GP-050 Data Protection
Purpose
We have designed this manual in collaboration with our trusted legal firm to identify the specific measures we should take to improve compliance with data protection regulations, especially the General Data Protection Regulation (GDPR).
Scope
All our data processing activities.
Responsibilities
JD-001 General Manager (GM)
- To approve the documents.
JD-004 Quality Manager (QM)
- To ensure that we carry out the process according to the methodology established in the present procedure.
- To check that all maintenance activities are carried out, and to record any related non-conformities that may affect the proper functioning of the processes.
JD-005 Technical Manager
- To coordinate the maintenance tasks of each infrastructure element and generate the corresponding records.
- To coordinate the correction and documentation of detected incidents according to the defined plan.
Introduction to data protection
The GDPR was conceived to promote a culture of privacy in companies and organizations that handle personal data. It does so through a clear reinforcement of the duties of information and transparency that bind every data controller, a set of principles and obligations that apply to the processing throughout the life cycle of the data, and greater decision-making capacity and a wide range of rights for data subjects.
All these changes occur, however, under a clear focus on freedom of form: companies may choose how to achieve the primary objective of the regulation, which is the effective protection of the privacy and personal data of data subjects.
The GDPR nevertheless establishes certain significant operational changes that must be fully observed as essential obligations of this regulatory framework, especially regarding the transparency with which the data controller must act, the way in which consent (or another legal basis) must be obtained, and the establishment of organizational measures based on the principle of accountability (proactive responsibility) and on risk analysis. These last two points constitute the most relevant changes introduced by the regulation:
Proactive responsibility
The GDPR describes this principle as the need for the data controller to apply those technical and organizational measures necessary to guarantee and demonstrate that the data processing carried out is in accordance with the regulations.
In other words, this principle requires controllers and processors to analyze what data they collect, for what purposes and what type of processing operations they carry out. And based on this, they must specifically and explicitly determine how they will comply with the obligations derived from the GDPR.
But if it is important to detect the measures to be applied, it is even more important to be able to demonstrate to the interested parties or the supervisory authorities:
- that the guarantees implemented are adequate;
- that these guarantees are applied in practice.
In short, this principle requires a conscious, diligent and proactive attitude towards all personal data processing carried out, together with an effort to document every decision adopted in relation to this fundamental right: effective compliance with data protection regulations implies not only having a compliance design, but also a practical and demonstrable application of the implemented procedures.
Risk approach
As a consequence of the principle of proactive responsibility, the GDPR requires that the measures adopted to guarantee regulatory compliance by those who process data are not generic, but are defined and implemented taking into account:
- The nature, scope, context and purposes of the processing.
- The risk to the rights and freedoms of data subjects.
- The state of the art and the cost of implementation.
The previous data protection regulations established three levels of security (basic, medium and high) to be applied according to a series of criteria and predefined cases: it was enough, for example, to process any health data to be placed at the highest statutory level of security. Under the current regulations, it is the data controller who must decide, according to the risks associated with each processing activity, which measures to adopt for it, taking into account its characteristics and circumstances (e.g. the type of data processed, the context in which the processing is carried out, its purposes, the number of data subjects potentially affected, etc.).
Thus, the GDPR allows certain measures to be applied only when there is a high risk to the rights and freedoms of the interested parties, while others may be modulated according to the level and type of risk that each treatment presents.
For this reason, the measures provided for in the GDPR must be adapted to the characteristics of the data processing carried out, taking into account its structure and activity, and the risk involved for the interested parties.
This report proposes technical and organizational measures that Legit.Health may adopt within its organization for regulatory compliance. The specific definition of physical or logical security measures in the systems, as well as their implementation, must be studied and adopted in response to the risks that are actually detected.
Penalty system
The sanctioning regime of the GDPR incorporates significant changes with respect to the previous regulatory framework. As far as the maximum amounts are concerned, the current regulations establish, depending on the seriousness of the infringement, fines of up to ten million euros or 2% of the total annual worldwide turnover of the offending entity, or up to twenty million euros or 4% of the total annual worldwide turnover, whichever is higher in each case. This represents a significant increase in the maximum amounts applicable with respect to the sanctions applied under the previous Organic Law on Data Protection (LOPD).
This sanctioning regime has been specified in Spain through the LOPDGDD, which establishes a detailed classification based on three types of infringement: minor, serious and very serious.
Regarding the amount applicable to each infringement, each sanction is imposed by the AEPD (or the supervisory authority that corresponds in each case) according to a series of circumstances provided for in the regulation, such as the number of data subjects affected by the non-compliance, the categories of data processed, whether the offender acted intentionally, its degree of cooperation with the AEPD, or the repetition of the infringing conduct, among other criteria.
Annex 1 contains detailed information on the sanctioning system and the types of infractions with specific examples, as well as information on the statute of limitations for infractions and sanctions.
Basic definitions
Before getting into the matter, it is worth recalling the definitions of two of the main elements to take into account: personal data and processing.
By personal data, the GDPR understands "any information relating to an identified or identifiable natural person ('data subject')"; and it clarifies that "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". In other words, a very broad concept.
The definition of processing has not changed much in the GDPR compared to the previous regulation, and it continues to refer to "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"; in short, to any action carried out with personal data.
Nor has the definition of data controller changed much: it continues to be "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data", that is, the one who makes the most important decisions regarding the use of personal data. It should be remembered that processing carried out in the course of a purely personal or household activity (such as personal agendas or files for domestic use) remains excluded from the scope of the GDPR.
GDPR general principles
The basic principles for data processing have been expanded with respect to Directive 95/46/EC and the LOPD. These are the principles (art. 5.1 GDPR) that Legit.Health must comply with when processing data:
- Lawfulness, fairness and transparency: the data must be obtained in a lawful, fair and transparent manner in relation to the data subject, for which the information provided is key.
- Purpose limitation: the data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes.
- Data minimization: only data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected may be processed.
- Accuracy: the data must be accurate and, where necessary, kept up to date, so that it reflects the current situation of the data subject; this implies that reasonable steps must be taken to erase or rectify personal data that is inaccurate with regard to the purposes for which it is processed.
- Storage limitation: the data must not be kept for longer than is necessary for the purposes that motivate the processing.
- Integrity and confidentiality: the data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
In addition, article 5.2 of the GDPR makes Legit.Health responsible for compliance with the above principles and requires it to be able to demonstrate that compliance. This is the principle of accountability or proactive responsibility, discussed in the "Proactive responsibility" section above.
In this sense, the main recommendation is to establish means and systems that allow the application and compliance of the measures applied to comply to be demonstrated in writing.
The application of the above principles regarding the data processing carried out by Legit.Health is developed below.
Time of data collection
The first three principles (lawfulness, fairness and transparency; purpose limitation and minimization) refer mainly to the time of data collection. As a general rule, they must be incorporated into the information to be given to the interested party, although they also refer to moments after collection, so active supervision of their practical application is recommended.
Principle of legality, loyalty and transparency
The principle of lawfulness, fairness and transparency not only requires that the data subject be informed about the processing of their data, but also that the processing complies with the law (according to the legal bases described in the "Bases of legitimacy" section) and that this lawfulness is maintained over time.
The information that must be offered to the data subject, both regarding the conditions of the processing that affects them and in the responses to the exercise of their rights, must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. These provisions translate into measures such as the following:
- Especially cumbersome formulas that incorporate references to legal texts should be avoided, so that the interested party does not have to search for said texts.
- The information to the interested parties must be provided in writing, including the information provided by electronic means, when appropriate.
- The information clauses must explain the following content in a way that is clear and accessible to data subjects, regardless of their knowledge of the matter:
- Purpose and legal basis of the processing.
- The possibility of lodging a complaint with the supervisory authority.
- The procedure for exercising the rights recognized to data subjects.
- Whether profiles will be created with the data collected.
- Contact details of the Data Protection Officer (if any).
- The data retention period or, failing that, the criteria used to determine it.
- Any intention to make international transfers.
- The recipients of the data.
Digital environments
Compliance with the duty of transparency implies the need for natural persons whose data is being processed to have the possibility of knowing the circumstances in which that processing is going to be carried out in a concise, intelligible and easily accessible manner.
To achieve this when the data is collected through digital environments, the European Data Protection Board and the Spanish Data Protection Agency (AEPD) have proposed systems such as layered information, similar in approach to the solutions currently used to inform about the existence of cookies. These proposals have been incorporated into the LOPDGDD, whose article 11.2 defines the minimum content of the first layer as follows:
The basic information referred to in the previous section must contain, at least:
a) The identity of the data controller and his representative, if any.
b) The purpose of the treatment.
c) The possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679.
If the data obtained from the affected party were to be processed for profiling, the basic information will also include this circumstance. In this case, the affected party must be informed of their right to oppose the adoption of automated individual decisions that produce legal effects on them or significantly affect them in a similar way, when this right concurs in accordance with the provisions of article 22 of the Regulation (EU) 2016/679.
Therefore, the first layer of information must, at least:
- Identify the data controller, which will be done (according to the AEPD criteria) by means of the brand or trade name by which it is known to the public, without the need to include the full company name in this first layer. If the form includes the organization's logo prominently, our interpretation is that this requirement would have been met.
- Specify the purpose of the treatment, specifically and exactly. Ambiguous, imprecise or unclear expressions (such as "to offer you personalized information" or "to develop new services") should be avoided.
- Offer a means to allow the interested party to exercise their rights in terms of data protection. It must be appropriate to the context in which the data is collected, so depending on the circumstances, it could be an email address, a phone number, a link to a form on a website...
- Finally, you must indicate to the user in question how to access the complete information, which is usually specified by means of a link to the privacy policy.
However, this initial minimum information may be extended in certain cases, especially when the information is intended to be collected for a plurality of purposes, based on the user's consent:
- Consent under the GDPR requires a clear affirmative action by the user. In that case, it would suffice for the above information to be offered before the "continue" or "send" button. When the user presses that button, it will be understood that this clear affirmative action has taken place, without the need to tick any acceptance box (in other words, it is enough to offer a brief description of the processing and the possibility for the user to continue: if they do not want their data to be processed, they have the option not to continue).
- However, the system of acceptance or tick boxes will continue to be necessary and useful for the user to express their consent for purposes ancillary to the main one (shown in the first-layer information), such as disclosures of data to third parties, profiling, or the sending of the company's own advertising or that of third parties.
- It is recommended to establish systems that make it possible to prove that the requirement of having shown the information has been fulfilled. In digital environments, actions such as logging the IP address, the action of ticking or not ticking the box, and the date and time at which the action occurred would be valid evidence in this regard. Note that such a log is itself a processing of personal data and must be kept to the minimum needed for this evidential purpose.
- The first layer of information must be located in a place that is visible before the personal data is processed, that is, for example, at the bottom of any form that collects personal data.
- This first layer will be accompanied, where appropriate, by as many unticked boxes as there are consents to request for processing data for purposes other than the main one.
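The evidence log described in the recommendations above can be implemented as an append-only, hash-chained record of consent actions. The following is an added illustration, not code from the original document or from Legit.Health's systems; the purpose identifiers, notice version strings and IP addresses are constructed for the example. The hash chain lets the controller show that the log has not been altered after the fact, and the lookup treats the latest action per subject and purpose as decisive, so that unticking a box withdraws the consent.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed purposes: the main purpose shown in the first layer and an
# ancillary purpose that needs its own unticked box. Hypothetical names.
PURPOSES = {
    "service": "Provide the requested service",
    "newsletter": "Send the company's own newsletters",
}


@dataclass
class ConsentEvent:
    subject_id: str       # pseudonymous user identifier
    purpose: str          # key of PURPOSES
    action: str           # "checked" or "unchecked"
    notice_version: str   # version of the first-layer text that was shown
    ip: str               # logged only as evidence that the notice was shown
    at: str               # ISO-8601 UTC timestamp of the action
    prev_hash: str = ""   # hash of the previous event (chain link)
    hash: str = ""        # SHA-256 over all other fields


class ConsentLog:
    """Append-only, hash-chained record of consent actions."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    @staticmethod
    def _digest(event: ConsentEvent) -> str:
        # Canonical JSON of every field except the hash itself.
        payload = {k: v for k, v in event.__dict__.items() if k != "hash"}
        data = json.dumps(payload, sort_keys=True).encode("utf-8")
        return hashlib.sha256(data).hexdigest()

    def record(self, subject_id: str, purpose: str, action: str,
               notice_version: str, ip: str,
               at: Optional[str] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if action not in ("checked", "unchecked"):
            raise ValueError(f"invalid action: {action}")
        timestamp = at or datetime.now(timezone.utc).isoformat()
        prev = self.events[-1].hash if self.events else ""
        event = ConsentEvent(subject_id, purpose, action, notice_version,
                             ip, timestamp, prev_hash=prev)
        event.hash = self._digest(event)
        self.events.append(event)
        return event

    def verify(self) -> bool:
        """True if every event's hash and chain link are intact."""
        prev = ""
        for event in self.events:
            if event.prev_hash != prev or self._digest(event) != event.hash:
                return False
            prev = event.hash
        return True

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Latest action for (subject, purpose) decides; no record means no consent."""
        last = None
        for event in self.events:
            if event.subject_id == subject_id and event.purpose == purpose:
                last = event
        return last is not None and last.action == "checked"


if __name__ == "__main__":
    log = ConsentLog()
    # Constructed sample actions with a documentation-range IP address.
    log.record("u1", "newsletter", "checked", "notice-v1", "203.0.113.7",
               "2024-01-01T10:00:00+00:00")
    print("consent for newsletter:", log.has_consent("u1", "newsletter"))
    log.record("u1", "newsletter", "unchecked", "notice-v1", "203.0.113.7",
               "2024-01-02T10:00:00+00:00")
    print("consent after withdrawal:", log.has_consent("u1", "newsletter"))
    print("log intact:", log.verify())
```

In a real deployment the chain head would be periodically anchored elsewhere (a signed timestamp or a write-once store), and the log would be subject to its own retention period and access controls, since it contains IP addresses.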
The AEPD has also proposed an information system consisting of a first layer in table form, completed with information about the controller, the purposes, the legal basis of the processing, the intended disclosures or transfers, the way to exercise rights and the origin of the data, like the proposal below.
Annex 2 contains the first layer information for digital environments that follows the recommendations of the Spanish Agency for Data Protection.
The second layer of information will include all the information provided for in articles 13 and 14 of the GDPR, that is, the complete privacy policy, specific for each type of environment and processing.
It is recommended that these privacy policies be adapted in accordance with the general principles of the GDPR.
A model Privacy Policy for the website is provided in the "Documentation" - "Internet" section of Audens :: Data Protection (GDPR.audens.es), which must be adapted according to the collection purposes of the specific page.
However, it is recommended to contact our DPO by phone or email, in order to deal with the needs of privacy policies for each environment and according to the treatments that are carried out in them.
The main recommendations in this regard include:
- This second layer of information would be accessed through a link from the first layer.
- In addition, it is recommended that this privacy policy be accessible from any part of the website (for example, by establishing a link in the footer) or in an App (through an information section in the user menu or general information ).
Non-digital environments
Of course, when collecting data on paper, the interested party must also be informed about the collection, purposes and other concepts. In general, the double information layer system is not used in the non-digital environment, but in some specific cases it could occur.
In this regard it is recommended:
- When collecting data on paper, it must always be ensured that the interested party is informed of the processing of their data, which means including specific clauses, annexes or contracts on the matter.
- As the documentation is on paper, it is easy to store and save as proof of the existence of the relationship, of having informed, and where appropriate, of having obtained consent.
A series of general information clauses are provided with the documentation to the interested parties regarding the processing of their data in different circumstances. The clauses are accessible from the "Documentation" - "Clauses" section.
Purpose limitation
Data processing must also be limited to the purposes that have been determined by the company (purpose limitation), which must be clearly and explicitly explained to the data subject. For example, the data collected from candidates through a contact form on the website could have the purpose of including the candidates in the company's future selection processes.
That same data could not, however, be used to send newsletters or commercial communications unless the user knows about this purpose and expressly and specifically accepts it.
The main recommendations in this regard include:
- As a measure of diligence, it is recommended to review all processing activities once a year in order to determine the uses that are actually given to the data in practice.
- As an example of purpose limitation, consider the receipt of CVs from candidates for selection processes. The processing of that data should be limited to the reasonable purpose of considering the candidate in the company's selection processes (for which they may be sent emails, calls, etc., related to that subject). What cannot be done (except with prior consent) is to include the candidate in newsletter subscriptions or advertising mailings: those would be incompatible purposes unless there is an additional legal basis, such as consent.
- Whenever such decisions are made, it is recommended that the review and the decision be documented in order to demonstrate diligence in the matter.
Data minimization
The principle of data minimization establishes the obligation to request only the data strictly necessary to fulfil the purpose for which it is collected. It is a manifestation of the constitutional principle of proportionality, according to which only processing that passes a triple test may be carried out: suitability (the data processed allows the intended objective to be achieved), necessity (there is no other less intrusive measure to achieve the objective pursued), and balancing (the processing brings more benefit to the company than harm to those affected). For example: if we develop a flashlight application for a mobile phone, requesting access to the user's contact list or real-time location would be more than questionable and,
The main recommendations are:
- Compliance with these principles means for Legit.Health, fundamentally, having to control the data that is collected in relation to the purposes for which it is intended, and establish adequate information mechanisms for the interested party based on it.
- To this end, it is recommended to carry out a review of all the processing carried out once a year, in order to determine what data may not be accurate or necessary to obtain or process. In the event that such decisions are made, it is recommended that the review and decision-making be documented in order to demonstrate diligence in the matter.
Accuracy
The personal data processed must be accurate and up-to-date. For this reason, systems must be established by which Legit.Health can keep said information updated, and modify, complete or delete any personal information that is inaccurate.
The paradigmatic example is the employees. Legit.Health has a staff of workers for whom it has complete data to carry out payroll and labor control, but there may be changes in personal situations: address, bank account, personal circumstances that affect the calculation of payroll (children, dependents, disabilities...). It is information that usually varies over time, with the consequent duty of updating for the company.
It is recommended to adopt measures to update data for those interested parties with whom they have medium or long-term relationships.
For example, with regard to workers, it is recommended to make a data update request once a year, which could well be done by completing Form 145 of the Tax Agency, which allows updated information on the worker to be obtained, both for the calculation of your payroll as of any other personal circumstance.
Limitation of the term of conservation
The European standard requires that the data not be processed beyond the time necessary to fulfill its purpose. For this reason, it is essential that Legit.Health has an internal protocol on data processing and retention periods that establishes the measures that it will apply, when the time comes.
The limitation periods for actions provided for in national regulations help define the periods in which certain personal data must be available, so these sources can be used to establish retention schedules.
A table with extended information on retention periods according to the circumstances of the treatment is provided as Annex 3 . The annex is accessible from the "Documentation" - "Documents" section.
When it is determined that some data is no longer necessary for the purposes for which it was collected, it must be deleted. In this regard, it must be taken into account that:
- Deletion of the data means its complete elimination in a secure manner;
- Under the LOPDGDD, however, deletion does not initially lead to complete erasure but to the retention of the data as blocked information, solely and exclusively so that it can be made available, if required, to Public Administrations, judges and courts in order to address possible liabilities arising from the processing, during the limitation period of those liabilities. During the blocking period the data must not be accessible for any other purpose. Once that period has elapsed, the data must be permanently deleted.
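The two-stage lifecycle described above (active, then blocked for the limitation period, then permanently erased) is easier to enforce when it is modelled explicitly rather than left to ad hoc scripts. The following is an added example, not code from the original document or from Legit.Health; the blocking period, the set of legally privileged access purposes and the sample records are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    ACTIVE = "active"    # normal processing for the original purpose
    BLOCKED = "blocked"  # kept only for liabilities; ordinary access denied
    # Erased records are removed from the store entirely, so no ERASED state.


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    state: State = State.ACTIVE
    blocked_on: Optional[date] = None
    erase_after: Optional[date] = None


# Assumed set of purposes that may read blocked data (hypothetical names).
PRIVILEGED_PURPOSES = {"court_order", "authority_request", "liability_claim"}


class RetentionStore:
    """Stores records and enforces the active -> blocked -> erased lifecycle."""

    def __init__(self, blocking_period: timedelta) -> None:
        # Assumed limitation period during which blocked data is retained.
        self.blocking_period = blocking_period
        self.records: Dict[str, Record] = {}

    def add(self, record: Record) -> None:
        self.records[record.subject_id] = record

    def get(self, subject_id: str, purpose: str = "ordinary") -> Dict[str, str]:
        """Return the data, or refuse if the record is blocked and the
        purpose is not one of the legally privileged ones."""
        record = self.records[subject_id]
        if record.state is State.ACTIVE:
            return record.data
        if record.state is State.BLOCKED and purpose in PRIVILEGED_PURPOSES:
            return record.data
        raise PermissionError(f"record {subject_id} is blocked for purpose {purpose!r}")

    def block(self, subject_id: str, today: date) -> Record:
        """Move a record out of ordinary use and start the blocking clock."""
        record = self.records[subject_id]
        record.state = State.BLOCKED
        record.blocked_on = today
        record.erase_after = today + self.blocking_period
        return record

    def purge_expired(self, today: date) -> List[str]:
        """Permanently delete blocked records whose period has elapsed."""
        expired = [r.subject_id for r in self.records.values()
                   if r.state is State.BLOCKED and r.erase_after is not None
                   and r.erase_after <= today]
        for subject_id in expired:
            # Overwrite the payload before dropping the reference, as the
            # in-memory analogue of secure deletion.
            self.records[subject_id].data.clear()
            del self.records[subject_id]
        return expired


if __name__ == "__main__":
    # Constructed sample: a former employee record and an assumed 3-year period.
    store = RetentionStore(blocking_period=timedelta(days=365 * 3))
    store.add(Record("emp-001", {"name": "Sample Employee", "iban": "ES00..."}))
    store.block("emp-001", date(2024, 1, 1))
    print("ordinary access allowed:",
          store.get("emp-001", "court_order") is not None)
    print("purged in 2025:", store.purge_expired(date(2025, 1, 1)))
    print("purged in 2027:", store.purge_expired(date(2027, 1, 1)))
```

The purge step is the one to schedule and log: a dated list of what was erased, and when, is the evidence that the storage limitation principle is applied in practice rather than only documented.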
Integrity and confidentiality principle
This principle concerns the application of appropriate technical measures to prevent unauthorized or unlawful processing of personal data and to protect it against accidental loss, destruction or damage. Given the extent of the obligations and recommendations involved, it is analyzed in a separate section.
Notwithstanding the above, the principle of integrity and confidentiality also affects organizational matters, especially in relation to employees, who are the ones most likely to cause, through their actions or omissions, confidentiality problems regarding the personal data for which Legit.Health is responsible.
Guaranteeing the secrecy and confidentiality of the personal data processed in Legit.Health's systems and facilities is therefore a fundamental duty. Legit.Health's main obligation as controller in this regard is to make its staff, and in general everyone who accesses personal data under its responsibility, aware of the duty of secrecy and confidentiality they have with respect to the personal data they access.
Bases of legitimacy
It is impossible to comply with the above principles without a solid legal basis for processing personal data. Until now, under national legislation, there were basically three legal bases for data processing: the consent of the data subject, legal authorization, and the necessity of the processing for the performance of a contract.
The GDPR extends the list (art. 6), so that processing is lawful only if at least one of the following conditions applies:
- The data subject has given consent to the processing of their personal data for one or more specific purposes.
- The processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- The processing is necessary for compliance with a legal obligation to which the controller is subject.
- The processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The supervisory authorities have repeatedly stressed that consent should be the last option for legitimizing data processing. Thus, when a processing activity can be based on the performance of a contract, that basis is preferable to consent.
In addition, article 9 of the GDPR provides for a series of circumstances under which "special categories of data" may be processed.
As a general rule, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, is prohibited.
However, such processing is not prohibited if at least one of the following conditions is met:
- The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition cannot be lifted by the data subject.
- The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
- The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
- The processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data is not disclosed outside that body without the consent of the data subjects.
- The processing relates to personal data which is manifestly made public by the data subject.
- The processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity.
- The processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
- The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional, provided that the data is processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or the rules established by national competent bodies, or by another person also subject to an obligation of secrecy.
- The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Likewise, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Consent
Consent of the data subject is one of the classic legal bases for processing, especially where the processing cannot be fitted into any of the other bases. With the arrival of the GDPR, however, the way consent is obtained has changed significantly: it can now only be given through a clear, specific and affirmative action.
Consent must be unambiguous in all cases and, in addition, explicit for the processing of special categories of data, for automated decision-making and for international transfers.
Processing begun before the GDPR became applicable on the basis of consent remains lawful as long as that consent was given in the manner the GDPR itself requires, that is, by a statement or a clear affirmative action.
Specific issues to consider:
- The regulation does not allow the use of personal data for which there is no prior consent based on a clear affirmative action by the data subject. If there are databases built on tacit consent, or the data were obtained lawfully but it cannot be demonstrated that they were collected with the data subject's consent, those data should not be used.
- When processing is to rely on this basis, the personal data must be obtained through a consent mechanism: unambiguous consent (a clear affirmative action of the data subject) for ordinary data, or explicit consent for special categories of data (such as health, sexual orientation, biometrics, ideology...). A clear affirmative action can be any action the data subject takes for themselves, for example clicking an accept or continue button, filling in a form or writing, whereas explicit consent requires something more, such as the data subject's signature or actively ticking a consent checkbox before the processing begins (a pre-ticked box does not count as consent).
Performance of a contract
When it is necessary to process data for the performance of a contract to which the data subject is party, for example an employment contract, this basis alone is sufficient for the processing. Bear in mind, on the one hand, that the article speaks of "necessity", not "convenience", so it does not cover the use of just any personal data; and on the other, that it is the most used basis for processing data in the employment context, since consent given by an employee may be considered invalid by the AEPD, which has never regarded it as freely given owing to the dependency relationship between employee and employer.
Legitimate interest
The GDPR provides that processing is lawful when it is necessary for the purposes of the legitimate interests pursued by the controller, provided those interests are not overridden by the interests or fundamental rights and freedoms of the data subject, taking into account the data subject's reasonable expectations based on their relationship with the controller.
Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the company, such as where the data subject is an employee of a customer or supplier and there is an ongoing provision of services. In any case, the existence of a legitimate interest requires careful assessment, including whether the data subject can reasonably expect, at the time and in the context of collection, that processing for that purpose may take place. In particular, the interests and fundamental rights of the data subject should prevail over those of the controller where personal data are processed in circumstances in which the data subject does not reasonably expect further processing. In any case,
Main recommendations in this regard:
- Where processing needs to rely on legitimate interest rather than on one of the preceding legal bases, it is recommended that an analysis be made of the necessity of the processing and of the lawfulness of relying on legitimate interest, and that this analysis be documented and kept.
- Where processing is finally established on the basis of legitimate interest, it is recommended that:
- the principles of the GDPR are respected;
- this legal basis is justified in writing and the data subject is informed of it;
- it is ensured that the rights of data subjects are not infringed in the collection and processing of their data.
Legal obligation
Another legal basis for processing is that it is necessary for compliance with a legal obligation to which the controller is subject, in other words, that a rule requires the disclosure of the data. Note that the GDPR speaks of an "obligation", not an "authorization", as the previous regulation did: processing that used to rest on the mere existence of an enabling law (such as video surveillance or the inclusion of unpaid debts in credit-default files) must now rest on another legal basis, ideally "legitimate interest" or even "public interest".
That said, there are many rules that require the disclosure of data, from the health field to public bodies (such as the Tax Agency or Social Security in the case of customer or employee data).
It is recommended to contact our DPO by phone or email to assess, weigh and document any processing that is intended to be, or must be, based on legitimate interest.
Rights of data subjects
In general, data subjects must be helped to exercise their rights, and the procedures and forms for doing so must be visible, accessible and simple. The GDPR requires that requests can be submitted by electronic means, especially when the processing is carried out by those means.
As a general rule, exercising rights is free of charge for the data subject, except where requests are manifestly unfounded or excessive, in particular because of their repetitive character; in that case a reasonable fee covering the administrative costs of handling the request may be charged, or the request may be refused. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of a request before charging for it or refusing it.
The Regulation grants each person, with respect to their personal data, both the traditional rights already known and others with new content. The data subject therefore has the following rights at their disposal:
- Access: the right to request information about the processing to which their personal data are or may be subject, the available information on the origin of the data, and the disclosures made or planned. The AEPD has qualified this right: it consists of obtaining information and does not cover access to specific documents, without prejudice to other rules that do entitle the data subject to obtain documentation.
- Rectification: allows the data subject, where the data processed contain an error, to request their correction or update.
- Objection: allows the data subject to request that their data not be processed, or that processing cease, in a series of defined cases, for example when the legal basis is legitimate interest or the purpose is direct marketing.
- Restriction: allows the data subject to ask the controller, in certain cases, to suspend the processing of their data (for example, while the correct exercise of another right is being verified) or to retain the data (for example, because the data subject needs them to bring a claim).
- Portability: an advanced form of the right of access, allowing the data subject to obtain their data in a structured, commonly used and machine-readable format so that they can be transmitted to another controller. Its primary objective is to make it easier to switch from one service provider to another, thereby strengthening competition between services.
- Erasure (right to be forgotten): on the one hand, the erasure of the data subject's personal data when certain circumstances arise and, on the other, the manifestation of the rights of erasure and objection in the online environment. The latter makes it possible to limit the universal and indiscriminate dissemination of personal data through general search engines when the information is outdated, no longer relevant or no longer of public interest, even though the original publication was lawful.
- Not to be subject to automated decisions: allows the data subject to react against decisions that produce legal effects concerning them or similarly significantly affect them, when they are based solely on the automated processing of personal data.
- In general, the data subject has the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) if they consider that their data have not been processed in accordance with data protection regulations.
The deadline for responding to these requests is one month from receipt, which may be extended by a further two months where necessary, taking into account the complexity and number of requests; the action protocols defined for handling requests must therefore be followed.
A Guide to the Exercise of Rights is provided, accessible through our compliance platforms in the "Documentation" - "Rights" section, which includes the response templates for each right.
Processors
Legit.Health, as controller, may need third-party companies or individuals to carry out some action on the data, or to carry out, in whole or in part, processing on its behalf and under its instructions. In other words, it may engage third parties to perform activities that involve processing personal data under its responsibility. This relationship is a processing engagement (encargo de tratamiento), and the service provider is a processor acting on behalf of Legit.Health.
Ultimate responsibility for the processing remains with Legit.Health, which is the party that decides that the processing takes place and determines its purpose.
Relations between controller and processor must therefore be formalized in a contract or other legal act that binds the processor to the controller (it must be in writing, including in electronic form) and that has the minimum content provided for in Article 28 GDPR.
Whenever Legit.Health engages a service provider that may access data for which it is responsible, such as payroll agencies, IT maintenance, consultants, lawyers, hosting, marketing and advertising companies, it must keep the contract duly signed with each of them and monitor, as far as possible, the processing they carry out, paying special attention that the data do not leave the European Economic Area in the course of their work (for example, by being stored on servers, or processed by software, located outside the EEA).
It is important to document the instructions given to the processor about the processing, which can range from the simplest aspects to far-reaching obligations, such as prohibiting subcontracting or establishing periodic controls to review regulatory compliance.
Conversely, Legit.Health may provide services on behalf of third parties and, in carrying them out, need or possibly need to process personal data for which its clients are responsible; in that case Legit.Health is the processor.
In this respect, subcontracting is not allowed without the prior authorization of the controller, so if Legit.Health uses third parties that may also have access to client data in delivering its services (hosting, cloud software, freelancers, other external providers...), this must be communicated to the controller and authorized by it. In addition, the controller must be informed of any intended change in the addition or replacement of other processors, so that the controller has the opportunity to object to those changes with reasonable notice.
Legit.Health will also be obliged to assist the controller in ensuring compliance with its data security obligations, taking into account the nature of the processing and the information available to the processor.
The record of all entities that process data on our behalf, or on whose behalf we process data, is R-050-004 Controllers, processors and subprocessors of our QMS.
Legal Procedure 1 - Treatment commissioning regime is provided, accessible through our compliance platforms in the "Documentation" - "Documentation" section.
Template processing agreements adapted for Legit.Health are provided through our compliance platforms in the "Documentation" - "Clauses" section.
Contracts adapted to Legit.Health are also provided for its providers that have been entered in our compliance platforms. These completed contracts are accessible in the "Companies" - "They treat our data as" section.
Likewise, contracts adapted to Legit.Health are provided for its clients (when Legit.Health is their processor) that have been entered in our compliance platforms. These completed contracts are accessible through our compliance platforms in the "Companies" - "We treat your data as" section.
Data processing in foreign jurisdictions
The General Data Protection Regulation is designed to protect the personal data of individuals in the EU, but its reach is also extraterritorial in certain respects. For that reason, when processing data of persons outside the EU, we maintain compliance with the GDPR and also make our best efforts to comply with the local regulations of the country where the data subjects reside.
To that end, we implement the following measures:
- Data transfer agreements: when transferring data out of a country, we use standard contractual clauses or other legal mechanisms to ensure compliance.
- Clear data handling policies: we define how data are collected, stored, used and transferred, aligning these policies with both the GDPR and the relevant local regulations. This is reflected in the contract we sign with the data subject.
- Adequate safeguards: where possible, these include pseudonymization, encryption, and ensuring that physical and digital security measures are in place.
- Necessary consents: we ensure that consent is collected in compliance with the strictest of the applicable laws, which means adhering to both GDPR and local requirements.
- Data protection impact assessment: when an activity is high risk, as identified in our Record of Processing Activities, we carry out a DPIA. This helps in understanding the risks associated with the processing and the measures necessary to mitigate them.
Data communications
A communication (disclosure) of personal data is the transmission of information relating to a natural person by a controller (transmitter) to another natural or legal person (recipient) who intends to use it as a controller in its own right. Unlike a processing engagement, in which one party acts under the instructions of the controller, here each party processes the data for its own purposes and by its own means.
Some disclosures are required by law, for example the transfer of employees' data to Social Security or the Tax Agency, or arise from the need to perform a contract, for example the disclosure of employees' data to the bank to pay their salaries; in these cases the disclosure takes place in compliance with a legal obligation or in performance of a contractual relationship.
Outside cases of this kind, the prior and duly informed authorization of the data subject is usually required, as well as the signing of a specific contract between transmitter and recipient.
It is recommended to contact our DPO by phone or email to assess the specific needs of these disclosures and adopt specific measures for each case.
International Data Transfers
In principle, data may only be communicated outside the European Economic Area (EEA):
- To specific countries, territories or sectors (the GDPR also includes international organizations) for which the Commission has adopted a decision recognizing that they offer an adequate level of protection;
- To recipients who have provided appropriate safeguards for the protection the data will receive at destination, through specific contracts or other binding legal instruments; or
- When one of the derogations applies that allow data to be transferred without guarantees of adequate protection, for reasons of necessity linked to the data subject's own interests or to general interests.
Outside these cases, international data transfers are not permitted, so they must be evaluated with special care.
It is recommended to contact our DPO by phone or email to assess the specific needs of these international data transfers and adopt specific measures for each case.
Among the decisions adopted by the European Commission was one, issued on July 12, 2016, declaring that United States companies adhering to the framework known as "Privacy Shield" offered adequate protection for data from the EEA. However, the Court of Justice of the European Union declared that decision invalid (Schrems II, July 16, 2020), so the Privacy Shield no longer serves as a basis for data flows to US companies. Any transfer that relied on it must be adapted to the legal situation resulting from that ruling.
It is also important to determine, when contracting services with providers, the conditions under which those services are provided, especially with technology providers. For example, contracting cloud services such as file storage may mean that the provider's servers are located outside the European Economic Area even though the company is based in Spain; an international data transfer would then be taking place even though the service was ostensibly contracted with a European provider. These aspects must be taken into account, especially, when choosing between providers.
Record of Processing Activities (ROPA)
Unlike the previous data protection regulations, which required the supervisory authority to be notified of the files subject to processing, the GDPR obliges controllers to maintain a record of processing operations (Record of Processing Activities, or ROPA) containing the information established in Article 30 GDPR:
- Name and contact details of the controller or joint controllers and of the Data Protection Officer, if any.
- Purposes of the processing.
- Description of the categories of data subjects and of the categories of personal data processed.
- Categories of recipients, international data transfers, the envisaged retention periods and, where possible, a general description of the technical and organizational security measures.
As a general rule, organizations with fewer than 250 employees are exempt, unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offences.
In our case, we keep a Record of Processing Activities in the record R-050-001 Record of Processing activities (ROPA). This record is reviewed or updated at least yearly.
Risk Analysis
The GDPR makes the adoption of accountability (proactive responsibility) measures conditional on the risk that the processing may pose to the rights and freedoms of data subjects. One of the main and most basic obligations of Legit.Health is therefore to determine the risk of the processing it carries out.
Legit.Health must carry out a risk assessment of the processing it performs in order to establish which measures it must apply and how. The type of analysis will vary depending on:
- The types of processing.
- The nature of the data.
- The number of data subjects affected.
- The quantity and variety of processing operations carried out on the same data or data subject.
The analysis will be the result of a reflection, at least minimally documented, on the implications of the processing for the rights and freedoms of data subjects, and on the security measures adopted as a result.
Such measures will be determined, after the risk analysis has been carried out, according to four variables:
- The state of the art.
- The costs of implementation.
- The nature, scope, context and purposes of the processing.
- The risks to rights and freedoms.
If a risk is detected, it must be handled in one of two ways:
- Where a low risk is detected that can be easily eliminated or reduced, measures must be taken to do so, always proportionate to the level and type of risk the processing entails. For example, it would be advisable to apply data protection by design measures to the affected processing in order to correct the situation (as discussed in a later section), and/or to apply new security measures to guarantee the protection of the data.
- In other cases, when the processing involves a high risk to the rights and freedoms of data subjects, a Data Protection Impact Assessment must be carried out before the processing begins (as discussed in a later section).
- In either case, it is recommended that the processing operations on which a risk analysis has been carried out be recorded in the Risk Analysis Registry, in order to be able to demonstrate diligence and proactivity.
Through our compliance platforms, Legit.Health can consult the risks of the processing operations identified in the initial consulting phase contracted to Audens, and manage, modify and update them as adjustments are made.
In addition, a general status report has been generated on the initial risks, the proposed improvements and the expected risk reduction resulting from those improvements. This status report is provided as Annex 6, downloadable from the "Documentation" - "Documents" section.
Data Protection Impact Assessments
Once the risk analysis described above has been carried out, controllers must carry out a Data Protection Impact Assessment (DPIA; EIPD in Spanish) on those processing operations that present a high risk to the rights and freedoms of data subjects.
The data protection regulations themselves, as well as the supervisory authorities, establish certain criteria that qualify processing as high risk regardless of other factors, such as processing carried out through innovative technological means with little market adoption, or processing that involves the systematic processing of special categories of data.
The assessment is carried out by the controller, who must seek the advice of the data protection officer, where one has been appointed; a single assessment may address a set of similar processing operations that present similar high risks.
The impact assessment must include:
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller.
- An assessment of the necessity and proportionality of the processing operations in relation to their purposes.
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the applicable regulations. The application of these measures is therefore aimed at mitigating the risks identified.
The foregoing also applies to processing that the controller began before the GDPR became applicable: if the indicated conditions are met, it must be subjected to a DPIA under the same conditions.
If the level of risk remains high after applying the controls proposed in the DPIA, the controller must consult the Spanish Data Protection Agency on the situation before the processing begins.
It is recommended to contact our DPO by phone or email to assess the specific needs for carrying out an adequate Data Protection Impact Assessment.
Notwithstanding the foregoing, Legal Procedure 2 - Data Protection Impact Assessment is provided, downloadable from the "Documentation" - "Documents" section.
Privacy by design and privacy by default
Before processing begins, and also while it is being carried out, and especially when a low or moderate risk has been detected in a risk analysis, the data protection implications of each action or processing operation carried out by the controller must be analyzed in order to adopt the appropriate corrective measures.
This kind of action very directly reflects the accountability (proactive responsibility) approach the controller must follow, since it is a matter of anticipating and analyzing each action from the very moment a processing operation, or a product or service involving personal data, is designed, and proposing the appropriate legal, organizational and technical measures for its adoption.
Compliance with the accountability principle also requires being able to demonstrate compliance with the obligations, so these privacy by design and by default analyses or reports must be documented and available to the supervisory authority where appropriate.
Privacy by design
From the start of the conceptualization and design of programs, applications, advertising campaigns or any other activity with implications for personal data, controllers must take organizational and technical measures to build the strongest privacy and data protection safeguards for data subjects into the resulting processing (art. 25.1 GDPR).
Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity that the use of the data entails for the rights and freedoms of natural persons, Legit.Health is obliged to apply appropriate technical and organizational measures to protect the rights of data subjects, both when determining the means of processing and during the processing itself.
In short, Legit.Health must document that data collection and subsequent processing are carried out in accordance with the general principles of the GDPR, in order to be able to demonstrate, in line with the accountability principle, that it fulfils its obligations.
It is recommended to contact our DPO by phone or email to assess the specific needs for implementing privacy by design in the activities that require it.
Privacy by default
In addition, in terms similar to the previous section, the GDPR also imposes the obligation to apply appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed. Such measures must ensure in particular that, by default, personal data are not made accessible, without the individual's intervention, to an indefinite number of natural persons (art. 25.2 GDPR).
This obligation applies to situations in which there may be several processing operations whose data could become known to other users or third parties.
An example would be social networks, or any other system in which the user is allowed to publish their data or the controller publishes them. Under this rule, the controller must ensure that, by default, the privacy options of the application or processing start out as restrictive as possible, safeguarding the rights of the data subject. If the data subject then chooses to relax those restrictions, that is their own action, and the company would no longer be responsible for the resulting disclosures or publications.
It is recommended to contact our DPO by phone or email to assess the specific needs for implementing privacy by default in the activities that require it.
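The following is an added example, not code from the original manual or from Legit.Health, showing what art. 25.2 GDPR looks like in application code: every shareable field of a user profile starts at the most restrictive visibility, only the data subject can widen it (and the change is logged), a field holding health data is not shareable at all, and the read path discloses only what the viewer is entitled to see. The field names, user identifiers and sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Visibility(Enum):
    PRIVATE = "private"    # only the data subject
    CONTACTS = "contacts"  # people the data subject has explicitly linked to
    PUBLIC = "public"      # an indefinite number of people: the art. 25.2 case


# Fields that can be shared at all (assumed names for the example). Anything not
# listed here, for instance a diagnosis (a special category of data), is never
# exposed to other users and cannot be switched on through this mechanism.
SHAREABLE_FIELDS = ("display_name", "city", "birth_date")


@dataclass
class PrivacySettings:
    # Privacy by default: every shareable field starts at the most restrictive
    # level. Widening is always a deliberate act of the data subject.
    visibility: Dict[str, Visibility] = field(
        default_factory=lambda: {f: Visibility.PRIVATE for f in SHAREABLE_FIELDS}
    )
    audit: List[str] = field(default_factory=list)  # who widened what (accountability)

    def widen(self, field_name: str, level: Visibility, actor: str, subject_id: str) -> None:
        if field_name not in self.visibility:
            raise KeyError(f"{field_name!r} is not a shareable field")
        if actor != subject_id:
            # Neither an administrator nor a batch job may open a profile up.
            raise PermissionError("only the data subject may widen their own visibility")
        self.visibility[field_name] = level
        self.audit.append(f"{subject_id} set {field_name} to {level.value}")


@dataclass
class Profile:
    subject_id: str
    data: Dict[str, str]
    contacts: Set[str] = field(default_factory=set)
    settings: PrivacySettings = field(default_factory=PrivacySettings)

    def view_as(self, viewer_id: Optional[str]) -> Dict[str, str]:
        """Data minimization at the point of disclosure: return only the fields
        this viewer may see. viewer_id None means an anonymous visitor."""
        if viewer_id == self.subject_id:
            return dict(self.data)  # the data subject always sees their own data
        visible: Dict[str, str] = {}
        for name, value in self.data.items():
            level = self.settings.visibility.get(name, Visibility.PRIVATE)
            if level is Visibility.PUBLIC:
                visible[name] = value
            elif level is Visibility.CONTACTS and viewer_id in self.contacts:
                visible[name] = value
        return visible


def make_sample_profile() -> Profile:
    # Constructed sample record; identifiers and values are fictitious.
    return Profile(
        subject_id="u1",
        data={"display_name": "A. Example", "city": "Bilbao",
              "birth_date": "1990-01-01", "diagnosis": "psoriasis"},
        contacts={"u2"},
    )


def demo() -> Dict[str, Dict[str, str]]:
    """Fresh profile: nobody but the subject sees anything. After the subject
    opts in, anonymous visitors and contacts see exactly what was opened up."""
    p = make_sample_profile()
    before_anon, before_contact = p.view_as(None), p.view_as("u2")
    p.settings.widen("display_name", Visibility.PUBLIC, actor="u1", subject_id="u1")
    p.settings.widen("city", Visibility.CONTACTS, actor="u1", subject_id="u1")
    return {
        "before_anonymous": before_anon,      # {}
        "before_contact": before_contact,     # {}
        "after_anonymous": p.view_as(None),   # {'display_name': 'A. Example'}
        "after_contact": p.view_as("u2"),     # {'display_name': 'A. Example', 'city': 'Bilbao'}
    }


if __name__ == "__main__":
    for label, view in demo().items():
        print(label, view)
```

The two checks that matter for a reviewer are that a freshly created profile discloses nothing to anyone but its owner, and that the health field is absent from `SHAREABLE_FIELDS`, so no setting, default or otherwise, can ever expose it.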
Organizational security measures
The GDPR states in recital 39 that personal data must be processed in a manner that ensures their security and confidentiality, both to prevent unauthorized access to or use of the data and of the equipment used for processing, and to guarantee the availability of the data in the event of loss or unauthorized access.
This obviously requires measures to be taken to secure the processing. Accordingly, the new regulation places on the controller the responsibility for adopting appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is carried out in accordance with the Regulation.
Thus, although the GDPR no longer specifically requires a security document, as the previous regulations did, listing the security measures established for the different processing operations, Legit.Health is obliged to record the technical and organizational security measures it applies to guarantee the security of personal data. Continuing to maintain such security documents may therefore be a good idea.
Implementing security measures also responds to the obligation to adopt technical and organizational measures that strengthen people's control over their information and its proper processing in the face of possible risks. This allows adaptation to the evolution of technology and society, with continuous evaluation making it easier to monitor new risks as they appear.
Notwithstanding the foregoing, the security measures are reflected in our compliance platform tool, accessible at GDPR.audens.es, and are also accessible through the documentation generated and made available in the tool under the "Organization", "Resources", "Security" and "Personnel" sections. In these sections you will find the measures and information defined in the tool, which are updated by Legit.Health or by Audens, where maintenance has been contracted.
It is recommended to contact our DPO by phone or email to assess the specific organizational security measures required by the activities that need them.
Likewise, Legit.Health will find specific documentation in the "Documentation" - "Documents" section.
Notification of security breaches
Personal data breaches, or security breaches, are defined very broadly in the GDPR and include any incident leading to the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or to unauthorized disclosure of, or access to, such data.
When a personal data breach occurs, the controller must notify the AEPD, unless the breach is unlikely to result in a risk to the rights and freedoms of those affected. In addition, where the breach is likely to result in a high risk to the rights or freedoms of the data subjects, the notification to the supervisory authority must be complemented by a communication to the data subjects themselves.
Notification of the breach to the authority must be made without undue delay and, where feasible, within 72 hours after the controller becomes aware of it.
Examples of breaches: the loss of a laptop, unauthorized access to an organization's databases (even by its own staff), or the accidental deletion of some records are all security breaches under the GDPR and must be handled as the Regulation establishes. In the first two examples, whether the information was pseudonymized or encrypted can be decisive when deciding whether the supervisory authority (or even the data subjects) need to be informed.
In certain cases, the failure to notify a data breach to the supervisory authority or to the data subjects, as the case may be, may itself be considered a security failure, a lack of measures or the inadequacy of the existing ones.
Legal Procedure 3 - Security Violations has been created and can be downloaded from the "Documentation" - "Documents" section. That document sets out the recommendations on how to act in the event of a security breach.
Data Protection Officer
The GDPR has introduced a fundamental figure within certain data controllers to guarantee adequate compliance with data protection regulations: the Data Protection Officer (DPO). This figure is entrusted with certain tasks and obligations, such as informing and advising the data controller on data protection regulations, supervising the controller's compliance with this regulation, and acting as the point of contact and mediator between the data controller and the data subjects or the AEPD, among others.
Although this appointment is not mandatory for all data controllers, there are cases in which the appointment is mandatory, such as the following:
- Controllers or processors whose main activities include processing operations that require regular and systematic monitoring of data subjects on a large scale.
- Controllers or processors whose main activities include the large-scale processing of sensitive data, that is, data that reveals racial or ethnic origin, ideology, religion or philosophical beliefs, union membership, genetic data, and the processing of biometric data to uniquely identify a person, as well as data related to health, sex life and sexual orientation. This also applies when the data relates to criminal convictions and offences.
Additionally, the LOPDGDD has established a closed list of cases in which, due to the activity of the controller, it is necessary to appoint a data protection officer.
A full explanation of the role of the Data Protection Officer is provided in Annex 11, covering when the appointment is mandatory or advisable, as well as an assessment of whether or not Legit.Health would be required to have a Data Protection Officer.
Conclusion
In this report, the main aspects of consideration that Legit.Health must observe in order to guarantee adequate compliance with the personal data protection regulations have been identified in general.
As indicated at the beginning of this document, part of the compliance aspects derived from the current data protection regulations grant data controllers greater formal freedom to comply with said obligations; however, the objectives and requirements set by the GDPR will involve, for the most part, adaptation processes and modifications at the operational level.
Although, in the context of the adaptation process addressed, Audens provides a series of annexes aimed at detailing all the compliance requirements for each of the aspects indicated in this report, it is important to highlight the need for constant review that Legit.Health must address, given the short time this new regulatory framework has been in application and the evolution of the criteria of the bodies with competence in the matter, such as case law or national or supranational supervisory authorities. In this way, the report outlines the compliance aspects that Audens has considered necessary, to the best of its knowledge and understanding, as of the moment of analyzing the documentation provided by Legit.Health and the interviews carried out.
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: JD-020, JD-004
- Reviewer: JD-003
- Approver: JD-001