London, UK – 16 May 2018: A new European Union personal data (PD) protection regulation – the GDPR (General Data Protection Regulation) – will come into force on 25 May 2018. Ergomed plc together with its affiliated companies (jointly: Ergomed plc Group Entities or EGE, as listed below) has always
been committed to high standards of data security. In this spirit, we are now revising our policies
and procedures to meet the requirements of GDPR, as further elaborated below.
EGE identified 15 purposes of PD processing, assigned the legal basis to each purpose as required by
GDPR, specified the appropriate categories of PD and set up the Data Protection Impact Analysis
(DPIA), which together constitute the core of PD processing under GDPR.
For most of the PD processing purposes we are the data processor and our clients are the
controllers, because we process PD on behalf of the controller in order to perform under the
relevant contract. The controller determines the purposes and means of PD processing in line with
its regulatory obligations and business needs. The controller may pass some of its
obligations on to its processor, and such obligations have to be specified in the contract between the
controller and the processor.
We involve service providers for some business services; these act as our processors (second-tier
processors or sub-processors). It is our responsibility to determine the means of PD processing
in a contract with each of our vendors (sub-processors). We will take care to impose the same data
protection obligations on our vendors as set out between us and the controller, in contracts with
We are the controller for some of our PD processing purposes, such as the processing of employees'
and independent contractors' PD.
Ergomed plc has appointed a Data Protection Officer (DPO) for all EGE, who may be contacted at
DPO@ergomedplc.com. The DPO will coordinate his activities in specific areas of PD processing (clinical
trials, pharmacovigilance services, etc.) with the data protection officers of EGE's clients and vendors.
Ergomed plc has decided that the UK Information Commissioner's Office will act as the Lead
Supervisory Authority for obligations relating to supervisory authorities.
We are in the process of updating the contracts with our controllers as well as with our sub-processors (sites, investigators, etc.) to include GDPR obligations and provisions.
We are also finalizing the forms, templates and procedural documents used in our services to make them
GDPR compliant (investigator/reporter-related as well as patient-related). We also implement
correct PD processing in cases where the controllers and/or recipients of personal data (e.g.
our EGE, clients and vendors) are located outside the EEA, in countries that do not ensure an
adequate level of PD protection under GDPR Article 45.
The current business processes will not be changed. We will raise the protection and security of
PD in processing to the level required by GDPR, including the identification of data subjects and
the PD processed about them. We combine the obligations of regulatory law regarding PD protection with the new
GDPR obligations in PD processing. We are ready to respond to data subjects' requests to
exercise their rights. Our procedural documents specify the processes for data breach
We also train our staff in terms of both data protection policies and security risks.
Our current activities focus on GDPR compliance in line with the established requirements. Our
security measures regarding PD processing have always been at a high level, but we continue
working on additional improvements to our PD processing methods.
We concentrate on highly sophisticated automation tools for fulfilling GDPR obligations, as well
as on security improvements using up-to-date cyber security and physical security
We understand that meeting the GDPR requirements will take a lot of time and effort, and as
your partner we want to assure you of our commitment to continuous compliance, including
Please do not hesitate to contact our DPO with any questions that you may have.