GDPR Policy​

About GDPR Policy

General Data Protection Regulation (GDPR) came into force on May 25, 2018, and was designed to protect the personal information of individuals. The GDPR applies to ‘controllers’ and ‘processors’. The controller shall be responsible for, and be able to demonstrate compliance with the principles.

Article 5 of the GDPR requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals; collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The parties acknowledge and agree that Client is the Data Controller of Personal Data and CAARRS is the Data Processor of that data.

As a Client, you are a Data Controller. You own, store and are responsible for data about your customers or patients, and those who may be interested in your services. In line with GDPR regulation, this means that you have a lawful basis to hold data; your existing clients, patients, leads have consented to their data being held and process, you have a process to view, amend and delete requests as per your internal GDPR policy.

Data Processor. CAARRS is a Data Processor. Our Services helps you manage and process data about your patients, clients or leads. CAARRS does not own the data. As a Data Processor, when CAARRS acquires any data on Client behalf, we ensure that consent is acquired with minimum hassle. When filling in a form on the CAARRS platform, the lead will clearly see a consent request that is displayed and submission means consent is giving.

Client Responsibility. Within the scope of the Agreement and in its use of the services, Data Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Data Processor and the Processing of Personal Data. For the avoidance of doubt, Data Controller’s instructions for the Processing of Personal Data shall comply with the GDPR Regulations and Data Protection Law. Data Controller shall inform Data Processor without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data.

Obligations of Processor. Data Processor shall collect, process and use Personal Data only within the scope of Data Controller’s Instructions. If the Data Processor believes that an Instruction of the Data Controller infringes the applicable regulations, it shall immediately inform the Data Controller without delay. If Data Processor cannot process Personal Data in accordance with the instructions due to a legal requirement under any applicable European Union or Member State law, Data Processor will promptly notify the Data Controller of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Data Controller issues new instructions with which Data Processor is able to comply. If this provision is invoked, Data Processor will not be liable to the Data Controller under the Agreement for any failure to perform the applicable services until such time as the Data Controller issues new instructions in regard to the Processing. Data Processor shall take the appropriate technical and organisational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

Individuals’ rights to view, amend or delete personal data Individuals have more extensive rights to view the data store about them and may require such data to be amended or completely deleted that information at their request. As a Client, your Privacy Policy should be updated to reflect this in line with the GDPR. If your organisation receive requests to view, amend or delete personal data, you must notify CAARRS of such request. For data view, CAARRS will provide data as a CSV file.

27th November 2019