The GDPR (General Data Protection Regulation) is a regulation developed by the European Union that governs how organisations anywhere in the world must handle the personal data of individuals in the EU member states and in the EEA countries Iceland, Liechtenstein and Norway. GDPR came into force on 25 May 2018 and replaced the Data Protection Directive 95/46/EC, which was adopted in 1995.
GDPR builds on Data Protection Directive 95/46/EC with some key changes, outlined here:
The GDPR applies to every organisation that processes the personal data of people residing in the EU/EEA, irrespective of where the organisation itself is located.
Under the GDPR, the most serious infringements can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine that can be imposed. There is also a lower tier: an organisation can be fined up to 2% of annual global turnover (or €10 million) for infringements such as failing to notify the supervisory authority of a data breach. Fines apply to both controllers and processors, so a cloud service provider acting as a processor can be fined as well.
Any request for consent made by Moebius Research Trust will be clear and distinguishable from other matters, and will be presented in an intelligible and easily accessible form, using clear and plain language.
Under the GDPR, breach notification is compulsory in all member states where a data breach is likely to result in a risk to the rights and freedoms of individuals. Moebius Research Trust will notify the supervisory authority within 72 hours of becoming aware of such a breach. Data processors must notify their customers, the controllers, "without undue delay" after first becoming aware of a data breach.
Right to Access
One of the major rights established by the GDPR is the right of access. Data subjects can obtain confirmation from the data controller as to whether personal data concerning them is being processed, where it is processed and for what purpose. Further, as a controller, Moebius Research Trust will provide a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten (Data Erasure)
The right to be forgotten allows a data subject to ask the data controller to erase their personal data, to cease further distribution of the data and to have third parties halt processing of it. Data can be erased where it is no longer relevant to the original purposes for processing, or where the data subject withdraws consent. Moebius Research Trust will oblige any party looking to exercise their right to erasure.
Data Portability
The GDPR introduces data portability: the right of a data subject to receive the personal data concerning them, which they have previously provided, in a "structured, commonly used and machine-readable format", and the right to transmit that data to another controller.
Privacy by Design
Privacy by Design has become a legal requirement under the GDPR. It demands that data protection be built in from the outset of the design of systems, rather than added afterwards. Article 25 of the GDPR requires that "the controller shall ... implement appropriate technical and organisational measures ... in an effective manner ... in order to meet the requirements of this Regulation and protect the rights of data subjects".
Data Protection Officer
Under the GDPR, it is no longer necessary to submit notifications or registrations of data processing activities to each local data protection authority (DPA), and it is not necessary to notify or obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there are internal record-keeping requirements.
Appointment of a Data Protection Officer is compulsory for controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions and offences.
As outlined in Article 39 of the GDPR, the responsibilities of Moebius Research Trust's DPO include, but are not limited to, the following:
Educating the company and employees on important compliance requirements
Training staff involved in data processing
Conducting audits to ensure compliance and address potential issues proactively
Serving as the point of contact between the company and GDPR Supervisory Authorities
Monitoring performance and providing advice on the impact of data protection efforts
Maintaining comprehensive records of all data processing activities conducted by the charity, including the purpose of each processing activity; these records must be made available to the supervisory authority on request
Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information.
2. GDPR Privacy Notice
1. Purpose of this Notice
This privacy notice provides the information required by Articles 13 and 14 of the European General Data Protection Regulation (GDPR), so that the personal data Moebius Research Trust uses for its activities is handled transparently. Definitions of the terms used are given in the appendix at the end of this privacy notice.
Moebius Research Trust offers diverse types of care based on the needs of its service users.
We understand that companies and/or individuals will provide personal information to Moebius Research Trust, such as the full name, email address and phone number of employees or individuals, in order to allow the charity to undertake its day-to-day activities.
2. Data Controllers
Where Moebius Research Trust acts as a Data Processor, working on the instructions of the companies or individuals who use the charity's services, it may use the personal information of their employees only for the services those clients have engaged Moebius Research Trust to provide.
Moebius Research Trust also becomes a Data Controller when it collects information directly from employees or individuals, or gathers additional information from clients. In these situations Moebius Research Trust relies on its legitimate interests, and on the need to fulfil its contractual obligations to service users, as the lawful basis for processing. Moebius Research Trust also acts as a data controller for the personal data of its own employees, which it processes on the basis of its employment contracts with them.
3. Who are we?
The Moebius Research Trust was set up in September 2006 by two sets of parents with children who have Moebius Syndrome. They recognised that, as the condition is so rare, there would be no Government funding for research into it, so they set about doing something themselves.
In order to fund research into Moebius Syndrome the charity needs to raise £250,000. The aim is to find the cause of the syndrome. We believe that, given how far technology has advanced in the last few years, it is possible to find the cause. The results would be published worldwide and could make a real difference to many people's lives.
In addition to research the Moebius Research Trust provides a signposting service to those with the condition. This includes providing informative articles and research documents on their Facebook Page, Twitter and this website. The charity works closely with a wide range of medical experts and aims to raise awareness of this condition within the medical profession and wider community.
4. What personal information we collect?
Moebius Research Trust collects personal information about the employees of its clients. The information shared by our clients includes first name, last name, job title, personal email address, work email address, post code, work address and residential address.
5. Third Party Data Transfer
Moebius Research Trust undertakes that it will not process any data via a third party without the positive consent of the individual or company for whom we hold that data. Should we need to process any data via a third party, opt-in consent will be sought first.
6. How we will use the Personal Information?
The personal information provided by our service users will be used only for the services offered by Moebius Research Trust. We undertake not to share our service users' and/or our employees' data with any organisation unless opt-in consent is granted by the party concerned, and to use data only when required and in relation to our services.
7. How we will collect the personal information?
Moebius Research Trust will not store any data without informing the parties concerned. The charity's website does not use cookies to store user information, whichever browser is used.
The personal information is collected by following means:
Information is collected directly from our service users and employees.
Data collected from a third party is handled according to the agreement between Moebius Research Trust and that third-party vendor or service provider.
During a project we may require additional data; this will be collected only after consulting the relevant parties and obtaining their approval.
If a company becomes our client, or an individual makes a donation, we may require credit card, debit card or other payment-related information in order to take payment.
Card details entered when making a payment are not stored on our website.
8. Where we will share personal data?
Personal data of service users and employees is treated as highly confidential and will not be shared without informing the party concerned. Where Moebius Research Trust needs to share data with a third party for any other purpose, this will be made known to the person when they opt for our service.
9. Where do we store and process personal data?
Moebius Research Trust stores all information relating to its clients safely and securely. The information is stored securely at our head office and is not accessible to any individual or company without consent.
Should we need to send information of a personal nature to any individual by email, we will ensure that any sensitive information is encrypted and that the encryption key or password is sent under separate cover, ideally by a different channel such as telephone rather than a second email, so that interception of one message does not expose the data.
10. Moebius Research Trust Legal Basis for Processing the Data
Under Article 6(1)(f) of the GDPR, Moebius Research Trust may process your data where "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data".
In certain circumstances the charity may require a service user's or employee's consent to process personal data related to our services. Depending on how we will use your data, this will be opt-in consent or soft opt-in consent.
Processing of your personal data may also be necessary to meet our contractual obligations to service users and employees, or to take steps at your request before entering into a contract.
Processing may be necessary for the legitimate interests pursued by Moebius Research Trust, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. Moebius Research Trust will stop such processing if a service user objects to it.
Processing on the basis of vital interests takes place only where necessary to protect the vital interests of our clients or of another natural person.
Moebius Research Trust will also process data where this is required in the public interest or at the request of a relevant government authority.
Processing of data is also necessary for Moebius Research Trust to comply with UK and EU law.
11. How do Moebius Research Trust Secure the Personal Data?
Moebius Research Trust uses various measures to secure client information, including but not limited to:
Data is backed up to protect it from accidental loss.
Preventive controls are in place to block unauthorised access to critical data.
Restricted access to personal information: access to your data is limited to those who need it for the charity's purposes.
Moebius Research Trust assesses and limits third-party risk for the individuals and companies who engage our services.
Moebius Research Trust trains its staff and its third-party vendors in data security.
12. How long we will keep the Personal Data?
Moebius Research Trust is required to state how long client information is retained in its database. Under the GDPR, organisations must not hold personal data for longer than is necessary for the purpose for which it was collected.
Where Moebius Research Trust cannot specify a fixed retention period, data will be retained for the period set out in the contractual obligations between the interested parties.
13. Your Rights
Access: the right to obtain a copy of your personal data
Rectification: the right to have your personal data corrected if it contains errors
Erasure: the right to have your personal data deleted
Withdrawal of consent (where processing is based on consent)
Data portability: the right to receive your personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller if required
Objection: the right to object to your data being passed to third-party marketing services
Profiling: the right to object to profiling, meaning the analysis of aspects of an individual's personality, behaviour, interests and habits in order to make predictions or decisions about them
Requests to exercise these rights will be handled in accordance with Moebius Research Trust's GDPR policy.
14. Third Party Sharing
Moebius Research Trust may provide links to other websites for your convenience and so that you can find out more about our partners. Please note that those websites may have privacy policies that differ from that of Moebius Research Trust; our service users and employees are asked to check them before proceeding. Moebius Research Trust does not own these sites and accepts no responsibility for their content, applications or GDPR policies.
Please use our Contact Us page if you need any further information about the GDPR policy and privacy policies maintained by Moebius Research Trust.