01. Introduction
Framework
The General Data Protection Regulation (GDPR) defines the principles and rules concerning the processing, by a person, an enterprise or an organization, of personal data relating to persons in the European Union (EU). The goal is to protect the rights and freedoms of all individuals and to ensure that their personal data are not processed without their knowledge and, in the absence of any other legal ground, are processed only with their consent.
The GDPR applies to the total or partial processing of personal data by automated means (i.e. by computer) and to the processing of personal data by non-automated means (i.e. paper records) which form part of a filing system or are intended to form part of a filing system.
The GDPR applies to all data controllers established in the EU that process personal data in the context of their activities. It also applies to data controllers outside the EU that process personal data in order to provide goods and services to, or to monitor the behavior of, individuals residing in the EU.
Definitions
Establishment – The principal establishment of the data controller in the EU is the site where the data controller makes the main decisions about the purposes and means of its data processing activities. The principal establishment of a processor in the EU is its administrative center. If a controller is based outside the EU, a representative must be appointed in the jurisdiction where the controller operates to act on behalf of the controller and deal with the supervisory authorities.
Personal data – Any information relating to an identified or identifiable person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data concerning health – Personal data considered sensitive which relate to the physical or mental health of an individual, including the provision of health services, and which reveal information about that person’s health status.
Special Categories of Personal Data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of identifying an individual, health data, and data concerning a person’s sexual life or sexual orientation.
Data Controller – Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the Union or a Member State, the specific criteria for designating the data controller may be laid down by the Union or by the Member State.
Data Processor – Natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller.
Data Subject – Any individual whose personal data are collected and processed by an organization and who is identifiable from those data.
Processing – Any operation or set of operations that is performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.
Profiling – Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. This definition is linked to the data subject’s right to object to profiling and the right to be informed about the existence of profiling, the measures based on it and its expected effects on the individual.
Personal data breach – Security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The data controller is obliged to report to the supervisory authority any personal data breach that poses a risk to the data subject, where the data concerned are liable to harm the integrity or privacy of the data subject.
The consent of the data subject – A free, specific, informed and explicit indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative act, agrees to the processing of personal data concerning him or her. Silence, pre-ticked options or inactivity on the part of the data subject do not constitute consent.
Child – The GDPR defines a child as anyone under 16 years of age. The processing of a child’s personal data is lawful only if the consent of the holder of parental responsibility, or of his or her representative, has been obtained. In such cases the data controller shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the child.
Third Party – Natural or legal person, public authority, agency or body other than the data subject, the data controller, the data processor and the persons who, under the direct authority of the data controller or the data processor, are authorized to process personal data.
Filing System – Any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
02. Privacy Policy Statement
The Management Board of the Instituto de Microcirurgia Ocular (IMO) is committed to compliance with all relevant laws of the EU and of the Portuguese State regarding personal data and the protection of the rights and freedoms of the individuals whose information IMO collects and processes, in accordance with the General Data Protection Regulation (GDPR).
IMO’s compliance with the GDPR is described by this policy and by other relevant policies, such as the Information Security Policy and the Quality Policy, together with related processes, procedures and records.
The GDPR and this policy apply to all personal data processing functions at IMO, including those performed on the personal and sensitive data of patients, employees, suppliers and entities, and to any other personal data that the organization handles from any other source.
This policy applies to all IMO stakeholders, such as suppliers, service providers, partners, patients, entities, employees and referenced doctors. Any breach of the GDPR shall be dealt with in accordance with IMO’s disciplinary policy and, where it constitutes a breach of privacy, the matter shall be referred to the supervisory authority as soon as possible in accordance with the established procedure.
Partners and any third parties working with or for IMO that have access to, or are able to process, personal data must have read, understood and complied with this policy. No third party may access personal data held by IMO without having signed a data confidentiality agreement that imposes on the third party obligations no less onerous than those to which IMO is committed and that gives IMO the right to audit its compliance.
03. GDPR Management System
To support compliance with the GDPR, the Management Board of IMO has approved and supported the development, implementation, maintenance and continuous improvement of a documented GDPR management system.
All IMO stakeholders shall comply with this management system. All IMO staff, service providers and partners have received appropriate training. The consequences of not complying with this management system are established in IMO’s disciplinary policy and in contracts and agreements with third parties.
In determining the scope of its compliance with the GDPR, IMO considers:
- The external and internal issues relevant to the purpose of IMO and which affect its ability to achieve the expected results of its GDPR Management System;
- The specific needs and expectations of the interested parties that are relevant to the implementation of the GDPR Management System;
- Organizational objectives and obligations;
- The acceptable level of risk of the organization;
- Any applicable legal, regulatory or contractual obligations.
The objectives of IMO to ensure compliance with the GDPR are:
- consistent with this policy;
- measurable;
- based on the GDPR’s privacy requirements and on the results of risk assessments and risk treatments;
- monitored;
- communicated;
- updated as appropriate.
To achieve these objectives, IMO has determined:
- what will be done;
- what resources will be needed;
- who will be responsible;
- when it will be completed;
- how the results will be evaluated.
04. Responsibilities
IMO is a Data Controller under the GDPR.
Top management and all those with management or supervisory functions in IMO are responsible for developing and encouraging good information management practices within IMO. The responsibilities are defined in the job descriptions.
The General Director of IMO is appointed by the Management Board to manage personal data within IMO and to ensure that compliance with data protection legislation and good practice can be demonstrated. This responsibility includes:
- the development, implementation and continuous improvement of the GDPR management system as required by this policy;
- security and risk management in relation to policy compliance.
The General Direction, advised by the Data Protection Officer, whom the Board of Directors considers appropriately qualified and experienced, has been appointed to take day-to-day responsibility for IMO’s compliance with this policy and, in particular, has direct responsibility for ensuring that IMO complies with the GDPR. All executives share this responsibility for the data processing that occurs within their areas of responsibility.
The General Direction has specific responsibilities in relation to various procedures, including those related to the rights of data subjects, in particular access requests, and is the first point of contact for staff and service providers seeking clarification on any aspect of data protection.
Compliance with data protection legislation, as well as with IMO’s GDPR management system, is the responsibility of all IMO staff and service providers who process personal data.
The IMO Training Procedure establishes specific training and awareness requirements for the roles of IMO staff and service providers.
IMO employees and service providers are responsible for ensuring that all personal data about them and provided by them to IMO is accurate and up-to-date.
The General Direction is responsible for ensuring that IMO does not collect information other than what is strictly necessary for the purposes specified.
The General Direction is responsible for periodic internal and external audit reviews and for ensuring that all methods of data collection remain adequate, relevant and not excessive.
05. The Principles of Data Protection
All personal data processing in IMO is conducted in accordance with the principles of data protection as set out in the GDPR. IMO policies, processes, procedures and records have been designed to ensure compliance with these principles.
1. Principle of Lawfulness, Fairness and Transparency
This principle concerns the information provided to data subjects about the identity of the controller and the purposes for which the processing is intended, as well as the information needed to ensure that processing is carried out fairly and transparently towards the natural persons concerned and to safeguard their right to obtain confirmation and communication of the personal data concerning them that are being processed. Natural persons to whom the data relate should be made aware of the risks, rules, safeguards and rights associated with the processing of personal data and of the means at their disposal to exercise their rights in relation to such processing. In particular, the specific purposes of the processing of personal data should be explicit and legitimate and be determined at the time the personal data are collected.
- We always identify an appropriate lawful basis: pre-contractual steps taken at the request of the data subject, a contract to which the data subject is a party, or legitimate interest;
- We provide Privacy Notices (notifications) to data subjects that will provide more detailed information on the processing of data done by IMO.
2. Principle of Purpose Limitation
Data are collected for specific, explicit and legitimate purposes and are not further processed in a manner that is incompatible with those purposes.
3. Principle of Data Minimization
The collected and processed data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Principle of Accuracy
Appropriate measures have been taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay, and the data subject can exercise his right of rectification at any time.
5. Principle of Storage Limitation
The data shall be stored in a way which permits the identification of data subjects only for the period necessary for the purposes for which they are processed, and in compliance with the rules and regulations in force.
6. Principle of Integrity and Confidentiality
IMO works diligently to ensure that data are processed in a manner that guarantees their security, protecting them against unauthorized or unlawful processing and against accidental loss, destruction or damage.
7. Principle of Accountability
IMO is able to demonstrate in a responsible manner its commitment to the GDPR principles.
IMO has implemented data protection policies, processes, procedures and records; has inventoried both the personal data it holds and the processing performed on those data; has taken measures to raise awareness among its employees and service providers and has obtained their commitment, and that of its data processors, to privacy; takes privacy into account when implementing new services, assessing the risk of the resulting processing; and has data breach notification procedures and incident response plans in place.
06. Rights of Data Subjects
The GDPR created new rights for Data Subjects and reinforced existing ones. As a Data Controller, IMO ensures compliance with these rights through the development and implementation of new procedures that aim to respond in a timely and appropriate manner to the requests of data subjects exercising these rights, namely:
- Right to be informed
- Right to Access
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Data Portability
- Right to Object to the Processing of Data
- Rights relating to automated decision making and profiling
Data Subjects may make such requests by sending an email to privacidade@imo.pt.
Data Subjects have the right to complain to IMO about the processing of their personal data and about the handling of the requests they make when exercising their rights.
They may also file a complaint with the national supervisory authority (CNPD - National Commission for Data Protection).
07. Disclosure of Data
IMO has taken steps to ensure that personal data are not disclosed to unauthorized third parties, which include family members, friends, government agencies and, in certain circumstances, the Police.
All employees and service providers are made aware that they must be cautious when asked to disclose an individual’s personal information to a third party.
All requests to provide data are supported by appropriate documents and all such disclosures must be specifically authorized by the General Direction.
08. Transfer of Data
IMO does not transfer personal data outside the European Union (third countries).
09. Document Owner and Approval
The General Direction is the owner of this document and is responsible for ensuring that this policy document is reviewed in accordance with the established revision requirements.
The current version of this document is available to all team members in physical form at data collection points and on the computer network.
This policy was approved by the Management Board on 14/01/2019 and is issued under version control under the signature of the General Director.