Data Controller ("Client")
Organisation Name: [CLIENT ORGANISATION NAME]
Registered Address: [CLIENT ADDRESS]
Company Number: [CLIENT COMPANY NUMBER]
Contact Person: [CLIENT CONTACT NAME & EMAIL]
Data Processor ("ClearMinds")
Organisation Name: ClearMinds Ltd
Registered Address: [CLEARMINDS ADDRESS]
Company Number: [CLEARMINDS COMPANY NUMBER]
ICO Registration: [ICO REGISTRATION NUMBER]
Contact Person: Data Protection Officer, dpo@clearmindseap.com
Important: This Data Processing Agreement (DPA) forms part of the main services agreement between the parties. In the event of any conflict between this DPA and the main agreement, this DPA shall take precedence in relation to data protection matters.
1. Definitions and Interpretation
1.1 Definitions
In this Agreement, unless the context otherwise requires:
- "Agreement" means this Data Processing Agreement together with all schedules and annexes
- "Applicable Data Protection Law" means the UK General Data Protection Regulation, the Data Protection Act 2018, and any other applicable data protection legislation
- "Controller" means the Client, who determines the purposes and means of processing Personal Data
- "Data Subject" means an identified or identifiable natural person
- "Wellness Services" means the workplace mental health and wellness support services provided by clear minds
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in UK GDPR
- "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data
- "Processing" has the meaning given in UK GDPR Article 4(2)
- "Processor" means ClearMinds, who processes Personal Data on behalf of the Controller
- "Services" means the Wellness Services as described in the main services agreement
- "Special Category Data" means Personal Data revealing health data, as defined in UK GDPR Article 9
- "Sub-processor" means any third party appointed by ClearMinds to process Personal Data
- "Supervisory Authority" means the Information Commissioner's Office (ICO)
1.2 Interpretation
- References to Articles or Chapters are to the UK GDPR unless otherwise stated
- Headings are for convenience only and do not affect interpretation
- Words in the singular include the plural and vice versa
2. Scope and Purpose of Processing
2.1 Processor Relationship
Under this Agreement:
- The Client is the Data Controller who determines the purposes and means of processing
- ClearMinds is the Data Processor who processes Personal Data on behalf of the Client
- ClearMinds shall only process Personal Data on documented instructions from the Client
2.2 Nature and Purpose of Processing
Purpose: To provide workplace mental health and wellness support services to the Client's employees, contractors, and their immediate family members as specified in the main services agreement.
Nature of Processing: ClearMinds will process Personal Data to:
- Verify eligibility for wellness services
- Provide mental health assessments and support
- Deliver counselling and therapeutic interventions
- Manage appointments and service access
- Provide anonymised usage statistics to the Client
- Maintain clinical records as required by professional standards
2.3 Types of Personal Data
Standard Personal Data:
- Name and contact details (email, phone number, address)
- Date of birth
- Employment reference or employee ID (for verification only)
- Communication records (emails, call logs, chat transcripts)
Special Category Data (Health Data):
- Mental health concerns and symptoms
- Clinical assessments and diagnoses
- Treatment plans and therapy notes
- Progress notes and outcomes
- Related health information affecting mental health treatment
2.4 Categories of Data Subjects
- Employees of the Client organisation
- Contractors and temporary workers (if specified in services agreement)
- Immediate family members of employees (typically spouse/partner and dependent children)
- Former employees (if specified in services agreement)
2.5 Duration of Processing
Processing shall continue for the duration of the main services agreement and for such additional period as necessary to fulfil legal obligations, including clinical record retention requirements as specified in ClearMinds' Data Retention Policy.
3. Processor Obligations
3.1 Processing Instructions
ClearMinds shall:
- Process Personal Data only on documented instructions from the Client, including with regard to transfers of Personal Data outside the UK (unless required by law to do otherwise)
- Immediately inform the Client if, in its opinion, an instruction infringes Applicable Data Protection Law
- Not process Personal Data for any purpose other than providing the Services
3.2 Confidentiality
ClearMinds shall:
- Ensure that all personnel authorised to process Personal Data are subject to a duty of confidentiality (whether contractual or statutory)
- Ensure all personnel have received appropriate data protection training
- Limit access to Personal Data to personnel who need access to perform the Services
3.3 Security Measures
ClearMinds shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Technical Measures:
- Encryption of Personal Data in transit (TLS 1.3 minimum) and at rest (AES-256)
- Multi-factor authentication for all user accounts
- Regular security updates and patch management
- Intrusion detection and prevention systems
- Regular penetration testing and vulnerability assessments
- Secure backup and recovery procedures
- Anti-virus and anti-malware protection
Organisational Measures:
- Role-based access controls (principle of least privilege)
- Regular staff training on data protection and security
- Clear desk and clear screen policies
- Secure disposal procedures for physical and electronic records
- Incident response and business continuity plans
- Regular audits of security measures
ClearMinds maintains ISO 27001 certification for information security management [IF APPLICABLE - OTHERWISE REMOVE THIS LINE].
3.4 Sub-processing
3.4.1 General Authorisation
The Client provides general authorisation for ClearMinds to engage Sub-processors, subject to the conditions in this clause.
3.4.2 Current Sub-processors
The Client approves the Sub-processors listed in Schedule 1 attached to this Agreement.
3.4.3 New Sub-processors
ClearMinds shall:
- Notify the Client at least 30 days before engaging any new Sub-processor
- Provide details of the Sub-processor and the processing activities
- Allow the Client to object on reasonable grounds within 14 days
- Not proceed with the engagement if the Client objects on reasonable grounds
3.4.4 Sub-processor Requirements
ClearMinds shall:
- Impose data protection obligations on Sub-processors that are equivalent to those in this Agreement
- Ensure Sub-processors provide sufficient guarantees of appropriate security measures
- Remain fully liable to the Client for the performance of Sub-processors
- Conduct due diligence on Sub-processors before engagement
- Monitor Sub-processor compliance
3.5 Data Subject Rights
ClearMinds shall:
- Assist the Client in responding to requests from Data Subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection)
- Notify the Client immediately upon receiving a Data Subject request
- Not respond to Data Subject requests directly without the Client's authorisation, except as required by law
- Provide information and assistance within 14 days or such shorter period as required for the Client to meet statutory deadlines
- Implement appropriate technical measures to facilitate Data Subject rights
3.6 Personal Data Breaches
ClearMinds shall:
- Notify the Client without undue delay (and in any event within 24 hours) upon becoming aware of a Personal Data Breach
- Provide the following information:
  - Nature of the breach and categories/approximate numbers of affected Data Subjects and records
  - Contact details of ClearMinds' Data Protection Officer
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach and mitigate adverse effects
- Cooperate with the Client's investigation and provide all reasonable assistance
- Implement immediate measures to contain and remediate the breach
- Document all Personal Data Breaches including facts, effects, and remedial actions
ClearMinds shall bear the costs of breach response unless the breach was caused by the Client's instructions or actions.
3.7 Data Protection Impact Assessments
ClearMinds shall provide reasonable assistance to the Client in conducting Data Protection Impact Assessments (DPIAs) where required, including providing:
- Information about processing operations
- Details of security measures in place
- Risk assessment information
- Other information reasonably necessary for the DPIA
3.8 Audits and Inspections
ClearMinds shall:
- Make available to the Client all information necessary to demonstrate compliance with this Agreement
- Allow for and contribute to audits, including on-site inspections, by the Client or an independent auditor appointed by the Client
- Provide reasonable cooperation and assistance during audits
Audit Terms:
- Client may conduct audits once per year unless there is reasonable cause for additional audits
- Client shall provide at least 30 days' notice for scheduled audits
- Audits shall be conducted during business hours
- Client shall minimise disruption to ClearMinds' operations
- Auditor must execute a confidentiality agreement before access
- Client shall bear costs of audits unless audit reveals material non-compliance
3.9 Record-Keeping
ClearMinds shall maintain records of processing activities in accordance with Article 30 UK GDPR, including:
- Name and contact details of the Processor and each Controller
- Categories of processing carried out on behalf of each Controller
- Transfers of Personal Data outside the UK (if applicable)
- General description of technical and organisational security measures
4. Controller Obligations
4.1 Lawful Processing
The Client warrants that:
- It has a lawful basis for processing Personal Data and instructing ClearMinds to process on its behalf
- It has obtained all necessary consents, provided appropriate privacy notices, and complied with transparency obligations
- Its instructions to ClearMinds comply with Applicable Data Protection Law
4.2 Instructions
The Client shall:
- Provide clear, lawful, and documented instructions to ClearMinds
- Ensure instructions are consistent with Applicable Data Protection Law
- Respond promptly to requests for clarification from ClearMinds
4.3 Data Accuracy
The Client shall ensure that Personal Data provided to ClearMinds is accurate and kept up to date.
5. International Data Transfers
5.1 General Principle
ClearMinds shall process Personal Data within the United Kingdom. Any processing outside the UK requires prior written approval from the Client.
5.2 Transfer Safeguards
If international transfers are approved, ClearMinds shall ensure appropriate safeguards are in place:
- Transfers only to countries with a UK adequacy decision, OR
- Use of UK-approved Standard Contractual Clauses (SCCs), OR
- Other approved transfer mechanisms under UK GDPR Chapter V
ClearMinds shall provide copies of transfer mechanisms to the Client upon request.
6. Return and Deletion of Personal Data
6.1 Upon Termination
Upon termination or expiry of the services agreement, ClearMinds shall, at the Client's election:
- Return all Personal Data to the Client in a structured, commonly used, machine-readable format, AND/OR
- Securely delete all Personal Data
Exception: ClearMinds may retain Personal Data to the extent required by law, including professional clinical record retention requirements, provided such Personal Data remains subject to confidentiality obligations and is not processed for any other purpose.
6.2 Retention for Legal Obligations
ClearMinds is subject to clinical record retention requirements under NHS guidance and professional standards. Clinical records must be retained for:
- 8 years from last contact (adults)
- Until 25th birthday or 8 years from last contact, whichever is longer (children/young people)
The Client acknowledges these retention requirements and agrees that clinical records shall be retained by ClearMinds for these periods, subject to continued compliance with this Agreement.
6.3 Deletion Method
Deletion shall be performed using secure methods including:
- Multi-pass overwriting for electronic data
- Destruction of physical records by cross-cut shredding to DIN P-4 standard
- Physical destruction of hardware containing Personal Data
- Certification of destruction provided upon request
7. Liability and Indemnity
7.1 Liability
Each party's liability under this Agreement shall be subject to the limitation of liability provisions in the main services agreement, except that:
- Liability for breach of data protection obligations under this DPA is uncapped
- Each party shall be liable for its own breaches of Applicable Data Protection Law
- ClearMinds shall be liable for Sub-processors as if they were ClearMinds' own actions
7.2 Regulatory Fines
- If ClearMinds is fined by the ICO due to its breach of this Agreement, ClearMinds shall bear the cost
- If ClearMinds is fined by the ICO due to the Client's unlawful instructions, the Client shall indemnify ClearMinds
- If a fine is imposed due to the actions of both parties, liability shall be apportioned based on respective fault
7.3 Claims by Data Subjects
Each party shall cooperate in defending claims by Data Subjects and shall indemnify the other party for losses arising from its own breach of this Agreement.
8. Duration and Termination
8.1 Duration
This Agreement shall commence on the date of signature and continue for the duration of the main services agreement.
8.2 Survival
The following clauses shall survive termination:
- Confidentiality obligations
- Return and deletion of Personal Data
- Liability and indemnity
- Retention for legal obligations
9. General Provisions
9.1 Amendments
This Agreement may only be amended by written agreement signed by both parties. However, ClearMinds may update Schedule 1 (Sub-processors) in accordance with clause 3.4.3.
9.2 Severability
If any provision of this Agreement is held invalid or unenforceable, that provision shall be enforced to the maximum extent possible, and the remaining provisions shall remain in full force and effect.
9.3 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of England and Wales.
9.4 Jurisdiction
The parties submit to the exclusive jurisdiction of the courts of England and Wales.
9.5 Notices
Notices under this Agreement shall be in writing and sent to:
For the Client:
[CLIENT CONTACT NAME]
[CLIENT ADDRESS]
[CLIENT EMAIL]
For ClearMinds:
Data Protection Officer
ClearMinds Ltd
[CLEARMINDS ADDRESS]
dpo@clearmindseap.com
10. Schedules
The following schedules form part of this Agreement:
- Schedule 1: Sub-processors
- Schedule 2: Security Measures (optional detailed schedule)
- Schedule 3: Data Processing Details Summary
Signatures
The parties have executed this Data Processing Agreement as of the date set forth below.
For the Client:
Signature:
_________________________________________________
Name:
_________________________________________________
Title:
_________________________________________________
Date:
_________________________________________________
For ClearMinds Ltd:
Signature:
_________________________________________________
Name:
_________________________________________________
Title:
_________________________________________________
Date:
_________________________________________________
Schedule 1: Sub-processors
Important: This schedule lists all Sub-processors currently engaged by ClearMinds. Any changes will be notified to the Client 30 days in advance per clause 3.4.3.
| Sub-processor Name | Service Provided | Location | Data Processed |
|---|---|---|---|
| [CLOUD PROVIDER] e.g., Amazon Web Services | Cloud infrastructure hosting | United Kingdom | All Personal Data including Special Category Data |
| [EMAIL PROVIDER] e.g., Microsoft 365 | Email and communication services | United Kingdom / EEA | Name, email address, communication content |
| [VIDEO PLATFORM] e.g., Secure telehealth provider | Video counselling platform | United Kingdom | Name, session recordings (if enabled), connection metadata |
| [BACKUP PROVIDER] | Encrypted backup services | United Kingdom | All Personal Data including Special Category Data (encrypted) |
| [INSERT ADDITIONAL SUB-PROCESSORS AS APPLICABLE] | | | |
Last Updated: [DATE]
Schedule 3: Data Processing Details Summary
| Element | Details |
|---|---|
| Subject Matter | Provision of Employee Assistance Programme and mental health support services |
| Duration | Duration of main services agreement plus clinical record retention period (up to 8 years post-service) |
| Nature and Purpose | Eligibility verification; mental health assessment and support; counselling and therapy delivery; appointment management; anonymised usage reporting |
| Types of Personal Data | Standard: Name, contact details, DOB, employee reference. Special Category: Mental health data, clinical assessments, treatment records |
| Categories of Data Subjects | Employees, contractors, family members (as per services agreement) |
| Processing Operations | Collection, recording, organisation, structuring, storage, consultation, use, disclosure, deletion |