Third Party Data Processing Agreement

This document summarizes a third-party data processing agreement between a Controller and Processor. It outlines their respective obligations regarding the processing of personal data. The Processor can only process personal data according to the Controller's instructions, and must implement security measures and confidentiality agreements. Any data breaches or unauthorized data transfers must be reported immediately. Upon termination, the Processor must delete or return all personal data to the Controller.

Uploaded by

NNENNA NWAHIRI

THIRD PARTY DATA PROCESSING

This Third-Party Data Processing Agreement is made this …1st …… day of ………July …..
2022 and forms an integral part of the [Health Management Organisation (HMO) Agreement]
(hereinafter referred to as Principal Agreement) between ……………………… (hereinafter
referred to as “Controller”) and […………………..] (hereinafter referred to as “Processor”).
For the purposes of this Agreement (the “Agreement"), the Controller and the Processor are
hereinafter individually referred to as a "Party" and collectively as the "Parties".
WHEREAS
a) The Controller and Processor have entered into an Agreement for the provision of
[Healthcare and medical services] by the Processor to Controller.

b) Based on the above, certain Personal Data and information relating to an identified or
identifiable natural person (‘Data Subject’) collected by the Controller may be transferred to
the Processor for processing.

c) These Personal Data will be processed for purposes of providing the Services set out under
the Principal Agreement

d) This Agreement is intended to govern the transfer and processing of Personal Data of the
Data Subjects from the Controller to the Processor in line with the Nigerian Data Protection
Regulation, 2019 (NDPR).

The Parties hereby agree to the terms as reproduced below:

1. Definitions

“Agreement” means this Third-Party Data Processing Agreement and its Appendix

“Controller” means …………………………………

“Instruction” means any written instruction from the Controller to the Processor as
regards specific action pertaining to the personal data disclosed to the Processor.

“NDPR” means The Nigerian Data Protection Regulation, 2019.

“Principal Agreement” means the [Reference Agreement]

“Processor” means [……………………..]

“Services” means the services the Processor provides to the Controller under the
Principal Agreement.

“Sub Processor” means any third-party processor appointed by and on behalf of the
Processor in connection with this Agreement.

Data, Data Subject, Data Transfer, Personal Data, Personal Data Breach,
Processing, Third Party shall have the meaning attached to them in the NDPR.

2. Commencement and Durations

This Agreement shall commence from the date of its execution and shall be in force until
[30th April 2024]

3. Obligations of the Data Controller

The Data Controller provides assurance and warrants that–

3.1.1 the Personal Data of data subjects was collected and will be collected,
processed, stored, and transferred to the Processor in line with the provisions
of the NDPR.

3.1.2 It has applied the correct basis for the collection and processing of the
personal data of the data subjects.

3.1.3 It complied and will continue to comply with the provisions of the NDPR in the
discharge of its obligations under the NDPR.

4. Obligations of the Processor

4.1 The Processor shall ensure full compliance with the NDPR and other Data
Protection Laws in processing the Personal Data disclosed by the Controller or
collected on behalf of the Controller.

4.2 The Processor shall ensure that Personal Data is only processed and stored as
necessary for the purpose(s) specified in the Principal Agreement and under
Applicable Laws.

4.3 The Processor shall only process Personal Data in accordance with the
Controller's instruction and shall not make any independent decision in respect of
processing the provisions of personal data for any other purpose not specified in
the NDPR.

4.4 The personal data to be processed by the Processor on behalf of the Controller
shall remain the property of the Controller and/or the relevant data subjects.

4.5 The Processor shall keep and maintain a record of processing activities in line
with the Nigerian Data Protection Regulation, 2019.

4.6 The Processor shall process the personal data only on documented instructions
from the Controller including with regard to transfer of personal data to another
country or an international organization.

4.7 The Processor shall ensure that persons authorized to process the personal data
within its organization have committed themselves to confidentiality or are under
appropriate statutory obligation of confidentiality.

4.8 The Processor shall maintain adequate physical, technical, and administrative
security measures to safeguard and ensure the protection and security of all
personal data transferred and disclosed to it by the Controller from loss, misuse,
unauthorized access, alteration, accidental or unlawful destruction and
unauthorized disclosure. Such measures and safeguards may include but are not
limited to the following:

• developing organizational policies for handling Personal Data;
• protecting systems from hackers;
• setting up firewalls;
• storing Personal Data securely with access only to specific authorized
individuals strictly on a need to know or need to access basis;
• employing data encryption technologies;
• ensuring that Personal Data cannot be read, copied, modified or deleted
without a prior written consent of the Data Controller; and
• putting in place a proper data mapping system.

5. Types of Personal Data

The Personal Data transferred and/or to be transferred by the Controller to the
Processor under this Agreement are:

a. Registered employees’ names, date of birth, gender, telephone numbers, e-mail
addresses, locations etc.

b. Registered dependants of employees’ names, date of birth, gender, telephone
numbers, e-mail addresses, locations etc.

c. Medical records and information of registered employee

6. Confidentiality

6.1 The Processor will ensure that anyone who has access to the Personal Data
disclosed by the Controller is subject to a duty of confidentiality by putting in place
a confidentiality agreement or acceptable use policies. The undertaking to
confidentiality shall continue after the termination of this Agreement.

6.2 The confidential information must not be disclosed to a third party except:

a) the prior written consent of the Controller has been sought and obtained;
b) the disclosure is required by law; or
c) the relevant information is already in the public domain.

7. Personal Data Breaches

7.1 All suspected, actual, threatened or potential Data Breaches must be reported
immediately it is identified by the Processor to the Controller within 12 hours of its
occurrence and with sufficient information to allow the Controller meet any
required obligation to report to the Regulator or inform the Data Subjects of the
Personal Data Breach under the NDPR.

7.2 The Processor shall assist the Controller and take reasonable and diligent steps
as are directed by the Controller, in the investigation and take steps to manage,
mitigate and remediate the Personal Data Breach.

7.3 Examples of data privacy breaches include but are not limited to
a) transmission of Personal Data across borders without requisite consent or
approvals;
b) loss or theft of data or equipment on which data is stored;
c) accidentally sharing data with someone who does not have a right to access
the information;
d) inappropriate access controls allowing unauthorized use;
e) equipment failure;
f) human error resulting in data being shared with someone who does not have a
right to know; and
g) a hacking attack.

8. Deletion and Return of Personal Data

8.1 The Processor shall at the end of the data processing activities (termination of
the Agreement) or at the written request of the Controller promptly and in any
event within [ number of days] business days, delete all Personal Data in line
with the NDPR.

8.2 The Controller may require the Processor to return all Personal Data in its
possession to the Controller by secure file transfer or other means
communicated by the Controller.

8.3 The Processor shall within [30] days of the cessation of the Principal Agreement
provide written certification to Controller that it has complied with the provisions
of this Clause 5.

9. Data Transfer to Foreign Jurisdiction

9.1 The Processor may not transfer, disclose or authorize the transfer of Personal
Data within or outside Nigeria without the prior written consent of the Controller.

9.2 If Personal Data processed under this Agreement is transferred to a foreign
jurisdiction upon written consent of the Controller, the Processor shall ensure that
the Personal Data is adequately protected and the requirements set by the
NDPR, including obtaining the approval of the National Information Technology
Development Agency (NITDA) and the Attorney General of the Federation (where
required) are met.

9.3 Any transfer of Personal Data out of Nigeria not in accordance with the
provisions of the NDPR will be a breach of this Agreement and the Processor
shall indemnify the Controller for any loss, claim or damage suffered by the
Controller as a result of this breach in line with the terms and conditions of this
Agreement.

10. Subject Access Request

10.1 By virtue of the provisions of the NDPR, a Data Subject is entitled to request for
confirmation of his/her information held by the Controller through a subject access
request. Where a Data Subject makes a Data Subject Access Request to the
Processor, the Processor must within 5 working days of the receipt of such
request, notify the Controller of the request and obtain prior authorization of the
Controller before responding.

10.2 Where the Controller makes a Data Subject Access Request to the Processor, the
Processor shall within 5 working days take appropriate measures to respond to
the request or meet any required obligations.

10.3 In addition to the rights of Data Subjects to request for access to Personal Data
collected and stored by the Controller, the Data Subjects are also entitled to the
following rights:

a) Request for objection or restriction of processing of Personal Data.
b) Right to information on your data collected and stored.
c) Right to object to automated decision making and profiling.
d) Right to withdraw consent at any time.
e) Right to request rectification and modification of your data which we keep.
f) Right to request for deletion of your data.
g) Right to request the movement of data from us to a Third Party; this is the right
to the portability of data.

11. Audit

8.1 The Controller has the right to carry out an audit on the processing operations of
the Processor to determine the compliance level of the Processor with this
Agreement and the NDPR.

8.2 The Processor will be given 30 days’ written notice in advance for the audit.

8.3 The Processor undertakes to give the Controller the necessary support and
information during the audit or inspection, in particular, to demonstrate the
implementation of the organizational and technical measures put in place by the
Processor.

8.4 The Processor shall notify the Controller of any inability to disclose such
information, if precluded by any law or any other obligation under the NDPR.

8.5 Without prejudice to the right of the Controller to conduct an audit of the
Processor’s data processing activities, the Processor shall carry out its annual
data protection and compliance audit in line with the provisions of the NDPR.

12. Sub-Processor(s)

9.1 The Processor shall not transfer or disclose the Personal Data to a third-party Sub
Processor unless required and on the written authority of the Controller. This
obligation shall continue even upon termination/cessation of this Agreement.

9.2 Where the Processor engages a Sub-Processor with the written authority of the
Controller, the Processor will enter into a Data Protection Agreement with the
Sub-Processor that imposes on the sub-processor the same obligations that apply
to Processor under this Agreement.

9.3 The Processor shall ensure the Sub-Processor fulfills its data protection and
processing obligations. Provided always that the Processor will remain liable to
the Controller for all acts and or omissions of the Sub-Processors, as if those acts
or omissions were that of the Processor.

13. Liability and Indemnity

The Processor shall indemnify the Controller and hold the Controller, its Directors,
Employees, Officers and its affiliates harmless from all damages, penalties, claims, costs
(including without limitation attorney’s costs) and any third party claims arising from or in
connection with any breach of the provisions of this Agreement or the provisions of the
NDPR.

14. Severability

If any provision of this Agreement is declared by any judicial or other competent
authority to be void or otherwise unenforceable, that provision shall be severed from this
Agreement and the remaining provisions shall remain in force and effect.

15. Termination

15.1 In the event that either Party commits an action or omission that constitutes a breach of
the provisions of this Agreement, then the other Party shall be entitled to temporarily
suspend the transfer or processing of personal data (as the case may be) until the
breach is remedied or the Agreement is terminated.

15.2 Unless extended by mutual written Agreement of the Parties in line with the Agreement
herein, this Agreement shall immediately expire and terminate on the happening of any
of the following events, whichever shall occur first -
i. the Parties agree in writing to terminate the contract;

ii. any Party issues a one month notice of termination.

16. Governing Law and Dispute Resolution

This Agreement shall be governed by and construed in accordance with the laws and
regulations of the Federal Republic of Nigeria and the Nigerian Courts shall have
jurisdiction to hear and determine any dispute arising from this Agreement.

IN WITNESS WHEREOF, the Parties have entered into this Agreement the day and year first
above written.

Signed and Delivered by the within named Controller, ……………………………

Signature:

Name: ________________________________

Title:

Date:

Signed and Delivered by the within named Processor …………………………..

Signature:

Name:

Title:

Date:
