GDPR Data Protection Policy
Document Reference: Centre for Health
Revision Date: 10th April 2018
Revision Number: 001
The Centre for Health is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct.
This policy sets forth the expected behaviours of Centre for Health Employees and Third Parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to a Centre for Health Contact (i.e. the Data Subject).
Personal Data is any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person.
Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process Personal Data.
An organisation that handles Personal Data and makes decisions about its use is known as a Data Controller. Centre for Health, as a Data Controller, is responsible for ensuring compliance with the Data Protection requirements outlined in this policy.
Non-compliance may expose Centre for Health to complaints, regulatory action, fines and/or reputational damage.
Centre for Health’s leadership is fully committed to ensuring continued and effective implementation of this policy, and expects all Centre for Health Employees and Third Parties to share in this commitment.
Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.
This policy has been approved by Centre for Health’s Practice Manager,
This policy applies to all Centre for Health Entities where a Data Subject’s Personal Data is processed:
• In the context of the business activities of the Centre for Health Entity.
• For the provision or offer of goods or services to individuals (including those provided or offered free-of-charge) by a Centre for Health Entity.
• To actively monitor the behaviour of individuals.
• Monitoring the behaviour of individuals includes using data processing techniques such as persistent web browser cookies or dynamic IP address tracking to profile an individual with a view to:
• Taking a decision about them.
• Analysing or predicting their personal preferences, behaviours
This policy applies to all Processing of Personal Data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.
This policy has been designed to establish a worldwide baseline standard for the Processing and protection of Personal Data by all Centre for Health Entities. Where national law imposes a requirement which is stricter than that imposed by this policy, the requirements in national law must be followed. Furthermore, where national law imposes a requirement that is not addressed in this policy, the relevant national law must be adhered to.
If there are conflicting requirements in this policy and national law, please consult with the Officer for Data Protection for guidance.
The protection of Personal Data belonging to Centre for Health Employees is not within the scope of this policy.
Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Any form of automated processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an Identifiable Natural Person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.
Binding Corporate Rules
The Personal Data protection policies used for the transfer of Personal Data to one or more Third Countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
The process of converting information or data into code, to prevent unauthorised access.
Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a “key” that allows the data to be re-identified.
Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person.
To demonstrate our commitment to Data Protection, and to enhance the effectiveness of our compliance efforts, the Centre for Health has established an Officer for Data Protection. The Officer operates with independence and has been granted all necessary authority. The Officer for Data Protection reports to the Centre for Health Board of Directors. The Officer for Data Protection’s role includes:
• Informing and advising the Centre for Health and its Employees who carry out Processing pursuant to Data Protection regulations, national law or Union-based Data Protection provisions;
• Ensuring the alignment of this policy with Data Protection regulations, national law or Union-based Data Protection provisions;
• Providing guidance with regards to carrying out Data Protection Impact
• Acting as a point of contact for and cooperating with Data Protection
• Determining the need for notifications to one or more DPAs as a result of the Centre for Health’s current or intended Personal Data processing activities;
• Making and keeping current notifications to one or more DPAs as a result of the Centre for Health’s current or intended Personal Data processing activities;
• The establishment and operation of a system providing prompt and appropriate responses to Data Subject requests;
• The ongoing administration and management of customer services.