Initial version published: 27th February 2026
This Data Sharing Agreement is entered into between:
OWLSTONE MEDICAL LIMITED, a company incorporated and registered in England and Wales with company number 04955647 whose registered office is at 183 Cambridge Science Park, Milton Road, Cambridge, CB4 0GJ, United Kingdom (“Owlstone”, “us”, “our”); Owlstone comprises OMED Health, as the registered brand providing healthcare services to patients; and
YOU, a healthcare organisation or a registered healthcare professional with a legitimate interest in the provision and/or oversight of the medical care relating to the Relevant Patient (“you”, “your”), when you refer the Relevant Patient to OMED Health. “Relevant Patient” shall mean a patient registered with OMED Health as the end-user of our OMED Health products and services, who has consented to the sharing of their medical records with you.
You and Owlstone shall be referred to each as a “party” and together as “parties”.
Owlstone requires your acceptance of the terms set out in this Data Sharing Agreement (“DSA” or “Agreement”) to ensure that any personal data shared in relation to the Relevant Patient is adequately protected.
By clicking “I accept”, when registering your account with us or placing an order (on behalf of a patient), a legally binding agreement is formed between you and us incorporating the terms set out below.
AGREED TERMS
1. Interpretation
The following definitions and rules of interpretation apply in this Agreement.
1.1 Definitions:
Agreed Purpose: has the meaning given to it in clause 2 of this Agreement.
Agreement: this Data Sharing Agreement.
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
Commencement Date: means the date of your acceptance of this Agreement (recorded through our systems).
Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder); and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant data protection or supervisory authority and applicable to a party.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
Shared Personal Data: the Personal Data and Special Categories of Personal Data to be shared between the parties under clause 3 of this Agreement.
Special Categories of Personal Data: the categories of Personal Data set out in the Data Protection Legislation.
Subject Rights Request: the exercise by a data subject of their rights under the Data Protection Legislation.
Term: the duration of this Agreement subject to the provisions of clause 11.
1.2 Controller, Processor, Information Commissioner, Data Subject and Personal Data, Personal Data Breach, Processing and appropriate technical and organisational measures shall have the meanings given to them in the Data Protection Legislation.
2. Purpose
2.1 This Agreement sets out the framework for the sharing of Personal Data when either party, each acting as an independent Controller discloses Personal Data (“Discloser”) to the other party (“Data Receiver”). There may be circumstances when the parties are acting as Joint Controllers (“JC”), if they jointly determine any outcomes or medical care of the Relevant Patient. It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.
2.2 The parties consider this data sharing initiative necessary and proportionate in order to (i) support individuals with their immediate digestive health needs, (ii) enable individuals receive higher quality care by allowing you as their referring healthcare provider to view the Relevant Patient’s test results and diagnosis. This data sharing initiative is considered fair by the parties as it will benefit individuals, the parties and society at large for the aforementioned reasons, and not unduly infringe the Data Subjects’ fundamental rights and freedoms and interests.
2.3 The parties agree to only Process Shared Personal Data, as described in clauses 3.1 and 3.2 to (a) deliver to the Relevant Patient essential OMED Health equipment and any products purchased by or for them, (b) assist with or provide test results and diagnosis relating to their digestive health condition (“Agreed Purpose”). The parties shall not Process Shared Personal Data in a way that is incompatible with the Agreed Purpose, save that a party may retain a copy of the Shared Personal Data for its own regulatory or legal filings, in accordance with its data retention policy.
2.4 Each party shall appoint a single point of contact (“SPoC”) who will work together to reach an agreement with regards to any issues arising from the data sharing and to improve actively the effectiveness of the data sharing initiative.
3. Shared Personal Data
3.1 The following types of Personal Data will be shared between the parties during the Term of this Agreement:
(a) Identity data: patient’s first and last name, age;
(b) Contact data: postal address, email address.
3.2 Owlstone will enable sharing with you, via the Relevant Patient’s OMED Health mobile app, the following types of Special Categories of Personal Data, during the Term of this Agreement:
(a) hydrogen and methane gas concentrations measured on breath using the OMED Health Breath Analyzer;
(b) symptoms (such as information relating to their stool, and associated bodily symptoms);
(c) SIBO test results and diagnosis.
3.3 The Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.
4. Lawful, fair and transparent processing
4.1 Each party shall ensure that it Processes the Shared Personal Data fairly and lawfully in accordance with clause 4.2 during the Term of this Agreement.
4.2 Each party shall ensure that it has legitimate grounds under the Data Protection Legislation for the Processing of Shared Personal Data.
4.3 The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Subject Rights Requests within the time limits imposed by the Data Protection Legislation.
4.4 The Data Discloser shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their Personal Data, the legal basis for such purposes and such other information as is required by the Data Protection Legislation.
4.5 The Data Receiver undertakes to inform the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their Personal Data, the legal basis for such purposes and such other information as is required by the Data Protection Legislation.
5. Data quality
5.1 Subject to clause 5.3, the Data Discloser shall ensure that Shared Personal Data is accurate and that it has appropriate internal procedures in place for the Data Receiver to access the Shared Personal Data prior to the Commencement Date and it will update the same if required prior to transferring the Shared Personal Data.
5.2 Shared Personal Data must be limited to the Personal Data described in clause 3.1 and clause 3.2. of this Agreement.
5.3 The Data Receiver acknowledges and accepts that the Data Discloser is not able to control or influence data inputs provided by the Relevant Patient, and as such the Data Discloser does not accept any responsibility for the Data Receiver’s reliance on data provided by the Relevant Patient.
6. Data subjects’ rights
The SPoC for each party is responsible for maintaining a record of Subject Rights Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request. The SPoC for each party are detailed in clause 2.4.
7. Data retention and deletion
7.1 The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purpose, or earlier if Relevant Patient withdraws their consent. In the event that patient consent is withdrawn or modified in any way, the party in receipt of any such communication shall inform the other party without delay. Accordingly, if the Relevant Patient withdraws their consent to the sharing of Shared Personal Data with the Data Receiver, Data Discloser will cease all relevant data sharing as soon as practically possible following receipt of the consent withdrawal.
7.2 The Data Receiver shall ensure that any Shared Personal Data is returned to the Data Discloser or securely deleted in the following circumstances: (a) on termination of its involvement in this Agreement; (b) on expiry of the Term of this Agreement; or (c) once Processing of the Shared Personal Data is no longer necessary for the purposes it was originally shared for, as set out in clause 2.3.
7.3 Data Receiver shall notify the Data Discloser that the Shared Personal Data in question has been deleted in accordance with this clause.
7.4 Notwithstanding any other provisions in this clause 7, parties may retain one copy of Shared Personal Data in accordance with any statutory or professional retention periods applicable in their country and/or industry.
8. Transfers
8.1 For the purposes of this clause 8, transfers of Personal Data shall mean any sharing of Personal Data by the Data Receiver with a third party, and shall include the following: (a) subcontracting the processing of Shared Personal Data; (b) granting a third-party Controller access to the Shared Personal Data.
8.2 If the Data Receiver appoints a third-party Processor to Process the Shared Personal Data it shall comply with the relevant provisions of the Data Protection Legislation and shall remain liable to the Data Discloser for the acts and/or omissions of the Processor.
8.3 The Data Receiver may not transfer Shared Personal Data to a third party located outside the UK unless it:
(a) complies with the provisions of the Data Protection Legislation in the event the third party is a joint controller; and
(b) ensures that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferee otherwise complies with the Data Receiver’s obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Personal Data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer.
9. Security and training
9.1 The Data Discloser shall only provide the Shared Personal Data to the Data Receiver by using adequate technical and organisational security measures (“Security Measures”).
9.2 The parties undertake to have in place throughout the Term of this Agreement Security Measures to:
(a) prevent: (i) unauthorised or unlawful processing of the Shared Personal Data; and (ii) the accidental loss or destruction of, or damage to, the Shared Personal Data; and
(b) ensure a level of security appropriate to: (i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and (ii) the nature of the Shared Personal Data to be protected.
9.3 The level of Security Measure adopted by the parties as appropriate as at the Commencement Date having regard to the state of technological development and the cost of implementing such measures shall be kept under review. If and to the extent necessary, the parties shall carry out such updates as they agree are appropriate throughout the Term of this Agreement.
9.4 It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the Security Measures together with any other applicable Data Protection Legislation and guidance and have entered into confidentiality agreements relating to the Processing of Personal Data.
9.5 The level, content and regularity of training referred to in clause 9.4 shall be proportionate to the staff members’ role, responsibility and frequency with respect to their handling and Processing of the Shared Personal Data.
10. Personal data breaches and reporting procedures
10.1 The parties shall each comply with its obligation to report a Personal Data Breach to the Information Commissioner or appropriate Supervisory Authority and (where applicable) Data Subjects under the Data Protection Legislation and shall each inform the other party of any Personal Data Breach irrespective of whether there is a requirement to notify the Information Commissioner or any Supervisory Authority or Data Subject(s).
10.2 The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.
11. Review and termination of this Agreement
11.1 This Agreement shall continue in full force and effect from the date when either party shares or makes available the Shared Personal Data with/to the other party, for as long as and until the parties continue to share the Shared Personal Data. Without affecting any provisions that are designed to remain in force after termination or expiry of this Agreement, this Agreement will come to an end upon one or more of the following events:
(a) Relevant Patient withdraws their consent to the sharing of their Personal Data;
(b) The Relevant Patient’s clinical pathway (such as provision of a diagnostic test) has been completed;
(c) Either party or the Relevant Patient has terminated their relevant contractual arrangements underpinning the Agreed Purpose; or
(d) Either party is in a material breach of this Agreement.
11.2 The parties shall review the effectiveness of this data sharing initiative as they deem necessary having regard to the Term, having consideration to the aims and purposes set out in clause 2.2 and clause 2.3. The parties shall continue, amend or terminate this Agreement depending on the outcome of this review.
11.3 The review of the effectiveness of the data sharing initiative will involve: assessing whether the purposes for which the Shared Personal Data is being processed are still the ones listed in clause 2.3 of this Agreement; assessing whether the Shared Personal Data is still as listed in clause 3.1 and clause 3.2 of this Agreement; assessing whether the legal framework governing data quality, retention, and data subjects’ rights are being complied with; and assessing whether Personal Data Breaches involving the Shared Personal Data have been handled in accordance with this Agreement and the applicable legal framework.
11.4 Each party reserves its rights to inspect the other party’s arrangements for the Processing of Shared Personal Data and to terminate its involvement in this Agreement where it considers that the other party is not Processing the Shared Personal Data in accordance with this Agreement.
12. Resolution of disputes with data subjects or the Supervisory Authority
12.1 In the event of a dispute, complaint or claim brought by a Data Subject or the Information Commissioner concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes, complaints or claims, and will cooperate with a view to settling them amicably in a timely fashion.
12.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Information Commissioner. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
12.3 Each party shall abide by a decision of a competent court of the Data Discloser’s country of establishment or of the Information Commissioner.
13. Warranties
13.1 Each party warrants and undertakes that it will:
(a) Process the Shared Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its Personal Data processing operations.
(b) Make available on request to the Data Subjects who are third party beneficiaries a copy of this Agreement, unless the Agreement contains confidential information in which case an extract can be provided.
(c) Respond within a reasonable time and as far as reasonably possible to enquiries from the Information Commissioner or relevant Supervisory Authority in relation to the Shared Personal Data.
(d) Respond to Subject Rights Requests in accordance with the Data Protection Legislation, including where necessary (i) advising the other party of any step(s) it should reasonably take in this regard; and (ii) where the legitimate ground relied upon is a Data Subject’s consent, the timely operation of an effective procedure if such consent is withdrawn.
(e) Where applicable, maintain registration with the Information Commissioner and to process all Shared Personal Data for the Agreed Purpose.
(f) Take all appropriate steps to ensure compliance with the security measures set out in clause 9 above.
13.2 The Data Discloser warrants and undertakes that it is entitled to provide the Shared Personal Data to the Data Receiver and it will ensure that the Shared Personal Data is accurate.
13.3 The Data Receiver warrants and undertakes that it will not disclose or transfer the Shared Personal Data to a third party Controller located outside the UK unless it complies with the obligations set out in clause 8.3 above.
13.4 Except as expressly stated in this Agreement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the greatest extent permitted by law.
14. Indemnity
14.1 The Data Discloser and Data Receiver undertake to indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of this Agreement, except to the extent that any such liability is excluded under clause 16.2.
14.2 Indemnification hereunder is contingent upon:
(a) the party to be indemnified (the indemnified party) promptly notifying the other party (the indemnifying party) of a claim,
(b) the indemnifying party having sole control of the defence and settlement of any such claim, and
(c) the indemnified party providing reasonable co-operation and assistance to the indemnifying party in defence of such claim.
15. Allocation of cost
Each party shall perform its obligations under this Agreement at its own cost.
16. Limitation of liability
16.1 Neither party excludes or limits liability to the other party for:
(a) fraud or fraudulent misrepresentation;
(b) death or personal injury caused by negligence;~
(c) any matter for which it would be unlawful for the parties to exclude liability.
16.2 Subject to clause 16.1, neither party shall in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:
(a) any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;
(b) loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or
(c) any loss or liability (whether direct or indirect) under or in relation to any other contract.
16.3 Clause 16.2 shall not prevent claims, for:
(a) direct financial loss that are not excluded under any of the categories set out in clause 16.2(a); or
(b) tangible property or physical damage.
17. Third party rights
A person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.
18. Variation
No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
19. Waiver
No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
20. Severance
20.1 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement.
20.2 If any provision or part-provision of this Agreement is deemed deleted under clause 20.1, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
21. Changes to the applicable law
If during the Term of this Agreement the Data Protection Legislation change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the parties agree that the SPoCs will negotiate in good faith to review the Agreement in the light of the changes.
22. No partnership or agency
22.1 Nothing in this Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.
22.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.
23. Entire agreement
23.1 This Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
23.2 Each party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
24. Further assurance
At its own expense, each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Agreement.
25. Force majeure
Neither party shall be in breach of this Agreement nor liable for delay in performing, or failure to perform, any of its obligations under this Agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the affected party shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for 12 months, the party not affected may terminate its involvement this Agreement by giving 7 days’ written notice to the affected party.
26. Notice
26.1 Any notice given to a party under or in connection with this Agreement shall be in writing, addressed to the SPoCs and shall be:
(a) delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or
(b) sent by email to the SPoC.
26.2 Any notice shall be deemed to have been received:
(a) if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address; and
(b) if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service; and
(c) if sent by email, at the time of transmission, or if this time falls outside business hours in the place of receipt, when business hours resume. In this clause 26.2(c), business hours means 9:00 am to 5:00 pm Monday to Friday on a day that is not a public holiday in the place of receipt.
26.3 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution
27. Governing law
This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
28. Jurisdiction
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this Agreement or its subject matter or formation.
This Agreement has been entered into on the date your acceptance marked with a “tick” (through the OMED mobile app) has been recorded by us. A log of all acceptances shall be retained by us.
Take control of your health through simple at-home tests.
