Rods&Cones Commitment to GDPR and privacy
On May 25th 2018, the General Data Protection Regulation (GDPR) came into force. For us, being compliant is not only a legal requirement but an essential part of our organisational culture, from daily operations to top management. To achieve compliance, we train everyone involved in the processing of personal data and make them aware of how to do so properly.
Our personal data protection policy is based on 4 pillars:
Highest standard: We apply the GDPR to everyone around the globe. We do not take advantage of the fact that in some countries the laws are less restrictive. We hold ourselves to the GDPR as the highest standard, and therefore everyone receives the utmost protection regardless of their citizenship or location.
Transparent purpose: We remain diligent in communicating how we use the data we collect. Providing a great and confidential experience within an operating room is our only business model. We do not trade or sell personal information, and we never will.
Human-centered: People are not numbers or robots. We will always make an effort to communicate our practices in a respectful and clear fashion, giving informed decision-making power back to people through explicit consent.
Privacy by default and by design: Throughout all our services and products, data protection and security are kept in mind at every step. We don’t wait until afterwards to incorporate privacy and protection. When we release a product, the strictest privacy settings apply by default.
These are the main actions that we have taken to ensure compliance with GDPR:
- Rods&Cones’ top management is highly committed to advancing data protection and information security, dedicating the necessary resources to achieve compliance.
- The Rods&Cones team is aware of, and has been trained on, both security and privacy. All employees have also agreed to a Code of Conduct that includes data protection clauses and obligations.
- The company has appointed a Data Protection Officer and has created an Information Security Committee to follow up current and future legal requirements.
- A Risk Assessment and a Data Privacy Impact Assessment have been conducted.
- The company maintains an up-to-date register of all processing activities, recording for each of them the legal basis, the retention period, the type of data processed, the categories of recipients and, where applicable, the planned international data transfers.
- The company has in place Data Transfer Agreements for all identified suppliers outside of the EU.
- The company has signed agreements with its data processors to ensure they act only on its instructions and comply with the EU GDPR.
- The company has established a process to evaluate a data breach and to notify the Supervisory Authority and the affected data subjects.
- Rods&Cones maintains documentation and operating procedures so that data subjects can exercise their rights of access, rectification, erasure, restriction of processing, data portability and objection.
- Rods&Cones applies the appropriate technical and organizational security measures to guarantee the confidentiality, integrity and availability of the information it handles.
For us, respecting privacy is a unique opportunity to reinforce the social value of our work. In doing so, we will be building a more trustworthy and sustainable medical industry. If you need more information, do not hesitate to get in touch with us.
Oriol Llauradó, Chief Privacy Officer, certified as CIPM by the International Association of Privacy Professionals