1 About this GDPR policy
2 About GDPR
GDPR is an EU law to safeguard personal data on the internet for citizens and legal residents of the EU and European Economic Area (EEA). The law was approved in 2016 with full compliance enforced starting 25-May-2018 and addresses targeting or collection of personal data within and outside EU and EEA. GDPR gives individuals control over their personal data, and how that personal data is collected and used. Failure to comply with GDPR can result in harsh fines and penalties. While GDPR is an EU law, it is administered by individual member states (see Appendices A and B below).
3 GDPR definitions
Personal Data – Personal data is any information that relates to an individual who can be directly or indirectly identified. Examples include names and email addresses. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.
Data Processing – Any action performed on data, whether automated or manual, including collecting, recording, organizing, structuring, storing, using, and erasing.
Data Subject – The person whose data is processed. These include customers or website visitors.
Data Controller – The person who decides why and how personal data will be processed. This may be any employee in the organization who handles data.
Data Processor – An employee who processes personal data on behalf of a Data Controller.
Data Protection Officer (DPO) – Senior member of the organization responsible for overseeing the implementation of GDPR at Immunologix. Additional details can be found below.
4 GDPR Data Protection Principles
5 GDPR Accountability
Data Controllers must demonstrate that they are GDPR compliant. The Data Controller may delegate data protection responsibilities to Data Processors. Immunologix should maintain detailed documentation on the data that is being collected, how it is used, where it is stored, and which employees are responsible for the data. The DPO must ensure that staff who handle confidential data are trained in the handling of data subject to GDPR. Immunologix generally does not share confidential private information outside of the company. However, should sharing data with a third-party organization be necessary, a data processing agreement should be put in place to govern how the third party handles personally identifiable data.
6 GDPR Breaches and Potential Penalties
Breaches of GDPR should be reported within 72 hours to the appropriate Data Protection Authority (see Appendices A and B below). For the EU, fines of up to €10 million, or 2% of worldwide annual revenue (whichever is higher), are possible for breaches due to the conduct of controllers and processors. Fines of up to €20 million, or 4% of worldwide annual revenue (whichever is higher), may be levied for violating the basic principles of processing, the conditions of consent, the data subjects’ rights, or transfer to a third party without a data processing agreement and disclosure to the data subject. Fines set by other supervisory authorities, such as those of the United Kingdom, Switzerland, or California, are unique to each locale. In the event of a breach, the DPO will serve as the point of contact for data protection supervisory authorities.
7 GDPR Responsibilities for the Data Protection Officer (DPO)
While Immunologix does not technically need a DPO because all operations reside within the state of Florida, USA, the role is assigned to ensure proper handling of private data of citizens and residents of the EU and other locations (see Appendices). The DPO is identified in the Immunologix Laboratories Organization Chart under the Critical Roles section.
The Data Controller and Data Processor must ensure that the DPO is involved and informed of any issues that relate to the protection of personal data. The DPO must report to the highest levels of management in the organization and is bound by confidentiality. The DPO has six main tasks:
- Receive comments and questions from Data Subjects regarding the processing of their personal data
- Inform employees of their obligations under GDPR
- Monitor compliance to GDPR, train staff, and perform annual compliance reviews
- Perform data impact assessments (if necessary)
- Cooperate with data protection supervisory authorities, when appropriate
- Be the point of contact in the event of a breach
8 GDPR Compliance Annual Review
An annual review of data collection practices should be performed and should ensure the following:
- This GDPR Policy is up to date
- A senior member of staff has been assigned the role of Data Protection Officer
- Clear information has been provided to the data subject
- Proper protections are in place
- Processes exist for informing the EU authorities should a breach occur
- An easy process exists for Data Subjects to request removal of their data
- Processing agreements exist for third-party processors (if applicable)
The Immunologix Laboratories GDPR Policy will be reviewed at least annually to ensure compliance with EU regulations. Updates will be published and available on the Immunologix website (www.immunologixlabs.com/GDPR-policy/).
10 Legal Status of the Immunologix Laboratories GDPR Policy
GDPR is designed to protect the privacy of Data Subjects who are citizens and legal residents of the EU. All of Immunologix Laboratories’ operations reside within the United States and therefore operate outside the direct regulatory authority of the EU. However, Immunologix may occasionally collect and handle data from EU citizens and residents and is therefore making the necessary efforts to comply with GDPR. Additionally, many of the concepts contained within the GDPR apply to the California Consumer Privacy Act (CCPA) of 2018, which is a US state-level regulation regarding data protection for residents of California. The Immunologix Laboratories GDPR Policy is not a contract, and it does not create any legal rights or obligations. Immunologix reserves the right to modify or amend this policy at any time.
General inquiries regarding the processing of personal data should be submitted in writing to firstname.lastname@example.org. To withdraw consent for Immunologix Laboratories to use personal data and have any personal data stored at Immunologix Laboratories deleted, contact GDPR@immunologixlabs.com. A reply will be sent with a summary outlining the data stored and the final data disposition.
Appendix A: EU Data Protection Authorities
European Data Protection Supervisor
Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA)
Rue de la Presse 35 – Drukpersstraat 35
1000 Bruxelles – Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
Website: https://www.autoriteprotectiondonnees.be/ – https://www.gegevensbeschermingsautoriteit.be/
Commissioner for Personal Data Protection
1 Iasonos Street,
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565
Commission Nationale de l’Informatique et des Libertés – CNIL
3 Place de Fontenoy
TSA 80715 – 75334 Paris, Cedex 07
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Graurheindorfer Straße 153
Tel.: +49 228 997799 0
Fax: +49 228 997799 5550
Hungarian National Authority for Data Protection and Freedom of Information
Office of the Information and Data Protection Commissioner
Second Floor, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Fax +356 2328 7198
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
ul. Stawki 2
Tel. +48 22 531 03 00
Fax +48 22 531 03 01
email: email@example.com; firstname.lastname@example.org
The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 31 805 9211
Fax +40 31 805 9602
Office for Personal Data Protection of the Slovak Republic
820 07 Bratislava 27
Tel.: + 421 2 32 31 32 14
Fax: + 421 2 32 31 32 34
Appendix B: EEA Supervisory Authorities
Appendix C: GDPR Outside of EU/EEA
Switzerland (Swiss FDAP)
Federal Data Protection and Information Commissioner
CH - 3003 Bern
Tel +41 058 462 43 95
Website: Data protection (admin.ch)
Water Lane, Wilmslow, Cheshire SK9 5AF
Tel +44 1625 545745
State of California, Office of the Attorney General
Attn: Public Inquiry Unit
P.O. Box 944255
Sacramento, CA 94244-2550
Tel (800) 952-5225
Fax (916) 323-5341