/
PKB Third Party Data Processing Agreement

Patients Know Best Resource Hub | Deploy | Developer | Trust Centre | Manual | Research | Education | Release Notes

PKB Third Party Data Processing Agreement

DATED: 2026

 

Patients Know Best, 

of St John's Innovation Centre, Cowley Road, Milton, Cambridge, CB4 0WS.

–and –

    Third Party Organisation

Insert Registered Address

_______________________________________

DATA PROCESSING AGREEMENT

_______________________________________

INDEX

Part 1 – Definitions and clauses 

Part 2 – Data Processing specific clauses

Part 3 - Further Contractual Clauses including

Schedules – Applicable to all scenarios

 

Private and Confidential Third-Party-DPA v1.0 January 2026

 

PART 1 - DEFINITIONS AND CLAUSES

This Agreement is dated [00 Month ] 2026.

  1. PARTIES

  2. Patients Know Best (“PKB”); and

  3. [Third Party], with its registered office at [Address] (“Third Party”); each a “Party” and together the “Parties”. 

 

  1. BACKGROUND

  2. This Agreement sets out the terms under which the Third Party may access PKB Data based on the Patient’s explicit instruction to share such data (“Patient Preference”).

 

  1. PKB operates a patient-held record platform enabling patients to manage and share their health information.

 

  1. Data received by PKB from the Third Party forms a category of data within the Patient Record (referred to herein as Third Party Data), for which PKB is a Processor.

 

  1. Patient-entered data forms the Patient Account, for which PKB is a Controller with the Third Party.

 

  1. When the Third Party accesses Patient Account data, PKB and the Third Party act as Independent Controllers in respect of those processing activities.

 

  1. PKB may, under the Commercial Contract, present opportunities for patients to participate in Third Party services or activities.

 

  1. DEFINITIONS AND INTERPRETATION

 

  1. Unless specifically provided for in this Agreement, the following terms shall have the following meanings: 

 

“Agreed Purposes”

has the meaning given in clause 6;

“Commencement Date”

has the meaning given in clause 4.1;

“Controller”, “Joint Controllers”, “Personal Data”, “Personal Data Breach”, “Processing” (including “Process” and “Processed”), and “Special Categories of Personal Data” 

have the meaning given in the DPA 2018;

“Commercial Contract”

means the commercial arrangement between the Parties under which the PKB Platform is made available to the Third Party;

“Data Protection Law”

means, for the periods in which they are in force in the United Kingdom, the DPA 2018, the GDPR, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to Processing of Personal Data and privacy;

“Data Subject” or “Patient”

means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person in any PKB Data;

“Data Subject Access Request”

means a request from a Data Subject under Data Protection Law in respect of PKB Data;

“DPA 2018”

means the Data Protection Act 2018;

“GDPR”, “UK GDPR”

 

means the General Data Protection Regulation (Regulation (EU) 2016/679) and the GDPR as implemented into UK law by the DPA 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419);

“Patient Account”

means Personal Data entered by a patient into PKB;

“Patient Preference”

means the patient’s explicit instruction within PKB to allow the Third Party to access selected PKB Data; this is not UK GDPR consent.

"Patient Record"

means data received by PKB from the Third Party;

  “PKB data”

means all personal data held on the PKB platform, both patient Record and Patient Account;

“Services”, “Platform”, “Solution”

means the PKB software and architecture, infrastructure and operations;

 

“Third Party Consent”:

means consent collected by the Third Party directly from the patient for the Third Party’s own purposes; PKB has no role in this;

“Third Party Communication”

has the meaning given in clause 18.3;

  1. Interpretation:

    1. Clause and Schedule headings do not affect interpretation.

    2. Reference to a person includes natural and legal persons.

    3. Schedules form part of this Agreement.

    4. Singular includes plural and vice-versa.

    5. References to statutes include amendments and re-enactments.

    6. “Including” means “including without limitation.”

 

  1. In the event of conflict:

    1. The main body of this Agreement prevails over the Schedules unless expressly stated otherwise.

 

  1. SCOPE AND APPLICATION                                                                                                                 

    1. This Agreement governs the Processing of PKB Data on or through the PKB Platform.

    2. It prevails over the Commercial Contract and any previous agreements regarding PKB Data.

    3. When PKB Data is accessed by the Third Party, the Third Party acts as an independent Controller.

  2. COMMENCEMENT AND DURATION

    1. This Agreement commences on the date stated at its head (“Commencement Date”).

    2. It continues for the duration of the Commercial Contract unless terminated earlier under clause 19.

    3. Clauses that must continue after termination (including clauses 13, 14, 18, 20, 21, 28 and Schedules 1 and 2) survive termination.

  3. TRANSPARENCY AND REGULATORY ENGAGEMENT

    1. Each Party is responsible for regulatory compliance and transparency for the processing activities for which it is Controller.

    2. Each Party shall ensure its transparency information does not contradict or mislead patients and shall notify the other Party of material changes at least 14 days in advance.

    3. The Parties may cooperate on transparency materials relating to the Agreed Purposes but are not obliged to conduct wider engagement beyond legal requirements.

  4. AGREED PURPOSES

    1. The Parties agree that PKB Data may be Processed for the following purposes:

      1. Facilitating patient access to, and addition of data into, their PKB record;

      2. Enabling patient choice over which organisations—including the Third Party—may access their PKB record;

      3. Displaying Third Party banners or opportunities to patients via PKB;

      4. Processing Third Party data incorporated into the Patient Record where PKB acts as Processor;

      5. Maintaining and securing the PKB Platform and all PKB Data.

 

PART 2 – DATA PROCESSING SPECIFIC CLAUSES

  1. ROLES AND DATA FLOWS

    1. PKB Processes PKB Data as:

      1. Processor for Third Party data;

      2. Controller for Patient Account data;

      3. Independent Controller for platform operations.

    2. Roles and data flows are detailed in Schedule 1.

  2. THIRD PARTY OBLIGATIONS

    1. The Third Party shall access and use PKB Data strictly in accordance with the Patient’s Preference.

    2. The Third Party is solely responsible for obtaining and managing any Third Party Consent required for its own purposes; PKB has no responsibility for such consent.

    3. The Third Party shall:

      1. Provide transparency to patients consistent with Data Protection Law;

      2. Access only the minimum PKB Data necessary;

      3. Ensure security appropriate to the risks.

    4. The Third Party shall not subcontract access or use of PKB Data without PKB’s prior written consent.

    5. The Third Party shall not further disclose or onward share PKB Data unless required by law or where the patient has provided a valid UK GDPR‑compliant consent for such disclosure. The Third Party shall document and maintain evidence of any such consent.

  3. PKB RESPONSIBILITIES

    1. PKB’s roles as Controller and Processor are those defined in clause 7 and Schedule 1.

    2. PKB shall maintain a designated Data Protection Officer.

    3. PKB shall comply with Data Protection Law in all Processing for which it is Controller or Processor.

  4. PROCESSOR TERMS

    1. PKB shall Process Third Party-controlled Personal Data only on documented instructions from the Third Party unless legally required otherwise.

    2. PKB shall notify the Third Party if an instruction appears unlawful.

    3. PKB shall implement the Technical and Organisational Measures in Schedule 2.

    4. PKB shall assist the Third Party with:

      1. DPIAs;

      2. Data Subject rights;

      3. Breach Notifications.

    5. PKB shall make available to the Third Party all information necessary to demonstrate compliance with Article 28 of the UK GDPR and shall allow for and contribute to audits or inspections conducted by the Third Party or an auditor mandated by the Third Party, provided that such audits do not compromise PKB’s platform security, confidentiality of other customers’ data, or system integrity.

    6. PKB shall ensure that all staff, contractors, and persons authorised to process Third Party Personal Data are subject to enforceable confidentiality obligations under contract or statute.

    7. PKB shall not process Third Party Personal Data for any purpose other than the provision of PKB services to the Third Party and shall not determine purposes or means in respect of such data.

  5. OTHER CONTROLLING PROCESSING

    1. PKB Processes certain PKB Data as an independent Controller for platform operations, including:

      1. Logging for security and audit;

      2. Pseudonymised feasibility and system performance analytics.

 

  1. INTERNATIONAL DATA TRANSFERS

    1. PKB shall not transfer Personal Data outside the UK, EEA, or an adequate country except:

      1. Where expressly instructed by the Third Party; and

      2. where necessary for PKB to perform its Processor activities listed in Schedule 1.

    2. Where PKB is instructed to make such a transfer, the Third Party warrants that it has:

      1. Determined the appropriate transfer mechanism;

      2. Executed and maintains that mechanism;

      3. Conducted a documented Transfer Risk Assessment.

  2. DATA SUBJECTS RIGHTS AND WITHDRAWAL

    1. The Third Party is responsible for managing withdrawals of Third Party Consent and informing PKB where this affects PKB’s Processing.

    2. Where a Party receives a Data Subject rights request relating to data for which the other Party is Controller it shall forward the request within two business days.

    3. Where a patient submits a request for data portability relating to processing activities for which the Parties act as independent Controllers, the Parties shall cooperate as necessary to ensure compliance with Article 20 UK GDPR, including the provision of structured, commonly used, machine‑readable data formats.

 

PART 3 - FURTHER CONTRACTUAL CLAUSES

  1. RECORDS

The Parties shall review this Agreement periodically to ensure compliance and maintain appropriate procedures for incident and breach management.

  1. WARRANTIES AND NOTIFICATIONS

    1. Each Party warrants it has authority to enter into this Agreement and will comply with Data Protection Law.

    2. Each Party shall notify the other within five business days of any regulatory communication or third-party request relating to PKB Data.

  2. LIMITATION AND LIABILITY

    1. Each Party is liable only for the Processing activities for which it is Controller or Processor under Data Protection Law.

    2. Liability is limited to direct losses arising from breaches of this Agreement or negligence.

  3. TERMINATION

    1. Either Party may terminate this Agreement immediately upon:

      1. A material breach;

      2. Insolvency of the other Party;

      3. A change of control.

    2. This Agreement terminates automatically when the Commercial Contract terminates.

  4. CONSEQUENCES OF TERMINATION

    1. For Processor data, PKB shall delete or return all Third Party Personal Data within 30 days unless legally required to retain it.

    2. PKB shall retain Patient Account data in accordance with PKB’s Controller obligations.

  5. FORCE MAJEURE

    1. A Party is not liable for delays caused by events outside its reasonable control.

    2. If such an event continues for more than 90 days, either Party may terminate.

  6. ASSIGNMENT

Neither Party may assign this Agreement without written consent except to affiliates or group companies under common control.

  1. VARIATION, NOTICES, SEVERANCE, RELATIONSHIP

    1. Variations require a written agreement.

    2. Notices must be in writing and sent to the registered address.

    3. Invalid provisions are severed; the remainder stays in effect.

    4. The Parties are independent contractors.

  2. RIGHTS AND REMEDIES; WAIVER; COUNTERPARTS; THIRD PARTY RIGHTS

    1. Rights are cumulative.

    2. Failure to enforce a right is not a waiver.

    3. This Agreement may be executed in counterparts.

    4. No third party has rights under the Contracts (Rights of Third Parties) Act 1999.

  3. FURTHER ASSURANCE AND COSTS

    1. Each Party shall take necessary steps to give effect to this Agreement.

    2. Each Party bears its own costs.

  4. ENTIRE AGREEMENT

This Agreement supersedes all prior agreements concerning the Processing of PKB Data.

  1. GOVERNING LAW AND DISPUTE RESOLUTION

    1. This Agreement is governed by English law.

    2. Disputes are resolved per the escalation procedure in the Commercial Contract.

  2. SURVIVAL

Clauses relating to confidentiality, liability, retention, audit, and Schedules 1 and 2 survive termination.

 

  1. SCHEDULE 1: DATA PROCESSING PARTICULARS

    1. Personal Data to be Processed

      1. This Schedule describes the types of PKB Data that may be Processed under this Agreement. The Parties may agree to amend the descriptions in this clause at any time with the approval of the Parties.

      2. For clarity, PKB Data Processed under this Agreement shall be subject to the data minimisation measures described in clause 9.3.2, 

    2. Providers applying data minimisation measures prior to sharing any data with PKB; and 

    3. the Parties continuing to review the data minimisation measures to ensure the minimisation of Personal Data within PKB Data as may be required by Data Protection Law.

      1. PKB Data to be Processed under this Agreement may include data from the following sources: 

 

Providers Electronic Patient Record (structured coded data only)

Patient Inputted Data

Third Party Partners and Integrations (for purposes of care provision)

 

  1. The inclusion of personal data of any natural person under the age of 13 should be considered on a case by case basis.

 

SCHEDULE 2A: PROCESSING OPERATION A

MAINTAINING THE PATIENT ACCOUNT

Processing Operation: The storage, security, availability, and management of data entered directly by the Patient (Patient-Contributed Data) and PKB’s associated audit logs.

Performed by: PKB

Classification of Parties: PKB – Sole Controller

Lawful Bases for Processing: Article 6(1)(f) and Article 9(2)(h)

Data Subject Rights Fulfilment:

 

Right to be informed

PKB provides transparency via its Privacy Notice and User Agreement.

Right to Access/Portability

PKB provides the platform for the individual to directly access and export this data in a readable and clear format (Access) and structure (Portability) via the PKB interface.

Right to Correction

PKB enables the individual to directly correct or update their Patient-Contributed Data via the PKB interface.

Right to Restriction

The right to request restriction of processing applies. PKB is responsible for implementing technical measures to restrict the processing of data upon instruction where legally required.

Right to Erasure/Objection

The right to erasure is restricted. PKB will honour deletion requests for data that has not been shared. Data that has been shared or is required for PKB's audit trails will be retained based on its necessary retention schedule. 

ADM/Profiling

Automated Decision Making (ADM) and profiling resulting in legal or significant effect are not performed under this operation.

 

SCHEDULE 2B: PROCESSING OPERATION B

DISPLAYING THIRD PARTY OPPORTUNITIES (Screening/Banners)

 

Processing Operation: Internal screening of PKB Data against Third Party inclusion/exclusion criteria for the purpose of displaying a specific opportunity/banner to a suitable data subject.

Performed by: PKB

Classification of Parties: PKB - Independent Controller

Lawful Bases for Processing: Article 6(1)(f) and Article 9(2)(h)

Data Subject Rights Fulfilment:

 

Right to be informed

PKB provides transparency about this screening process within its Privacy Notice and via in-banner explanations.

Right to Access/Portability

The individual has the right to access the eligibility criteria applied to their record, which will be provided upon formal Subject Access Request (SAR).

Right to Correction

The right to correction applies to the source data (Operation 2A), not the resulting audit log.

Right to Restriction

The right to restriction applies and PKB is responsible for implementing technical controls to comply with a lawful restriction request.

Right to Erasure/Objection

The technical logs recording this processing are retained for a minimum of twenty (20) years for regulatory defense purposes overriding the right to erasure for the log data.

ADM/Profiling

Automated Decision Making (ADM) resulting in legal or significant effect is not performed. The screening only determines the content displayed.

 

SCHEDULE 2C: PROCESSING OPERATION C

EXECUTING PATIENT-DIRECTED SHARING

Processing Operation: The technical enablement for the execution of the Patient’s Preference to share their PKB Record with the Third Party following the patient’s decision to engage.

 

Performed by: PKB (under patient instruction)

 

Classification of Parties: Third Party: Independent Controller (of received data)

 

Lawful Bases for Processing: PKB: This is a patient-initiated disclosure

 

Principles and Roles

 

  1. Legal Basis for Access: Access is enabled solely through Patient Preference, which is not UK GDPR consent; the Third Party must still have its own lawful basis.

  2. Data Protection Principles: The Third Party is solely responsible for meeting all controller obligations (Articles 5, 6, 9, 12–22, 25, 30, 32, 33–34) for the received data.

  3. PKB Responsibilities: PKB provides only the technical mechanism for access and does not determine purposes or means for the Third Party’s subsequent processing.

 

Data Subject Rights Fulfillment:

PKB Responsibilities

PKB fulfills rights requests (Access, Correction, Restriction) relating only to the sharing transaction log and its execution of the transfer.

Third Party Responsibilities

The Third Party is responsible for all subsequent rights fulfillment (Access, Erasure, Correction, Restriction, Portability) for the data once it has been received, as they are the Controller of that data copy.

ADM/Profiling

ADM and profiling are not performed by PKB during the technical execution of the transfer.

 

SCHEDULE 2D: PROCESSING OPERATION D

PROCESSING THIRD PARTY DATA IN THE PATIENT RECORD

Processing Operation: Storage, display, and availability of data sent from the Third Party to PKB.

 

Performed by: PKB

 

Classification of Parties: Third Party: Controller; PKB: Processor

 

Lawful Bases for Processing: Determined by the Third Party (PKB as processor does not determine lawful basis).

 

Data Subject Rights Fulfillment:

 

Rights Fulfillment

PKB shall provide full assistance to the Third Party to comply with all Data Subject rights requests (Access, Correction, Restriction, Portability, and Erasure) within required timescales.

Right to Erasure

PKB will only delete this data upon the documented instruction of the Third Party (the Controller).

ADM/Profiling

ADM and profiling are not performed by PKB in its capacity as Processor for this data.

 

SCHEDULE 2E: PROCESSING OPERATION E

SERVICE EVALUATION AND IMPROVEMENT

Processing Operation: Research and development using pseudonymised and aggregated PKB data to improve platform safety, reliability, and outcomes.

 

Performed by: PKB

 

Classification of Parties: PKB - Independent Controller

 

Lawful Bases for Processing: Article 6(1)(f) and Article 9(2)(h)

 

Data Subject Rights Fulfillment:

 

 

Right to be informed

PKB provides transparency about this activity via the Privacy Notice.

 

 

Right to Access/Correction

Since the datasets are pseudonymised and aggregated, the rights of access and correction must be fulfilled at the source record (Processing Operation 2A), not the derived dataset.

Right to Restriction

The right to restriction applies. PKB is responsible for ensuring that restricted source data is not subsequently used in ongoing processes.

Right to Erasure

The processing is limited to necessity. Any Personal Data used for this specific purpose will be destroyed in line with PKB’s necessary retention schedules once no longer required.

ADM/Profiling

ADM and profiling are not performed using this dataset.

 

  1. SCHEDULE 3 - TECHNICAL AND ORGANISATIONAL MEASURES

    1. INFORMATION SECURITY MANAGEMENT

      1. PKB shall maintain an information security management framework that is consistent with the NHS Data Security and Protection Toolkit (DSPT), ISO 27002, and any successor standards or equivalent recognised security controls. PKB shall ensure that technical and organisational measures are appropriate to the risks associated with the processing of PKB Data and Third Party Data.

      2. PKB shall implement a structured programme of risk assessment, mitigation, monitoring, and continuous improvement. This shall include:

        1. Routine assessment of threats, vulnerabilities, and control effectiveness;

        2. Documented risk treatment plans;