ICARS data protection policy

Approved by Executive Management on 20 December 2021

1. Introduction

In everyday business operations ICARS makes use of a variety of data about identifiable individuals (natural persons), including data on:

  • Current, past and prospective employees & consultants
  • Project and other business partners
  • Users of its websites
  • Subscribers to newsletters

Safeguarding the Personal Data of all these persons is an essential aspect of protecting people’s identities, integrity and dignity.

In collecting and using this data, ICARS is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect the data. The General Data Protection Regulation 2016 (GDPR) is one of the most significant pieces of legislation affecting the way that ICARS carries out its data processing activities. The GDPR is designed to protect the personal data of individuals in the European Union, and significant fines may be imposed for infringements of it. ICARS’s policy is to ensure compliance with the GDPR and other relevant legislation, including in particular the Danish Data Protection Act 2018.

Relevant national law will take precedence in the event that it conflicts with this Policy, or it has stricter mandatory requirements than this Policy.

2. Purpose

The purpose of this policy is to

  • Protect the personal data of the various stakeholders connected to ICARS,
  • Set out the relevant legislation on data protection and to describe the steps ICARS is taking to ensure compliance.

3. Scope

This policy applies to all systems, people and processes that constitute ICARS’s information systems, including board members, Executive Management members, ICARS staff, and third parties who have access to ICARS-owned systems (e.g. an ICARS email account).

Territorial scope of the GDPR (Article 3):

The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not, and, under specific conditions, to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the EU.

4. Key definitions

There are a total of 26 definitions listed within the GDPR (Article 4), the most fundamental and relevant of which are as follows:

‘Personal data’ is defined as: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘controller’ means: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’ means: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

In addition to the definitions, the 173 Recitals, which set out the reasons for the adoption of the individual GDPR articles, are also important for understanding and implementing the GDPR. For example, Recital 26 makes clear that anonymised data (as opposed to pseudonymised data, which remains personal data) is not personal data and that the GDPR therefore does not apply to it.

5. Principles relating to the processing of personal data

ICARS is committed to processing all personal data in accordance with the fundamental principles upon which the GDPR is based (Article 5), both in the processing it currently carries out, and as part of the introduction of new methods of processing such as IT-systems. Accordingly, personal data will be:

a)   processed lawfully, fairly and in a transparent manner in relation to individuals;

b)   collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c)   adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d)   accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e)   kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f)   processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

6. Lawful processing

ICARS will only process personal data if one of the six lawful bases defined in Article 6(1) GDPR is met:

a)   the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b)   processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c)   processing is necessary for compliance with a legal obligation to which the controller is subject;

d)   processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e)   processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f)   processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

ICARS has identified the appropriate basis for processing personal data and has documented all relevant information in two registers: (1) based on systems; and (2) based on the purpose of the processing. Both data mappings will be regularly updated when relevant and reviewed annually by the DPO.

7. Processing based on consent

Consent should be requested only where none of the bases b) to e) listed in section 6 applies.

Where processing is based on consent (Article 7 GDPR) as the lawful basis, ICARS ensures that evidence of opt-in consent is kept with the personal data and that the data subject can easily withdraw their consent.

ICARS recognises that individuals are free to withdraw their consent at any time. ICARS also commits to ensuring that where communications are sent to individuals based on their consent, the recipient has the option to opt out in each communication sent.

ICARS commits to ensuring that any withdrawal of consent is reflected accurately in ICARS’s systems.

Examples of lawful consent requests include[1]:

  • Signing a consent statement on a paper form;
  • Clicking an opt-in button or link online;
  • Selecting from equally prominent yes/no options;
  • Choosing technical settings or preference dashboard settings;
  • Responding to an email requesting consent;
  • Volunteering optional information for a specific purpose (such as optional fields in a form);
  • Answering yes to a clear oral consent request (this should ideally be recorded, e.g. via a confirmation email, so that the evidence can be stored); and
  • Dropping a business card into a box (e.g. when leaving an event to express interest in follow-up information).

The key point is that consent requests need the individual to provide a clear positive action.

8. Processing based on legitimate interests

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a lawful basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. (Recital 47).

In other words, the conditions generally apply if:

  • there is a specific purpose and clear benefit to the processing, and
  • the processing is necessary for that purpose (i.e., the same result cannot be achieved in another, less intrusive way), and
  • the legitimate interest is not overridden by the individual’s interests, rights or freedoms (“balancing test”), and
  • the data subject would reasonably expect their data to be used in that way.

For example, sharing the personal data of external experts with a collaborating partner when organising a networking event or scientific conference can usually be justified under this lawful basis.

The GDPR highlights the following as specific types of processing that may constitute a legitimate interest:

  • Fraud prevention (Recital 47)
  • Network and information security (Recital 49)
  • Indicating possible criminal acts or threats to public security (Recital 50)

ICARS recognises that the existence of a legitimate interest requires careful assessment, including whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place.

ICARS therefore commits to thoroughly establishing and documenting the justification whenever legitimate interests is relied on as the lawful basis, based on that assessment.

9. Transparency

Transparency is an overarching obligation under the GDPR applying to three central areas:

  • the provision of information to data subjects related to fair processing;
  • how data controllers communicate with data subjects in relation to their rights under the GDPR; and
  • how data controllers facilitate the exercise by data subjects of their rights.[2]

The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing.

The key articles in relation to transparency in the GDPR, as they apply to the rights of the data subject, are found in Chapter III (Rights of the Data Subject). Article 12 sets out the general rules. In particular, Article 12 requires that the information or communication in question must comply with the following rules:

  • it must be concise, transparent, intelligible and easily accessible (Article 12.1);
  • clear and plain language must be used (Article 12.1);
  • the requirement for clear and plain language is of particular importance when providing information to children (Article 12.1);
  • it must be in writing “or by other means, including, where appropriate, by electronic means” (Article 12.1);
  • where requested by the data subject it may be provided orally (Article 12.1); and
  • it generally must be provided free of charge (Article 12.5).

A GDPR privacy notice is a public document from an organisation that explains how that organisation processes personal data and how it applies the data protection principles. It is an important way to help data subjects make informed decisions about the data ICARS collects and uses. ICARS therefore commits to developing and regularly updating privacy notices for different audiences (e.g., conference attendees). Articles 12, 13 and 14 of the GDPR set out in detail what a privacy notice must contain, placing an emphasis on making it easy to understand and accessible.

ICARS Privacy notices

1.     For ICARS website users: Privacy Policy – ICARS (icars-global.org)

2.     For whistleblowers:  ICARS whistleblowing system 

10. Individual Rights

ICARS respects the rights conferred on Data Subjects to ensure the protection of their Personal Data (Chapter III GDPR). These consist of:

  1. The right to be informed: The right to be told how their personal data is used, in clear and transparent language.
  2. The right of access: The right to know and have access to the personal data ICARS holds about them.
  3. The right to rectification: The right to have their personal data corrected where it is inaccurate or incomplete.
  4. The right to erasure (‘right to be forgotten’): The right to have their personal data erased.
  5. The right to restrict processing: The right to limit the extent of the processing of their personal data.
  6. The right to data portability: The right to receive their data in a common, machine-readable electronic format.
  7. The right to object: The right to object to the processing of their personal data.
  8. Rights in relation to automated decision making and profiling: The right not to be subject to decisions based solely on automated processing, without human involvement.

Each of these rights is supported by appropriate procedures within ICARS that allow the required action to be taken within the timescales stated in the GDPR. Under Article 12(3) GDPR, ICARS must respond to a request without undue delay and in any event within one month of receipt; that period may be extended by two further months where requests are complex or numerous, provided the data subject is informed of the extension, and the reasons for it, within the first month.

These timescales are shown in Table 1.

  Data subject request                                           Timescale
  The right to be informed                                       When data is collected (if supplied by the data subject) or within one month (if not supplied by the data subject)
  The right of access                                            One month
  The right to rectification                                     One month
  The right to erasure                                           Without undue delay
  The right to restrict processing                               Without undue delay
  The right to data portability                                  One month
  The right to object                                            On receipt of the objection
  Rights in relation to automated decision making and profiling  Not specified

Table 1 – Timescales for data subject requests

Privacy information will acknowledge these rights and explain how individuals can exercise them (see also section 9. of this policy on transparency).

Any request in respect of these rights should be made in writing to dataprotection@icars-global.org.

Requests that are ‘manifestly unfounded or excessive’ can be refused. ICARS will take reasonable measures to require individuals to prove their identity where it is not obvious that they are the data subject.

11. Privacy by Design

ICARS has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data are subject to consideration of privacy issues, including the completion of one or more data protection impact assessments.

The data protection impact assessment will include:

  • Consideration of how personal data will be processed and for what purposes
  • Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
  • Assessment of the risks to individuals in processing the personal data
  • What controls are necessary to address the identified risks and demonstrate compliance with legislation

The use of techniques such as data minimisation and pseudonymisation is considered where applicable and appropriate. Pseudonymised data remains personal data as long as the additional information needed to re-identify the data subject exists, so that information must be kept separately and protected (Article 4(5) GDPR).

ICARS is committed to (1) limiting access to personal data to personnel who need access, (2) regularly reviewing access rights based on the two registers, and (3) ensuring appropriate security measures to avoid unauthorised sharing of information.

12. Controller vs processor

Controllers and processors must always be separate entities. To determine whether an entity is a controller or a processor, it is necessary to look at which entity initiates, participates in and dictates the decision-making regarding the purposes (“why”) and the means (“how”) of the processing operations in question. In some cases applicable law mandates an entity to process personal data for specific purposes; in that limited situation, identifying the controller is straightforward.

In its role as data controller, ICARS will only appoint processors who can provide sufficient guarantees around compliance with the GDPR and that the rights of data subjects will be protected.

Where a processor can demonstrate that they adhere to approved codes of conduct or certification schemes, this will be taken into consideration for choice of supplier.

Where ICARS uses a processor, a written contract containing the compulsory terms set out in Article 28 of the GDPR will be put in place. Processors may act only on documented instructions from ICARS.

An overview of all Data Processing Agreements (DPA) in place will be regularly updated.

Joint controllership

Entities are joint controllers within the meaning of Article 26 GDPR when they jointly determine the purposes and means of the processing (joint decision-making).

In cases of joint controllership, the entities involved must enter into an arrangement, stipulating the individual controllers’ data privacy-related obligations in a transparent manner (joint controller arrangement).

However, regardless of those arrangements, each controller remains responsible for complying with all the obligations of controllers under the GDPR.

13. Transfer of data outside the EU

The protection offered by the GDPR travels with the data, meaning that the rules protecting personal data continue to apply regardless of the location of the data. This also applies when data is transferred to a third country, i.e., a country which is not a member of the EU (Chapter V: Transfers of personal data to third countries or international organisations).

The GDPR provides different tools to frame data transfers from the EU to a third country:

  • a third country may be declared as offering an adequate level of protection through a European Commission decision (‘Adequacy Decision’), meaning that data can be transferred to an organisation in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions;
  • in the absence of an Adequacy Decision, a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals;
  • finally, if a transfer of personal data is envisaged to a third country that is not the subject of an Adequacy Decision and appropriate safeguards are absent, a transfer can be made on the basis of a number of derogations for specific situations, for example where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.[3]

The adequacy decisions of the EC are compiled on the following website: Adequacy decisions | European Commission (europa.eu)

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question are treated in the same way as intra-EU transmissions of data.

For transfers to countries not covered by an adequacy decision, the EC has issued a set of standard contractual clauses designed to provide appropriate safeguards for the transfer of personal data to a non-EEA country: Standard contractual clauses for international transfers | European Commission (europa.eu)

ICARS commits to carefully assess the implications of the GDPR rules on transfer of data outside the EU before entering into any agreement with entities based in third countries.

14. Reporting of breaches

A personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

All members of staff should be vigilant and able to identify a suspected personal data breach. Examples of a breach include, but are not limited to:

  • loss or theft of devices or data, including information stored on USB drives or on paper
  • hacking or other forms of unauthorised access to a device, email account, or the network
  • disclosing personal data to the wrong person, through wrongly addressed emails, or bulk emails that inappropriately reveal all recipients’ email addresses
  • alteration or destruction of personal data without permission

Where a member of staff discovers or suspects a personal data breach, this should be reported to the DPO as soon as possible.

Unless the breach is unlikely to result in a risk to individuals’ rights and freedoms, the DPO will report the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after ICARS became aware of it; where the notification is made later than this, it will be accompanied by the reasons for the delay.

Where there is also a likely high risk to individuals’ rights and freedoms, ICARS will inform those individuals without undue delay.

The DPO will keep a record of all personal data breaches reported and follow up with appropriate measures and improvements to reduce the risk of reoccurrence (via a data breach register).

It is also possible to report serious data protection breaches (anonymously) via the ICARS whistleblowing system. For more information see the ICARS Whistleblowing Policy.

15. Consultation and means of communication

Questions about any data protection issue should be directed to the DPO (dataprotection@icars-global.org) or the Director of Operations.

Personal Data requests from Data Subjects (e.g. for access, rectification or deletion of data) should be addressed to dataprotection@icars-global.org.

ICARS will ensure practical communication and training from time to time, including as part of the induction of new staff. The policy will also be published on the ICARS website.

A complementary ICARS internal practical guidance note has been developed which will be regularly updated.

16. Policy Review

The Board of Directors shall authorise and oversee a periodic review of the administration of this policy at least annually. The review may be written or oral. The review shall consider the level of compliance with the policy, the continuing suitability of the policy, and whether the policy should be modified and improved.

Any changes to the policy shall be communicated immediately to all ICARS staff, consultants, advisory forum members, and partners. In addition, the new policy will be published on the ICARS website.


[1] Inspired by GDPR: When do you need to seek consent? – IT Governance Blog En.

[2] Article 29 Working Party. Guidelines on transparency under Regulation 2016/679. Adopted on 29 November 2017. As last revised and adopted on 11 April 2018.

[3] Based on What rules apply if my organisation transfers data outside the EU? | European Commission (europa.eu)