ISOSTOCK DATA PROCESSING ADDENDUM (DPA)

This Data Processing Addendum (the Addendum) forms part of the agreement between you, the Service User (the Controller), and Gillett Limited (the Processor), in conjunction with the following documents:

These documents may be updated or amended from time to time. This Addendum governs the processing of personal data in accordance with applicable Data Protection Law.

DEFINITIONS

In this Addendum and associated documents, the following terms have the meanings given in the UK General Data Protection Regulation (UK GDPR):

a) Controller, Processor, Data Subject, Personal Data, Processing (and Process), and Special Categories of Personal Data shall have the meanings defined in UK GDPR.

b) Data Protection Law means the UK GDPR and UK laws made under or pursuant to it.

RELATIONSHIP OF THE PARTIES

The Service User (Controller) subscribes to the IsoStock service and appoints Gillett Limited as a Processor to process Personal Data only on the Controller’s documented instructions, and in accordance with:

Each party shall comply with the obligations that apply to them under Data Protection Law.

CONFIDENTIALITY OF PROCESSING

The Processor shall ensure that all personnel authorised to process Personal Data are subject to confidentiality obligations consistent with those set out in the IsoStock Terms and Conditions and are bound by a duty of confidence.

SECURITY

The Processor shall implement appropriate technical and organisational measures to protect Personal Data against:

  • accidental or unlawful destruction,
  • loss, alteration, unauthorised disclosure of, or access to Personal Data (Security Incident).

The Processor maintains an internal Information Security Management System (ISMS) to manage its security obligations.

SUBCONTRACTING

The Processor does not engage third-party sub-processors to process Personal Data. If a sub-processor is engaged in the future, the Processor will:

  • inform the Controller in advance,
  • impose data protection terms on the sub-processor equivalent to those in this Addendum, ensuring compliance with Data Protection Law.

COOPERATION AND DATA SUBJECTS' RIGHTS

The Processor shall provide reasonable and timely assistance to the Controller to enable the Controller to:

(i) respond to requests from Data Subjects to exercise their rights under Data Protection Law, and

(ii) respond to any correspondence, enquiry or complaint from a Data Subject, regulator, or third party in relation to the Processing of Personal Data.

DATA PROTECTION IMPACT ASSESSMENT

If the Processor believes or becomes aware that its processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, it shall inform the Controller and assist in any required Data Protection Impact Assessment (DPIA).

SECURITY INCIDENTS

In the event of a confirmed Security Incident, the Processor shall:

  • inform the Controller without undue delay,
  • provide reasonable cooperation and information to support the Controller in meeting any data breach notification obligations under Data Protection Law, and
  • take necessary actions to mitigate the impact of the breach and keep the Controller informed of developments.

AUDIT

The Processor shall submit to audits and inspections and provide the Controller with the necessary information to demonstrate compliance with Article 28 of the UK GDPR.

SUMMARY OF DATA PROCESSING

Subject Matter

The processing of Personal Data entered into the IsoStock service by the Controller relating to employees, workers, and limited patient identifiers.

Duration

As defined in the "Retention of Data" section of the IsoStock Privacy and Consent Statement.

Nature and purpose of processing personal data

The nature and purpose of processing personal data is to enable the functionality of the iRota service.

Types of Personal Data involved

As described in the "Information Held within IsoStock" section of the IsoStock Privacy and Consent Statement.

This includes:

  • Staff details
  • Special category data limited to:
      • Patient name
      • Patient identifier
      • Investigation/therapy
      • Radionuclide administered

We don’t store clinical indications for investigations, results or diagnoses.

Categories of Data Subjects

  • Employees of the Controller
  • Patients of the Controller
  • Students affiliated with the Controller

SPECIAL CATEGORY DATA AND APPROPRIATE POLICY DOCUMENT (APD)

In accordance with Schedule 1, Part 4 of the Data Protection Act 2018, this section constitutes the Appropriate Policy Document (APD) for the processing of special category personal data (SC data) carried out by the Processor on behalf of the Controller via the IsoStock service.

Accountability

  • The Processor maintains internal documentation of processing activities, including its obligations under Article 30 of the UK GDPR.
  • Internal data protection and security policies are in place and regularly reviewed.
  • The Processor supports DPIAs as required by the Controller.

Principle (a): Lawfulness, Fairness and Transparency

  • The Controller ensures a lawful basis and Schedule 1 condition is identified.
  • The Processor processes SC data only to provide the IsoStock service and in accordance with the IsoStock Privacy and Consent Statement.
  • No deceptive or misleading methods are used.

Principle (b): Purpose Limitation

  • Processing is restricted to the specific purposes outlined in the relevant privacy documentation for the IsoStock service used by the Controller.
  • Data is not reused for other purposes unless legally required or with explicit instruction.

Principle (c): Data Minimisation

  • Only data strictly necessary for defined purposes is processed.
  • SC data is reviewed periodically and removed when the IsoStock service ceases to be used.

Principle (d): Accuracy

  • The Controller ensures reasonable accuracy of SC data, records data sources, and the Processor will support the Controller in managing data updates and rectification.

Principle (e): Storage Limitation

  • Retention periods are defined by the Controller, who continues or ceases to use the IsoStock service, and are followed by the Processor.
  • SC data is securely deleted or anonymised when no longer needed, unless lawfully required for longer retention.

Principle (f): Integrity and Confidentiality

  • The Processor maintains an ISMS and regularly assesses risks associated with SC data.
  • Appropriate security measures, including access control and encryption, are applied and reviewed.

Review of this Policy

This policy is reviewed at least annually and updated as necessary.