This document is an integral part of the normative body for the protection of personal data of the Health Market Research international companies (hereinafter HMR), considering the General Data Protection Regulation (2016/679), henceforth GDPR.
Whenever this document is updated, a new version will be available immediately after its approval.
Compliance with this regulation shall be monitored by measuring control indicators and/or audits (internal or external) at regular intervals or when significant changes occur.
Scope and Objective
HMR is committed to complying with best practices in the field of security and protection of personal data. For this purpose, HMR has approved a program capable of protecting the data that is provided to us by all those who are related to HMR in any way.
- All organisation employees; and
- Data Protection Officer and Chief Security Officer as the persons responsible for reporting non-compliance with privacy and data protection matters.
Personal Data
Any information relating to an identified or identifiable individual; an identifiable person is one who can be identified, directly or indirectly, by reference to an identification number (e.g. social security number) or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity (e.g. name, date of birth, biometric data, fingerprints, DNA, etc.).
Special categories of personal data
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; the processing of genetic data and biometric data for the purpose of uniquely identifying an individual person; data concerning health; and data concerning an individual person’s sex life or sexual orientation.
Processing
Any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller
Individual or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Personal Data Breach
Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processor
Individual or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Third Party
Individual or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Supervisory Authority
Independent public authority which is established by a Member State.
Personal data collection, access, recording, organisation, storage, use, sharing and consultation activities fall within the scope of HMR employees’ functions. Additionally, other activities that, under the terms of the GDPR, are called “processing of personal data” may also occur.
The personal data collected concerns not only employees but also suppliers, candidates and customers.
When collecting personal data, companies belonging to the HMR Group provide data subjects with detailed information on the nature of the data collected, the purpose and the processing to be carried out in relation to such personal data, as well as on the right of access to personal data.
HMR commits to subcontract only entities that provide sufficient guarantees that they implement the appropriate technical and organisational measures to ensure the protection of the data subject’s rights. All subcontracted entities are bound by a written agreement which governs the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the rights and obligations of the Parties.
These subcontracted entities may not transmit the data concerning the data subjects to other entities without prior written authorisation from HMR and are also prevented from engaging other entities for this purpose without permission.
When collecting personal data, HMR will provide data subjects with information on the categories of subcontracted entities that may, in that specific case, process data on behalf of HMR.
HMR may collect personal data directly (i.e. directly from the data subjects) or indirectly (i.e. through partner entities or third parties). This collection may be performed through the following channels:
- Direct: in person, by phone, by e-mail or via the internet; and
- Indirect: through partners, external and/or Group companies or official entities.
In terms of general principles regarding personal data processing, HMR is committed to ensuring that personal data are:
- Subject to lawful, fair and transparent processing in relation to the data subject;
- Collected for specified, explicit and legitimate purposes and not subsequently processed in a manner incompatible with those purposes;
- Appropriate, relevant and limited to what is necessary concerning the purposes for which they are processed;
- Accurate and up to date, making sure all appropriate measures are being taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which allows the data subject to be identified only for the period necessary for the purposes for which the data are processed; and
- Processed in a manner that ensures their security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by taking the appropriate technical or organisational measures.
Data processing performed by HMR is lawful when at least one of the following situations applies:
- The data subject has given explicit consent to the processing of their personal data for one or more specific purposes;
- The processing is necessary for the performance of a contract to which the data subject is a party or for pre-contractual arrangements at the request of the data subject;
- The processing is necessary to fulfil a legal obligation to which HMR is subject;
- The processing is necessary to protect the vital interests of the data subject or of another individual; and
- The processing is necessary for the legitimate interests pursued by HMR or by third parties (unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail).
HMR undertakes to ensure that the personal data of the data subject are only processed in the above-listed conditions and with respect for the principles mentioned above.
When personal data are processed by HMR based on the data subject’s consent, the data subject has the right to withdraw their consent at any time. The withdrawal of consent, however, does not compromise the lawfulness of the processing performed by HMR based on the data subject’s prior consent.
The retention period, during which the data are stored and maintained, varies with the purpose for which the information is processed.
In some cases there are legal requirements that oblige HMR to retain the data for a minimum period of time. Where there is no specific legal requirement, the data will be stored and kept only for the minimum period necessary for the purposes that led to their collection or subsequent processing, after which they will be deleted.
In general terms, HMR uses the personal data of the data subject for various purposes, namely billing and collection, marketing purposes and human resources management, as well as employee recruitment, among others.
The personal data collected by HMR are not shared with third parties without the explicit consent of the data subject, except for the situations mentioned in the following paragraph. In case the data subject contracts services from HMR that are provided by other entities responsible for the processing of personal data, these data may be consulted or accessed by those entities to the extent necessary for the provision of such services.
Under the applicable legal terms, HMR may transmit or communicate the personal data of the data subject to other entities in cases where such transmission or communication is necessary for the execution of the contract established between the data subject and HMR, for pre-contractual arrangements at the request of the data subject, for the fulfilment of a legal obligation to which HMR is subject or in case it is necessary for pursuing the legitimate interests of HMR or a third party.
To guarantee the appropriate security and maximum confidentiality of the personal data of the data subject, HMR processes the personal information in a strictly confidential way, in accordance with its internal security and confidentiality policies and procedures, which are updated periodically as needed and in line with the legally established terms and conditions.
Depending on the nature, scope, context and purpose of the data processing, as well as the risks to the data subject’s rights and freedoms that arise from this processing, HMR commits to apply all the technical and organisational measures necessary and adequate for data protection and compliance with legal requirements.
HMR is also committed to ensuring that only data that are necessary for each specific processing purpose are processed and that such data are not made available to an indeterminate number of people.
HMR adopts the following general measures:
- Regular audits to assess the effectiveness of the technical and organisational measures implemented;
- Awareness-raising and training of personnel involved in data processing operations;
- Pseudonymisation and encryption of personal data, when and where justified;
- Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems;
- Mechanisms to ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident.
Personal data collected and used by HMR are not made available to third parties established outside the European Union. Should such a transfer take place in the future, HMR undertakes to ensure that the transfer complies with the applicable legal provisions, in particular regarding the determination of the adequacy of the destination country in terms of data protection and the requirements applicable to such transfers.
Information provided by HMR to the data subject (when data are collected directly from the data subject):
- The identity and contact details of HMR, as well as of the person responsible for the data processing and, if applicable, of its representative;
- The contact details of the Data Protection Officer;
- The purpose of the processing for which the personal data are intended and, where applicable, the legal basis for this processing;
- If the personal data processing is based on HMR’s legitimate interests or a third party’s legitimate interests, an indication of such interests;
- Where applicable, the recipients or categories of recipients of personal data;
- Where applicable, an indication that personal data will be transferred to a third country or an international organisation, and whether or not there is an adequacy decision adopted by the Commission, or a reference to appropriate transfer safeguards;
- The time limit for the retention of personal data or the criteria used to define the same;
- The existence of the right to ask HMR for access to personal data, as well as its rectification, erasure or limitation, the right to object to the processing activities and the right to portability;
- Where the data processing is based on the data subject’s consent, the right to withdraw consent at any time without compromising the lawfulness of the processing carried out based on the consent previously provided;
- The right to lodge a complaint with the supervisory authority;
- An indication of whether or not the communication of personal data constitutes a legal or contractual obligation or a requirement to conclude a contract, and whether the data subject is obliged to provide the personal data and the possible consequences of not providing such data;
- Where applicable, the existence of automated decisions, including profiling, and information on the underlying logic, as well as the importance and expected consequences of such processing for the data subject;
- In the event that the personal data is not collected directly by HMR from the data subject, in addition to the information referred to above, the data subject is also informed about the personal data categories that are under processing, as well as the origin of the data and if these are normally accessible to the public;
- If HMR intends to process the personal data of the data subject for a purpose other than that for which the data were initially collected, HMR shall provide the data subject, before such further processing, with all the information on that other purpose and any additional relevant information as described in the above terms.
Procedures and measures implemented to fulfil the right to information:
The above-mentioned information is provided in writing (including by electronic means) by HMR to the data subject before the processing of their personal data. Under applicable law, HMR is not required to provide the data subject with this information when and to the extent that the data subject already has it.
The information is provided by HMR for free.
HMR guarantees the means of access by the data subject to their personal data.
The data subject has the right to obtain confirmation from HMR that the personal data concerning them are processed and, if applicable, the right to access their personal data and the following information:
- The purposes for processing the data;
- The personal data categories in question;
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular, the recipients established in third countries or belonging to international organisations;
- If possible, the retention period for personal data;
- The existence of the right to request HMR to rectify, erase or limit the processing of personal data, or the right to object to such processing;
- The right to lodge a complaint with the supervisory authority;
- If the data has not been collected from the data subject, the available information on the origin of the data;
- The existence of automated decisions, including profiling, and information on the underlying logic, as well as the importance and expected consequences of such processing for the data subject;
- The right to be informed of the appropriate safeguards attached to the transfer of data to third countries outside the EU or to international organisations.
Upon request, HMR will provide a copy of the data that is being processed to the data subject, free of charge. The supply of other copies requested by the data subject may entail administrative costs.
The data subject has the right to request, at any time, the rectification of their personal data and also the right to have incomplete personal data completed, including using an additional declaration.
When the data are rectified, HMR will inform each recipient to whom the data have been disclosed of the respective correction, unless such communication proves impossible or involves a disproportionate effort for HMR.
The data subject has the right to obtain from HMR the erasure of their data when one of the following reasons applies:
- The information concerning the data subject is no longer required for the purpose for which it was collected or processed;
- The data subject withdraws the consent on which the data processing is based, and there is no other legal basis for such processing;
- The data subject opposes processing under the right of opposition, and there are no other prevailing legitimate interests that justify the processing activities;
- When the data concerning the data subject are processed unlawfully;
- In case the data concerning the data subject has to be erased to fulfil a legal obligation to which HMR is subject.
Under the applicable legal terms, HMR is not required to erase the data concerning the data subject to the extent that the processing activities prove necessary to fulfil a legal obligation to which HMR is subject, or for the purposes of declaring, exercising or defending a right in legal proceedings.
In case the data concerning the data subject are deleted, HMR shall notify each recipient/entity to whom the data have been transmitted of the deletion, unless such communication proves impossible or entails a disproportionate effort for HMR.
If HMR has made the data concerning the data subject publicly available and is obliged to delete them under the right to erasure, HMR undertakes to take reasonable measures, including technical measures, taking into account available technology and the cost of implementation, to inform other controllers processing those personal data that the data subject has asked them to erase any links to, and any copies or replications of, those personal data.
The data subject has the right to restrict the processing of their data by HMR if one of the following situations applies (the restriction may consist of marking the stored personal data so as to limit their processing in the future):
- If the data subject contests the accuracy of the personal data, for a period that allows HMR to verify their accuracy;
- If the processing is unlawful and the data subject opposes the erasure of the data, requesting, however, the limitation of its use;
- If HMR no longer requires the data concerning the data subject for processing purposes, but such data is required by the data subject for the purposes of declaration, exercise or defence of a right in a legal proceeding; and
- If the data subject has objected to processing pending the verification whether the legitimate reasons of HMR prevail over those of the data subject.
When the data concerning the data subject are subject to limitation, they may, with the exception of storage, only be processed with the data subject’s consent or for the purposes of declaring, exercising or defending a right in judicial proceedings, defending the rights of another natural or legal person, or for reasons of public interest.
The data subject that has obtained the limitation of processing of their personal data, as mentioned in the above cases, will be informed by HMR before the processing limitation is annulled.
In the event of the limitation of data processing, HMR shall communicate to each recipient to whom the data has been transmitted the respective limitation unless such communication proves impossible or involves a disproportionate effort for HMR.
The data subject has the right to receive the personal data concerning them and which they have provided to HMR in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, if:
- The processing is based on consent or on a contract to which the data subject is a party; and
- The processing is carried out by automated means.
The right to portability does not include inferred data or derived data, i.e. personal data that is generated by HMR as a consequence or result of the analysis of the data being processed.
The data subject has the right to have the personal data transmitted directly between controllers, whenever this is technically possible.
The data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on the exercise of legitimate interests pursued by HMR or when processing is carried out for purposes other than those for which the personal data have been collected, including profiling, or where personal data are processed for statistical purposes.
HMR shall cease the processing of the data concerning the data subject unless HMR demonstrates compelling and legitimate reasons for such processing that prevail over the interests, rights and freedoms of the data subject or to declare, exercise or defend HMR’s rights in a judicial proceeding.
When the data concerning the data subject are processed for direct marketing purposes (marketing), the data subject has the right to object to processing of data that concern them for such marketing purposes at any time, including profiling insofar as it relates to direct marketing. Where the data subject opposes the processing of their data for direct marketing purposes, the data will no longer be processed by HMR for such purpose.
The data subject also has the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the decision:
- Is necessary for entering into or performing a contract between the data subject and HMR;
- Is authorised by the legislation to which HMR is subject; or
- Is based on the data subject’s explicit consent.
The right of access, right of rectification, right of erasure, right of limitation, right of portability and right to object can be exercised by the data subject by contacting the HMR Data Protection Officer or Chief Security Officer, as well as the representative of the unit responsible for the processing in question, through the following email: firstname.lastname@example.org.
HMR will respond in writing (including by electronic means) to the data subject’s request within a maximum of one month from receipt of the request, except in cases of special complexity, where this period can be extended to two months.
If the requests made by the data subject are manifestly unfounded or excessive, in particular, because of their repetitive character, HMR reserves the right to charge administrative costs or refuse to comply with the request.
In the event of a data breach and to the extent that such breach is liable to entail a high risk to the rights and freedoms of the data subject, HMR commits to notify the personal data breach to the data subject concerned, without undue delay.
Under legal terms, notification of the data subject is not required in the following cases:
- If HMR has implemented appropriate technical and organisational protection measures and these measures have been applied to personal data affected by the personal data breach, in particular measures that make the personal data incomprehensible to any person who is not authorised to access such data, such as encryption;
- If HMR has taken subsequent action to ensure that the high risk to the data subject’s rights and freedoms is no longer likely to materialise; or
- If the communication to the data subject would involve a disproportionate effort for HMR. In this case, HMR will make a public communication or take a similar measure through which the data subject is informed in an equally effective manner.