Data Processing Agreement

This data processing agreement ("DPA") is incorporated into the Agreement between Hero Doctor Limited t/a Hero Health, of 256 Mayfield House, 3rd Floor, 256 Banbury Road, Oxford, United Kingdom, OX2 7DE ("Hero") and the Licensee in accordance with the Hero Licence Terms.


In this DPA, the following capitalised definitions have the following meanings, in addition to the definitions included in the Hero Licence Terms:

Applicable Laws means:

(a)     To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom.

(b)    To the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which Hero is subject.

Applicable Data Protection Laws means:

(a)     To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.

(b)    To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which Hero is subject, which relates to the protection of personal data.

Licensee Personal Data means any personal data which Hero processes in connection with this agreement, in the capacity of a processor on behalf of the Licensee.

EU GDPR means the General Data Protection Regulation ((EU) 2016/679).

Hero Personal Data means any personal data which Hero processes in connection with this agreement, in the capacity of a controller.

Purpose: means the purposes for which the Licensee Personal Data is processed, as set out in clause 1.8.1.

UK GDPR means has the meaning given to it in the Data Protection Act 2018.

1.              DATA PROTECTION

1.1            For the purposes of this clause 1, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.

1.2            Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause 1 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Applicable Data Protection Laws.

1.3            The parties have determined that, for the purposes of Applicable Data Protection Laws:

1.3.1         Hero acts as controller in respect of the personal data and processing activities related to: (i) the negotiation of its agreements with licensees; (ii) the login details created (if any) by the Licensee's users; (iii) any queries received directly from patients or members of the public; and (iv) any analytical data associated with the Licensee or its users' use of the Services; and

1.3.2         subject to clause 1.3.1, Licensee acts as controller and Hero acts as the processor in respect of the personal data submitted to the Services by the Authorised Users. The categories of personal data are the name, age, address, telephone number, registered practitioner and other medical and health information relating to the data subject, and the categories of data subject are typically patients of the Licensee. The duration of the processing is for the duration of the DPA;

1.4            Should the determination in clause 1.3 change, then each party shall work together in good faith to make any changes which are necessary to this clause 1 or the related schedules.

1.5            Without prejudice to the generality of clause 1.2, the Licensee will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Hero Personal Data and Licensee Personal Data to Hero for the duration and purposes of the Agreement.

1.6            In relation to the Licensee Personal Data, Schedule 2 sets out the scope, nature and purpose of processing by Hero, the duration of the processing and the types of personal data and categories of data subject.

1.7            Without prejudice to the generality of clause 1.2 Hero shall, in relation to Licensee Personal Data:

1.7.1         process that Licensee Personal Data only on the documented instructions of the Licensee, which shall be to process the Licensee Personal Data to provide the Services, unless Hero is required by Applicable Laws to otherwise process that Licensee Personal Data. Where Hero is relying on Applicable Laws as the basis for processing Licensee Personal Data, Hero shall notify the Licensee of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Hero from so notifying the Licensee on important grounds of public interest. Hero shall inform the Licensee if, in the opinion of Hero, the instructions of the Licensee infringe Applicable Data Protection Laws;

1.7.2         implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Licensee Personal Data and against accidental loss or destruction of, or damage to, Licensee Personal Data, having regard to the state of technological development and the cost of implementing any measures;

1.7.3         ensure that any personnel engaged and authorised by Hero to process Licensee Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;

1.7.4         assist the Licensee insofar as this is possible(taking into account the nature of the processing and the information available to Hero), and at the Licensee's cost and written request, in responding to any request from a data subject and in ensuring the Licensee's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

1.7.5         notify the Licensee without undue delay on becoming aware of a personal data breach involving the Licensee Personal Data;

1.7.6         at the written direction of the Licensee, delete or return Licensee Personal Data and copies thereof to the Licensee on termination of the Agreement unless Hero is required by Applicable Law to continue to process that Licensee Personal Data. For the purposes of this clause 1.7.6 Licensee Personal Data shall be considered deleted where it is put beyond further use by Hero; and

1.7.7         maintain records to demonstrate its compliance with this clause 1 and allow for reasonable audits by the Licensee or the Licensee's designated auditor, for this purpose, on reasonable written notice.

1.8            The Licensee hereby provides its prior, general authorisation for Hero to:

1.8.1         appoint processors to process the Licensee Personal Data, provided that Hero:

(a)       shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on Hero in this clause 1;

(b)       shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of Hero; and

(c)       shall inform the Licensee of any intended changes concerning the addition or replacement of the processors, thereby giving the Licensee the opportunity to object to such changes provided that if the Licensee objects to the changes and cannot demonstrate, to Hero's reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Licensee shall indemnify Hero for any losses, damages, costs (including legal fees) and expenses suffered by Heroin accommodating the objection;

1.8.2         transfer Licensee Personal Data outside of the UK as required for the Purpose, provided that Hero shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Licensee shall promptly comply with any reasonable request of Hero, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time(where the UK GDPR applies to the transfer).

1.9            The current sub-processors used by Hero and approved by the Licensee are set out on this page

Automating appointment scheduling
© Hero Doctor Limited 2023