(v1 May 2018)
The purpose of this policy is to provide any person (or ‘data subject’) in relation to whom IMVO holds personal data, with details of the information that we collect, how we process it and who we share it with. It also explains your rights under data protection law in relation to our processing of your data.
Certain key terms are used in this policy such as ‘personal data’, ‘processing’, ‘data protection law’ and these are defined in the Definitions section included at Annex 1.
This policy applies to IMVO’s employees, contractors and officers.
Who controls the use of your personal data?
The Irish Medicines Verification Organisation, a company limited by guarantee exempt from the requirement to use ‘CLG’ in its name (with the registered business name ‘IMVO’), whose registered address is c/o IPHA Office, Wilton Park House, Wilton Place, Dublin 2, is the company that controls and is responsible for personal data that is covered by this policy. IMVO is therefore a ‘data controller’.
Compliance with principles of data protection law
IMVO adheres to the principles of the data protection law and as a result, your personal data will be:
What personal data is collected?
The type of information that IMVO holds (in both paper or electronic format), where appropriate and permitted by law, includes personal details relating to you, such as your name, professional contacts, bank account details (if required for payments in performance of a contract) and related information. Additional personal information is held about employees and parties such as directors so that IMVO can comply with relevant contractual and/or statutory obligations.
Special categories of data collected by IMVO include:
Where do we collect your personal data?
Most of your personal data that we collect will be provided by you through your interactions with us. Certain personal information (name, job title, business email address, business address and/or mobile phone number) may be provided to IMVO by third parties (such as your employer) on your behalf for the purpose of contacting you about legitimate IMVO business. IMVO may also source personal data from publicly-available sources such as a company website, commercially published directory, etc.
Legal basis for processing your information
We process your personal data in order to provide you with our services and to assist us in the operation of our business. Under data protection law we are required to ensure that there is an appropriate basis for the processing of your personal data, and we are required to let you know what that basis is.
There are various options under data protection law, but the primary bases on which we process your personal data are:
IMVO will only use your information for the purposes for which it was collected, unless we reasonably consider that we need it for another purpose that is compatible with the original purpose. If we need to use your information for an unrelated but compatible purpose, we will notify you in advance of our use of your information and explain the legal basis for this. Note that we may process your information without your knowledge or consent where this is required or permitted by applicable law.
IMVO will not use your personal data for any marketing or promotional purposes.
IMVO does not carry out automated decision-making processes with personal data.
Who do we share your personal data with?
You should be aware that in certain circumstances, IMVO may need to transfer or disclose your personal information to third parties, including service providers who render administration, technical and other support services to IMVO, but will only do so where it is consistent with the purposes outlined above.
IMVO will also disclose your personal information in response to a valid, legally compliant request by a competent authority or in response to a court order or otherwise in compliance with any applicable law, regulation, legal process or enforceable governmental request or other statutory requirement; to detect, prevent or otherwise address fraud, security or technical issues; or to protect against imminent harm to the rights, property or safety of IMVO, its employees, its members or the public, as required or permitted by law.
IMVO will ensure through contracts and data processing agreements that third parties with whom your personal data is shared, apply appropriate security measures to protect your data from loss, misuse and unauthorised access or disclosure.
Transfers outside of the European Economic Area (EEA)
IMVO does not transfer personal data outside the European Economic Area.
Retention of personal data
IMVO will retain your personal data in accordance with our record retention policy. This policy operates on the principle that we keep personal data for no longer than is necessary for the purpose for which we collected it. It is also kept in accordance with any legal requirements that are imposed on us. This means that the retention period for your personal data will vary depending on the type of personal data. For further information about the criteria that we apply to determine retention periods, please see below:
IMVO will permanently delete your personal data when the relevant retention period has expired.
All breaches of personal data held by IMVO will be reported to the Data Protection Authority within 72 hours, unless the data was anonymised or encrypted.
Breaches of this policy by employees will be dealt with under IMVO’s Grievance and Disciplinary Policy and may lead to a disciplinary sanction.
IMVO takes the security of your data very seriously and has implemented an information security policy which describes the technical, procedural and physical measures in place to protect your data from loss, misuse and unauthorised access or disclosure. IMVO also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current.
Employees who handle personal data covered by this policy are trained on the information security policy and how to correctly collect, process, store and delete data in accordance with this policy.
You have various rights under data protection law, subject to certain exemptions, in connection with our processing of your personal data:
In order to exercise any of these rights, please get in touch using the contact details set out below.
Changes to this policy
The provisions of this policy may be altered by IMVO from time to time. Any alteration or addition will be posted on our website at www.imvo.ie.
Queries and complaints
IMVO has not appointed a data protection officer, however, if you have any queries or complaints in connection with our processing of your personal data, you can get in touch with us using the following contact details:
Complaints may also be submitted to the Data Protection Commission which is the Data Protection Authority for Ireland (see www.dataprotection.ie):
Annex 1 – Key Definitions:
“Data Protection Authority” means the Irish Data Protection Commission which is IMVO’s supervisory authority in the European Union.
“data protection law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in Ireland and any successor legislation to the GDPR or the Data Protection Acts 1988-2003.
“consent” of the data subject means any freely given, specific, informed an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her – such as a written/electronic statement or an oral statement.
“data controller” means the legal person or company who determines the purposes and means of the processing of personal data, e.g. IMVO.
“data processor” means a person or company who processes personal data on behalf of the data controller, e.g. IMVO’s payroll provider.
“data subject” means an identifiable natural person who is the subject of the personal data, e.g. an employee, an employee of an IMVO member organisation;
“personal data” means any information relating to an identified or identifiable natural person (data subject).
“processing” means any operation which is performed on personal data, where automated or not, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.
“special categories of data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and data concerning health or a person’s sex life or sexual orientation.