GDPR POLICY

1 About this GDPR policy

This policy outlines an individual’s rights under the European Union (EU) General Data Protection Regulation (GDPR). For additional details regarding the types of personal information that Immunologix Laboratories (Immunologix) collects and processes and how this information is used and disclosed, see the Immunologix Laboratories Privacy Policy (www.immunologixlabs.com/privacy-policy/).

2 About GDPR

GDPR is an EU law to safeguard personal data on the internet for citizens and legal residents of the EU and European Economic Area (EEA). The law was approved in 2016, with full compliance enforced starting 25-May-2018, and addresses the targeting or collection of personal data within and outside the EU and EEA. GDPR gives individuals control over their personal data, and how that personal data is collected and used. Failure to comply with GDPR can result in harsh fines and penalties. While GDPR is an EU law, it is administered by individual member states (see Appendices A and B below).

3 GDPR definitions

Personal Data – Personal data is any information that relates to an individual who can be directly or indirectly identified. Examples include names and email addresses. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.

Data Processing – Any action performed on data, whether automated or manual, including collecting, recording, organizing, structuring, storing, using, and erasing.

Data Subject – The person whose data is processed. These include customers or website visitors.

Data Controller – The person who decides why and how personal data will be processed. This may be any employee in the organization who handles data.

Data Processor – An employee that processes personal data on behalf of a Data Controller.

Data Protection Officer (DPO) – Senior member of the organization responsible for overseeing the implementation of GDPR at Immunologix. Additional details can be found below.

4 GDPR Data Protection Principles

Processing of data must be lawful, fair, and transparent to the data subject. Data must be processed for the legitimate purposes detailed in the Immunologix Laboratories Privacy Policy and/or other documents, as appropriate. Immunologix will only collect the minimum amount of personal data necessary for the specified purpose. Whenever possible, personal data should be kept accurate and up to date. Data should only be stored for the length of time for the specified purpose. Processing of personal data must be done in a way that ensures security, integrity, and confidentiality. Data Subjects have the right to withdraw consent to use their data and may ask that any personal data stored at Immunologix be erased.

5 GDPR Accountability

Data Controllers must demonstrate that they are GDPR compliant. The Data Controller may delegate data protection responsibilities to Data Processors. Immunologix should maintain detailed documentation on the data that is being collected, how it is used, where it is stored, and which employees are responsible for the data. The DPO must ensure that staff that handle confidential data are trained in the handling of data subject to GDPR. Immunologix, generally, does not share confidential private information outside of the company. However, should sharing data with a third-party organization be necessary, a data processing agreement should be put in place to govern how the third-party handles personally identifiable data.

6 GDPR Breaches and Potential Penalties

Breaches of GDPR should be reported within 72 hours to the appropriate Data Protection Authority (see Appendices A and B below). For the EU, fines up to €10 million, or 2% of worldwide annual revenue (whichever is higher) are possible for breaches due to conduct of controllers and processors. Fines of up to €20 million, or 4% of worldwide annual revenue (whichever is higher), may be levied for violating basic principles of processing, conditions of consent, the data subjects’ rights, or transfer to a third party without a data processing agreement and disclosure to the data subject. Fines for other Supervisory Authorities, such as the United Kingdom, Switzerland, or California, are unique to each locale. In the event of a breach, the DPO will serve as the point of contact for data protection supervision authorities.

7 GDPR Responsibilities for the Data Protection Officer (DPO)

While Immunologix does not technically need a DPO because all operations reside within the state of Florida, USA, the role is assigned to ensure proper handling of private data of citizens and residents of the EU and other locations (see Appendices). The DPO is identified in the Immunologix Laboratories Organization Chart under the Critical Roles section.

The Data Controller and Data Processor must ensure that the DPO is involved and informed of any issues that relate to the protection of personal data. The DPO must report to the highest levels of management in the organization and is bound by confidentiality. The DPO has six main tasks:

  1. Receive comments and questions from Data Subjects regarding the processing of their personal data
  2. Inform employees of their obligations under GDPR
  3. Monitor compliance to GDPR, train staff, and perform annual compliance reviews
  4. Perform data impact assessments (if necessary)
  5. Cooperate with data protection supervision authorities, when appropriate
  6. Be point of contact in the event of a breach

8 GDPR Compliance Annual Review

An annual review of data collection practices should be performed and should ensure the following:

  1. This GDPR Policy is up to date
  2. A senior member of staff has been assigned the role of Data Protection Officer
  3. Clear information has been provided to the data subject
  4. Proper protections are in place
  5. Processes exist for informing the EU authorities should a breach occur
  6. An easy process exists for Data Subjects to request removal of their data
  7. Processing agreements exist for third-party processors (if applicable) 

9 Review and Changes to this Privacy Policy

The Immunologix Laboratories GDPR Policy will be reviewed at least annually to ensure compliance with EU regulations. Updates will be published and available on the Immunologix website (www.immunologixlabs.com/GDPR-policy/).

10 Legal Status of the Immunologix Laboratories GDPR Policy

GDPR is designed to protect the privacy of Data Subjects who are citizens and legal residents of the EU. All of Immunologix Laboratories' operations reside within the United States and therefore operate outside the direct regulatory authority of the EU. However, Immunologix may, occasionally, collect and handle data from EU citizens and residents and is therefore making necessary efforts to comply with GDPR. Additionally, many of the concepts contained within the GDPR apply to the California Consumer Privacy Act (CCPA) of 2018, which is a US state level regulation regarding data protection for residents of California. The Immunologix Laboratories GDPR Policy is not a contract, and it does not create any legal rights or obligations. Immunologix reserves the right to modify or amend this policy at any time.

General inquiries regarding the processing of personal data should be submitted in writing to info@immunologixlabs.com. To withdraw consent for Immunologix Laboratories to use personal data and have any personal data stored at Immunologix Laboratories deleted, contact GDPR@immunologixlabs.com. A reply will be sent with a summary outlining the data stored and the final data disposition.

 

Appendix A: EU Data Protection Authorities

European Data Protection Supervisor

Rue Wiertz 60
1047 Bruxelles/Brussel
Office: Rue Montoyer 30, 6th floor
Tel. +32 2 283 19 00
Fax +32 2 283 19 50
email: edps@edps.europa.eu
Website: http://www.edps.europa.eu/EDPSWEB/

 

Austria

Österreichische Datenschutzbehörde

Barichgasse 40-42
1030 Wien
Tel. +43 1 52152 2550
email: dsb@dsb.gv.at
Website: http://www.dsb.gv.at/

 

Belgium

Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA)

Rue de la Presse 35 – Drukpersstraat 35
1000 Bruxelles – Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
email: contact@apd-gba.be
Website: https://www.autoriteprotectiondonnees.be/ – https://www.gegevensbeschermingsautoriteit.be/

 

Bulgaria

Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd.
Sofia 1592
Tel. +359 2 915 3580
Fax +359 2 915 3525
email: kzld@cpdp.bg
Website: https://www.cpdp.bg/

 

Croatia

Croatian Personal Data Protection Agency
Selska Cesta 136
10000 Zagreb
Tel. +385 1 4609 000
Fax +385 1 4609 099
email: azop@azop.hr
Website: http://www.azop.hr/

 

Cyprus

Commissioner for Personal Data Protection
1 Iasonos Street,
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565
email: commissioner@dataprotection.gov.cy
Website: http://www.dataprotection.gov.cy/

 

Czech Republic

Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444
email: posta@uoou.cz
Website: http://www.uoou.cz/

 

Denmark

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Tel. +45 33 1932 00
Fax +45 33 19 32 18
email: dt@datatilsynet.dk
Website: http://www.datatilsynet.dk/

 

Estonia

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39
10134 Tallinn
Tel. +372 6828 712
email: info@aki.ee
Website: http://www.aki.ee/

 

Finland

Office of the Data Protection Ombudsman
P.O. Box 800
FI-00531 Helsinki
Tel. +358 29 56 66700
Fax +358  29 56 66735
email: tietosuoja@om.fi
Website: http://www.tietosuoja.fi/en/

 

France

Commission Nationale de l’Informatique et des Libertés – CNIL
3 Place de Fontenoy
TSA 80715 – 75334 Paris, Cedex 07
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
contact: https://www.cnil.fr/en/contact-cnil
Website: http://www.cnil.fr/

 

Germany

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Graurheindorfer Straße 153
53117 Bonn
Tel.: +49 228 997799 0
Fax: +49 228 997799 5550
email: poststelle@bfdi.bund.de
Website: http://www.bfdi.bund.de/

 

Greece

Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600
Fax +30 210 6475 628
email: contact@dpa.gr
Website: http://www.dpa.gr/

 

Hungary

Hungarian National Authority for Data Protection and Freedom of Information

Falk Miksa utca 9-11
H-1055 Budapest
Tel. +36 1 3911 400
email: privacy@naih.hu
Website: http://www.naih.hu/

 

Ireland

Data Protection Commission
21 Fitzwilliam Square
Dublin 2
D02 RD28
Ireland
Tel.  +353 76 110 4800
email: info@dataprotection.ie
Website: http://www.dataprotection.ie/

 

Italy

Garante per la protezione dei dati personali
Piazza Venezia, 11
00187 Roma
Tel. +39 06 69677 1
Fax +39 06 69677 785
email: protocollo@gpdp.it
Website: http://www.garanteprivacy.it/

 

Latvia

Data State Inspectorate
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131
Fax +371 6722 3556
email: info@dvi.gov.lv
Website: http://www.dvi.gov.lv/

 

Lithuania

State Data Protection Inspectorate
L. Sapiegos str. 17
LT-10312 Vilnius
Tel. +370 5 271 2804 / +370 5 279 1445
Fax +370 5 261 9494
email: ada@ada.lt
Website: http://www.ada.lt/

 

Luxembourg

Commission Nationale pour la Protection des Données
15, Boulevard du Jazz
L-4370 Belvaux
Tel. +352 2610 60 1
Fax +352 2610 60 6099
email: info@cnpd.lu
Website: http://www.cnpd.lu/

 

Malta

Office of the Information and Data Protection Commissioner
Second Floor, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Fax +356 2328 7198
email: idpc.info@idpc.org.mt
Website: http://www.idpc.org.mt/

 

Netherlands

Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
Contact: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/informatie-en-meldpunt-privacy
Website: https://autoriteitpersoonsgegevens.nl/nl

 

Poland

Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 531 03 00
Fax +48 22 531 03 01
email: kancelaria@uodo.gov.pl, zwme@uodo.gov.pl
Website: https://uodo.gov.pl/

 

Portugal

Comissão Nacional de Protecção de Dados – CNPD
Av. D. Carlos I, 134, 1º
1200-651 Lisboa
Tel. +351 21 392 84 00
Fax +351 21 397 68 32
email: geral@cnpd.pt
Website: http://www.cnpd.pt/

 

Romania

The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 31 805 9211
Fax +40 31 805 9602
email: anspdcp@dataprotection.ro
Website: http://www.dataprotection.ro/

 

Slovakia

Office for Personal Data Protection of the Slovak Republic
Hraničná 12
820 07 Bratislava 27
Tel.: + 421 2 32 31 32 14
Fax: + 421 2 32 31 32 34
email: statny.dozor@pdp.gov.sk
Website: http://www.dataprotection.gov.sk/

 

Slovenia

Information Commissioner of the Republic of Slovenia
Dunajska 22
1000 Ljubljana
Tel. +386 1 230 9730
Fax +386 1 230 9778
email: gp.ip@ip-rs.si
Website: https://www.ip-rs.si/

 

Spain

Agencia Española de Protección de Datos (AEPD)
C/Jorge Juan, 6
28001 Madrid
Tel. +34 91 266 3517
Fax +34 91 455 5699
email: internacional@aepd.es
Website: https://www.aepd.es/

 

Sweden

Datainspektionen
Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Fax +46 8 652 8652
email: datainspektionen@datainspektionen.se
Website: http://www.datainspektionen.se/

 

Appendix B: EEA Supervisory Authorities

Iceland

Persónuvernd
Rauðarárstígur 10
105 Reykjavík
Tel: +354 510 9600
email: postur@dpa.is
Website: https://www.personuvernd.is or https://www.dpa.is

 

Liechtenstein

Data Protection Authority, Principality of Liechtenstein
Städtle 38
9490 Vaduz
Principality of Liechtenstein
Tel. +423 236 6090
email: info.dss@llv.li
Website: https://www.datenschutzstelle.li

 

Norway

Datatilsynet
Tollbugata 3
0152 Oslo
Tel +47 22 39 69 00
email: postkasse@datatilsynet.no
Website: www.datatilsynet.no

 

Appendix C: GDPR Outside of EU/EEA

Switzerland (Swiss FDAP)

Federal Data Protection and Information Commissioner

Feldeggweg 1

CH - 3003 Bern

Tel +41 058 462 43 95

Website: Data protection (admin.ch)

 

United Kingdom

Wycliffe House

Water Lane, Wilmslow, Cheshire SK9 5AF

Tel +44 1625 545745

Website: https://ico.org.uk/

 

California (CCPA)

State of California, Office of the Attorney General

Attn: Public Inquiry Unit

P.O. Box 944255

Sacramento, CA 94244-2550

Tel (800) 952-5225

Fax (916) 323-5341

Website: https://oag.ca.gov/privacy