CARE, as Data Controller, processes personal data, including sensitive and health data. CARE therefore gives the utmost importance to the compliance with privacy laws and requirements.
1. Introduction, context and scope
CARE is committed to maintaining the privacy of personal data obtained or used in the course of its business activities and complying with applicable laws and regulations regarding the processing of Personal and Sensitive Personal Data.
This policy aims at ensuring that Personal Data is managed in accordance with:
- The General Data Protection Regulation (“GDPR”);
- The Belgian statutes applicable to processing activities (including the Statute of 31st July 2018);
- The general instructions and advice of the Belgian Data Protection Authority.
This policy has been defined by CARE’s DPO and has been validated and adopted by CARE’s management. CARE’s DPO shall ensure that this policy is kept up to date and shared with the relevant stakeholders within CARE and with third parties.
CARE’s activities involve the processing of Personal Data. As part of these activities, CARE is required to process Personal Data and is compelled to do so in accordance with applicable data protection laws and regulations. For this purpose, CARE has implemented different policies and procedures in order to manage and secure Personal Data and to protect the rights of the Data Subject.
This policy summarizes all of the documents and principles set up to ensure compliance with data protection laws and regulations within CARE.
Hence, this document describes:
- The data protection principles that CARE undertakes to comply with;
- The data privacy governance set up within CARE;
- The documents defined to ensure compliance with the data protection laws and regulations;
- The notification requirement in case of breach of Personal Data.
1.2. Application scope
This policy applies to each of CARE’s activities in which CARE collects, stores or uses personal or sensitive data.
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Thus Personal Data can:
- Concern customers, users of CARE’s applications and solutions, physicians, third parties, employees (internal or external) or contractors;
- Be structured or unstructured;
- Be in physical or digital form.
Personal Data is processed notably when CARE makes the application available to users and physicians, and when it collects Personal Data for conducting scientific research or statistical analyses.
2. Personal Data Principles
In accordance with the GDPR, CARE is required to apply data protection principles throughout the lifecycle of the Personal Data, including the collection, processing, storage, transfer and deletion.
Personal Data must be:
- processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed;
- accurate, and where necessary kept up to date;
- kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed;
- processed in a manner that ensures appropriate security of Personal Data.
3. Data Governance Model
CARE has set up a data governance operating model in order to correctly process and manage the Personal Data. This governance includes the identification of the key actors and responsibilities regarding the privacy of data.
3.1. Key actors:
- CARE’s DPO
- Security Officer
3.2 Roles and responsibilities of main actors
i. CARE’s DPO
CARE’s DPO is in charge of privacy matters. His tasks and responsibilities have been defined in the Mission Letter dated 15th of March 2019.
i.a. CARE’s DPO:
- Is the key contact for the Data Subject’s issues, including the exercise of the Data Subject’s rights, at central level;
- Monitors compliance with the GDPR;
- Provides guidance and support on specific items for CARE’s activities;
- Develops global procedures, guidelines and templates for CARE’s activities;
- Raises awareness and trains most exposed staff involved in data processing operations, at central level;
- Supports and controls a general data protection register (which has to be created by each Data Controller, containing all data processing applications in use and current information about purpose);
- Acts as the point of contact for the Belgian Data Protection Authority.
ii. Nature of interventions of CARE’s DPO:
The DPO is involved in several data privacy matters. The nature of his/her intervention may vary depending on the topic:
- Be involved in projects deployed locally that involve personal data processing;
- Provide sign-off on projects including Data Privacy to ensure that each project or process is compliant with the Policy and applicable local requirements;
- Conduct and advise on Data Protection Impact Assessments (DPIA);
- Ensure, with the support of the CARE Group DPO, execution of a privacy control plan, so as to verify on a regular basis that data processing applications and processes are compliant with local Data Privacy legislation;
- Maintain a register of the local data processing;
- Ensure appropriate collection of personal data destruction certificates.
iii. CARE’s Security Officer
CARE’s Security Officer is appointed by CARE’s management. He is accountable for GDPR implementation and for checking that data privacy controls are in place with Data Owners. CARE’s Security Officer acts as a first line of defence: he coordinates, designs, implements and checks controls. CARE’s Security Officer is the leader of the data transformation and the single point of contact for all data initiatives.
In particular, CARE’s Security Officer is responsible for:
- Promoting and implementing security measures (organisational or technical measures);
- Promoting and implementing general data management principles (including assessments) and documenting related procedures.
Work led by CARE’s Security Officer and by the DPO is complementary, so that data management issues are fully addressed. Synergies between the two roles have to be created to conduct an efficient data approach.
iv. Data Owner
The Data Owner is CARE’s business expert in charge of one or several data domains within CARE’s organization. He has an excellent understanding of data management requirements. The Data Owner must be informed about GDPR work in order to take into account potential impacts on his data sets. This means that the Data Owner:
- Contributes to data privacy actions when his or her Personal Data sets are concerned;
- Ensures that data processing activities under his or her responsibility are properly referenced and documented;
- Ensures that the data privacy policies and procedures are properly implemented within CARE’s organization.
More precisely, the Data Owner’s obligations cover the following topics:
- Personal Data retention periods and data deletion:
  - Contribute, at the DPO’s request, to identifying business data retention periods and the conservation rules that have to be applied.
- Security of personal data:
  - Inform the DPO immediately about identified or suspected incidents or data breaches;
  - Contribute to the remediation and securing plans in case of a breach of personal data.
- Training & awareness:
  - Be informed about new obligations, decisions or projects concerning personal data protection;
  - Spread a culture of “personal data protection” within CARE’s organization;
  - Raise awareness of the GDPR among all new collaborators (internal and external) within his or her perimeter.
- Privacy by design / privacy by default:
  - Contribute to assessing whether new projects comply with GDPR principles in terms of data retention management, security, data collection, etc.
1. List of data privacy policies and procedures
CARE has set out complete documentation to ensure compliance with the GDPR within CARE’s entities. The different documents must be adapted locally in order to ensure compliance with local data protection laws and regulations.
| Name of the document | Purpose of the document |
| --- | --- |
| Data Subject’s rights procedure | Procedure to manage all of the Data Subject’s requests (exercise of rights, including the right to receive compensation) |
| Data transfer policy | Policy that describes how to ensure protection of personal data when transferred outside of the EU/EEA |
| Data retention policy | Policy that describes the data retention principles and how to manage the deletion of personal data |
| Data breach procedure | Procedure that describes how to manage a breach of personal data: how to address the breach and how to communicate about the breach to the data subjects and the Data Protection Authority when necessary |
| Consent policy | Policy that describes when consent is required, and how to collect it and keep a record of it |
| Minimization policy & procedure | This document aims to ensure that the minimization principle has been properly integrated in all of CARE’s processing of Personal Data |
2. List of Templates
| Name of the document | Purpose of the document |
| --- | --- |
| Record of processing activities | This document lists all of the processing carried out by CARE, both acting as Data Controller and as Data Processor |
These documents will be regularly reviewed by the DPO, with the collaboration of the relevant departments, including Risk Management, Compliance and Security, in order to ensure that the documents are correctly implemented and fully aligned with the regulatory environment and Group requirements.
4. Controls & Assessment
4.1. Maturity level assessment
CARE’s management shall regularly task CARE’s DPO with conducting a maturity level assessment.
4.2 Data Protection Impact Assessment (DPIA)
A DPIA must be carried out when required by the applicable laws and regulations. Each new activity or processing operation shall be subject to prior checks by the DPO and, where applicable, shall be subject to a DPIA.
5. Management of a Personal Data Breach and reporting of the Breach
A Personal Data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Any breach of Personal Data shall be managed following CARE’s Personal Data breach procedure.
In some situations the breach must be notified internally and externally:
- Every breach of Personal Data shall be notified without undue delay to CARE’s DPO;
- Where there is likely to be a high risk to the rights and freedoms of Data Subjects, the Data Protection Authority must be informed no later than 72 hours after CARE becomes aware of the breach;
- Where there is likely to be a high risk to the rights and freedoms of Data Subjects, the Data Subjects shall be directly informed of the breach.
Contact: DPO: email@example.com