SP-050-001 Data protection officer manual

Scope

This document is a brief informative guide to the functions and obligations of the Data Protection Officer.

Introduction

When this document says "we", it refers to the company registered under the name AI Labs Group SL, with ID number B95988127 and address in Bilbao, 48013 (Vizcaya).

We carry out data processing for which, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, GDPR), a Data Protection Officer (DPO, also referred to in this document as Data Protection Delegate, DPD) must be appointed.

We therefore appoint a Data Protection Officer on the basis of their professional qualities and, in particular, their expert knowledge of data protection law, especially as it relates to the data processing operations that the Data Controller performs.

Definition of Data Protection Officer

The Company, as data controller, is legally responsible for the security of processing and for applying the technical and organisational measures that effectively and reliably guarantee that security. To facilitate the adoption of such measures, and in keeping with the characteristics of the Company, it has appointed a Data Protection Officer, who is a cornerstone of accountability and helps the Company, as Data Controller, to fulfil the obligations that correspond to it.

The DPO designated by the Company is in no case personally liable for the fulfilment of the obligations set out in the GDPR; it is in every case the Company that must guarantee and demonstrate that processing is carried out in accordance with the accountability duties imposed on it (Article 24.1).

Functions and Obligations

As specified in the previous section, the DPO's level of knowledge is commensurate with the sensitivity, complexity and volume of the data that the Company handles by the nature of its business.

The DPO may perform other functions and tasks, provided that those functions and tasks do not give rise to a conflict of interest.

In accordance with the GDPR, the DPO will not be dismissed or penalised for carrying out their data protection functions.

Coordination function

The DPO will be in continuous coordination and contact with the Company, the Security Manager it designates, the data subjects and the supervisory authorities.

The DPO must be reachable at all times; for this reason the Company will ensure that the DPO's contact details are available to everyone who takes part, actively or passively, in the processing that it carries out as Data Controller.

One of the DPO's main functions is to be involved, properly and in a timely manner, in all matters relating to the protection of the personal data handled by the Company.

Monitor GDPR compliance

The DPO must therefore supervise the Company's compliance with the GDPR: collecting information to identify the processing activities, analysing and verifying compliance with the regulations, and informing, advising and making recommendations to general management about the processing activities carried out.

In connection with this, if the Company so decides, the DPO may jointly supervise the record of processing activities, advising on the processing activities carried out and on whether they comply with the principles established in the GDPR.

The DPO reports independently to the General Manager.

Processing risks

Among the DPO's main obligations is to pay attention to the risks associated with processing operations, taking into account the nature, scope, context and purposes of the processing, advising the Company accordingly and making recommendations in relation to any deficiencies detected.

For example, the DPO may recommend, among other things, internal training activities that give personnel the information they need to understand the functions that correspond to them in the course of their work, the performance of external audits, or external advice.

General advice

Although it is the Data Controller's responsibility to carry out certain actions when regulatory compliance requires them, it is important to note that the DPO is not the one who must directly perform them (for example Impact Assessments, Privacy by Design or by Default, audits, or the drafting of clauses or contracts); rather, the DPO must supervise what has to be done and its results, and carry out the appropriate follow-up to ensure adequate compliance. Otherwise the DPO's independence would be compromised and a conflict of interest would arise.

For example, with regard to Impact Assessments or the performance of audits, the DPO will support those tasks by advising the Company on the need for the assessment or the audits and on their consequences.

In addition, as regards advice on legal matters such as clauses or contracts, or the performance of Privacy by Design or by Default actions, the DPO's role is to coordinate the parties involved so that privacy is taken into account in all of the Company's actions, and to advise the Company on their implementation.

As part of this advice, the DPO must provide support on whether the actions are appropriate (they may be carried out by other internal or external personnel), on the applicable methodology, and on the technical and organisational measures that the Company must adopt to mitigate the risks to the rights and interests of the data subjects, and must document their conclusions on these matters.

Confidentiality and secrecy

The DPO must maintain confidentiality and secrecy in carrying out their functions and activity. This does not prevent the DPO, in connection with the following obligation, from contacting the supervisory authority and seeking its advice when necessary.

Cooperation with the supervisory authority

The DPO must cooperate with the supervisory authority and act as its point of contact on all matters relating to processing, including prior consultation on processing that may entail a high risk to the rights and interests of data subjects, and the notification of security breaches within 72 hours.

To this end, the DPO will facilitate the supervisory authority's access to the documentation and information it needs to exercise the functions that the GDPR assigns to it.

Attention to data subjects

An important function of the DPO is to attend to data subjects. The DPO's contact details must appear in the legal information that the Data Controller provides in its information clauses, as a legal obligation. Accordingly, the DPO's functions include handling the requests, doubts or queries about data protection that are sent to them, which will generally relate to the exercise of data subjects' legal rights.

DECLARATION OF THE DATA PROTECTION DELEGATE

The undersigned declares to have been informed by AI Labs Group, SL (hereinafter the Company), NIF B95988127, with address at Calle Urquijo s/n - 2º planta, 48013 Bilbao (Vizcaya), of the applicable regulations on the Protection of Personal Data, both legal and internal, and in particular of their appointment as Data Protection Delegate, in accordance with the provisions of their contract.

Likewise, the undersigned declares to have received the "Data Protection Delegate Manual" and, in particular, declares to know the functions and obligations that they will assume in accordance with the data protection regulations. The undersigned further declares that they have the knowledge necessary for the processing that the Company carries out, and that they are free of conflicts of interest, for the performance of their functions.

For the appropriate purposes and as proof of receipt of the Data Protection Delegate Manual, I sign this document.

Mr/ Mrs: _____________________
DNI:______________________
Date: _____________

Signature meaning

The signatures for the approval process of this document can be found in the verified commits in the QMS repository. For reference, the team members expected to participate in this document, and their roles in the approval process as defined in Annex I Responsibility Matrix of GP-001, are:

  • Author: JD-020, JD-004
  • Reviewer: JD-003
  • Approver: JD-001