Version 1.1 / April 2021
Table of Contents
- Purpose and Scope
- General Principles for the Collection and Processing of Personal Data
- Legal Basis for Processing of Personal Data
- Data Security
- Processing of Personal Data by Third Parties
- Transfer of Personal Data to another Country
- Rights of the Data Subject
- Data Processing Proof
- Data Protection Risk Impact Assessment
- Data Breaches and their Reporting
- Data Protection Training
- Violations of this Policy
- Help with Questions and Problems
- Approval and Coming into Effect Date
1. Purpose and Scope
This Policy applies to all Monasterium Laboratory Skin & Hair Research Solutions GmbH companies and our directors, medical directors, managers, department heads, employees and other professionals who provide services to all of our company (the "Employees") and to our contractors and other contracting partners. All of the above are expected to familiarize themselves with this Policy and any other local policies and guidelines and to comply with the principles set forth therein when processing Personal Data.
For the purposes of this Policy, personal data means any information relating to an identified or identifiable individual (the "data subject"). Examples of personal data include name, (email) address, telephone number, bank account information, date of birth, social security number, benefit assessment or billing information and medical documentation. In addition, since we are dealing with private individuals, we mainly process sensitive personal data, i.e. data relating to the health and possibly creditworthiness of an individual. Such sensitive personal data is considered a special category of personal data, and most applicable data protection laws require special protection for such sensitive personal data. In addition, information about our employees may also contain sensitive personal data and must be protected and processed accordingly.
Processing for purposes of this policy means any act or operation performed on personal data, such as collection, storage, use, deletion, organization, alteration or disclosure of personal data. Examples of processing activities in our daily practice include: Patient management, entering patient information into our management system, accessing patient data from the management system after a consultation, transferring patient data to a supplier for personalized products, or sending invoices to patients. However, entering employee data into HR systems or collecting supplier contact information are also processing activities. The term "processing" is very broad, and employees should assume that all operations involving individuals' personal data are covered by and subject to this policy.
2. General Principles for the Collection and Processing of Personal Data
When processing personal data, there are some general principles that must be observed. These principles are contained in the General Data Protection Regulation and most national data protection laws and are the guiding principles for any data processing and Monasterium Laboratory Skin & Hair Research Solutions GmbH undertakes to comply with these principles at all times when processing personal data.
2.1. Principle of Fairness and Lawfulness
Personal data must be collected and processed in a fair and lawful manner at all times. This means that personal data may only be processed if it has been collected (i) lawfully and (ii) in a manner that is fair to the interests of the data subject. Please refer to Section 3 of this Policy to learn when the processing of personal data is lawful.
2.2. Principle of Limitation to a Specific Purpose
Personal data may only be processed for the specific purpose that was established in advance and communicated to the data subject when his or her personal data were collected. The personal data collected must be relevant and limited to what is necessary for processing. The use of personal data collected for a specific purpose for another purpose is limited. In principle, the purpose of processing personal data may only be changed to a purpose compatible with the original purpose. The local data protection officer is consulted in advance to find out whether existing personal data can be used for other purposes. The purpose of the processing shall be specified in our internal documentation. When planning a new processing activity, please contact the local data protection officer.
The personal data we collect from our patients, etc., may generally only be used for the provision of contractual, medical services to our patients, etc., unless local laws permit further use. In addition, this data may also be used for marketing purposes if local laws permit and patient consent, if required, has been obtained. Monasterium Laboratory Skin & Hair Research Solutions GmbH will not tolerate patient data, etc. being used for purposes other than those described in the consent form or in the patient privacy notice, etc. In particular, we do not tolerate any employee using data for personal purposes. In addition, national laws in most countries where we operate impose a duty of confidentiality on all administrative and medical staff. Misuse of personal data is therefore also a violation of this obligation and may even constitute a criminal offense.
Similarly, personal data of our employees may only be collected and processed in connection with and related to the employment relationship and may not be processed for personal use. For more information on how our company processes personal data of our employees, please refer to the local data protection notices for employees.
2.3. Principle of Transparency
The principle of transparency requires that the Data Subject is informed about what and how his or her Personal Data are collected and processed. In particular, the Data Subject shall be informed about (I) the identity of Monasterium Laboratory Skin & Hair Research Solutions GmbH, which is responsible for the collection and processing of the Personal Data, (II) the purpose(s) for which the Personal Data are processed (see Section 2 of this Policy). (III) the legal basis for the processing of personal data (see Section 3 of this Policy), (IV) the categories of personal data to be processed, (V) the sources from which the personal data are collected, (VI) the recipients to whom personal data may be disclosed, (VII) the rights of the data subject (see Section 7 of this Policy), and (VIII) any other information that will ensure fair and transparent processing of the personal data.
The appropriate way to inform the data subject about the above will depend on the circumstances. In relation to our patients, we inform them about these points in, for example, our consent form or in the privacy notices available in our locations and on the company's websites. In the event of updates, changes to the privacy notices must be communicated to our patients. When we enter into contracts, we ensure that our partners are informed of these items when the performance of the contract requires the processing of personal data. In addition, all of our websites contain privacy notices that explain how we process personal data of our patients, partners and applicants within Monasterium Laboratory Skin & Hair Research Solutions GmbH. In addition, privacy notices explaining how we process personal data of our employees will be available from management.
2.4. Principle of Data Minimization
Personal data collected and processed must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
In other words, we must only collect personal data that is relevant and necessary for the purposes for which we intend to process the personal data. Before collecting and processing personal data, we must consider whether the intended processing procedure is the procedure that least violates the privacy of the data subject(s), or whether there are other, less invasive ways of processing the personal data to achieve the intended purpose.
The principle of data minimization also affects how long personal data can be retained and stored. When the personal data is no longer necessary to fulfill the purpose for which the personal data was collected, the data must be deleted, unless the applicable laws provide for a longer retention period. Most national laws contain specific rules for the retention of personal data, and our company must comply with these rules. If the data subject behind the personal data no longer needs to be identifiable, but the data is still relevant to our company, the personal data must be anonymized. For anonymization, please contact the local data protection officer or the IT department.
When planning the collection of personal data, we identify and document retention periods for the collected data or, if we cannot establish specific retention periods, criteria by which the retention period is determined.
2.5. Principle of Confidentiality and Data Security
The principle of confidentiality and data security requires that access to personal data be granted on a need-to-know basis only. This means that employees may only access personal data to the extent necessary to perform their duties or tasks.
Personal data must be treated confidentially at all times. Any unauthorized use or misuse of personal data is strictly prohibited. Employees may not use personal data obtained in the course of their professional duties for private purposes. Any private use of personal data will result in disciplinary action. As mentioned above, national laws generally impose an obligation of confidentiality on all administrative and medical staff, and misuse of patient data is a violation of this obligation and may even constitute a criminal offense.
Personal data must be protected by appropriate organizational and technical security measures. These security measures must ensure that personal data is protected from unauthorized or unlawful processing and accidental loss, destruction, or damage. For more information on what constitutes appropriate technical and organizational measures, please contact our Data Protection Officers.
2.6. Principle of Accuracy
The personal data we process must be accurate and up-to-date. We will not process personal data that is inaccurate or out of date. We must take appropriate steps to ensure that inaccurate, outdated or incomplete personal data in our systems is corrected, updated or deleted without delay.
2.7. Accountability Principle
Measures related to the processing of personal data and the risks associated with it must be reviewed regularly to ensure that the measures taken are sufficient to protect the data and, if necessary, these measures will be updated. In addition, we will ensure that data protection documentation is adequate and up-to-date so that, for example, in the event of an audit by a national data protection authority, compliance with our company's data protection obligations can be demonstrated.
3. Legal basis for the Processing of Personal Data
All our processing of personal data must have a legal basis. For example, a legal basis may be (I) the consent of the data subject/patient or employee to the processing of his/her personal data, (II) the performance of a contract or treatment for our patients, (III) a legal obligation of the company, or (IV) legitimate interests of Monasterium Laboratory Skin & Hair Research Solutions GmbH.
The collection and processing of our patients' personal data is usually based on the fulfillment of a treatment/contract and the fulfillment of our legal obligations.
The consent of the patient or other data subject in connection with our processing activities must always be documented. In the event of a withdrawal of consent, it must be ensured that future data processing is discontinued insofar as the processing of personal data is based on the consent of the data subject.
The legal basis for each processing activity at Monasterium Laboratory Skin & Hair Research Solutions GmbH shall be defined in our internal documentation. When planning a new processing activity, please contact the local Data Protection Officer.
4. Data Security
When processing personal data, we must take appropriate technical and organizational measures (such as password protection, encryption, access control, confidentiality obligations, physical access restrictions, etc.) to ensure a level of protection appropriate to the risk of our processing activities to the data subject's privacy. The IT department and management of Monasterium Laboratory Skin & Hair Research Solutions GmbH is responsible for taking the appropriate technical and organizational measures to ensure that all personal data processed in our company is adequately protected. Since Monasterium Laboratory Skin & Hair Research Solutions GmbH processes sensitive patient data, we must therefore apply high security standards. One of our main responsibilities in this regard is to protect all personal data we have.
All our employees are responsible for protecting their portable electronic storage devices as well as their laptops, cell phones and physical and electronic files from unauthorized access. For more information on IT security, please refer to the IT Department's policies.
5. Processing of Personal data by Third Parties
Monasterium Laboratory Skin & Hair Research Solutions GmbH may also engage service providers to assist us in the processing of personal data. Examples of such service providers are the hosting provider who hosts our servers/webpages and the IT service provider who takes care of our IT system. Other companies, such as Colosseum Dental Deutschland GmbH, which may provide centralized services to Monasterium Laboratory Skin & Hair Research Solutions GmbH, are also considered service providers for these purposes. These service providers - also called data processors - may only process the personal data according to our instructions. Monasterium Laboratory Skin & Hair Research Solutions GmbH as data controller is always responsible and liable for the correct processing of the personal data. Since the primary responsibility for outsourcing certain data processing activities lies with the outsourcing company, the agreement with the service provider must include provisions on the scope of the assignment and the requirements for data protection and adequate data security. The service provider is not entitled to process the personal data for its own purposes or to link it to its own data registers. The service provider may only process the personal data to the extent required for the order and only in accordance with our instructions.
The data protection officers are responsible for ensuring that agreements with service providers contain the necessary clauses to protect the personal data that the service provider processes on behalf of our company.
6. Transfer of Personal Data to another Country
Some of the group's business activities may require us to transfer personal data to a party located in another country. For example, storing personal data on a server in another country is considered an international data transfer. If that party is located in a country that does not provide a legal framework that ensures adequate protection of personal data, such transfer is only permitted if additional safeguards are in place to protect the personal data. In principle, personal data may not be transferred outside the EU/EEA or Switzerland without the prior consent of the local data protection officer.
The local data protection officer shall ensure that appropriate data protection safeguards, such as the European Commission's standard contractual clauses, are in place when personal data is transferred to a country outside the EU/EEA or Switzerland.
If personal data is to be transferred to a country outside the EU/EEA, this must be communicated to the data subjects.
7. Rights of the Data Subject
National and European data protection laws give data subjects several rights so that they can control the processing of their personal data. For example, a data subject has the right to (I) be informed about the collection and processing of his or her personal data (see Section 2, of this Policy), (II) obtain confirmation as to whether or not personal data concerning him or her is being processed and, if data concerning him or her is being processed, request a copy of the personal data being processed, (III) request the company to correct inaccurate personal data, (IV) in certain cases, request the company to erase all personal data concerning them, (V) request the company to restrict the processing of personal data concerning them, and (VI) object to the processing of their personal data.
As part of our commitment to ensuring a high level of data protection, Monasterium Laboratory Skin & Hair Research Solutions GmbH endeavors to respond to data subjects' request to exercise their rights as quickly and effectively as possible. For complex access requests, the local data protection officer may be consulted. Requests from data subjects must be answered within one month. Only in the case of complex requests can the deadline be extended to a total of three months. However, even if the deadline can be extended, the data subject must be informed of the extension within one month. Please note that the identity of the data subject exercising his or her data protection rights must be confirmed before the data subject's request is fulfilled. For more information on processing data subject requests, please contact our Data Protection Officer.
8. Data Processing Record
Each company that processes personal data must maintain a record of the processing activities under its responsibility. Each local data protection officer is responsible for ensuring that his or her company maintains such a record for all processing activities taking place under his or her responsibility in the relevant country.
9. Data Protection Risk Impact Assessment
Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of data subjects, Monasterium Laboratory Skin & Hair Research Solutions GmbH shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to the processing (so-called data protection impact assessment). The department wishing to set up the intended processing is responsible for conducting the data protection impact assessment. The local data protection officer shall support the responsible department or function in conducting this assessment.
If the data protection impact assessment shows that the intended processing would result in a high risk for the data subject and the controller is not in a position to implement security measures and safeguards to mitigate the risk, the competent national data protection authority must be consulted by the local data protection officer. Prior consultation can only take place after the data protection impact assessment has been carried out. In addition, the consultation must be carried out before the processing of personal data begins.
10. Data Breaches and their Reporting
A personal data breach is a breach of security in our company's systems (both electronic and non-electronic) or processes that results in the accidental or unlawful loss, destruction, alteration, or unauthorized disclosure of or access to the personal data we process. Data breaches include not only an attack by hackers, but also the loss of data (e.g., a computer or USB stick containing personal data being lost or stolen), the transfer of personal data to the wrong recipient(s), and any other incident that compromises the confidentiality and integrity of the personal data we process (e.g., malware infections leading to data corruption).
When a (suspected) data breach is identified, it is important that immediate action is taken. In the event of a personal data breach, the affected company must report the personal data breach to the national data protection authority without undue delay, but no later than 72 hours after becoming aware of it.
The local data protection commissioner shall be notified of a personal data breach without undue delay. For more information on how to respond in the event of a data breach, please contact our management.
11. Data Protection Training
In order to promote a culture of compliance with data protection, each company must provide data protection training for its employees. The local data protection officer is responsible for organizing and documenting this training.
12. Violations of this Policy
It is the responsibility of each employee of Monasterium Laboratory Skin & Hair Research Solutions GmbH to familiarize themselves with this Policy, applicable local policies and guidelines, and the data processing requirements contained herein. We expect everyone who works for our company to comply with the requirements set forth in this policy. Violations of this policy may result in disciplinary action ranging from a reprimand to immediate termination of employment for repeated or very serious violations. The specific disciplinary action for a particular violation will depend on the severity of the violation and the employee's conduct in correcting that violation.
13. Help with Questions and Problems
If you have questions about this Policy or the proper processing of Personal Data in a particular situation, you may contact the local data protection officer at any time for assistance.
14. Approval and Coming into Effect Date
Your data protection officer:
trans-acta Datenschutz GmbH
Mr. Bernd van Straelen