Overview
This Data Processing Agreement ("DPA") forms part of the agreement between Lola Dispatch (operated by Lola Health Ltd, the "Processor") and the Client (the "Controller") for the provision of phlebotomy booking and management services. This DPA is entered into in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Definitions
- Controller: The Client organisation that determines the purposes and means of processing personal data through the Lola Dispatch platform.
- Processor: Lola Dispatch (Lola Health Ltd), which processes personal data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person, as defined under UK GDPR Article 4(1).
- Special Category Data: Personal data revealing racial or ethnic origin, health data, or other categories defined under UK GDPR Article 9. In the context of Lola Dispatch, this includes health information such as blood test types and medical requirements.
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
- Data Subject: The individual whose personal data is being processed (e.g., patients, phlebotomists).
2. Scope of Processing
Lola Dispatch processes personal data on behalf of Clients (the Controller). Lola Dispatch acts as a data processor when handling personal data submitted by Clients for the purposes of appointment scheduling and phlebotomy service delivery.
The Processor shall only process personal data in accordance with the Controller's documented instructions, unless required to do so by applicable law.
3. Categories of Data Processed
The following categories of personal data are processed through the Lola Dispatch platform:
Patient Data
- Patient names and contact details (phone number, email address)
- Home addresses and appointment locations
- Appointment date, time, and scheduling preferences
- Health information including blood test types and special requirements
- Special instructions for appointments (e.g., access codes, mobility notes)
Phlebotomist Data
- Name, contact details, and professional qualifications
- DBS certificate details and verification status
- Location data during active appointments (for ETA and tracking)
- Performance and completion records
4. Processing Purposes
Personal data is processed for the following purposes:
- Appointment scheduling: Creating, managing, and fulfilling blood collection appointments
- Phlebotomist matching and assignment: Matching qualified phlebotomists to appointments based on location, availability, and qualifications
- Real-time tracking: Providing location-based ETA updates and appointment status notifications
- Invoicing and billing: Generating invoices and processing payments for completed services
- Compliance and audit logging: Maintaining records required for healthcare regulatory compliance and audit purposes
5. Security Measures
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption at rest and in transit: All data encrypted using TLS 1.2+ in transit and AES-256 at rest
- Access controls: Role-based access control (RBAC) with principle of least privilege
- Audit logging: Comprehensive logging of all data access and modifications
- Regular security reviews: Periodic vulnerability assessments and security audits
- Incident response procedures: Documented procedures for identifying, containing, and reporting security incidents
- Secure authentication: Password hashing with bcrypt, JWT-based session management, and support for multi-factor authentication
- Data segregation: Client data is logically separated to prevent unauthorised cross-access
6. Sub-processors
The Processor engages the following sub-processors for the delivery of services. The Controller is deemed to have given general written authorisation for the use of these sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and data storage | EU (Frankfurt) / UK |
| Stripe | Payment processing | UK / US (PCI DSS compliant) |
| Resend | Transactional email delivery | US (UK adequacy decision) |
The Processor shall notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object to such changes.
7. Data Retention
The Processor retains personal data in accordance with the following schedule:
- Active data: Retained while the Client's account remains active and for the duration of the service agreement
- Completed job data: Retained for 7 years in accordance with NHS record-keeping requirements and HMRC financial record obligations
- Deleted data: Purged from all systems within 30 days of a deletion request, except where retention is required by law
- Backup data: Removed from backup systems within 90 days of deletion from primary systems
8. Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under UK GDPR, including:
- Right of Access: Providing copies of personal data held about the data subject
- Right to Rectification: Correcting inaccurate or incomplete personal data
- Right to Erasure: Deleting personal data where no lawful basis for retention exists
- Right to Portability: Providing data in a structured, machine-readable format
- Right to Restriction: Limiting processing of personal data in specified circumstances
- Right to Object: Objecting to processing based on legitimate interests or direct marketing
The Processor shall respond to the Controller's assistance requests within 5 business days to enable the Controller to meet the 30-day statutory response deadline.
9. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33
- Provide sufficient information to enable the Controller to fulfil its own breach notification obligations to the ICO and affected data subjects
- Document the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach
- Co-operate with the Controller and take reasonable steps to mitigate the effects of the breach
10. International Transfers
Personal data is primarily processed within the UK and EEA. Where transfers to countries outside the UK/EEA are necessary (e.g., for sub-processor services), the Processor ensures that:
- Transfers are made to countries covered by a UK adequacy decision
- Appropriate safeguards are in place, such as the International Data Transfer Agreement (IDTA) or Standard Contractual Clauses
- Sub-processors are certified under applicable data protection frameworks
11. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audit requests shall be made with reasonable notice (minimum 30 days) and conducted during normal business hours. The Processor may charge reasonable fees for time spent assisting with audits beyond the initial annual audit.
12. Termination
Upon termination of the service agreement, the Processor shall, at the Controller's choice:
- Return all personal data to the Controller in a structured, commonly used format
- Delete all personal data and certify deletion in writing
Except where retention is required by applicable law, all personal data shall be deleted or returned within 30 days of termination.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
For any questions regarding this Data Processing Agreement or data protection matters: