Data Processing Agreement.

The organisation is the controller of its staff's CPD data. KurdCPD is the processor and processes data only on documented instructions.

Processing is for the duration of the subscription and limited to delivering the KurdCPD service.

• Data subjects: the organisation's clinical and CPD-bearing staff.
• Data: identity, contact, professional registration, CPD records and uploaded evidence.

KurdCPD implements appropriate technical and organisational measures. See our Security Statement.

The organisation authorises the sub-processors listed here. KurdCPD will give notice of changes and offer a right to object.

Where transfers occur outside the UK, KurdCPD relies on UK adequacy regulations or the UK Addendum to the EU SCCs.

KurdCPD will notify the organisation without undue delay and in any event within 48 hours of becoming aware of a personal data breach.

KurdCPD will assist with DSARs, DPIAs and regulator queries. The organisation may audit compliance, on reasonable notice and at its cost.

On termination, KurdCPD will return or delete personal data within 30 days, save where retention is required by law.