Ergomed Data Protection Compliance Statement

Published: 23 April 2024

As a responsible and forward-looking business, the Ergomed group of companies recognizes the need to comply with applicable data protection legislation and ensure that effective measures are in place to protect the personal data of our customers, employees, and other stakeholders.

Within the Ergomed Group

  • All relevant policies and procedures are regularly updated to ensure the protection of personal data and to ensure compliance with applicable data protection legislation. All relevant documents are approved by management and communicated to all employees and other stakeholders, as appropriate.

  • All employees receive awareness training regarding data protection. Employee onboarding training and annual refresher training are held in line with the relevant training matrix. Training is specially designed to reflect the specifics of our business and regulatory environment, the services we provide and all other relevant matters. Also, we regularly organize educational cross-functional workshops for various departments within the Group (e.g. Human Resources, Quality, Marketing, Business Development, Operations, IT).

  • We encourage a culture of privacy protection through various educational and awareness-raising initiatives. We have a communication and awareness plan in place to ensure that all personnel engaged in the processing of personal data, whether it be employee or customer data, are aware and reminded of their obligations and rights. In addition, we have developed the Ergomed Data Protection Intranet, where all important data protection updates are posted and internal know-how documents are shared.

  • We maintain Records of Processing Activities (RoPA), as required by data protection regulation. We have identified the personal data we process, including where special categories are involved. For each occasion when we process personal data, we have established the lawful basis of the processing under the relevant regulation/legislation. These records are maintained in the form of a general RoPA and an HR RoPA at Ergomed group level (with local legislative specifics of each office/affiliate within the Group).

  • All our employees are subject to confidentiality obligations concerning personal data in their employment agreements. We have adopted a blended approach, using privacy notices and a layered Privacy Policy, to ensure that the required privacy information is provided in clear language whenever we collect/process personal data. Each Ergomed employee is provided with the following key documents: Onboarding Workplace Privacy Etiquette, Data Protection Information Notice, Photo/Recording Consent and Video Surveillance Notice (where applicable).

  • We are continually committed to high standards of information security, privacy and transparency, and place a high priority on protecting and managing data in accordance with accepted standards. Tested procedures and online user facilities are in place to promptly process and fulfil data subject access requests, such as consent withdrawal, access, and rectification (IT tests conducted).

  • The length of time we keep personal data, or the way we decide this, has been defined in each area of processing and has been minimized as far as possible. Please bear in mind that in respect of our CRO and PV business operations, the retention period is usually defined by our clients, who act as data controllers.

  • Ergomed keeps all contracts with partners updated to comply with the requirements of relevant data protection legislation: Master Service Agreements, Clinical Trial Agreements, Safety Data Exchange Agreements, Consultancy Agreements, Data Processing Agreements, Data Sharing Agreements, Confidential Disclosure Agreements, etc.

  • Where Ergomed transfers personal data internationally, we ensure that the transfer is permitted under the relevant data protection legislation. Also, we regularly apply appropriate safeguards, such as the European Commission’s standard contractual clauses, adequacy decisions, etc.

  • We have implemented robust Personal Data Breach Management. We have tested procedures in place to fulfil our obligations in the event of a breach of personal data (confidential information and/or personal data), both as a controller and as a processor.

  • We have appointed a Group Data Protection Officer (dpo@wordpress-546467-1930493.cloudwaysapps.com), registered with the Information Commissioner’s Office, and an EU GDPR Representative (gdprrep@ergomedgroup.com).

  • We are the first organization to have achieved the status of compliance with international data protection and privacy standards under the MyData-TRUST label ‘Good Data Protection Practice’ (GDP2®).
     
These are just the building blocks of what we do daily to achieve full data protection compliance. We will continue to develop and improve our data protection policies and controls over time, guided by legal and regulatory requirements, market practice and the needs and preferences of our customers and partners.