Embedded Files
DH Research Data Protection & Privacy Policy (effective 25 May 2018)
DH Research Data Protection & Privacy Policy (effective 25 May 2018)
1. Introduction
As part of its social responsibility, DH Research is committed to compliance with data protection laws, regulation and rules. This Policy adopts the fundamental principles of the EU’s General Data Protection Regulation (“GDPR”) as the minimum standard to which DH Research, its employees and suppliers will have to adhere.
DH Research depends on the collection and analysis of information about living individuals (“Data Subjects”) to carry out its market research and associated business. Maintaining respondents’ and the public’s confidence requires that respondents do not suffer direct adverse consequences, risk or harm as a result of providing DH Research with their information or their Personal Data being processed for DH Research’s business purposes. The information may be obtained from any kind of individual or organisation.
To conduct its business, DH Research also needs to collect and process certain types of information about people with whom DH Research deals. These include current, past and prospective employees, suppliers, clients and others with whom it might communicate. In addition, DH Research may occasionally be required by law to process certain types of Personal Data to comply with the certain legal requirements.
This Policy describes the minimum standards of how Personal Data must be processed, collected, handled and stored to meet DH Research’s data protection standards. Data Users are obliged to comply with this Policy when processing Personal Data on DH Research’s behalf. Any breach of this Policy may result in disciplinary action, up to and including dismissal from DH Research.
As part of its social responsibility, DH Research is committed to compliance with data protection laws, regulation and rules. This Policy adopts the fundamental principles of the EU’s General Data Protection Regulation (“GDPR”) as the minimum standard to which DH Research, its employees and suppliers will have to adhere.
DH Research depends on the collection and analysis of information about living individuals (“Data Subjects”) to carry out its market research and associated business. Maintaining respondents’ and the public’s confidence requires that respondents do not suffer direct adverse consequences, risk or harm as a result of providing DH Research with their information or their Personal Data being processed for DH Research’s business purposes. The information may be obtained from any kind of individual or organisation.
To conduct its business, DH Research also needs to collect and process certain types of information about people with whom DH Research deals. These include current, past and prospective employees, suppliers, clients and others with whom it might communicate. In addition, DH Research may occasionally be required by law to process certain types of Personal Data to comply with the certain legal requirements.
This Policy describes the minimum standards of how Personal Data must be processed, collected, handled and stored to meet DH Research’s data protection standards. Data Users are obliged to comply with this Policy when processing Personal Data on DH Research’s behalf. Any breach of this Policy may result in disciplinary action, up to and including dismissal from DH Research.
2. Scope
This Policy will form the minimum standard to which DH Research, employees and suppliers have to adhere, regardless of whether GDPR directly applies to any specific activity or territory.
Everyone who works for DH Research has some responsibility for ensuring Personal Data are collected, stored and handled appropriately. It is everyone’s responsibility that Personal Data are handled and processed in line with this Policy and its data protection principles.
DH Research also expects that its suppliers/vendors comply with the principles as set out herein.
This Policy will form the minimum standard to which DH Research, employees and suppliers have to adhere, regardless of whether GDPR directly applies to any specific activity or territory.
Everyone who works for DH Research has some responsibility for ensuring Personal Data are collected, stored and handled appropriately. It is everyone’s responsibility that Personal Data are handled and processed in line with this Policy and its data protection principles.
DH Research also expects that its suppliers/vendors comply with the principles as set out herein.
3. Application of National Laws and Codes of Conduct
This Data Protection Policy adopts the internationally accepted privacy principles as enhanced by the GDPR. It is subsidiary to and supplements any applicable national legislation. The relevant national laws will take precedence if there is a conflict with this Policy or it has stricter requirements than this Policy. Any registration, notification or reporting requirement for data processing under national laws must be observed. The contents of this Policy must also be observed in the absence of corresponding national legislation.
This Data Protection Policy adopts the internationally accepted privacy principles as enhanced by the GDPR. It is subsidiary to and supplements any applicable national legislation. The relevant national laws will take precedence if there is a conflict with this Policy or it has stricter requirements than this Policy. Any registration, notification or reporting requirement for data processing under national laws must be observed. The contents of this Policy must also be observed in the absence of corresponding national legislation.
4. Principles For Processing Personal Data
All Personal Data must be dealt with properly, irrespective of how they are collected, recorded and processed - whether on paper, in a computer file, database, or recorded on other material. DH Research regards the lawful and correct treatment of Personal Data and maintaining the confidence of those with whom it deals as a vital component of its business operations and is committed to act ethically and responsibly in respect of these Personal Data and to always provide a high degree of confidentiality and security. To demonstrate these commitments, DH Research adheres to the principles relating to the processing of Personal Data found in the GDPR.
DH Research respects the following principles, (explained in more detail later) concerning Personal Data, which are that:
• Processed fairly and lawfully;• Processed for limited purposes and in an appropriate way;• Adequate, relevant and not excessive for the purpose;• Accurate;• Not kept longer than necessary for the purpose;• Processed in line with Data Subjects' rights;• Secure;• Not transferred to people or organisations situated in other countries without adequate protection.
4.1 Lawfulness, Fairness and Transparency - Personal Data must be processed and collected lawfully, fairly and in a transparent manner in relation to the Data Subject. Furthermore, Data Subjects must be informed of how his/her data are being handled. In general, Personal Data must be collected directly from the individual concerned. Where this is not the case the legal basis on which the processing is nevertheless justified must be documented.
4.2 Purpose Limitation - Personal Data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Subsequent changes to the purpose are only possible to a limited extent and require substantiation and validation.
4.3 Data Minimisation - Personal Data must be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed. It must be determined whether and to what extent the processing of Personal Data is necessary to achieve the purpose for which the processing is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymised data must be used instead of Personal Data.
4.4 Accuracy - Personal Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard for the purpose for which they are processed, are erased or rectified without delay.
4.5 Storage Limitation - Personal Data must not be retained in a form which permits identification of Data Subjects for longer than is necessary for the purpose for which the Personal Data are processed. DH Research will not keep Personal Data longer than is necessary for the purpose or purposes for which they were collected. DH Research will take all reasonable steps to destroy, or erase from its systems, all Personal Data which are no longer required.
4.6 Integrity and Confidentiality - Personal Data must be processed in a manner that ensures appropriate security of the Personal Data from being revealed, disseminated, accessed or manipulated. Therefore, where methodologically possible and the expense is not disproportionate to the Data Subject’s risks, anonymised data must be used for the processing.
4.7 Restriction on Transfers - Personal Data must not be transferred to other countries that do not offer an adequate level of protection.
4.8 General Measures and Considerations - Additionally in respect of its market research business DH Research complies with the MRS (Market Research Society) & ESOMAR International Code on Market, Opinion, and Social Research and Data Analytics.
All Personal Data must be dealt with properly, irrespective of how they are collected, recorded and processed - whether on paper, in a computer file, database, or recorded on other material. DH Research regards the lawful and correct treatment of Personal Data and maintaining the confidence of those with whom it deals as a vital component of its business operations and is committed to act ethically and responsibly in respect of these Personal Data and to always provide a high degree of confidentiality and security. To demonstrate these commitments, DH Research adheres to the principles relating to the processing of Personal Data found in the GDPR.
DH Research respects the following principles, (explained in more detail later) concerning Personal Data, which are that:
• Processed fairly and lawfully;• Processed for limited purposes and in an appropriate way;• Adequate, relevant and not excessive for the purpose;• Accurate;• Not kept longer than necessary for the purpose;• Processed in line with Data Subjects' rights;• Secure;• Not transferred to people or organisations situated in other countries without adequate protection.
4.1 Lawfulness, Fairness and Transparency - Personal Data must be processed and collected lawfully, fairly and in a transparent manner in relation to the Data Subject. Furthermore, Data Subjects must be informed of how his/her data are being handled. In general, Personal Data must be collected directly from the individual concerned. Where this is not the case the legal basis on which the processing is nevertheless justified must be documented.
4.2 Purpose Limitation - Personal Data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Subsequent changes to the purpose are only possible to a limited extent and require substantiation and validation.
4.3 Data Minimisation - Personal Data must be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed. It must be determined whether and to what extent the processing of Personal Data is necessary to achieve the purpose for which the processing is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymised data must be used instead of Personal Data.
4.4 Accuracy - Personal Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard for the purpose for which they are processed, are erased or rectified without delay.
4.5 Storage Limitation - Personal Data must not be retained in a form which permits identification of Data Subjects for longer than is necessary for the purpose for which the Personal Data are processed. DH Research will not keep Personal Data longer than is necessary for the purpose or purposes for which they were collected. DH Research will take all reasonable steps to destroy, or erase from its systems, all Personal Data which are no longer required.
4.6 Integrity and Confidentiality - Personal Data must be processed in a manner that ensures appropriate security of the Personal Data from being revealed, disseminated, accessed or manipulated. Therefore, where methodologically possible and the expense is not disproportionate to the Data Subject’s risks, anonymised data must be used for the processing.
4.7 Restriction on Transfers - Personal Data must not be transferred to other countries that do not offer an adequate level of protection.
4.8 General Measures and Considerations - Additionally in respect of its market research business DH Research complies with the MRS (Market Research Society) & ESOMAR International Code on Market, Opinion, and Social Research and Data Analytics.
5. Legal Grounds for Data Processing
DH Research will be collecting, processing and using Personal Data only under the following legal bases, always provided that such legal basis exists under applicable national law. One of these legal bases is also required if the purpose of collecting, processing and using the Personal Data is to be changed from the original purpose, unless there is clear compatibility between the original purpose and the new purpose.
5.1 Respondent Data
Respondents are the most common Data Subjects in DH Research’s business. Consequently, the correct treatment of their Personal Data is at the heart of DH Research’s business.
5.1.1 Consent to Data Processing
Personal Data can be processed following consent by the Data Subject. Before giving consent, the Data Subject must be informed in accordance with the transparency principle as set out under paragraph 4.1. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone surveys, consent can be given verbally. In all cases, the granting of consent must be documented. Any consent will only be valid if it constitutes a freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which it giving a statement or by a clear affirmative action, signifies agreement to the processing of the Personal Data relating to him/her.
5.1.2 User Data and Internet
If Personal Data are collected, processed and used on websites or in apps, the Data Subject must be informed of this in a privacy statement including, if applicable, information about cookies or similar technical measures. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible, easily understandable and consistently available by and for the Data Subject. If use profiles (tracking) are created to evaluate the use of websites and apps, the Data Subjects must always be informed accordingly in the privacy statement. Tracking of Data Subjects online may only be affected if it is permitted under national law or upon explicit consent of the Data Subjects. Even if tracking uses a pseudonym for the Data Subject, the Data Subject should be given the chance to opt out in the privacy statement.
If websites or apps can access Personal Data in an area restricted to registered users/respondents, the identification and authentication of the Data Subject must offer sufficient protection during access.
5.2 Personal Data Provided by Clients
Transmission of Personal Data to DH Research by its clients is a common occurrence. It usually happens to provide us with sample or to enhance existing sample. In respect of any Personal Data so received, DH Research will be the Processor and may only Process these Personal Data in accordance with the instructions agreed with or received from the client. These instructions may include restrictions on transfers to other parties or transfers to other countries as well as specific security requirements. Any such restrictions must be complied with. It is imperative that any such instructions are documented in writing and agreed before any relevant contractual arrangements are accepted by DH Research, to ensure that DH Research is actually able to comply with any client specific restrictions or requirements. Irrespective of any client requirements, any Personal Data provided by a client may only be:
• Processed for the purpose they were provided for;• Not be kept for longer than is required for the purpose;• Subject to the same security requirements applicable to DH Research’s own Personal Data.
5.3 Employee Data
5.3.1 Data Processing for the Employment Relationship
In employment relationships, Personal Data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicant’s Personal Data can be processed. If the candidate is rejected his/her data must be deleted in observance with the required retention period unless the applicant has agreed to remain on file for a future selection process. In the existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorised data processing apply. If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws must be observed. In cases of doubt, consent must be obtained from the Data Subjects.
There must be legal authorisation to process Personal Data that is related to the employment relationship but was not originally part of performance of the employment agreement. This can include legal requirements, collective regulations with employee representatives, consent of the employee or the legitimate interest of the company.
5.3.2 Collective Agreements on Data Processing
If a data processing activity exceeds the purposes for fulfilling a contract, it may be permissible if authorised through a collective agreement between the employer and employee representatives, within the scope allowed under the relevant employment law. The agreements must cover the specific purpose of the intended further data-processing activity and must be drawn up within the parameters of national data protection and employment legislation.
5.3.3 Consent to Data Processing
Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Within the EU/European Economic Area, consent generally does not constitute a valid legal basis for the processing in the employment context as there is a legal presumption that such consent was not submitted voluntarily and any processing will have to rely on one of the other legal bases available. Involuntary consent is void.
5.3.4 Data Processing Pursuant to Legitimate Interest
Personal Data may also be processed if it is necessary to enforce a legitimate interest of DH Research, where the applicable law allows for the processing of Personal Data based on a legitimate interest. Within the employment context, legitimate interests are generally of a legal or financial nature. Control or supervisory measures that require processing of employee data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measures must also be examined before such measures are applied. The justified interests of the company in performing the control measure (e.g. compliance with internal company rules or security interests) must be weighed against any interest meriting protection that the employee affected by the measure may have in its exclusion and the measure cannot be performed unless found to be appropriate. The legitimate interests of the company and any interests of the employee meriting protection must be identified and documented before any measures are taken by way of a legitimate interest assessment. Moreover, any additional requirements under national law (e.g. rights of codetermination for the employee representatives and information rights of the Data Subjects) must be taken into account.
5.3.5 Processing of Special Categories of Personal Data
Special categories of Personal Data can be processed only if the law requires this or the Data Subjects has given his/her explicit consent. These data can also be processed if it is mandatory for asserting, exercising or defending legal claims.
5.4 Marketing Contacts
Generally marketing contacts are no different than respondents’ in respect of the privacy protections accorded to them. Their contact details constitute Personal Data, even if they are business related. Only if the contact details are truly generic like “contact@acme.com”, will they not fall under this Policy.Marketing communications are often subject to specific legal requirements, particularly if they are sent electronically or made by phone.It has to be assumed that marketing contacts have not requested the marketing materials. In other words, the recipients have not asked to receive marketing communications from DH Research. To proceed legally, the conditions concerning legal basis, in particular consent requirements set out in paragraph 5.1.1, apply here as well.
Exceptionally a 'soft opt-in' can be applied, if the below conditions are met:
• where the Data Subject’s details were obtained in the course of a sale or negotiations for a sale of DH Research services;• where the messages are only marketing similar services; and• where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in all future messages.
DH Research will be collecting, processing and using Personal Data only under the following legal bases, always provided that such legal basis exists under applicable national law. One of these legal bases is also required if the purpose of collecting, processing and using the Personal Data is to be changed from the original purpose, unless there is clear compatibility between the original purpose and the new purpose.
5.1 Respondent Data
Respondents are the most common Data Subjects in DH Research’s business. Consequently, the correct treatment of their Personal Data is at the heart of DH Research’s business.
5.1.1 Consent to Data Processing
Personal Data can be processed following consent by the Data Subject. Before giving consent, the Data Subject must be informed in accordance with the transparency principle as set out under paragraph 4.1. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone surveys, consent can be given verbally. In all cases, the granting of consent must be documented. Any consent will only be valid if it constitutes a freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which it giving a statement or by a clear affirmative action, signifies agreement to the processing of the Personal Data relating to him/her.
5.1.2 User Data and Internet
If Personal Data are collected, processed and used on websites or in apps, the Data Subject must be informed of this in a privacy statement including, if applicable, information about cookies or similar technical measures. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible, easily understandable and consistently available by and for the Data Subject. If use profiles (tracking) are created to evaluate the use of websites and apps, the Data Subjects must always be informed accordingly in the privacy statement. Tracking of Data Subjects online may only be affected if it is permitted under national law or upon explicit consent of the Data Subjects. Even if tracking uses a pseudonym for the Data Subject, the Data Subject should be given the chance to opt out in the privacy statement.
If websites or apps can access Personal Data in an area restricted to registered users/respondents, the identification and authentication of the Data Subject must offer sufficient protection during access.
5.2 Personal Data Provided by Clients
Transmission of Personal Data to DH Research by its clients is a common occurrence. It usually happens to provide us with sample or to enhance existing sample. In respect of any Personal Data so received, DH Research will be the Processor and may only Process these Personal Data in accordance with the instructions agreed with or received from the client. These instructions may include restrictions on transfers to other parties or transfers to other countries as well as specific security requirements. Any such restrictions must be complied with. It is imperative that any such instructions are documented in writing and agreed before any relevant contractual arrangements are accepted by DH Research, to ensure that DH Research is actually able to comply with any client specific restrictions or requirements. Irrespective of any client requirements, any Personal Data provided by a client may only be:
• Processed for the purpose they were provided for;• Not be kept for longer than is required for the purpose;• Subject to the same security requirements applicable to DH Research’s own Personal Data.
5.3 Employee Data
5.3.1 Data Processing for the Employment Relationship
In employment relationships, Personal Data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicant’s Personal Data can be processed. If the candidate is rejected his/her data must be deleted in observance with the required retention period unless the applicant has agreed to remain on file for a future selection process. In the existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorised data processing apply. If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws must be observed. In cases of doubt, consent must be obtained from the Data Subjects.
There must be legal authorisation to process Personal Data that is related to the employment relationship but was not originally part of performance of the employment agreement. This can include legal requirements, collective regulations with employee representatives, consent of the employee or the legitimate interest of the company.
5.3.2 Collective Agreements on Data Processing
If a data processing activity exceeds the purposes for fulfilling a contract, it may be permissible if authorised through a collective agreement between the employer and employee representatives, within the scope allowed under the relevant employment law. The agreements must cover the specific purpose of the intended further data-processing activity and must be drawn up within the parameters of national data protection and employment legislation.
5.3.3 Consent to Data Processing
Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Within the EU/European Economic Area, consent generally does not constitute a valid legal basis for the processing in the employment context as there is a legal presumption that such consent was not submitted voluntarily and any processing will have to rely on one of the other legal bases available. Involuntary consent is void.
5.3.4 Data Processing Pursuant to Legitimate Interest
Personal Data may also be processed if it is necessary to enforce a legitimate interest of DH Research, where the applicable law allows for the processing of Personal Data based on a legitimate interest. Within the employment context, legitimate interests are generally of a legal or financial nature. Control or supervisory measures that require processing of employee data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measures must also be examined before such measures are applied. The justified interests of the company in performing the control measure (e.g. compliance with internal company rules or security interests) must be weighed against any interest meriting protection that the employee affected by the measure may have in its exclusion and the measure cannot be performed unless found to be appropriate. The legitimate interests of the company and any interests of the employee meriting protection must be identified and documented before any measures are taken by way of a legitimate interest assessment. Moreover, any additional requirements under national law (e.g. rights of codetermination for the employee representatives and information rights of the Data Subjects) must be taken into account.
5.3.5 Processing of Special Categories of Personal Data
Special categories of Personal Data can be processed only if the law requires this or the Data Subjects has given his/her explicit consent. These data can also be processed if it is mandatory for asserting, exercising or defending legal claims.
5.4 Marketing Contacts
Generally marketing contacts are no different than respondents’ in respect of the privacy protections accorded to them. Their contact details constitute Personal Data, even if they are business related. Only if the contact details are truly generic like “contact@acme.com”, will they not fall under this Policy.Marketing communications are often subject to specific legal requirements, particularly if they are sent electronically or made by phone.It has to be assumed that marketing contacts have not requested the marketing materials. In other words, the recipients have not asked to receive marketing communications from DH Research. To proceed legally, the conditions concerning legal basis, in particular consent requirements set out in paragraph 5.1.1, apply here as well.
Exceptionally a 'soft opt-in' can be applied, if the below conditions are met:
• where the Data Subject’s details were obtained in the course of a sale or negotiations for a sale of DH Research services;• where the messages are only marketing similar services; and• where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in all future messages.
6. Transmission of Personal Data
Transmission of Personal Data to recipients outside or inside DH Research is subject to the authorisation requirements for processing Personal Data under paragraph 4.7 Restriction on Transfers. The data recipient must be required to use the data only for the defined purposes. Where Personal Data are transmitted by third party (like a sample supplier) to DH Research, it must be ensured that the Personal Data can be used for the intended purpose.
Transmission of Personal Data to recipients outside or inside DH Research is subject to the authorisation requirements for processing Personal Data under paragraph 4.7 Restriction on Transfers. The data recipient must be required to use the data only for the defined purposes. Where Personal Data are transmitted by third party (like a sample supplier) to DH Research, it must be ensured that the Personal Data can be used for the intended purpose.
7. Outsourced/Third Party Data Processing
In some cases, DH Research may use external providers to process Personal Data. In these cases, an agreement on data processing on behalf of DH Research must be concluded with such provider. This can be done either by way of including appropriate provisions in the agreement governing the overall relationship with the provider or in a separate and specific document. In respect of processing on behalf of DH Research, the provider may only process the Personal Data as per the instructions from DH Research. When instructing a provider, the following requirements must be complied with:
• Where the Personal Data in question fall under paragraph 5.2 (client data), any relevant client requirements need to be passed down to the provider.• The provider must be chosen based on its ability to cover the required technical and organisational protective measures and in line with DH Research supplier approval process.• The provider must not subcontract the processing further without DH Research’s prior written consent.• The instructions must be placed in writing by way of an appropriate contract. The instructions on data processing and the responsibilities of DH Research and provider must be documented.• Before the data processing begins, DH Research must be confident that the provider will comply with its duties. A provider can document its compliance with data security requirements in particular by presenting suitable certification. Depending on the risk of data processing, the reviews must be repeated on a regular basis during the term of the contract. DH Research should retain the right to audit the provider’s compliance.
In some cases, DH Research may use external providers to process Personal Data. In these cases, an agreement on data processing on behalf of DH Research must be concluded with such provider. This can be done either by way of including appropriate provisions in the agreement governing the overall relationship with the provider or in a separate and specific document. In respect of processing on behalf of DH Research, the provider may only process the Personal Data as per the instructions from DH Research. When instructing a provider, the following requirements must be complied with:
• Where the Personal Data in question fall under paragraph 5.2 (client data), any relevant client requirements need to be passed down to the provider.• The provider must be chosen based on its ability to cover the required technical and organisational protective measures and in line with DH Research supplier approval process.• The provider must not subcontract the processing further without DH Research’s prior written consent.• The instructions must be placed in writing by way of an appropriate contract. The instructions on data processing and the responsibilities of DH Research and provider must be documented.• Before the data processing begins, DH Research must be confident that the provider will comply with its duties. A provider can document its compliance with data security requirements in particular by presenting suitable certification. Depending on the risk of data processing, the reviews must be repeated on a regular basis during the term of the contract. DH Research should retain the right to audit the provider’s compliance.
8. Rights of the Data Subject
Every Data Subject has the following rights. Their request is to be handled immediately by DH Research and may not result in any disadvantage to the Data Subject. Where the relevant Personal Data are being processed by DH Research under paragraph 5.2 Personal Data Provided by Clients, the relevant client contract must be consulted in respect of any process to be followed and the client has to be informed about such request immediately.
• Right of access:o The Data Subjects may request information on how Personal Data relating to him/her have been stored, how the data were collected and for what purpose.o If Personal Data are transmitted to 3rd parties, information must be given about the identity of the recipient or the categories of recipients.
• Right to rectification: If Personal Data are incorrect or incomplete, the Data Subject can demand that they are corrected or supplemented.
• Right to withdraw consent: Where the Personal Data are processed on the basis of Consent (see also the separate guidance on Consent), the Data Subjects can object to the processing at any time. These Personal Data must be blocked from the processing that has been objected to.
• Right to erasure: The Data Subject may request his or her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
• Right to object: The Data Subjects generally has a right to object to his/her data being processed and this must be taken into account if the protection of his/her interest takes precedence over the interests of the data controller owing to the particular personal situation. This does not apply if a legal provision requires that the Personal Data are data to be processed.
• Right to data portability: The Data Subject has the right to request for the Personal Data provided by him/her to be made available to the Data Subject in a easily readable format, like a Word or Excel document.
Every Data Subject has the following rights. Their request is to be handled immediately by DH Research and may not result in any disadvantage to the Data Subject. Where the relevant Personal Data are being processed by DH Research under paragraph 5.2 Personal Data Provided by Clients, the relevant client contract must be consulted in respect of any process to be followed and the client has to be informed about such request immediately.
• Right of access:o The Data Subjects may request information on how Personal Data relating to him/her have been stored, how the data were collected and for what purpose.o If Personal Data are transmitted to 3rd parties, information must be given about the identity of the recipient or the categories of recipients.
• Right to rectification: If Personal Data are incorrect or incomplete, the Data Subject can demand that they are corrected or supplemented.
• Right to withdraw consent: Where the Personal Data are processed on the basis of Consent (see also the separate guidance on Consent), the Data Subjects can object to the processing at any time. These Personal Data must be blocked from the processing that has been objected to.
• Right to erasure: The Data Subject may request his or her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
• Right to object: The Data Subjects generally has a right to object to his/her data being processed and this must be taken into account if the protection of his/her interest takes precedence over the interests of the data controller owing to the particular personal situation. This does not apply if a legal provision requires that the Personal Data are data to be processed.
• Right to data portability: The Data Subject has the right to request for the Personal Data provided by him/her to be made available to the Data Subject in a easily readable format, like a Word or Excel document.
9. Confidentiality of Processing
Personal Data are subject to data secrecy. Any unauthorised collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorised to carry out as part of his/her legitimate duties is un-authorised. The “need-to-know” principle applies. Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as in limitation, of roles and responsibilities. Furthermore, the requirements of the Information Management Policy apply. Employees are forbidden to use Personal Data for their own private or commercial purposes, to disclose them to unauthorised persons, or to make them available in any other way. Supervisors must inform the employees at the start of the employment relationship about the obligation to maintain data secrecy. This obligation shall remain in force even after employment has ended.
Personal Data are subject to data secrecy. Any unauthorised collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorised to carry out as part of his/her legitimate duties is un-authorised. The “need-to-know” principle applies. Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as in limitation, of roles and responsibilities. Furthermore, the requirements of the Information Management Policy apply. Employees are forbidden to use Personal Data for their own private or commercial purposes, to disclose them to unauthorised persons, or to make them available in any other way. Supervisors must inform the employees at the start of the employment relationship about the obligation to maintain data secrecy. This obligation shall remain in force even after employment has ended.
10. Privacy by Design and Default
DH Research will use a Privacy by Design and Default approach in all its work, but in particular when:• building new IT systems for storing or accessing personal data;• developing new applications or research approaches;• embarking on a data sharing initiative; or• using data for new purposes.
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. It is a key consideration in the early stages of any project, and then throughout its lifecycle. Taking a privacy by design approach is an essential tool in minimising privacy risks. Building trust when designing projects, processes, products or systems, with privacy in mind from the outset.
DH Research will use a Privacy by Design and Default approach in all its work, but in particular when:• building new IT systems for storing or accessing personal data;• developing new applications or research approaches;• embarking on a data sharing initiative; or• using data for new purposes.
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. It is a key consideration in the early stages of any project, and then throughout its lifecycle. Taking a privacy by design approach is an essential tool in minimising privacy risks. Building trust when designing projects, processes, products or systems, with privacy in mind from the outset.
11. Processing Security
Personal Data must be safeguarded from unauthorised access or disclosure (whether caused internally or externally), unlawful processing as well as accidental loss, modification or destruction. This applies regardless of whether the data is processed electronically or in paper form. Apart from securing existing Personal Data in line with DH Research’s relevant policies, before the introduction of new methods of data processing, particular new IT systems or research approaches, technical or organisational measures to protect Personal Data must be defined and implemented.
As a minimum, DH Research will process all Personal Data it holds in accordance with its Security Policy and take appropriate security measures against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.
Personal Data must be safeguarded from unauthorised access or disclosure (whether caused internally or externally), unlawful processing as well as accidental loss, modification or destruction. This applies regardless of whether the data is processed electronically or in paper form. Apart from securing existing Personal Data in line with DH Research’s relevant policies, before the introduction of new methods of data processing, particular new IT systems or research approaches, technical or organisational measures to protect Personal Data must be defined and implemented.
As a minimum, DH Research will process all Personal Data it holds in accordance with its Security Policy and take appropriate security measures against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.
12. Data Protection Incidents
All employees must inform the company management immediately about cases of violations of this Data Protection Policy or other regulations on the protection of Personal Data.
In case of:• improper transmission of Personal Data to 3rd parties;• improper transmission of Personal Data across borders;• improper access, including by third parties, to Personal Data, or• loss of Personal Data (including then becoming public due to internal failures)A data protection breach notification must be made immediately to ensure that a) any reporting duties under national law can be complied with, b) any affected client can be informed and c) any stakeholder communication can be managed. Any Data Protection breach will also constitute an information security incident under the IT Incident Management policy.
All employees must inform the company management immediately about cases of violations of this Data Protection Policy or other regulations on the protection of Personal Data.
In case of:• improper transmission of Personal Data to 3rd parties;• improper transmission of Personal Data across borders;• improper access, including by third parties, to Personal Data, or• loss of Personal Data (including then becoming public due to internal failures)A data protection breach notification must be made immediately to ensure that a) any reporting duties under national law can be complied with, b) any affected client can be informed and c) any stakeholder communication can be managed. Any Data Protection breach will also constitute an information security incident under the IT Incident Management policy.
13. Responsibilities and Sanctions
The executive body of DH Research is responsible for all areas of data handling and processing. Management are responsible for ensuring that organisational, HR and technical measures are in place so that any data processing is carried out in accordance with these data protection requirements. Compliance with these requirements is also the responsibility of the relevant employees.
The executive body of DH Research is responsible for all areas of data handling and processing. Management are responsible for ensuring that organisational, HR and technical measures are in place so that any data processing is carried out in accordance with these data protection requirements. Compliance with these requirements is also the responsibility of the relevant employees.
Page updated
Google Sites
Report abuse