This Data Processing Agreement ("Agreement") forms part of the Terms & Conditions between GP Ratings and the GP Practice using the GP Ratings platform.
This Agreement governs the processing of personal data by GP Ratings on behalf of GP Practices and ensures compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Controller means the GP Practice that determines the purposes and means of processing personal data.
Processor means GP Ratings, which processes personal data on behalf of the GP Practice.
Personal Data means any information relating to an identified or identifiable individual.
Processing means any operation performed on personal data including collection, storage, analysis, or deletion.
Applicable Data Protection Law refers to the UK GDPR, Data Protection Act 2018, and any related legislation.
The GP Practice acts as the Data Controller and determines the purposes for which personal data is processed.
GP Ratings acts as a Data Processor and processes personal data only on documented instructions from the GP Practice.
GP Ratings provides a platform that allows GP Practices to analyse patient feedback, monitor patient experience insights, and generate reports related to service quality.
Processing activities may include the storage, aggregation, analysis, and presentation of feedback data through the GP Ratings dashboard.
The types of personal data processed may include:
GP Ratings does not request or intentionally process clinical records or sensitive medical information.
GP Ratings agrees to:
GP Ratings implements technical and organisational safeguards designed to protect personal data. These measures may include:
GP Ratings may engage trusted third-party service providers to assist with hosting, infrastructure, analytics, or platform operations.
Where subprocessors are used, GP Ratings will ensure that they are subject to appropriate contractual obligations that meet the requirements of UK GDPR.
GP Ratings will ensure that any transfer of personal data outside the United Kingdom complies with applicable data protection laws and that appropriate safeguards are in place.
Where a data subject exercises their rights under UK GDPR, GP Ratings will assist the GP Practice where reasonably necessary in responding to such requests.
This may include requests for access, rectification, restriction, or deletion of personal data.
GP Ratings will notify the GP Practice without undue delay after becoming aware of a personal data breach that affects personal data processed on behalf of the GP Practice.
GP Ratings will provide reasonable assistance in investigating and responding to the incident.
Upon termination of services, GP Ratings will delete or return personal data processed on behalf of the GP Practice unless retention is required by law.
Backup systems may retain limited data for security and recovery purposes for a limited period.
The GP Practice may request reasonable information to verify that GP Ratings complies with its data protection obligations under this Agreement.
This Agreement remains in effect for as long as GP Ratings processes personal data on behalf of the GP Practice.
This Agreement is governed by the laws of England and Wales.
If you have questions regarding this Data Processing Agreement, please contact GP Ratings support.