DATA POLICY
CIDP takes its responsibilities concerning the requirements of local data protection laws and the GDPR (General Data Protection Regulation) very seriously. While carrying out personal data processing activities/operations, CIDP complies with the following principles:
1. Principles for Data Processing
(1) Lawfulness, fairness and transparency – Personal Data is processed lawfully, fairly and in a transparent manner;
(2) Purpose limitation – Personal Data is collected for specified, explicit and legitimate purposes;
(3) Data minimisation – Personal Data is adequate, relevant and limited to what is necessary;
(4) Accuracy – Personal Data must be kept accurate and, where necessary, kept up to date;
(5) Storage limitation – Personal Data is kept in a form which permits identification of data subjects for no longer than necessary;
(6) Integrity and confidentiality – Personal Data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures;
(7) Accountability – CIDP is responsible for compliance with data protection laws.
2. Information Notice
In order to comply with the principle of fair and transparent processing, the CIDP informs Data Subjects about the processing of their personal data, unless already informed.
The Information communicated includes all the information provided under data protection laws, as follows:
- the identity and the contact details of CIDP
- the contact details of the Data Protection Officer
- the purposes of the processing for which the Personal Data are intended as well as the legal basis for processing
- categories of the personal data concerned
- legitimate interests pursued by the CIDP or by a third party
- the recipients or the categories of recipients of the Personal Data
- information on potential transfer of Personal Data to a third country or international organisation
- the period for which the Personal Data will be stored or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from CIDP access to and rectification or erasure of Personal Data or restriction of processing concerning the Data Subject or to object to processing as well as the right to data portability;
- the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on the consent before its withdrawal
- the right to lodge a complaint with the Data Commissioner’s Office
- where the provision of Personal Data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as where the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making where applicable, including profiling
3. Data Subject Rights
The GDPR (General Data Protection Regulation) provides a set of rights that may be exercised by Data Subjects:
Right to access (Article 15 of GDPR)
The Data Subject has the right to obtain from CIDP confirmation as to whether or not Personal Data concerning him/her are being processed, and where that is the case, access to the Personal Data.
Right to rectification (Article 16 of GDPR)
The Data Subject has the right to obtain from CIDP without undue delay the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure – right to be forgotten (Article 17 of GDPR)
The Data Subject has the right to obtain from CIDP, without undue delay, the erasure of his/her Personal Data in the following cases:
- the Personal Data are no longer necessary for the purposes for which they were collected or processed
- the Data Subject withdraws consent on which the processing is based and there is no other legal ground for processing
- the Data Subject objects to the processing based on legitimate interest and CIDP cannot demonstrate that there are overriding legitimate grounds for the processing
- Personal Data have been unlawfully processed
- Personal Data have to be erased for complying with a legal requirement which applies to the CIDP
Nevertheless, where a Data Subject exercises the right to be forgotten before the expiry of the retention period, CIDP shall examine on a case-by-case basis the grounds for the Data Subject's request, and implement measures so as to be able to selectively delete those Personal Data that the CIDP has no further right or obligation to process.
The CIDP may reject the request of the Data Subject, if:
- the request is received after the expiration of the retention period and the personal data is already deleted
- CIDP has a legal obligation, contractual obligations or another relevant overriding legal ground, to keep/process the personal data
- the personal data has to be processed for pre-litigation/litigation/any other legal dispute
- CIDP is requested to fulfil a requirement from a regulatory authority
- the personal data has to be processed for investigations/audits performed internally/externally or by an authority, started before the request was received
Right to restriction of processing (Article 18 of GDPR)
Data Subject may ask to limit the processing of his/her Personal Data where one of the following applies:
- the accuracy of the Personal Data is contested
- the processing of the Personal Data is unlawful
- CIDP no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims
- the Data Subject has objected to the processing, pending the verification whether the legitimate grounds of CIDP override those of the Data Subject
Where processing has been restricted, the Personal Data shall, with the exception of storage, only be processed by CIDP for:
- the exercise or defence of legal claims
- protecting the rights of another person or entity
- purposes that serve an important public interest
- other purposes that the Data Subject consents to
CIDP shall communicate any rectification or erasure of Personal Data or restriction of processing to each recipient to whom the Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort. The CIDP shall inform the Data Subject about those recipients if the Data Subject requires it.
Right to data portability (Article 20 of GDPR)
The Data Subject has the right to receive his/her Personal Data in a structured, commonly used and machine-readable format and to transmit those data to another CRO without hindrance from CIDP.
The Personal Data subject to portability have to be adequately secured and protected by the implementation of necessary technical means as to ensure the correct and secure transfer, as well as confidentiality and integrity of the transferred data.
The right to data portability shall not adversely affect the rights and freedoms of others.
Right to object (Article 21 of GDPR)
The Data Subject may object to the processing of his/her Personal Data in the following cases:
- direct marketing, including profiling that is related to direct marketing;
- processing based on legitimate interests, including profiling that is related to such;
- processing for purposes of scientific or historical research and statistics.
In case of objection to processing, the CIDP must cease the processing, unless it can demonstrate that:
- it processes the Personal Data on the grounds of legitimate interests which override the fundamental rights and freedoms of the Data Subject (e.g. reasons of public interest) – such processing must be thoroughly documented;
- the processing is necessary for the establishment, exercise or defence of a legal claim.
Automated decision-making including profiling (Article 22 of GDPR)
The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, except when the processing is:
- necessary for entering into, or performance of, a contract between the Data Subject and CIDP
- authorized by EU or Member State Law to which CIDP is subject
- based on the Data Subject's explicit consent
4. Retention period
Personal Data shall not be retained for longer than necessary in relation to the purposes for which they are further processed.
In pursuance of the aforementioned principle, CIDP establishes the maximum period of time to lawfully retain Personal Data. Such retention periods are established in accordance with the legal requirements applicable to the CIDP, as well as in accordance with the best practices existing on the relevant market.
Beyond the retention periods, the Personal Data shall be erased or pseudonymised in an irreversible way in such a manner that the Data Subject can no longer be identified. Archiving shall not be considered erasure of Personal Data.
The principle of storage limitation shall also apply to Personal Data which are kept on paper. Such data shall be erased by destruction of the paper support, using for instance shredder devices which do not allow the reconstruction of the document which contains Personal Data, unless an alternative destruction method was agreed.
5. Data Protection Officer
If you have any questions, you may contact the Data Protection Officer by writing to the DPO: dpo@cidp-cro.com
DATA PRIVACY POLICY DATED 08 MAY 2019 VERSION 01(MR)