
Data Processing Agreement - Ireland

This Data Processing Agreement (“Agreement”) is published by OneTouch Telecare Limited t/a OneTouch Health (“Data Processor”) and forms part of the Master Services Agreement or any other written agreement for the provision of services (“MSA”) entered into between OneTouch Health and the client entity that has executed the MSA (“Data Controller”).

By signing the MSA, the Data Controller agrees to be bound by the terms of this Agreement as published and maintained.

PARTIES

Data Controller:

The client entity that has executed the MSA with the Data Processor. For the avoidance of doubt, references in this Agreement to the “Data Controller” mean the contracting client identified in the MSA.

Data Processor:

OneTouch Telecare Limited t/a OneTouch Health, a company incorporated under the laws of the Republic of Ireland, having its registered office at Howley Square, Oranmore, County Galway, H91 XDC2, Ireland, with company registration number 543914. This company provides the following software services under this brand:

  • OneTouch Health
  • OneTouch Recruitment
  • OneTouch Staffing
  • OneTouch Learning

The Data Controller and Data Processor are hereinafter collectively referred to as the “Parties.”

THE PARTIES HEREBY AGREE AS FOLLOWS:

1. Subject matter of this Data Processing Agreement

1.1. The term EU GDPR shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.2. This Data Processing Agreement applies to the processing of personal data subject to EU GDPR in the scope of this agreement between the parties for the provision of rostering and care management software services (“services”) (hereinafter to be referred to as: the “Master Services Agreement”).

1.2.1. Any agreements noted in the Master Services Agreement that differ from this Data Processing Agreement shall take priority over the clauses noted in this Data Processing Agreement.

1.3. Any capitalised terms not otherwise defined in this Data Processing Agreement shall have the meaning given to them in the Master Services Agreement. Except as modified below, the terms of the Master Services Agreement shall remain in full force and effect. Other terms used in this Data Processing Agreement that have meanings ascribed to them in the EU GDPR, including but not limited to “Processing”, “Personal Data”, “Data Controller” and “Processor,” shall carry the meanings set forth under EU GDPR.

1.4. Insofar as the Data Processor will be processing Personal Data subject to EU GDPR on behalf of the Data Controller in the course of the performance of the Master Services Agreement with the Data Controller, the terms of this Data Processing Agreement shall apply. An overview of the categories of Personal Data, the categories of Data Subjects, and the nature and purposes for which the Personal Data are being processed is provided in Annex 1.

2. The Data Controller and the Data Processor

2.1. Subject to the provisions of the Master Services Agreement, to the extent that the Data Processor’s data processing activities are not adequately described in the Master Services Agreement, the Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Data Processor. The Data Processor will process the Personal Data only as set forth in Data Controller’s written instructions and no Personal Data will be processed unless explicitly instructed by Authorised Persons on behalf of the Controller.

2.2. The Data Processor will only process the Personal Data on documented instructions of the Data Controller to the extent that this is required for the provision of the Master Services Agreement. Should the Data Processor reasonably believe that a specific processing activity beyond the scope of the Data Controller’s instructions is required to comply with a legal obligation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal obligation and seek explicit authorisation from the Data Controller before undertaking such processing. The Data Processor shall never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. The Data Processor shall immediately notify the Data Controller if, in its opinion, any instruction infringes this Regulation or other Union or Member State data protection provisions. Such notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Data Controller, and such notification will not constitute legal advice to the Data Controller.

2.3. The Parties have entered into a Master Services Agreement in order to benefit from the capabilities of the Processor in securing and processing the Personal Data for the purposes set out in Annex 1. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this Data Processing Agreement, in particular the Data Controller’s written instructions. The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Master Services Agreement, and that one or more lawful bases set forth in EU GDPR support the lawfulness of the Processing. To the extent required by EU GDPR, the Data Controller is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in EU GDPR supports the lawfulness of the processing, that any necessary data subject consents to the Processing are obtained, and for ensuring that a record of such consents is maintained. Should such consent be revoked by a data subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and the Data Processor remains responsible for implementing Data Controller’s instruction with respect to the processing of that Personal Data.

3. Confidentiality

3.1. Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as confidential and it shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.

4. Security

4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include, at a minimum, the security measures agreed upon by the Parties in Annex 2.

4.2. Both the Data Controller and the Data Processor shall maintain written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies should include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the Personal Data, conducting appropriate background checks, requiring employees, vendors and others with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the Personal Data aware of information security risks presented by the Processing.

4.3. At the request of the Data Controller, the Data Processor shall demonstrate the measures it has taken pursuant to this Clause 4 and shall allow the Data Controller to audit and test such measures. Unless otherwise required by a Supervisory Authority of competent jurisdiction, the Data Controller shall be entitled on giving at least 30 days’ notice to the Data Processor to carry out, or have carried out by a third party who has entered into a confidentiality agreement with the Data Processor, audits of the Data Processor’s premises and operations as these relate to the Personal Data. The Data Processor shall cooperate with such audits carried out by or on behalf of the Data Controller and shall grant the Data Controller’s auditors reasonable access to any premises and devices involved with the Processing of the Personal Data. The Data Processor shall provide the Data Controller and/or the Data Controller’s auditors with access to any information relating to the Processing of the Personal Data as may be reasonably required by the Data Controller to ascertain the Data Processor’s compliance with this Data Processing Agreement, and/or to ascertain the Data Processor’s compliance with any approved code of conduct or approved certification mechanism referenced in Clause 4.4.

4.4. The Data Processor’s adherence to either an approved code of conduct or to an approved certification mechanism recognised under EU GDPR may be used as an element by which the Data Processor may demonstrate compliance with the requirements set out in Clause 4.1, provided that the requirements contained in Annex 2 are also addressed by such code of conduct or certification mechanism.

5. Improvements to Security

5.1. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Clause 4 on an on-going basis in order to maintain compliance with the requirements set out in Clause 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in EU GDPR or by data protection authorities of competent jurisdiction.

5.2. Where an amendment to the Master Services Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in EU GDPR from time to time, the Parties shall negotiate an amendment to the Master Services Agreement in good faith.

6. Data Transfers

6.1. The Data Processor shall promptly notify the Data Controller of any planned permanent or temporary transfers of Personal Data to a third country, including a country outside of the European Economic Area without an adequate level of protection, and shall only perform such a transfer after obtaining authorisation from the Data Controller, which may be refused at its own discretion. The Sub-processors Register provides a list of transfers for which the Data Controller grants its authorisation upon the conclusion of this Data Processing Agreement.

6.2. To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalise international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

7. Information Obligations and Incident Management

7.1. When the Data Processor becomes aware of an incident that has a material impact on the Processing of the Personal Data that is the subject of the Master Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.

7.2. The term “incident” used in Clause 7.1 shall be understood to mean in any case:

a) a complaint or a request with respect to the exercise of a data subject’s rights under EU GDPR;

b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;

c) any unauthorised or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;

d) any breach of the security and/or confidentiality as set out in Clauses 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;

e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.

7.3. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under EU GDPR, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller without undue delay after the Data Processor becomes aware of such an incident.

7.4. Any notifications made to the Data Controller pursuant to this Clause 7 shall be addressed through the available customer support channels or directly to the DPO, whose details are published alongside this agreement on the company website, and, in order to assist the Data Controller in fulfilling its obligations under EU GDPR, should contain:

a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;

c) a description of the likely consequences of the incident; and

d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.

8. Contracting with Sub-Processors

8.1. The Data Processor shall not subcontract any of its Service-related activities consisting (partly) of the processing of the Personal Data or requiring Personal Data to be processed by any third party without the prior written notification to an Authorised Person on behalf of the Data Controller.

8.2. The Data Controller authorises the Data Processor to engage the sub-processors listed in the Sub-processors Register for the service-related Data Processing activities described in Annex 1. Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes. If the Data Controller timely sends the Processor a written objection notice, setting forth a reasonable basis for objection, the Parties will make a good-faith effort to resolve Data Controller’s objection. In the absence of a resolution, the Data Processor will make commercially reasonable efforts to provide Data Controller with the same level of service described in the Master Services Agreement, without using the sub-processor to process Data Controller’s Personal Data. If the Data Processor’s efforts are not successful within a reasonable time, each Party may terminate the portion of the service which cannot be provided without the sub-processor, and the Data Controller will be entitled to a pro-rated refund of the applicable service fees.

8.3. Notwithstanding any authorisation by the Data Controller within the meaning of the preceding paragraph, the Data Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such sub-processor that fails to fulfil its data protection obligations.

8.4. The Data Processor shall ensure that the sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Data Processing Agreement, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of EU GDPR.

8.5. The Data Controller may request that the Data Processor audit a Third Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist customer in obtaining a third-party audit report concerning the Third Party Sub-processor’s operations) to ensure compliance with its obligations imposed by the Data Processor in conformity with this Agreement.

9. Returning or Destruction of Personal Data

9.1. Upon termination of this Data Processing Agreement, upon the Data Controller’s written request, or upon fulfilment of all purposes agreed in the context of the Master Services Agreement whereby no further processing is required, the Data Processor shall, at the discretion of the Data Controller, either delete, destroy or return all Personal Data to the Data Controller and destroy or return any existing copies.

9.2. The Data Processor shall notify all third parties supporting its own processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.

10. Assistance to Data Controller

10.1. The Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the EU GDPR.

10.2. Taking into account the nature of processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with obligations pursuant to Annex 3 (Security), as well as other Data Controller obligations under EU GDPR that are relevant to the Data Processing described in Annex 1, including notifications to a supervisory authority or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and with prior consultations with supervisory authorities.

10.3. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

11. Liability and Indemnity

11.1. Liability and Indemnity are governed by the terms agreed in the Master Services Agreement.

12. Duration and Termination

12.1. This Data Processing Agreement shall come into effect on the effective date of the Master Services Agreement.

12.2. Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its confidentiality obligations pursuant to Clause 3.

12.3. The Data Processor shall process Personal Data until the date of expiration or termination of the Master Services Agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on instruction of the Data Controller.

13. Miscellaneous

13.1. This Data Processing Agreement is governed by the laws of the Republic of Ireland. Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of the Republic of Ireland.

Annex 1: Details of Personal Data

Scope of the Data Processing:

One Touch Health provides a Care Delivery Management SaaS product to its clients, who in turn provide Care Services to its service users. The data processed by the Data Controller will include the Master Services Agreement Users’ personal data and may include health data.

Description of the Categories of Data Subjects:

The Data Subjects will be the Data Controller’s Employees, their Clients and in some cases, their Clients’ families/next of kin.

Types of Personal Data that will be processed:

| Category of Personal Data | Will be Processed? (Yes / No) |
|---|---|
| General Personal Data | Yes |
| Details of Criminal Offenses | Possible |
| Sensitive Personal Data / Special Categories of Personal Data: | |
| · Personal data revealing racial or ethnic origin | Possible |
| · Political opinions | No |
| · Religious or philosophical beliefs | Possible |
| · Trade union membership | No |
| · Genetic data and biometric data processed for the purpose of uniquely identifying a natural person | No |
| · Data concerning health | Yes |
| · Data concerning a natural person’s sex life or sexual orientation | Possible |

The subject matter and purpose of the Processing is the provision by the Data Processor of the Master Services Agreement, namely the rostering and care management software services pursuant to the Master Services Agreement.

Where marked ‘Possible’

If the Data Controller or its users upload information into the platform within care plans, care records or other notes that disclose the information, then in this case, it is processed. One Touch Health have no means to check, screen, prevent or otherwise know if such data has been uploaded into the system.

Nature and purpose of the Data Processing:

The nature of the Processing involves the collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, making available, restriction and erasure and destruction of Personal Data.

Annex 2: Security Measures

The Data Processor, as appropriate for the processing stated in Annex 1, shall:

  1. Implement and maintain an Information Security Management System certified to ISO 27001.
  2. Maintain certification to Cyber Essentials Plus.

At a minimum and in line with the requirements of the above certifications, the Data Processor shall:

  1. ensure that the Personal Data can be accessed only by authorised personnel for the purposes set forth in Annex 1 of this Data Processing Agreement;
  2. take all reasonable measures to prevent unauthorised access to the Personal Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;
  3. build in system and audit trails;
  4. use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection;
  5. account for all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorised or unlawful storage, processing, access or disclosure of Personal Data;
  6. ensure pseudonymisation and/or encryption of Personal Data, where appropriate;
  7. maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  8. maintain the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  9. implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data;
  10. monitor compliance on an ongoing basis;
  11. implement measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data Controller;
  12. provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.

Annex 3: AI Feature

Definitions

  • AI Feature refers to any artificial intelligence or machine learning-powered functionality made available within the Processor’s platform, including but not limited to document generation, summarisation, analysis, compliance support, and related capabilities.
  • AI Sub-Processor refers to any third-party provider used to deliver the AI Feature (e.g., OpenAI).

Optional Use of AI Feature

  • The AI Feature is optional and enabled solely at the discretion of the Controller. The Controller is responsible for determining whether to activate and use the AI Feature within the platform.
  • The AI Feature is disabled by default. No data is processed via AI unless and until the Controller explicitly enables the feature(s) within the platform.
  • By enabling the AI Feature, the Controller instructs the Processor to process relevant data via the AI Sub-Processor, solely for the purpose of delivering the selected functionality.

Data Categories and Processing Activities

The AI Feature may involve processing of the following categories of data:

  • Text-based content entered by the Controller or its users
  • Metadata associated with those inputs (e.g., time, location, user)

The AI Feature will analyse specific fields or content submitted via the platform to provide responses or feedback. The Processor will take reasonable steps to minimise the likelihood that personally identifiable information (PII) is included in data sent to the AI Sub-Processor. This includes restricting fields known to typically contain PII from being submitted to the AI Feature by default.

However, free-text fields such as case notes, care records, assessments, or other user-generated content may contain personal or special category data — including health information — if input by platform users. In such cases, the data may be pseudonymised rather than fully anonymised, meaning it could still be indirectly linked to an individual.

The Controller acknowledges and agrees that where its users include personal or special category data in content submitted to the AI Feature, the Controller remains solely responsible for ensuring that:

  • the processing of such data is lawful and in compliance with GDPR, UK GDPR, or other applicable data protection legislation
  • a valid legal basis (e.g. explicit consent or substantial public interest) has been established
  • appropriate safeguards (such as a Data Protection Impact Assessment) are implemented
  • users of the system under the Controller’s authority (e.g., employees, contractors) are informed of their obligations and receive appropriate training and guidance on use of the AI Feature.

This clause does not prohibit the processing of special category data, but reinforces that such use is enabled by the Controller’s choice and must be governed by appropriate internal controls, policies, and assessments.

Security and Confidentiality

  • The Processor shall implement appropriate technical and organisational measures to protect data submitted via the AI Feature.
  • The AI Feature shall not be used to process highly sensitive or confidential personal data unless explicitly agreed in writing.

Audit and Records

  • Use of the AI Feature shall be logged and monitored. Logs are available to the Controller upon request as part of its audit rights under the DPA.

Termination of AI Feature Use

  • The Controller may disable the AI Feature at any time, in which case no further data will be processed through the AI Sub-Processor.
  • If the Controller disables the AI Feature, any data previously submitted for processing will be retained only in accordance with existing platform data retention policies and will not be reused or reprocessed.