1. ABOUT THIS GDPR POLICY
2. ABOUT GDPR
GDPR is an EU law to safeguard the personal data of citizens and legal residents of the EU and the European Economic Area (EEA) on the internet. The law was approved in 2016, with full compliance enforced starting 25-May-2018, and it addresses the targeting or collection of personal data both within and outside the EU and EEA. GDPR gives individuals control over their personal data and over how that personal data is collected and used. Failure to comply with GDPR can result in harsh fines and penalties. While GDPR is an EU law, it is administered by individual member states (see Appendices A and B below).
3. GDPR DEFINITIONS
Personal Data – Personal data is any information that relates to an individual who can be directly or indirectly identified. Examples include names and email addresses. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.
Data Processing – Any action performed on data, whether automated or manual, including collecting, recording, organizing, structuring, storing, using, and erasing.
Data Subject – The person whose data is processed. These include customers or website visitors.
Data Controller – The person who decides why and how personal data will be processed. This may be any employee in the organization who handles data.
Data Processor – An employee who processes personal data on behalf of a Data Controller.
Data Protection Officer (DPO) – Senior member of the organization responsible for overseeing the implementation of GDPR at Immunologix. Additional details can be found below.
4. GDPR DATA PROTECTION PRINCIPLES
5. GDPR ACCOUNTABILITY
Data Controllers must demonstrate that they are GDPR compliant. The Data Controller may delegate data protection responsibilities to Data Processors. Immunologix should maintain detailed documentation on the data that is being collected, how it is used, where it is stored, and which employees are responsible for the data. The DPO must ensure that staff who handle confidential data are trained in the handling of data subject to GDPR. Immunologix generally does not share confidential private information outside of the company. However, should sharing data with a third-party organization be necessary, a data processing agreement should be put in place to govern how the third party handles personally identifiable data.
6. GDPR BREACHES AND POTENTIAL PENALTIES
Breaches of GDPR should be reported within 72 hours to the appropriate Data Protection Authority (see Appendices A and B below). Fines of up to $10 million, or 2% of worldwide annual revenue (whichever is higher), are possible for breaches due to the conduct of controllers and processors. Fines of up to $20 million, or 4% of worldwide annual revenue (whichever is higher), may be levied for violating the basic principles of processing, the conditions of consent, the data subjects’ rights, or for transfer to a third party without a data processing agreement and disclosure to the data subject. In the event of a breach, the DPO will serve as the point of contact for data protection supervisory authorities.
7. GDPR RESPONSIBILITIES FOR THE DATA PROTECTION OFFICER (DPO)
While Immunologix does not technically need a DPO because all operations reside within the United States, the role is assigned to ensure proper handling of private data of EU citizens and residents. The DPO is identified in the Immunologix Laboratories Organization Chart under the Critical Roles section.
The Data Controller and Data Processor must ensure that the DPO is involved and informed of any issues that relate to the protection of personal data. The DPO must report to the highest levels of management in the organization and is bound by confidentiality. The DPO has six main tasks:
a) Receive comments and questions from Data Subjects regarding the processing of their personal data
b) Inform employees of their obligations under GDPR
c) Monitor compliance to GDPR, train staff, and perform annual compliance reviews
d) Perform data impact assessments (if necessary)
e) Cooperate with data protection supervision authorities, when appropriate
f) Be the point of contact in the event of a breach
8. GDPR COMPLIANCE ANNUAL REVIEW
An annual review of data collection practices should be performed and should ensure the following:
a) This GDPR Policy is up to date
b) A senior member of staff has been assigned the role of Data Protection Officer
c) Clear information has been provided to the data subject
d) Proper protections are in place
e) Processes exist for informing the EU authorities should a breach occur
f) An easy process exists for Data Subjects to request removal of their data
g) Processing agreements exist for third-party processors (if applicable)
The Immunologix Laboratories GDPR Policy will be reviewed at least annually to ensure compliance with EU regulations. Updates will be published and available on the Immunologix website (www.immunologixlabs.com/GDPR/).
10. LEGAL STATUS OF THE IMMUNOLOGIX LABORATORIES GDPR POLICY
GDPR is designed to protect the privacy of Data Subjects who are citizens and legal residents of the EU. All Immunologix Laboratories operations reside within the United States and therefore operate outside the direct regulatory authority of the EU. However, Immunologix may occasionally collect and handle data from EU citizens and residents and is therefore making the necessary efforts to comply with GDPR. Additionally, many of the concepts contained within the GDPR also apply to the California Consumer Privacy Act of 2018, a US state-level regulation regarding data protection for residents of California. The Immunologix Laboratories GDPR Policy is not a contract, and it does not create any legal rights or obligations. Immunologix reserves the right to modify or amend this policy at any time.
General inquiries regarding the processing of personal data should be submitted in writing to email@example.com. To withdraw consent for Immunologix Laboratories to use personal data and to have any personal data stored at Immunologix Laboratories deleted, contact GDPR@immunologixlabs.com. A reply will be sent with a summary outlining the data stored and its final disposition.
APPENDIX A: EU SUPERVISORY AUTHORITIES
Austria – http://www.dsb.gv.at/
Belgium – http://privacycommission.be
Bulgaria – http://www.cpdp.bg/
Croatia – http://www.azop.hr/
Cyprus – http://www.dataprotection.gov.cy/
Czech Republic – http://www.uoou.cz/
Denmark – http://www.datatilsynet.dk/
Estonia – http://www.aki.ee/en
Finland – http://www.tietosuoja.fi/en/
France – http://www.cnil.fr/
Germany – http://www.bfdi.bund.de/
Note: Germany manages complaints among a number of local and state agencies, and contacting additional entities may be required to identify the proper regional authority.
Greece – http://www.dpa.gr/
Hungary – http://www.naih.hu/
Ireland – http://www.dataprotection.ie/
Italy – http://www.garanteprivacy.it/
Latvia – http://www.dvi.gov.lv/
Lithuania – http://www.ada.lt/
Luxembourg – http://www.cnpd.lu/
Malta – http://www.dataprotection.gov.mt/
Netherlands – https://autoriteitpersoonsgegevens.nl/nl
Poland – http://www.giodo.gov.pl/
Portugal – http://www.cnpd.pt/
Romania – http://www.dataprotection.ro/
Slovakia – http://www.dataprotection.gov.sk/
Slovenia – https://www.ip-rs.si/
Spain – https://www.agpd.es/
Sweden – http://www.datainspektionen.se/
United Kingdom – https://ico.org.uk
APPENDIX B: EEA SUPERVISORY AUTHORITIES
Iceland – firstname.lastname@example.org
Liechtenstein – email@example.com
Norway – firstname.lastname@example.org
Switzerland – email@example.com