
General Data Protection Regulation

Implementation at Labcompliance

Introduction

Thanks for visiting our website. The protection of the personal data of persons visiting our websites, subscribing to our newsletters or purchasing products and services is very important to us. Our goal is to provide attractive products and services through our website while maintaining the personal rights of our website visitors. The legal basis of our data processing approach is the EU General Data Protection Regulation (EU GDPR) of 2016, to be fully implemented by May 2018, at which point it became immediately enforceable as law in all member states.
This document provides an overview of how Labcompliance complies with the requirements of the General Data Protection Regulation.
Definitions of the terms used in this document can be found at the end.


Reason for acquisition and use of personal data

We acquire and process personal data in order to offer and deliver suitable products and services to our clients.

Acquisition sources

We acquire personal data through our online newsletter and the contact forms on our website. The online newsletter is sent regularly. It includes information on our services and products, as well as information on new regulations and guidelines from the US Food and Drug Administration and equivalent international healthcare administrations. Contact forms include order forms, forms to request information on products and services, and the form to subscribe to our online newsletter.

Examples of Personal Data

For newsletter subscription: the person's e-mail address, first name, last name, company name, job title and country. The newsletter is only received by the data subject if the data subject has a valid e-mail address and registers for the newsletter distribution.
For product orders we require the title, e-mail address, first name, last name, company, department, address, city, state (if applicable), zip code and phone number.
For technical questions we acquire the requester's e-mail address, title, first and last name, company, department and country.

Information for data subjects

Data subjects are informed how their personal data are handled, processed and used. In addition, they are informed that by requesting the newsletter or other information they agree that their personal data are stored. They are also informed that they can withdraw the permission to collect information in an easy way. For example, each newsletter includes a link at the end where subscribers can unsubscribe; within 5 business days the personal data related to the newsletter subscription are deleted. Data subjects can request information about the type of personal data stored about them at any time.

Handling and processing of data

Because of the nature of the data there is no need for sophisticated data processing. Data processing typically includes any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, use, disclosure by transmission, restriction, erasure or destruction. Our main operation is copying or transferring personal data into a computerized database.

Duration of data storage

Personal data are stored for as long as they are needed to fulfill the requests of the data subjects. For newsletter subscribers this means until termination of the newsletter subscription, whether initiated by the subscriber or by Labcompliance.

Short term storage of other data

Other data such as the IP address, the browser, date and time of the server request, time zone difference to Greenwich Mean Time (GMT), operating system, access status / HTTP status code, data volume transmitted, the website from which the request comes, and the language and version of the browser software may also be collected.
We understand that such information is collected and can be used for statistical purposes. However, as we don't need this information to fulfill the requests of our website users, we don't actively collect and evaluate it. These data are stored in log files to guarantee the website's functionality. In addition, we use the data to optimize our website and to ensure the security of our information technology systems. Information in the log files is stored for security reasons (e.g. to investigate misuse or fraudulent activity) for a maximum of seven days and is then deleted. Data that must be retained as evidence is not deleted until the incident has been definitively clarified.
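The retention rule stated above (log data kept for at most seven days, except lines that are evidence in an open incident) can be enforced mechanically. The following is an added illustration written for this page, not Labcompliance's own tooling; the log-line format, the sample lines, the fixed "current time" and the choice to model a legal hold as a set of client IP addresses under investigation are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Retention period stated in the policy: log data is kept for at most
# seven days unless it is evidence in an incident that is still open.
RETENTION = timedelta(days=7)

# Constructed sample access-log lines (hypothetical format, not real logs):
# timestamp, client IP, method, path, HTTP status, bytes sent.
SAMPLE_LOG = """\
2024-03-01T08:15:02+00:00 203.0.113.10 GET /newsletter 200 1532
2024-03-03T12:44:19+00:00 198.51.100.7 POST /order 403 210
2024-03-09T09:01:55+00:00 192.0.2.44 GET /index.html 200 4821
2024-03-10T22:30:00+00:00 198.51.100.7 POST /order 500 0
"""

# Constructed "current time" so the example is reproducible.
NOW = datetime(2024, 3, 11, tzinfo=timezone.utc)


def parse_line(line):
    """Split one log line into its fields; the timestamp becomes a datetime."""
    ts, ip, method, path, status, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "bytes": int(nbytes),
    }


def apply_retention(lines, now=NOW, legal_hold_ips=frozenset(), retention=RETENTION):
    """Return (kept, purged) log lines.

    A line is purged when it is older than the retention period AND its client
    IP is not on legal hold. legal_hold_ips models "data that must be retained
    as evidence": the set is emptied once the incident is clarified, after
    which the next run purges those lines as well.
    """
    cutoff = now - retention
    kept, purged = [], []
    for line in lines:
        entry = parse_line(line)
        expired = entry["ts"] < cutoff
        on_hold = entry["ip"] in legal_hold_ips
        if expired and not on_hold:
            purged.append(line)
        else:
            kept.append(line)
    return kept, purged


def retention_report(legal_hold_ips=frozenset()):
    """Counts of (kept, purged) lines for the constructed sample."""
    kept, purged = apply_retention(SAMPLE_LOG.splitlines(), legal_hold_ips=legal_hold_ips)
    return len(kept), len(purged)


if __name__ == "__main__":
    # No open incident: both lines older than 2024-03-04 are purged.
    print(retention_report())                             # (2, 2)
    # Incident under investigation for 198.51.100.7: its old line is retained.
    print(retention_report(frozenset({"198.51.100.7"})))  # (3, 1)
```

In practice the purge step would rewrite the log file with only the kept lines, and the hold set would be maintained in the incident record so that releasing the hold and purging the evidence are one auditable action.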

Handling credit card information when used for payment of products

Even though we allow our customers to pay by credit card, and credit card numbers are personal data, we don't acquire or process credit card data ourselves; this is handled by a professional credit card processing company. We work with Concardis, Eschborn, Germany, represented by its managing directors Mark Freese, Jens Mahlke and Luca Zanotti (as of August 2018). In this context, information on the type and amount of payment as well as the customer's e-mail address, full name and address are transferred to and collected by Labcompliance, whereas card information such as credit card numbers is transferred directly to the above company together with the purchase amount.
For the purpose of settling credit card transactions, Concardis GmbH acts as a controller as defined in Art. 4 no. 7 GDPR.
https://www.concardis.com/de-en/protecting-your-data

Sharing personal data with other companies?

Personal data may be shared with other companies, but only if there is a need to fulfill requests of our website visitors. For example, we use the infrastructure and the application of a 3rd party to distribute our newsletters. Privacy of such data is covered through a related service agreement. We do not share personal data for marketing purposes.

Awareness in the company that data protection is management responsibility

Our employees are aware that company management is responsible for data protection. For example, management has identified a responsible person for data protection and has defined the scope, objectives and goals of the data protection program.

Appointment of a data protection officer

As our organization has fewer than nine employees dealing with the General Data Protection Regulation, we don't have and don't need such a person. We have identified a person who manages all aspects of the data protection program; this person is also the contact for the competent supervisory authority according to Art. 37 paragraph 7 GDPR.

Working with 3rd parties

For specific services we involve 3rd parties (processors). Examples are Centron for distribution of our newsletter and Concardis for accepting payments through credit cards. All selected 3rd parties must provide sufficient guarantees to implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of the General Data Protection Regulation and ensure the protection of the rights of the data subject.

Handling requests for access to the personal data by the data subject

We have established a procedure in order to promptly and completely satisfy data subject requests for access to their personal data according to Art. 15 GDPR.

Data protection management system

We plan to install a data protection management system in order to ensure, and be able to prove, that our processing is in compliance with the GDPR (Art. 24 para. 1 GDPR).

Adaptation of the existing security review processes to the new requirements of Art. 32 GDPR?

We have adapted our existing security review processes to the new requirements of Art. 32 GDPR.

Communication of a personal data breach to the data subject

We have a procedure to communicate a personal data breach to the data subject when the personal data breach is likely to adversely affect the protection of the personal data or the privacy of the data subject. The procedure requires that the controller will, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

Definitions (Derived from chapter four of the General Data Protection Regulation GDPR)

(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
(2) 'personal data' means any information relating to a data subject;
(3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction;
(4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
(5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
(6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
(7) 'recipient' means a natural or legal person, public authority, agency or any other body to which the personal data are disclosed;
(8) 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
(9) 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
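Definition (9) is the one entry in this list that names a concrete technique, so an added worked example follows. It is written for this page and is not Labcompliance's own code; the field names, the fictitious subscriber records and the use of a keyed HMAC-SHA256 over the e-mail address are constructed assumptions. It shows the two parts the definition separates: the pseudonymised dataset that can be worked with, and the "additional information" (the key and the re-identification table) that must be kept apart from it.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify the data subject; they are removed from the
# working dataset and replaced by a single pseudonym.
DIRECT_IDENTIFIERS = ("email", "first_name", "last_name")

# Constructed sample subscriber records (fictitious people and addresses),
# using the field set the newsletter subscription form above collects.
SAMPLE_RECORDS = [
    {"email": "Ann.Example@example.com", "first_name": "Ann", "last_name": "Example",
     "company": "Example Labs", "job_title": "QA Manager", "country": "DE"},
    {"email": "bob@example.org", "first_name": "Bob", "last_name": "Sample",
     "company": "Sample GmbH", "job_title": "Analyst", "country": "AT"},
]


def pseudonym_for(email, key):
    """Keyed HMAC-SHA256 of the normalised e-mail address.

    A keyed function is used instead of a plain hash because e-mail addresses
    are guessable: with an unkeyed SHA-256 anyone holding the dataset could
    recompute the pseudonym of a known address and re-identify the row.
    Without the key the pseudonym reveals nothing about the address, while the
    same address always maps to the same pseudonym, so records can still be
    linked inside the dataset.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (pseudonymised dataset, re-identification table).

    The table maps pseudonym -> original identifiers. Together with the key it
    is the "additional information" of definition (9) and must be stored
    separately from the dataset, under its own access controls.
    """
    dataset, lookup = [], {}
    for record in records:
        pid = pseudonym_for(record["email"], key)
        lookup[pid] = {f: record[f] for f in DIRECT_IDENTIFIERS if f in record}
        reduced = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        reduced["pseudonym"] = pid
        dataset.append(reduced)
    return dataset, lookup


def reidentify(row, lookup):
    """Recover the identifiers for one pseudonymised row.

    Only possible for whoever holds the separately stored table.
    """
    return lookup[row["pseudonym"]]


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated and stored apart from the dataset
    dataset, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print(dataset[0])               # company, job title, country and pseudonym only
    print(reidentify(dataset[0], lookup))
```

Deleting the key and the lookup table turns the pseudonymised dataset into data that can no longer be attributed to a person, which is one way to meet the deletion commitments made earlier in this document while keeping aggregate statistics.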