THERAPYAUDIT’s GDPR Statement
The EU General Data Protection Regulation (GDPR) is a regulation designed to increase protections around the processing of personal data of data subjects in the European Union.
When does the GDPR take effect?
The GDPR takes effect on May 25, 2018.
Who does the GDPR apply to?
The GDPR applies to any organisation in the European Union that is processing personal data. It also applies to any organisation that processes the personal data of EU data subjects, regardless of whether the organisation has a presence in the European Union or whether the processing is conducted within the European Union.
What changes are happening with the GDPR?
The GDPR lays out a range of requirements related to consent, individual rights, and data processing. This overview is a non-exhaustive summary of the most significant requirements of the GDPR.
Consent, initially defined in Article 4, is addressed throughout the text of the GDPR. In general, the GDPR institutes much higher standards of consent when compared to the Data Protection Directive.
Consent under the GDPR needs to be freely given, specific, informed and unambiguous (Article 4(11)), and explicit where special categories of data are processed (Article 9).
Organisations have an obligation to present information about processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12). Where data processing is based on consent, organisations need a clear affirmative act of consent from individuals, and they need to be able to demonstrate that individuals have given that consent (Article 7).
When organisations collect personal data, they are required to divulge certain information in accordance with Article 13.
If we have communicated with you before, we will have requested reconfirmation from you that you consent to continued communication and to our holding of your personal data. If you are new to us, we will have asked you to confirm your consent to communication, and provided you with a way to withdraw that consent (unsubscribe). At the same time you will be prompted to request removal of all personal data held by us.
Articles 12-23 present the individual rights covered by the GDPR. In general, the GDPR expands individual rights as they relate to personal data.
Right of access
Covered by Article 15, the right of access is the right of individuals to request information about how their data is being used as well as a copy of the data itself.
Right to rectification
According to Article 16, individuals are allowed to contact a Controller to correct inaccurate personal data.
Right to be forgotten
According to Article 17, individuals can request that their data be erased under certain specific circumstances. These circumstances include, but are not limited to:
- When the data no longer needs to be processed for the original reason it was collected
- When the individual withdraws consent
- When the data was processed unlawfully
Right to restriction of processing
According to Article 18, individuals have the right to restrict how their data is processed in certain circumstances.
Right to data portability
According to Article 20, individuals have a right to receive their personal data for the purpose of using it somewhere else.
Right to object
Article 21 states that people have the right to object to the processing of their data in certain circumstances, “unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”
The GDPR specifies a variety of requirements surrounding the processing of personal data. This section will explore some of the data processing requirements and provide links to relevant sections of the text of the GDPR.
Controllers and Processors
A Controller is the organisation that determines how personal data will be used. A Processor is the organisation that processes personal data on behalf and on the instructions of the Controller. The specific responsibilities of each party are laid out in Articles 24-43.
In most cases, a hosted service provider such as THERAPYAUDIT is a Processor and the organisations using the service are Controllers (see below for how this applies to each THERAPYAUDIT service). Note that it is possible for a single organisation to be both a Processor and a Controller.
Data processing agreements
Article 28 states that Controllers must have clearly documented contracts with Processors that define the scope of processing. These contracts must be “in writing, including in electronic form.” Requirements for processing contracts can be found in the remainder of Article 28.
Data protection officers
According to Article 37, many organisations will be required to appoint a data protection officer. The specific tasks of a data protection officer are covered in Article 39. In general, the data protection officer informs and advises the organisation on its GDPR obligations and monitors its compliance; responsibility for compliance itself remains with the Controller or Processor.
Transfer of personal data to third countries or international organisations
Articles 44-50 of the GDPR cover the specific requirements for transferring personal data to third countries or international organisations. The GDPR does not require that the personal data of EU data subjects remain exclusively in the EU, but it does impose conditions on such transfers (for example an adequacy decision or appropriate safeguards).
How does GDPR affect data held in THERAPYAUDIT’s cloud services?
If you are a TAMONITOR (beetroot DMARD) user, your personal data (for example your email address), and that of your patients, held in the TAMONITOR database is subject to the provisions of your NHS Trust, which acts as both Data Controller and Data Processor. Should you wish to exercise any of your GDPR rights, or should any of your patients wish to do the same, you or they should in the first instance contact your NHS employer.
If you are a TACCARD user THERAPYAUDIT acts as Data Processor, but the administrator of the overall CCARD service acts as Data Controller. Please refer to What Can You Do? to find out how you can exercise your GDPR rights in cooperation with THERAPYAUDIT.
If you have had encounter data about yourself recorded in any TACCARD database, that data is completely anonymised. As your data is anonymised, it will not be possible for THERAPYAUDIT or anyone else to identify data associated with you.
What Can You Do?
If you have any concerns about your GDPR rights with reference to THERAPYAUDIT’s use of your data, or if you want to do any of the following, please contact us at GDPRrequest@therapyaudit.com
- Request information as to how we use your data, and receive a copy of all the personal data we hold about you, both for your information and for you to potentially use elsewhere
- Request a change in the personal data we hold about you (but you must have received a copy of that data first, and then tell us where and why the data is wrong)
- Request that all personal data we hold about you is removed from our data stores (but please tell us why you want this to happen and we may seek confirmation that you are who you say you are)
- Request a change in how we process your data (but you must be specific as to the change you require)
- Raise an objection as to how we process your data (but please be specific as to what your objection is)
- Find out who our data protection officer is.