GDPR Position Statement

London, UK – 15 October 2018: A new European Union personal data (PD) protection regulation – GDPR (General Data Protection Regulation) came into force on 25 May 2018. Ergomed plc together with its affiliated companies (jointly: Ergomed plc Group Entities or EGE, as listed below) has always been committed to high standards of data security. In this spirit, we are now revising our policies and procedures to meet the requirements of GDPR as further elaborated.

EGE identified 16 purposes of PD processing, assigned the legal basis to each purpose as per GDPR, specified appropriate categories of data subjects and categories of PD and set up the Data Protection Impact Analysis (DPIA), which constitute the core for PD processing as per GDPR.

For most of the PD processing purposes we are the data processor, as our clients are the controller, because we process PD on behalf of the controller in order to perform under the relevant contract. The controller determines the purposes and means of PD processing regarding the regulatory obligations and controller’s business needs. The controller may pass some of its obligations on its processor and such obligations have to be specified in the contract between the controller and the processor.

We involve service providers for some business services, which are our processors (processors of deeper level or sub-processors). It is our responsibility to determine the means of PD processing in a contract with each our vendor (sub-processor). We will take care to impose the same data protection obligations on our sub-processors as set out between us and the controller, in contracts with our sub-processors.

We are the controller for some of our PD processing purposes such as for employee’s PD processing, independent contractor’s PD processing and client’s / vendor’s PD processing.

Ergomed plc appointed its Data Protection Officer (DPO) for all EGE who may be contacted at DPO will coordinate his activity in specific PD processing (clinical trials, pharmacovigilance service, etc.) with EGE’s clients’ and vendors’ data protection officers. Ergomed plc decided that the Information Commissioner’s Office, UK will act as the Lead Supervisory Authority for Supervisory Authority related obligations.

We are in the process of updating the contracts with our controllers as well as with our sub-processors  (sites, investigators, etc.) to include GDPR obligations / provisions.

We also updated our forms, templates and procedural documents used in our services to be GDPR compliant (investigator–related and reporter–related as well as the patient–related). We implement a correct PD processing also in cases when the controllers and/or recipients of personal data e.g. our EGE, clients and vendors are located outside the EEA in countries which do not ensure an adequate level of the PD protection by GDPR Article 45.

The current business processes will not be changed. We will raise the protection and security of the PD in the processing to GDPR requirements including the identification of data subjects and their PD processed. We combine regulatory laws obligations regarding PD protection with new GDPR obligations in PD processing – pseudonymization and others. We are ready to respond to data subject’s requests to exercise their rights. Our procedural documents specify the processes for data breach notification.

We also train our staff in terms of both personal data protection policies and security risks.

Our current activities focus on maintaining the GDPR compliance in line with the established requirements. Our security measures regarding PD processing have always been on high level but we continue working on additional improvements of PD processing methods. We concentrate on precision in fulfilling GDPR obligations as well as on the PD processing security improvements using up-to-date cyber security and physical security technology.

We understand that meeting the GDPR requirements will take a lot of time and effort and as your partner we want to assure you of our commitment to continuous compliance including GDPR.

Please do not hesitate to contact our DPO with any questions that you may have.

Click here for more info and to see contact details for each of our affiliates.