This policy defines the commitment of Affidea to respect Data Protection laws. Anyone who processes personal data in Affidea needs to be clearly aware that personal data is only lent to us by the Data Subjects on trust; we do not own it. Data Subjects are patients, employees, and vendors / partners.
This policy is designed to provide a frame of reference and is complemented by other Affidea policies and procedures (see Section 7) which go into more specific details of various topics. Employees shall seek further guidance, as it is the ultimate responsibility of each employee of Affidea Group to act in accordance with Data Protection laws, a responsibility that cannot be delegated.
The purpose of the policy is also to ensure that Affidea will facilitate the exercise of the Rights and Freedoms of the Data Subjects (as set out in Section 4.4 hereof) and enable Affidea to process personal data according to EU Regulations and local Member State laws.
The purpose of the Affidea Data Protection Policy is to set out the foundations of the Data Protection framework that will, with the invocation of the underlying Standard Operating Procedures, ensure that:
- all Data Subjects understand why, how, where, and for how long their personal data is processed in Affidea, and their Rights and Freedoms under the GDPR;
- all staff, vendors and external partners working for Affidea and processing personal data are fully aware of their obligations under the GDPR and applicable national laws;
- Affidea can demonstrate and verify compliance with the GDPR;
- Affidea proactively detects, reacts to and learns from data related incidents;
- Affidea complies with the six principles of the GDPR in all personal data processing activities within Affidea and can demonstrate that it complies with the GDPR ‘accountability’ principle;
- Affidea processes personal data lawfully under the GDPR and applicable national laws, and fulfils its obligations under professional medical codes of conduct;
- the Data Subject and Affidea clearly understand and are able to verify the lawful basis for personal data processing;
- the Data Subject’s Rights and Freedoms under the GDPR are delivered across Affidea;
- personal data is transferred lawfully within and outside Affidea;
- Affidea carries out Data Protection Impact Assessments (DPIA);
- staff, vendors and third parties request assistance when they believe processing may infringe the GDPR or when something out of pattern takes place with personal data processing.
Staff must adhere to this policy at all times and will be subject to internal disciplinary action if they do not.
This policy applies to:
· all employees, job applicants and workers under a contract other than employment, vendors, partners (workers acting on behalf of companies providing services for us), legal entities and business units belonging to the Affidea Group; and
· the processing of all personal data as defined in the GDPR. It extends to personal data processed outside the EU to enable transfer of personal data between Affidea companies.
This document should be read in conjunction with related Affidea Group regulating documents, including the documents listed in Section 7. In the event of a discrepancy between this policy and the policies above, the more restrictive requirements will apply.
This is a mandatory document that must be translated for each Affidea Country, under the responsibility of the Local Quality Manager and Local Top Management.
This policy and the instructions included herein shall be followed unless more detailed or stricter legal regulations exist in the country. In such a case the policy and instructions shall be followed to the extent that they are not contrary to, or more strictly regulated by, the country’s local legislation.
| Term | Definition |
|---|---|
| GDPR | The General Data Protection Regulation (2016/679) becomes applicable on the 25th of May 2018. It is directly applicable at national level and harmonizes data protection laws across the EU. It replaces the current 1995 Data Protection Directive (Directive 95/46/EC). The GDPR applies to Data Controllers and Data Processors established in the EU and becomes applicable to Data Controllers or Data Processors offering goods or services to the EU or monitoring the behaviour of individuals in the EU. |
| Affidea | Includes every legal entity within Affidea Group. |
| Affidea Group | The group of companies directly or indirectly controlled by Affidea Group BV. |
| Data Controller | Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. |
| Data Privacy Notice | Informative notification to ensure that data privacy related information is clear and understandable for the Data Subjects and Affidea. |
| Data Processor | Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
| Personal Data | Personal data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data at Affidea includes but is not limited to: patient data (diagnostic images, medical reports, time and location of the medical exam, patient characteristics for marketing campaigns); employee data (personal data in employment contracts, monthly employee timesheets and payroll data, video surveillance recordings in medical centres and offices, access card details, employee email addresses); vendor data (personal data in service contracts, partners’ email addresses, etc.). |
| Personal Data Processing | Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Personal Data Breach | A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| Security of Personal Data Processing | The security of personal data processing is the appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the processing of personal data, in order to prevent 1) a reduction of the Rights and Freedoms of natural persons and 2) a Personal Data Breach. It includes the measures to recover from 1) and 2). |
| Anonymisation of Personal Data | Anonymisation of Personal Data is defined as the process to strip sufficient elements such that the Data Subject can no longer be identified by the Data Controller using data they process or have access to. It is irreversible: if it can be reversed, it is not anonymised. |
| Profiling | Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. |
| Automated decision-making | Automated decision-making has a different scope to, and may partially overlap with, profiling. Solely automated decision-making is the ability to make decisions by technological means without human involvement. Often referred to as Artificial Intelligence. |
To best understand this Data Protection policy, the reader should be aware that personal data must be processed according to the Affidea Personal Data Lifecycle. Section 4 details the lifecycle and the technical and organisational measures adopted by Affidea to process personal data in compliance with the GDPR, other EU Regulations, the guidance and opinions of European Data Protection Regulators and the European Data Protection Board, and the objectives of the relevant EU Directives. Compliance with EU Directives enacted in EU Member State law, and with local Member State law, is the responsibility of the local Affidea Country organisations. As an EU company we comply with EU laws as a minimum requirement and allow our non-EU operations to refer to their local regulations where those are stricter than the EU ones.
Affidea Personal Data Lifecycle
Please see the stages of the Affidea personal data life cycle and their interpretation below.
Figure 1: Affidea Personal Data Lifecycle
- Obtain personal data and satisfy requirements to lawfully process personal data: personal data is either obtained directly from the individuals or is submitted to Affidea by another Data Controller.
- Classify data according to the Affidea data classification: all data processed on Affidea systems must be classified according to the Affidea data classification. This enables, amongst other activities, the implementation of proper organisational and technical measures.
- Assign responsibility and data stewardship: all data processed in Affidea is assigned to a steward who is responsible for the oversight and fitness for purpose of the data and will oversee adherence to this policy.
- Process the personal data securely to fulfil the purpose: the personal data must only be processed to fulfil the defined purpose in the Data Privacy Notice and in accordance with the Information Security policy.
- Access and maintain the personal data: Personal data will only be accessed and processed by staff who have a valid reason. The primary reason will be to fulfil its purposes as per the Data Privacy Notice.
- Retain and store the personal data: Personal data will be retained in accordance with the Data Retention schedule. At the end of the retained time period, the data will be securely erased.
- Anonymise the personal data, if required: Affidea may achieve the intended purpose by processing anonymised data. If the personal data is anonymised, it is significantly more secure in processing and can be shared with other parties much more easily.
- Erase and cull the personal data: at the end of the retention period, the personal data (digital and physical) is erased using the most appropriate procedure. Intermediate culling of individual data fields or physical records may take place before that, as specified in the Data Retention schedule.
- Fulfil Data Subjects’ requests to exercise their Rights and Freedoms: during the personal data processing, the Data Subject has the opportunity to exercise their Rights and Freedoms under the GDPR, which are detailed in Section 4.4.
- Ongoing review of the relevant DPIA: all existing high-risk personal data processing with a Data Protection Impact Assessment needs to be reviewed to confirm no changes are required to the initial results.
The ongoing validity of this lifecycle and the appropriateness of the technical and organisational measures in the Affidea legal entities are verified by review and update of the relevant DPIAs, which are core to Affidea building and verifying compliance with the GDPR and other EU Regulations.
Six Principles of the GDPR
Core to all Data Protection legislation is to comply with and be able to demonstrate the six principles listed below. All personal data shall be:
- processed lawfully, fairly and in a transparent manner – (‘lawfulness, fairness and transparency’);
- processed only for those purposes described in the Data Privacy Notice – (‘purpose limitation’);
- adequate, relevant and limited to what is necessary to fulfil the purposes in the Data Privacy Notice – (‘data minimisation’);
- accurate and, where necessary, kept up to date to fulfil the purposes in the Data Privacy Notice – (‘accuracy’);
- processed only for as long as is required to fulfil the purposes in the Data Privacy Notice and local EU Member State laws – (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data as per the Affidea Information Security Policy – (‘integrity and confidentiality’).
These principles must be incorporated into all personal data processing carried out by Affidea. Under the sanctions regime of the GDPR, the failure of more than one principle would have severe repercussions for Affidea, and adherence to these principles is mandatory.
Lawful processing of personal data is ensured by the selection of the appropriate lawful basis of processing. This selection shall be documented internally and explained to the Data Subject in the relevant Data Privacy Notice. The Data Privacy Notice provides transparent information of Affidea’s relevant data processing activity to the Data Subject.
Data Privacy Notices
Every Data Privacy Notice shall contain the following information:
- Identity and contact details of the controller and, if applicable, of the controller’s local representative, and the contact details of the data protection officer;
- Purposes of processing;
- Legal basis of processing (and, if relying on the “legitimate interest” ground for processing, identification of the legitimate interest);
- The recipients or categories of recipients to whom personal data will be disclosed, including any recipients located outside the European Economic Area (“EEA”);
- Whether the information will be transferred to a third country or recipient outside the EEA and, if so, details of the recipient and destination country and the level of protection that will be afforded to the data;
- The envisaged time limits for erasure of the different categories of personal data or, if that is not possible, the criteria used to determine this period;
- Data Subjects’ rights;
- When relying on the Data Subject’s consent to process their data, their right to withdraw their consent at any time;
- Data Subjects’ right to complain to a supervisory authority if there is a problem;
- Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as the possible consequences of failure to provide such data;
- Whether the provision of data is mandatory or voluntary;
- The possible consequences of failing to provide that data;
- If applicable, details of any automated decision making (particularly profiling), meaningful details of the logic involved and the potential consequences of such processing;
- When the data is not received directly from the Data Subject: the categories of personal data concerned, the source of the data and, where applicable, whether or not it came from publicly available sources.
Data Subjects’ Rights and Freedoms
All Data Subjects are informed of their Rights and Freedoms in the relevant Data Privacy Notice, which are:
- Right of access: The Data Subject can obtain confirmation that we process their personal data and receive a copy of their personal data either electronically or physically, i.e. on paper. All technical terms need to be explained. There are local EU Member State guidelines specifying what can be shared in healthcare and with employees. This right of access is exercised through a SAR – a Subject Access Request. These come with an inherent risk: failure to fulfil a SAR may result in the Data Subject lodging a complaint with the Supervisory Authority, who must investigate. It is mandatory that these requests are fulfilled professionally and in accordance with the related procedure.
- Right to rectification: The Data Subject can request rectification of any inaccurate personal data and have incomplete personal data completed by supplying additional personal data.
- Right to erasure: The Data Subject can request erasure of their personal data. However, Affidea may be legally required to keep personal data for compliance with a legal obligation to which it is subject, and this is reflected in the Affidea Data Retention Schedule. If this is the case, Affidea will not be required to erase the personal data.
- Right to restriction of processing: The Data Subject can request that all processing except storage and access is halted. This is often requested when there is a dispute with the Data Subject; it is usually a temporary state that ends when the dispute is resolved.
- Right to portability: The Data Subject may request an electronic copy of their personal data or request a copy to be transferred directly to another Data Controller.
- Right to object: Where the lawful basis for processing is legitimate interest, the Data Subjects can object to this processing and if they are successful, Affidea must cease processing their personal data.
- Right to object to automated individual decision-making: The GDPR makes a clear differentiation between profiling and automated decision making. Prior to any profiling or automated decision-making activities, consultation must take place with the DPO and a DPIA is to be carried out. The Data Subject will be notified and will have the right to object to this type of processing.
The Rights and Freedoms of the Data Subject are not absolute rights; a request from the Data Subject requires the investigation of applicable regulations and laws. If the exercise of the Rights and Freedoms of the Data Subject is denied, the documented reasoning shall be made available to the Data Subject. Denial may only take place after authorisation by the Data Protection Officer (DPO).
When responding to Subject Access Requests, no fee or charge may be made to the Data Subject under the GDPR, unless the request is manifestly unfounded or excessive. It is key that identity verification takes place before any other activity.
All communication with the Data Subject will be in a concise, transparent, intelligible and easily accessible form, using clear and plain language and explaining any medical terms. A Data Privacy Notice will be issued with all correspondence, so that the Data Subject is aware of their rights. Where Affidea declines to act on the specific right, we will inform the Data Subject of the reasons why and of the possibility of lodging a complaint with a Supervisory Authority and seeking a judicial remedy.
Affidea Patient portals will enable some of these Rights and Freedoms and give patients access to their personal data. Where Affidea has transferred personal data to other parties (Data Processors), Affidea shall inform those Data Processors when a Data Subject requests that their personal data be amended, restricted or erased.
Data Processor Duties and Contracts
Data Processors acting on behalf of Affidea are required to enter into a contract with us. The data processing contract shall contain the elements required by the GDPR and local laws. The template agreement referred to in Section 7 of this policy shall be applied unless otherwise approved by the Data Protection Officer. Our Data Processors shall act in accordance with the technical and organisational measures required by us to ensure the security of processing.
Transfer of Personal Data to Other Parties
Transfer of personal data will take place with a valid contract in place and an approved secure method of transfer. Where the transfer is outside the EU, the latest EU standard contractual clauses from the European Data Protection Board should be used.
Affidea to carry out Data Protection Impact Assessments (DPIA)
A Data Protection Impact Assessment shall be performed before any data processing activity that is likely to result in a high risk to the rights and freedoms of individuals.
Affidea considers the risk high if the following data is processed:
- personal identity data,
- personal financial data,
- personal location data,
- personal device IDs.
Affidea considers the risk very high if the following data is processed:
- personal special data (including the physical or mental health or medical condition of the Data Subject),
- personal biometric data,
- personal genetic data,
- children’s personal data,
- vulnerable individuals’ personal data.
A DPIA is a process for building and demonstrating compliance and is an Accountability Instrument. There is a documented DPIA process. All new types of high risk personal data processing require a DPIA before being brought into production.
All existing high-risk personal data processing with a DPIA needs to be reviewed when there is a change in the risk level to the Data Subject. The aim of the review is to confirm whether changes in technical and organisational measures are required. Particular attention needs to be paid to profiling, automated decision making and Artificial Intelligence (AI), as these types of processing are required to have a DPIA demonstrating compliance and reducing the risks to the Rights and Freedoms of the Data Subject.
Security Incidents and Possible Infringements of the GDPR
Whilst all personal data breaches (PDB) are security incidents, not all security incidents are necessarily personal data breaches. As a result, all security incidents are reported in accordance with SOP-IT-002-02 – Information Security Incident Management Procedure. The Information Security Incident procedure is linked with a procedure to receive, verify, assess, act on and report Personal Data Breaches to the Supervisory Authority. This reporting must be done within 72 hours from the time Affidea, as Data Controller, is notified, and all staff and third parties must initiate a security review as soon as they become aware of a problem.
If a member of staff or a third party believes they are about to infringe the GDPR, they must consult the DPO before they transfer or process the personal data. Staff are reminded that consulting the DPO when there is a concern is required not only for regular business-related processing activities, but for one-off or out-of-pattern processing activities as well.
Proactive Detection, Reaction and Learning from Data Related Incidents
Affidea processes personal data in an ever-changing world where technology and security threats evolve 24/7. The DPO Team will review the security logs with the Chief Information Security Officer following a significant security incident, to make recommendations for more secure personal data processing in response to the changing threat landscape. In this way, lessons learned will be incorporated into technical and organisational measures to improve proactive detection of, and reaction to, security incidents.
Training Requirements
All Affidea employees are responsible for Data Protection, and are therefore in scope for the general GDPR and Information Security training. All employees are required to repeat the general Data Protection training on an annual basis. Those whose activity incorporates the processing of personal data shall be trained with respect to their practice area.
Training records are maintained according to SOP-QM-003 – Quality Records Control.
The GDPR is one of several EU Regulations and Directives that govern and regulate the processing of personal data. These are the key documents that have been consulted to write the Data Protection Policy and are listed below. Some documents are included because they contain important definitions enshrined in EU law, and these documents impact the jurisdiction, material and territorial scope of our personal data processing.
| Document | Link |
|---|---|
| General Data Protection Regulation 2016/679 | http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG |
| Criminal Data Directive (EU) 2016/680 | http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0089.01.ENG&toc=OJ:L:2016:119:TOC |
| Patients’ rights in cross-border healthcare Directive 2011/24/EU | http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32011L0024 |
| Data Protection Directive 95/46/EC | http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML |
| NIS (Network Information Security) Directive (EU) 2016/1148 | http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC |
| Proposed Regulation to repeal Directive 2002/58/EC (Privacy and | |
| Privacy and Electronic Communications Directive 2002/58/EC | http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML |
| Art. 29 WP GDPR Guidance on Data Protection Impact Assessments (DPIA) and determining whether processing is “likely to result in a high risk”, WP248 rev0.1, Adopted on the 4th of October, 2017 | http://ec.europa.eu/newsroom/document.cfm?doc_id=47711 |
| Art. 29 WP GDPR Guidance on Personal data breach notification, WP250 rev.01, Adopted on the 6th of February, 2018 | http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827 |
| Art. 29 WP GDPR Guidance on Automated individual decision-making and Profiling, WP251 rev.01, Adopted on the 6th of February, 2018 | http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49826 |
| Art. 29 WP GDPR Guidelines on the setting of administrative fines, WP253, Adopted on the 3rd of October, 2017 | http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889 |
| Art. 29 WP GDPR Opinion 2/2017 on data processing at work, WP249, Adopted on the 8th of June, 2017 | http://ec.europa.eu/newsroom/document.cfm?doc_id=45631 |