Controller/Processor Contract


“Our mission is to ensure that privacy lives at the very heart of our business; that we build and maintain trust and confidence with our customers, internal team and all stakeholders. We strive to ensure that all in our company understand our commitment to keep personal data safe and secure, comply with all relevant data protection regulations and respect the rights of our data subjects whoever they may be.”
Invivo Healthcare Privacy Mission Statement

Data Sharing Agreement

Controller – Healthcare Provider
Processor – Invivo Clinical Ltd T/A Invivo Healthcare

This contract sets out, in accordance with the UK General Data Protection Regulation, the terms upon which Invivo Clinical Ltd T/A Invivo Healthcare (the Processor) carries out its duties as a Processor on behalf of our registered Healthcare Provider(s) (the Controller(s)).

  • The subject matter and duration of the processing;
    Laboratory testing services, clinical education and nutraceutical supply. Duration of processing is as long as needed to complete the service.
  • The nature and purpose of the processing;
    Laboratory testing services, clinical education and nutraceutical supply.
  • The type of personal data and categories of data subject;
    Patient name, address, date of birth, email, phone number and additional medical/health data as required for the purposes of the processing.
  • The obligations and rights of the Controller;
    Controllers should make clients aware that their data will be passed onto Invivo Clinical Ltd to provide the services as set out above, who may pass their data onto other third party service providers such as laboratories or couriers as required in order to complete the service.

The Processor hereby agrees to:

  • Act strictly on written or verbal instruction of the Controller;
  • Ensure that people processing the data are subject to a duty of confidentiality;
  • Take appropriate measures to ensure the security of processing;
  • Only engage sub-processors with the prior consent of the Controller and under a written contract;
  • Assist the Controller in Data Subject Access Requests, and providing access to Data Subjects who wish to exercise their rights under the UKGDPR;
  • Assist the Controller in meeting it’s UKGDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • Delete or return all personal data to the Controller at the end of the contract, or as requested and;
  • Submit to audits and inspections, provide the Controller with any information needed to ensure they are meeting their obligations under Article 28 and tell the Controller immediately if it is asked to do anything that may infringe the UKGDPR or other Data Protection law of the UK, EU or other member state.

Data Subject Rights

As the Processor, Invivo will abide by its duty to assist the Controller with any Data Subject Access Request, or other Data Subject Rights under the UKGDPR.

Where a client (Data Subject) requests their information directly from Invivo, it is our responsibility to first report this to the Controller and allow adequate time for the Controller to action the request.

Invivo will notify the Controller of the Data Subject(s) Request(s) and allow 3 business days for a response before taking any further action. All requests shall be made in writing to ensure traceability.

If the Controller asks that Invivo does not action the request of the Data Subject, the Data Subject must contact the Controller directly. Invivo will not proceed with the request until further instruction from the Controller is received.

If the Controller gives permission for Invivo to proceed, Invivo will action the request of the Data Subject within 2-5 business days of the permission being granted in writing.

If the Controller does not respond to Invivo’s notification within 3 business days, Invivo will action the request within their remit, and notify the Controller of their actions in writing.

We keep our privacy notice under regular review. This notice was last updated on 21st April 2023.