Controller/Processor Contract

Controller – Clinician
Processor – Invivo Clinical Ltd

This contract sets out, in accordance with the General Data Protection Regulation, the terms upon which Invivo Clinical Ltd. (the Processor) carries out its duties as a Processor on behalf of their registered practitioners (the Controller):

  • the subject matter and duration of the processing;
    laboratory diagnostics services, clinical education and nutraceutical supply. Duration is until service is complete.
  • the nature and purpose of the processing; laboratory diagnostics services, clinical education and nutraceutical supply.
  • the type of personal data and categories of data subject;
    Patient name, address, date of birth, email, phone number and medical information supplied.
  • the obligations and rights of the Controller: make patients aware that they are passing on name and address to Invivo Clinical Ltd in order to provide services as above, who may pass such data onto their third-party laboratory as required in order to provide the service. These third parties can be viewed in our Privacy Policy.


The Processor hereby agrees to:

  • only act on the written instructions of the Controller;
  • ensure that people processing the data are subject to a duty of confidence;
  • take appropriate measures to ensure the security of processing;
  • only engage sub-processors with the prior consent of the Controller and under a written contract;
  • assist the Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • assist the Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • delete or return all personal data to the Controller as requested at the end of the contract;
  • submit to audits and inspections, provide the Controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the Controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

For any queries relating to this contract, please contact us on 0333 241 2997 or by emailing

We keep our privacy notice under regular review. This notice was last updated on 16th July 2019.