermedica requires execution of SCCs in order to comply with the Data Protection Legislation (where the Licensee is the entity exporting Personal Data to Sybermedica outside the EEA), the parties will complete all relevant details in, and execute, the SCCs, and take all other actions required to legitimise the transfer.
7.4 For the avoidance of doubt, the obligations on the Processor under this clause shall not apply to any transfers of Personal Data undertaken by the Controller directly when the Controller transfers personal data to recipients or registered users who may be located in territories outside the UK and EEA.
8 SUBCONTRACTORS
8.1 Sybermedica may only authorise a third party (subcontractor) to process the Personal Data if:
8.1.1 the Licensee is provided with an opportunity to object to the appointment of each subcontractor within ten (10) working days after Sybermedica supplies the Licensee with full details in writing regarding such subcontractor; and
8.1.2 Sybermedica enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DP Schedule, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Licensee’s written request, provides the Licensee with copies of the relevant excerpts from such contracts; and
8.1.3 Sybermedica maintains control over all of the Personal Data it entrusts to the subcontractor; and
8.1.4 the subcontractor’s contract terminates automatically on termination of this DP Schedule for any reason.
8.2 Those subcontractors approved as at the commencement of this DP Schedule are as set out in the Annex.
8.3 Where the subcontractor fails to fulfil its obligations under the written agreement with Sybermedica which contains terms substantially the same as those set out in this DP Schedule, Sybermedica remains fully liable to the Licensee for the subcontractor’s performance of its agreement obligations.
8.4 The Parties agree that Sybermedica will be deemed to control legally any Personal Data controlled practically by or in the possession of its subcontractors.
9 COMPLAINTS, DATA SUBJECT REQUESTS AND THIRD-PARTY RIGHTS
9.1 Sybermedica shall take such technical and organisational measures as may be appropriate, and promptly provide such information to the Licensee as the Licensee may reasonably require, to enable the Licensee to comply with:
9.1.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
9.1.2 information or assessment notices served on the Licensee by the Commissioner under the Data Protection Legislation.
9.2 Sybermedica must notify the Licensee without undue delay if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
9.3 Sybermedica must notify the Licensee within three (3) days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
9.4 Sybermedica will give the Licensee its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.5 Sybermedica must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Licensee’s written instructions, or as required by domestic law.
10 TERM AND TERMINATION
10.1 This DP Schedule will remain in full force and effect so long as:
10.1.1 the Licence remains in effect; or
10.1.2 Sybermedica retains any of the Personal Data related to the Licence in its possession or control (“Term”).
10.2 Any provision of this DP Schedule that expressly or by implication should come into or continue in force on or after termination of the Licence in order to protect the Personal Data will remain in full force and effect.
10.3 Sybermedica’s failure to comply with the terms of this DP Schedule is a material breach of the Licence. In such event, the Licensee may terminate the Licence or any part of the Licence involving the processing of the Personal Data effective immediately on written notice to Sybermedica without further liability or obligation of the Licensee.
10.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Licence obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation, either party may terminate the Licence immediately on written notice to the other party.
11 DATA RETURN AND DESTRUCTION
11.1 At the Licensee’s request and at their cost (which shall be determined at the time of request), Sybermedica will give the Licensee, or a third party nominated in writing by the Licensee, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Licensee.
11.2 On termination of the Licence for any reason or expiry of its term, Sybermedica will securely delete or destroy or, if directed in writing by the Licensee, return and not retain, all or any of the Personal Data related to this DP Schedule in its possession or control.
11.3 If any law, regulation, or government or regulatory body requires Sybermedica to retain any documents or materials or Personal Data that Sybermedica would otherwise be required to return or destroy, it will notify the Licensee in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
12 RECORDS
12.1 Sybermedica will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data.
12.2 Sybermedica will ensure that the Records are sufficient to enable the Licensee to verify Sybermedica’s compliance with its obligations under this DP Schedule and Sybermedica will provide the Licensee with copies of the Records upon request.
13 AUDIT
13.1 On the Licensee’s written request and subject to Data Protection Legislation, Sybermedica will make all of the relevant audit reports available to the Licensee for review (for the purpose of the Licensee’s audit obligations). The Licensee will treat such audit reports as Sybermedica’s confidential information under the Licence.
13.2 Sybermedica will promptly address any exceptions noted in the audit reports with relevant sub processor(s).
ANNEX : Personal Data processing purposes and details
Subject matter of processing: electronic transfer of medical images and medical information relating to data subjects by secure messaging and transfer software from the Licensee to a registered user;
Duration of Processing: for the Term of the Licence;
Nature of Processing: uploading, storing, cataloguing, processing, transferring, retrieving, deleting;
Business Purposes: for the purpose of providing the services set out in the Licence to the Licensees;
Personal Data Categories: medical practitioner name, contact details, email addresses, telephone numbers, organisation/employer, patient name, medical imaging (a scan) and any associated clinical information;
Special Category Personal Data: clinical information, medical history, medical imaging and associated clinical notes, CAT scan images, MRI scan images, medical opinions and requests for review;
Data Subject Types: patients of the Licensees, staff of Licensees and medical practitioners receiving email;
Approved Subcontractors: Rackspace as hosting providers
Security measures: Personal data held by Sybermedica in the Rackspace environment is accessible through secure online protocols only, overlain by live threat management software provided by Rackspace and their subcontractors.
End of Document
© Sybermedica 2023