GDPR

How we fulfil our responsibilities as a processor

When it comes to patients’ personal data or data concerning health under GDPR, we act as a processor for our clients, who are the controllers of this data. Below outlines the GDPR obligations that apply to Cemplicity as a processor and how we fulfill them.

• Controller’s instructions: We only process the personal data on instructions from a controller. This is managed through a clear outline of the processing through both the contractual and program set-up stages.
• Processor contracts: With all clients we have a robust legal process that takes place to ensure we have a binding contract with the controller that complies with the relevant GDPR provisions and jurisdiction-specific data protection legislation.
• Sub-processors: Where we engage sub-processors it is with the controller’s prior written authorisation. All sub-processors have undergone a thorough verification process where we have assessed whether they have the relevant security and data protection measures. Where they process any personal data on our behalf, we ensure that any agreement that we enter with them has the relevant contractual protection mechanisms equivalent to those we have with the processor, generally this is in the form of Standard Contractual Clauses.
• Security: We implement appropriate technical and organisational measures to ensure the security of personal data, protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access. For more information visit Data Protection.
• Accountability obligations: We have thorough processes that ensure we comply with our GDPR accountability obligations, including maintaining records and having an appointed data protection officer.
• International transfers: On occasion where it is necessary for any international transfers, we ensure that we have the controller’s authorization for the transfer and that the relevant transfer mechanisms are in place. This can be through standard contractual clauses or adequacy decisions.

Other obligations we will adhere to if the situation arises:

• Notification of personal data breaches: If we become aware of a personal data breach, we must notify the relevant controller without undue delay.
• Notification of potential data protection infringements: If there is a potential infringement we must notify the controller immediately if any of their instructions would lead to a breach of the GDPR or local data protection laws.
• Co-operation with supervisory authorities: We are obliged to cooperate with supervisory authorities to help them perform their duties.