Data Processing Agreement

Carolan Chartered Physiotherapy (“the Company” & “Controller”) provides physiotherapy services to members of the public, in order to provide this service the Company engages with Data Processors in the form of self-employed physio therapists (“Clinicians”).  Customers in this document shall mean patients of Carolan Chartered Physiotherapy and of the Clinicians who are working on behalf of or in Carolan Chartered Physiotherapy clinics.  For the purposes of providing the services Clinicians are Data Processors as described in Data Protection Law (Data Protection Act 1988 amended 2003 and EU Regulation 2016/679 also known as the GDPR).  The Clinicians acknowledges that in providing services it will process personal data on behalf of the Controller and the parties agree to the terms of this Agreement in respect of the processing of personal data.

  1. The Clinician acknowledges that in providing the physiotherapy services it will process personal data on behalf of Carolan Chartered Physiotherapy. Categories of data subjects include members of the public.  Categories of personal data which is processed in accordance with this agreement include: name, address, medical history, email and phone number.  On occasion work details may be gathered.  The Clinician acknowledges that it is the data processor and agrees that:
  • The Clinician processes data with respect of the services as they are described above, this includes the provision of a managed service, on behalf of the Controller in the context of providing these services under the Agreement, for the duration of time which the Controller is in receipt of the services. The obligations and rights of the Controller with regards to those services are set out in that agreement;
  • The Clinician will only process such personal data in accordance with the documented instructions of the Controller, including with regards to the transfers of data to third countries outside of the European Economic Area whereby a separate specific instruction must be provided by the Controller to the Processor;
  • The Clinician shall ensure that only persons so authorised by Carolan Chartered Physiotherapy to process the personal data of Customers and they are bound by a confidentiality agreement. Other persons cannot process personal data on behalf of the Controller without prior written permission from the Controller or the customer;
  • Clinicians shall implement such technical and organisational security measures as required in order to comply with the principles of data protection namely the principle of integrity and confidentiality. Evidence of such measures can be made available to the Controller upon request.  Carolan Chartered Physiotherapy shall work with the Clinicians to help implement such technical and organisational measures as deemed necessary;
  • The Clinician will not engage with sub-processors without prior and express permission from the Controller. The Clinician shall work with Carolan Chartered Physiotherapy to help ensure that the sub-processor complies with Data Protection Laws prior to any engagement and shall present evidence upon reasonable request from the Customer. Sub-processors which may be engaged as part of providing the service are limited to the manufacturers of the products in question.  It is not envisaged that any sub processors will be engaged;
  • The Clinician shall inform Carolan Chartered Physiotherapy immediately and no longer than 48 hours from receiving a request from a data subject pursuant to their rights under the Data Protection Laws. The Clinician will not communicate with the data subject other than to inform them that their request is being processed until the Controller has reviewed the request and given permission for further contact.  The Clinician will assist the Controller where possible to deal with such access requests as relate to the Services being provided under this Agreement;
  • The Clinician shall assist the Controller by implementing internal technical and organisational measures enabling the compliance with such requests which are made pursuant to Data Protection Law by data subjects. Carolan Chartered Physiotherapy will work in conjunction with the Clinician to ensure that the technical and organisational measures are in place;
  • The Clinician will assist the controller in complying with security measures in respect to the protection of personal data, data protection impact assessments and prior consultation requirements under Data Protection Law in so far as they relate to the services being provided under this agreement;
  • Upon termination of the Agreement and at the choice of the Controller the Clinician shall: i) delete such personal data which has been collected with the exception of such data which must be held to comply with another legal obligation. ii) return all personal data which has been collected.
  • The Clinician shall inform the Controller immediately if it receives instruction from the Controller that is believed to be in contradiction to the Data Protection Laws with regards to the processing of personal data under this Agreement;
  • The Clinician shall notify the Controller without undue delay and before 24 hours from the time a data breach has been detected. The Clinician and Carolan Chartered Physiotherapy relies on the definition of data breach as described by the Article 29 Working Party, 17/EN WP250.  The Clinician will offer such cooperation to the Controller including where necessary contact with the Supervisory Authority as well as assistance as may be required to mitigate against the effects of the breach insofar as it relates to the processing of data under this Agreement;


  1. Indemnity clause / liability
  • Subject to the exclusions set out in 2(b) below, the total liability of the Processor to the Controller for any losses, damages, costs, fines and/or expenses (“Losses”) arising out of or in connection with this Agreement shall not exceed the aggregated amount of income paid to the Processor by the Controller in relation to the services provided in the immediately preceding twelve-month period.
  • The Parties agree that the Processor shall not be liable for any Losses to the extent they are in respect of
  • any Processing by the Clinician in accordance with the instructions of the Controller;
  • any breach by the Controller of their obligations under the Data Protection Laws or any other breach by the Controller of applicable law.
  • The Parties further agree and acknowledge that neither of the Parties hereto is acting as a consumer in connection with the matters set out herein, that each is acting in the course of business, and that the provisions of this Clause 2 are fair and reasonable in all respects.
  • Each Party shall be solely liable to the other Party, for and on behalf of itself, its employees, servants or agents, under or in relation to this Agreement and each Party shall assume all rights and remedies for and on behalf of its employees, servants or agents, against the other Party under or in relation to this agreement.
  • The Parties expressly agree that should any limitation or provision contained in this Clause 2 be held invalid under any applicable statute or rule of law it shall to that extent be deemed omitted but if any Party thereby becomes liable for loss or damage which would otherwise have been excluded or limited such liability shall be subject to the other limitations and provisions set out herein.