Privacy Policy

LOTTIE ORGANISATION LTD “FOUNDCRM” DATA PROTECTION AGREEMENT

Last Updated: January 2023

This Data Protection Agreement and its Appendix ("DPA") forms part of the agreement between Found and its Customer for Found's provision of services to the Customer ("Terms").

1 Definitions and Interpretation

1.1 In this DPA:

Adequacy Decision: a decision of the UK Government or, where the GDPR applies, the European Commission made pursuant to the Data Protection Laws that the laws of a third country ensure an adequate level of protection for personal data, or any other decision or position adopted to govern the Restricted Transfers as published and agreed by the respective territories' governments, supervisory authorities or other relevant decision-making bodies.

Agreement Personal Data: means the personal data of the Customer (including the personal data of Authorised Users) and any other personal data which is collected or otherwise processed by Found in the provision of, or in connection with, the Services.

consent: shall have the meaning given to it in the Data Protection Laws.

data controller: shall have the meaning given to it in the Data Protection Laws.

data processor: shall have the meaning given to it in the Data Protection Laws.

data subject: shall have the meaning given to it in the Data Protection Laws.

Data Protection Laws: means all applicable data protection and privacy legislation in force from time to time including where relevant, the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder); Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (commonly known as "GDPR"); the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to Found and/or the Customer relating to the use of personal data.

Restricted Transfer: means a transfer of Agreement Personal Data from within the UK to a territory that is outside the UK and/or the EEA (where the GDPR applies) that is not otherwise subject to an Adequacy Decision.

personal data: shall have the meaning given to it in the Data Protection Laws.

process and processing: shall have the meaning given to them in the Data Protection Laws.

Sub-Processor: means any sub-contractor, supplier or other third party engaged by Found that will process the Agreement Personal Data.

UK GDPR: means the GDPR as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.

1.2 In this DPA, expressions defined in the Terms and used in this DPA have the meaning set out in the Terms.


2 Compliance with Data Protection Laws

2.1 Each of the Customer and Found shall at all times comply with all applicable requirements of the Data Protection Laws. This clause 2 is in addition to and does not relieve, remove or replace, either party's obligations or rights under the Data Protection Laws.

2.2 For the purposes of the Data Protection Laws, the parties agree that the Customer is the data controller and Found is the data processor of the Agreement Personal Data.


3 The Customer's Warranties and Obligations

3.1 Without prejudice to the generality of clause 2.1, the Customer shall be responsible for determining the lawful basis on which it and Found can process the Agreement Personal Data for the purposes of providing and receiving the Services in accordance with this Agreement prior to (i) providing the personal data to Found and/or (ii) issuing instructions to Found to collect or otherwise process the personal data. The Customer shall be responsible for ensuring that it has a lawful basis for processing the Agreement Personal Data and for providing such personal data to Found for processing in connection with Found's provision of the Services, including but not limited to Customer's use of the Software.

3.2 Without prejudice to the generality of clause 2.1, where the lawful basis on which the Customer relies is consent, the Customer shall ensure that it has valid consent from each data subject to the collection, processing and transfer of their personal data to Found as required to enable Found to provide the Services. In the event that a data subject withdraws their consent to such processing at any time, the Customer shall promptly inform Found.


4 Found's Obligations

4.1 The parties agree that the scope, nature and purpose of processing, the duration of the processing and the types of personal data and categories of data subject are as set out at Appendix 1 of this DPA.

4.2 When processing Agreement Personal Data on behalf of the Customer, the parties agree that Found shall:

a. only process the Agreement Personal Data in accordance with the Customer's documented instructions from time to time (including for the purposes of Found fulfilling its obligations under this Agreement), unless: (i) required to do so by law, in which case Found shall inform the Customer of the relevant legal requirement before processing (unless that legal requirement prohibits such information being provided to the Customer on the grounds of public interest); or (ii) in its opinion, an instruction given by or on behalf of the Customer infringes the Data Protection Laws, in which case it shall promptly inform the Customer of that opinion;

b. ensure that access to Agreement Personal Data is limited to persons who need to access it in order to provide the Services and that those persons authorised to process the Agreement Personal Data are subject to obligations of confidentiality;

c. implement and maintain appropriate technical and organisational measures to protect the Agreement Personal Data against unauthorised or unlawful processing or accidental loss or damage (ensuring in each case a level of security appropriate to the risk);

d. only make a Restricted Transfer if Found has entered into an agreement with the relevant importing entity in a form approved by the UK Government (or where applicable the EU Commission) or has otherwise complied with another approved data transfer mechanism;

e. in the event that any data subject informs Found that it wishes to exercise any rights in respect of the Agreement Personal Data, promptly notify the Customer and, to the extent that any action is required, provide reasonable assistance to the Customer in the fulfilment of the relevant request (such assistance to be at the Customer's cost with such costs to be agreed with the Customer in advance (with both parties acting reasonably and in good faith));

f. provide reasonable assistance to the Customer in meeting its obligations under the Data Protection Laws with respect to data security, breach notification, data protection impact assessments and prior consultation with, or notification to, a competent data protection supervisory authority (such assistance to be at the Customer's cost with such costs to be agreed with the Customer in advance (with both parties acting reasonably and in good faith));

g. on termination or expiry of this Agreement, at the discretion of the Customer, return, or in accordance with clause 16.4 of the Agreement permanently delete the Agreement Personal Data, unless Found (i) is required by applicable law to continue to process that Agreement Personal Data or (ii) anonymises the Agreement Personal Data (and Found shall be permitted to process the Agreement Personal Data for the purposes of anonymisation);

h. at the reasonable request of the Customer, make available to the Customer all information necessary to demonstrate Found's compliance with this DPA;

i. on providing Found with at least 30 calendar days' written notice (or a reasonable notice period where such audit is requested by a competent data protection authority), permit the Customer and/or the Customer's representatives to inspect and audit Found's premises and data processing activities (limited to such activities regarding the Agreement Personal Data) and comply with all reasonable requests to enable the Customer to verify and/or procure that Found is complying with the provisions of this DPA. The scope of any such audit shall be agreed by the parties in advance and shall last no longer than five working days (unless required to comply with the requirements of a competent data protection authority), and the Customer shall (and shall ensure its representatives shall) take all reasonable steps to ensure that any such audit will not interfere with Lottie's day-to-day business practices. Audits shall take place no more than once in any calendar year; and

j. promptly (and in any case within 48 hours of becoming aware) notify the Customer of the loss, compromise or any unauthorised access to, or breach of the security of any Agreement Personal Data of which it becomes aware and provide Customer with reasonable assistance in relation to the same.

4.3 Found has the Customer's general authorisation for the engagement of Sub-Processor(s). Lottie's Sub-Processor(s) at the date of this Agreement are available on request. Found shall notify the Customer in writing in relation to the appointment of any new or replacement Sub-Processors. In each case Found shall ensure that, prior to the Sub-Processor processing any Agreement Personal Data, terms materially the same as this DPA are included in a written contract between Found and the Sub-Processor. Notwithstanding the engagement of any Sub-Processors, Lottie shall remain liable to the Customer for the acts and omissions of such third parties as if they were acts and omissions of Lottie.


Appendix 1

Processing, personal data, data subjects and Sub-Processors

Nature and purpose of processing: The processing of Agreement Personal Data for the purposes of Found providing the Services to the Customer.

Duration of processing: The Term of the Agreement.

Types of personal data: Found will process the Agreement Personal Data on behalf of the Customer, which shall include (but not be limited to):
  • The name, job role, qualifications, shift pattern, salary, hours worked etc. of the Customer's employees and/or Authorised Users and (to a limited extent, as applicable) medical professionals and other care contacts
  • The name, care requirements, next of kin, service history and account details of the care recipients
  • The name, contact details and care requirements of prospective care recipients.

Categories of data subject: The employees, Authorised Users, care recipients, prospective care recipients and the relatives (or those otherwise with powers of attorney or making a request on behalf of a care recipient or prospective care recipient) of care recipients or prospective care recipients, as well as medical professionals and other care contacts.