
ICARE /// - New Data Protection Policy May 2018 - GDPR

Policy prepared by: Gil Mercier - Data Protection Officer

Policy became operational on: Friday 25th May 2018

Introduction

Legal basis for collecting and processing personal data

For business and market research study activity, icare villeneuve d'ascq needs to gather and use personal data. The individuals concerned include respondents (healthcare professionals, patients, customers, other professionals), suppliers, clients and employees.

When agreeing to participate in market research projects with icare villeneuve d'ascq, individuals are consenting to us keeping and processing their personal data.

As their privacy is very important to us, we take great care in protecting people’s privacy and the information they provide whilst conducting research with us (whether through online, telephone/mobile or face to face research approaches).

We therefore collect, handle and store the data in accordance with the General Data Protection Regulation (GDPR) and icare villeneuve d'ascq’s standards.

This data protection policy ensures that icare villeneuve d'ascq:

  • complies with data protection laws and follows good practice
  • protects individual rights (respondents, clients, suppliers, employees)
  • is transparent about how personal data is stored and protected
  • protects itself from data breach


We do not sell or promote anything. We conduct market research and we commit, in obtaining people’s cooperation, not to mislead them about the nature of the research or how the findings will be used. Responses will be treated as confidential unless people consent to being identified.

When we contact a potential respondent, we generally do so for one of the following purposes:

  • To invite them to participate in research
  • To confirm the details of research they have agreed to take part in
  • To conduct research with them
  • To validate answers/views they gave in recent research that icare villeneuve d'ascq conducted (if they have consented to us doing so)
  • To update and to ensure that our records of their personal information are correct (this is applicable to those consenting to being part of an ongoing database)

If people have been contacted by icare villeneuve d'ascq and they do not believe they have given their permission or just wish their name to be removed from the database, they may contact us and we will remove them from the contact list for that specific research project. Their rights under GDPR are protected and we will reply to any ‘subject access requests’ within 1 week. Please submit any requests or queries to [email address not shown].

Individual rights as a data subject

Under the EU GDPR, individuals benefit from certain rights including the right to access their personal data held on our databases, to correct it, to ask us to remove it and to restrict us from using it. To use any of these rights, they can contact [email address not shown], where our Security Manager, who handles data protection and privacy, can address any concerns or requests in a timely manner.

How long we keep details

We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Personal data will in any case be destroyed after a 4-year period, unless we have people’s consent to keep it longer.

The personal information we collect is:

  • Combined with the responses/views/opinions of others who participated in the same research and reported back anonymously to the client that commissioned the study
  • Used on an aggregated basis to analyze the data based on certain groups or demographic profiles
  • Used to administer and operate incentives
  • Occasionally used to re-contact individuals to validate their responses (if they have consented to us doing so).

Who do we share information with

All survey responses are treated as confidential. We will never intentionally disclose any personal information or individual survey responses to the client that commissioned the study or any third parties unless individuals request or consent to sharing their identifying information and individual responses.

Agreements are in place to ensure that any third parties must also process the personal information as set out in this Privacy Policy and as permitted by the GDPR.

The data we collect during the research process is reported back to our client in anonymized format unless individuals have explicitly given permission to be identified.

Cookies

A cookie is a small text file that may be placed on people’s devices (computer, mobile phone, tablet) when they complete one of our online surveys. To complete a survey with us we will use a session cookie. This is a temporary cookie and is removed when people close the browser. This session cookie allows us to give the visit to our website a unique identifier so individuals can complete the survey. They can configure their browser to notify them when cookies are being placed on their computer. People can also turn cookies off and delete those they do not want.

Security

icare villeneuve d'ascq maintains appropriate technical, administrative and physical safeguards to protect information, including, without limitation, personally identifiable information, received or collected by us. We review, monitor and evaluate our privacy practices and protection systems on a regular basis. Only certain employees have access to the personal information individuals provide and are only granted access for data analysis and quality control purposes.


Current Data Protection Law

The GDPR describes how organizations must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The GDPR imposes significant requirements for organizational compliance measures and safeguards such as ensuring privacy by design and default, use of data protection impact assessments (DPIAs), keeping comprehensive data processing records and reporting of data breaches.

The GDPR is based on accountability, responsibility of data controllers* and demonstrable compliance with the following six privacy principles:

  • Lawfulness, fairness and transparency – PD must be processed lawfully, fairly and in a transparent manner
  • Purpose limitation – PD is obtained for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Data minimization – PD is adequate, relevant and not excessive (limited to what is necessary)
  • Accuracy – PD is accurate and kept up to date
  • Storage limitation – PD not to be held for any longer than necessary
  • Integrity and confidentiality – Appropriate technical and organizational measures are put in place to guard against unauthorized or unlawful processing, loss, damage or destruction (PD must be processed in accordance with the rights of data subjects and be protected in appropriate ways; PD cannot be transferred outside the European Economic Area [EEA], unless that country or territory also ensures an adequate level of protection)


Rights and responsibilities

This policy applies to:

  • All icare villeneuve d'ascq staff
  • All contractors, suppliers and other people working on behalf of icare villeneuve d'ascq

It applies to all personal data that the company holds. This includes:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Bank details
  • Any other information relating to the individuals
  • Audio and video recordings and images

Subjects’ rights

Individuals’ co-operation in any survey conducted by icare villeneuve d'ascq is voluntary at all times.

Compliance with the GDPR means that icare villeneuve d'ascq must fully consider the risks that processing poses to the fundamental rights and freedoms of individuals.

Subjects’ rights include:

  • Right to information – subjects’ right to be informed about the collection and use of their personal data
  • Right to withdraw consent – subjects’ right to withdraw consent for participation in one of our surveys at any time
  • Right to access data – subjects’ right to access their personal information
  • Right to rectification – subjects’ right to update any incorrect information
  • Right to data portability – subjects’ right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services
  • Right to erasure / to be forgotten – subjects’ right to have their personal data held by us securely erased
  • Right to restrict processing and right to object to processing
  • Right not to be subject to automated decisions and profiling


Data protection risks

Data protection measures and policy aim to protect icare villeneuve d'ascq from:

  • Breaches of confidentiality – information being given out inappropriately
  • Failing to offer choice – individuals should be free to choose how the company uses their data
  • Reputational damage – the company could suffer if hackers successfully gained access to sensitive data.

Everyone who works for or with icare villeneuve d'ascq has some responsibility for ensuring data is collected, stored and handled appropriately, that is, in line with data protection principles.

  • The board of directors, Gil Mercier and Eric Engelbrecht, is ultimately responsible for ensuring that icare villeneuve d'ascq meets its legal obligation.

  • The Data Protection Officer, Gil Mercier, is responsible for:

    • Informing and advising the organization and its employees about their obligations to comply with data protection laws
    • Monitoring compliance with the GDPR and other data protection laws
    • Reviewing all data protection procedures and related policies
    • Keeping the icare villeneuve d'ascq team updated about data protection responsibilities, risks and issues
    • Conducting internal audits and assessing the data protection risks
    • Advising on data protection impact assessments
    • Arranging data protection training and advice for the icare villeneuve d'ascq team
    • Addressing subject access requests from individuals to see the data icare villeneuve d'ascq holds about them
    • Checking and approving any contracts or agreements with third parties that may handle the company's sensitive data
    • Keeping accountability records
    • Reporting confidentiality breaches to the ICO


  • The IT Manager and Security Manager, Martial Seynaeve, is responsible for:
    • Ensuring appropriate safeguards are in place so that all systems, services and equipment used for storing data meet high security standards (physical and virtual security)
      • Ensuring automated systems are protected
      • Ensuring technical measures are in place to restrict access to systems holding PD
      • Ensuring technical measures are in place to secure data during transit (to subcontractors, clients and interviewers)
      • Ensuring obsolete hardware and software is securely disposed of
      • Ensuring that copies of printouts and obsolete backup recordings are securely disposed of
    • Using virus and perimeter protection (firewalls, Malwarebytes, virus protections) and performing regular checks and scans to ensure full security of hardware and software
    • Ensuring the icare villeneuve d'ascq website is compliant and protected
    • Evaluating any third-party services, which the company is considering using to store or process data
    • Ensuring that databases are regularly checked against industry suppression files

  • The Project Directors, Project Managers, Research Executives are responsible for:
    • Ensuring data protection statements are included in appropriate study material
    • Ensuring their internal team and international partners properly use all data protection related consent forms, store them and/or share them with icare villeneuve d'ascq
    • Approving any data protection statements attached to emails and letters
    • Addressing any data protection queries
    • Ensuring compliance with data protection principles throughout the research process

  • The Fieldwork Coordinators are responsible for:
    • Ensuring that respondent databases are updated and accurate
    • Ensuring that respondents’ consents and refusals are properly collected and stored
    • Ensuring that refusals of consent lead to immediate suppression of respondent’s personal data


icare villeneuve d'ascq DATA PROTECTION POLICY

General guidelines

  • The only people able to access data covered by this policy should be those who need it for their work.
  • icare villeneuve d'ascq will provide training to all employees to help them understand their responsibilities when handling data.
  • Employees should keep all data secure, by taking sensible precautions and following the guidelines
  • In particular, passwords must be used and they should never be shared
  • Personal data should not be disclosed to unauthorized people, either within the company or externally
  • Data should be regularly reviewed and updated. If no longer required, it should be deleted and disposed of securely
  • Employees should request help from the Data Protection Officer if they are unsure about any aspect of data protection

Data storage

When data is stored on paper, it is kept in a secure and locked place where unauthorized people cannot access it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

  • When not required, the paper or files are kept in a locked place
  • Employees make sure paper and printouts are not left where unauthorized people could see them, like on a printer
  • Data printouts are disposed of securely when no longer required


When data is stored electronically, it is protected from unauthorized access, accidental deletion and malicious hacking attempts:

  • Data is protected by passwords that are changed regularly and never shared between employees
  • If data is stored on removable media (like a CD or a DVD), these are kept locked away securely when not being used
  • Data is only stored on designated drives and servers
  • Servers containing personal data are sited in a secure location
  • Data is backed up frequently. Those backups are tested regularly, in line with the company's standard backup procedures
  • Data is never saved directly on laptops or other mobile devices like tablets or smart phones
  • All servers and computers containing data are protected by approved security software and a firewall

Data use

  • When working with personal data, employees ensure the screens of their computers are always locked when left unattended.
  • Personal data is not shared informally. In particular, it is never sent by email, as this form of communication is not secure
  • Data is encrypted before being transferred electronically to authorized external contacts
  • Personal data is never transferred outside of the European Economic Area (EEA), without any specific consent of data protection compliance

Data accuracy

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

  • Data is held in as few places as necessary
  • Staff takes every opportunity to ensure data is updated
  • Data is updated as inaccuracies are discovered
  • It is the IT Manager’s responsibility to ensure marketing databases are regularly checked against industry suppression files


Subject access requests

Under the GDPR, individuals who are the subject of personal data held by icare villeneuve d'ascq have enhanced rights that allow them to control and protect the use of their data. EU-based individuals participating in market research are subjects with GDPR rights that must be respected. They are entitled to:

  • Know what information the company holds about them and for what purpose
  • Know how to access this data
  • Be informed how to keep it up to date
  • Be informed how the company is meeting its data protection obligations

A subject access request is an individual contacting the company and requesting this information.

Those subject access requests can be made by telephone or by email addressed to the Security Manager at [email address not shown].

An answer will be provided by the Security Manager within 1 week, after verification of the individual’s identity to make sure confidential information is not disclosed to anyone else.

Informing individuals

Individuals must be aware that their data is being processed, how it is being used and how to exercise their rights.

At the start of every research project, icare villeneuve d'ascq will provide the vital information that will allow individuals to provide informed consent as to whether they wish to take part or not.

________________

Data Controller: A person (who either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data Processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.