Medi-stats’s Commitment to the Protection of Personal Information
Introduction
Medi-stats respects the privacy rights of individuals and is committed to handling Personal Information responsibly, in accordance with applicable law, applicable contractual obligations, and Medi-stats’s Commitment to the Protection of Personal Information (the Commitment), described below. The Commitment sets out Medi-stats’s principles for the processing of Personal Information by and on behalf of Medi-stats.
The Commitment establishes a legal basis for cross-border transfers of Personal Information within the Medi-stats Group (all wholly or majority-owned divisions of Medi-stats Company and its subsidiaries), including where Medi-stats Group members adhere to relevant parts of the Commitment as data processors. Additionally, Medi-stats may carry out cross-border transfers of Personal Information to third parties outside the Medi-stats Group in accordance with applicable law. Medi-stats will handle Personal Information in accordance with the Commitment where applicable, unless in conflict with stricter requirements of local law, in which case local law will prevail.
Scope
The Commitment is designed to ensure that Personal Information will be protected regardless of geography or technology, when used within the Medi-stats Group, and applies to Medi-stats’s processing of Medi-stats Personal Information and Medi-stats Customer Personal Information.
Processing Personal Information
Medi-stats observes the following principles when processing Personal Information:
Fairness: Medi-stats will process Personal Information fairly and lawfully.
Purpose: Medi-stats will limit the processing of Personal Information to the fulfilment of Medi-stats’s specific, legitimate purposes. Medi-stats will only carry out processing that is compatible with such purposes unless Medi-stats, or its Customer where Medi-stats is a processor, has unambiguous consent for unrelated purposes.
In general, Medi-stats will process Personal Information:
where Medi-stats has a legitimate interest that, on balance, justifies the processing;
where necessary for the maintenance or the performance of a legal relationship between Medi-stats and the individual;
where necessary for complying with an obligation imposed on Medi-stats by applicable law, regulation, or governmental authority;
where there are exceptional situations that threaten the life, health or security of the individual or of another person;
after obtaining the individual’s freely given, explicit and informed consent where required by applicable law;
where the processing is in connection with a Customer service agreement.
Where consent has been obtained directly by Medi-stats, Medi-stats will provide a process to allow individuals to withdraw their consent to the extent required under applicable law, at any time and without charge.
Proportionality: Medi-stats will limit the processing of Personal Information to that which is adequate, relevant and not excessive in relation to the purposes for which Medi-stats collects and uses it.
Information Quality: Medi-stats will take reasonable steps to, and where Medi-stats is a processor provide Customers with a means to, ensure that Personal Information is accurate and kept up to date, to keep Personal Information only for as long as necessary for the purposes for which it is collected and used, and to delete or to render it anonymous after such retention requirements have been met.
Transparency: Where required by applicable law, Medi-stats will make available to individuals at the point of collection, or within a reasonable period of collection, information about Medi-stats’s identity; the purposes and legal basis of processing their Personal Information; intended recipients and cross-border data transfers; source(s) of Personal Information; how individuals may exercise their rights regarding Personal Information; contact details for the Data Protection Officer where applicable; and additional explanations as needed to ensure fair processing. Where Medi-stats collects Personal Information through the Internet or other electronic means, Medi-stats will post an easily accessible privacy notice that meets these transparency requirements.
Confidentiality: Medi-stats will maintain the confidentiality of Personal Information it processes, except where disclosure is required by an applicable operational or legal requirement. This obligation will continue even after the relationship with the individual, or Customer where Medi-stats is a processor, has ended.
Security: Medi-stats strives to protect Personal Information with appropriate technical and organizational measures to ensure its integrity, confidentiality, security and availability. Medi-stats will inform individuals of a security breach affecting their Medi-stats Personal Information that could pose a high risk to their individual rights and freedoms. In accordance with applicable law, Medi-stats will provide reasonable assistance to Customers, where Medi-stats is a processor, to ensure the security of their processing and will inform Medi-stats Customers of a security breach of Medi-stats Customer Personal Information as required under such laws.
Sharing and/or Transferring Personal Information
Medi-stats may share or transfer Personal Information in the following circumstances:
Personal Information may be shared within the Medi-stats Group for the purposes specified above, provided the Medi-stats Group entity processing Personal Information adheres to this Commitment.
Medi-stats may provide Personal Information to selected suppliers or service providers hired to perform certain processing or other services on its behalf. Medi-stats will strive to ensure that new supplier engagements provide for processing of Personal Information in a manner consistent with this Commitment and applicable law by means of a legal relationship established through a contract or other legally permissible means. Under such contracts, suppliers must implement adequate security measures and may only process Personal Information in accordance with Medi-stats’s instructions.
Medi-stats may disclose certain Personal Information to other third parties where required by law, to protect Medi-stats’s legal rights, or in connection with any Medi-stats merger or acquisition activity or the insolvency or re-organization of any part of Medi-stats.
Processing of Sensitive Personal Information
Where Medi-stats processes and/or transfers Sensitive Personal Information, Medi-stats will inform the individual of the processing and/or transfer and obtain explicit consent for such processing and/or transfer when Medi-stats is required to do so by applicable law. Appropriate security measures will be provided depending upon the nature of this information and the risks associated with its intended uses.
Accountability
Medi-stats is accountable for fulfilling the requirements set out in the Commitment and under applicable law. In particular, Medi-stats will:
take the necessary measures to observe the requirements of the Commitment and applicable law; and
have the necessary internal mechanisms in place to demonstrate such observance, including maintaining a record of its processing activities in accordance with applicable law.
Privacy Program
Medi-stats employs privacy practices designed to support its compliance with the Commitment and applicable law, including the appointment of a network of privacy leaders, education and awareness programs, incident response protocols, privacy impact assessments, audit routines and a Privacy by Design approach to process and system development.
Individual Rights
In accordance with applicable law, an individual who has satisfactorily established his or her identity to Medi-stats may exercise the following rights in relation to Personal Information Medi-stats has collected directly from him or her; where Medi-stats is a processor, Medi-stats will assist the Customer in meeting its privacy obligations toward individuals:
Access: Where required by applicable law, Medi-stats will provide an individual with Personal Information about him or her that Medi-stats holds, including information concerning the source of the Personal Information, the purposes of any processing by Medi-stats and the recipients, or categories of recipients, to whom such Personal Information is disclosed.
Correction and Deletion: Valid requests for correction or deletion of Personal Information which is incomplete, inaccurate or excessive will be respected, and confirmed as such, except that deletion will not be performed where retention is required by the contractual relationship between Medi-stats and the individual, in the context of a legal dispute or other legal retention requirement, or as otherwise required by applicable law.
Objection: Medi-stats will cease processing Personal Information where an individual’s objection is justified under applicable law, for example where the individual’s life or health is at risk due to the processing. An individual also has the right to object to decisions based solely on automated processing of Personal Information that produce legal effects which significantly affect the individual involved, except where the individual requested the processing, or when necessary for the legal relationship between Medi-stats and the individual. In the latter case, the individual may give his or her views on the automated decision. An individual has the right to object to processing of Personal Information by Medi-stats for marketing purposes where allowed by applicable law. The exercise of this right to object may be superseded where Medi-stats can demonstrate that its compelling legitimate interest in continuing the processing overrides the interests or fundamental rights and freedoms of the individual.
Restriction: An individual also has the right to request the restriction of any processing of his or her Medi-stats Personal Information by Medi-stats, to the extent such right is provided for under applicable law, for example where the accuracy of the Medi-stats Personal Information is contested. Medi-stats will cease processing such information where the restriction is justified, with the exception of storage and other permitted continued processing under applicable law.
Complaints: Any individual who claims to have suffered damage as a result of non-compliance by a Medi-stats Group entity with the Commitment may file a complaint with the applicable Medi-stats Group Privacy Leader or Compliance Officer, or with Medi-stats’s Complaint Handling Processes available on Medi-stats’s websites if other channels are unavailable or exhausted:
Internal concern reporting: compliance@medi-stats.com
External concern reporting: privacy@medi-stats.com
If Medi-stats considers the complaint to be justified, it will take reasonable steps to resolve the complaint to the reasonable satisfaction of the individual. Medi-stats endeavours to respond to complaints within thirty days of receipt.
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
Visit the Information Commissioner’s Office (ICO) website for further details (https://ico.org.uk/).
The Information Commissioner’s Office regulates data protection.
You can contact them by calling 0303 123 1113 or by visiting the website directly.
Enforcement: An individual who has suffered damage as a result of a breach of the Commitment may be entitled to receive compensation for such damages in accordance with applicable law and as provided in the Commitment. An individual who is entitled to receive compensation may enforce his or her rights as provided in the Commitment by direct recourse to the courts or other judicial authority in accordance with applicable law.
Cooperation with Supervisory Authorities
Medi-stats will cooperate with any competent national or regional supervisory authority responsible for supervising applicable privacy law that has good cause to question any processing of Personal Information by Medi-stats and will comply with such competent supervisory authority’s decisions on any issue related to the Commitment.
Changes to the Commitment
Medi-stats reserves the right to modify the Commitment. Any material changes will be submitted to Medi-stats’s lead Data Protection Authority and/or its trustmark agent, where appropriate, and will be notified on Medi-stats’s website.
Definitions
Personal Information is any information relating to an identified or identifiable natural person.
Medi-stats Personal Information is any Personal Information that is obtained in the context of an individual’s relationship with Medi-stats and which Medi-stats processes for its own purposes. Such Medi-stats Personal Information may include, for example, employment data obtained in the context of an employment relationship with Medi-stats, customer data obtained in the context of a customer relationship with Medi-stats and supplier data obtained from Medi-stats’s suppliers.
Medi-stats Customer Personal Information is any Personal Information that is obtained in the context of the provision of services by Medi-stats to a Customer under a service agreement and which Medi-stats processes on behalf of the Customer.
Customer is a person or entity that enters into a service agreement with Medi-stats.
Sensitive Personal Information, a special category of Personal Information, is information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation.