GDPR Manual
GDPR – Right of Access, Correction, Restriction of Processing and Erasure of Personal Information Manual
1.0 Right of Access to Information
1.1 Introduction
The right of access plays an integral role in the General Data Protection Regulation (GDPR). This allows the Data Subject to act on further rights including but not limited to the request to correct Personal Information, to restrict the processing activities thereof or request for the Personal Information to be Erased or ‘forgotten’.
The Controller of the data should thus make every effort to provide the Data Subject with the requested information as detailed in Article 15 of the GDPR. It is important to note that in some instances, specifically when it comes to Clinical Trial related activities, nuvoteQ will assume the role of the Processor of the data and would thus be obliged to notify the Client of any such Subject access requests before exercising any further duties.
1.2 Availability of the nuvoteQ GDPR Manual and Entry Point for requests
This document serves as the nuvoteQ GDPR – Right of Access, Correction, Restriction of Processing and Erasure of Personal Data Manual (“the GDPR Manual” and/or “Manual”) in accordance with the General Data Protection Regulation to facilitate access to records held by nuvoteQ.
- This Manual is available for inspection at the offices of nuvoteQ, free of charge.
- A copy of this Manual is available to any person of the public in a PDF (“Portable Document Format”) version on request from the Data Protection Officer referred to in this Manual.
Note: The Manual may be amended from time to time and as soon as any amendments have been finalised, the latest version can be made available.
In summary the Manual provides information on the:
- Contact details of the Data Protection Officer.
- Procedure that needs to be followed and criteria that must be met by a requestor to request access, correction, restriction of processing or erasure of a record.
1.3 Who may request access to the information?
The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their Personal Information which is being processed. These requests are often referred to as “Data Subject Access Requests”, or “Access Requests”.
Requestors may make a request as:
- A personal requestor (Data Subject) who requests a record about him/herself.
- A third-party requestor who requests a record about someone else with that person’s consent and where it is required for the protection of that person’s legal right.
- It fulfils the requirements of procedural compliance;
- The record is required for the exercise or protection of a right;
- No grounds for refusal exist.
1.4 Contact Details of nuvoteQ Data Protection Officer
The Chief Executive Officer of nuvoteQ has delegated his powers to the Data Protection Officer below in terms of GDPR to handle all requests on nuvoteQ’s behalf and ensure that the requirements of GDPR are administered in a fair, objective, and unbiased manner.
nuvoteQ contact details:
Data Protection Officer: Marina Lazaridis
Deputy Data Protection Officer: Ricky Haug
Physical Address
47 Hazelwood Rd, Hazelwood, Pretoria, 0081, South Africa
Email: marina@nuvoteq.io
Email: ricky@nuvoteq.io
1.5 Policy regarding Confidentiality and Access to Information
nuvoteQ will protect the confidentiality of information provided to it by third parties (OP-GM-03, PC-HR-01, PC-GM-03), subject to nuvoteQ’s obligations to disclose information in terms of any applicable law or a court order requiring disclosure of the information. If access is requested to a record that contains information about a third party, nuvoteQ is obliged to attempt to contact this third party to inform them of the request. This permits the third party the opportunity of responding by either consenting to the access or by providing reasons why the access should be denied. In the event that the third party furnishes reasons for the support or denial of access, the Data Protection Officer will consider these reasons in determining whether or not access should be granted.
2.0 nuvoteQ Structure
2.1 Scope
This Manual has been prepared in respect of the nuvoteQ organisational structure (as applicable).
The scope of this Manual will serve to provide a reference regarding the records held by nuvoteQ at its registered office and other applicable business premises.
2.2 nuvoteQ Group of Companies Profile and Structure
nuvoteQ is a South African-based and registered Company providing global software solution services to CROs (and other companies within the Healthcare industry) as well as other industry organisation(s).
Additional information on nuvoteQ is available on the website nuvoteQ.io.
3.0 Key definitions and clarifications
Data: Information, facts and statistics used for reference or analysis in electronic form.
Data Subject: The person to whom the Personal Information relates.
Data Protection Officer (DPO): Someone, either an employee or a professional hired externally, who has responsibility for ensuring that their organisation is compliant with GDPR.
Personal Information: Information relating to an identifiable, living natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to (a) information relating to the race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture or employment history of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views, or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the content of the original correspondence; (g) the views or opinions of other individuals about the person; and (h) the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person. “Personal Data” has a corresponding meaning. Without limiting the generality of the foregoing, Personal Information must always be treated as Confidential Information, even after the individual’s death. It should be noted that Personal Information which has undergone Pseudonymisation and/or was de-identified, and which can be attributed to a Data Subject by the use of additional information, should be considered as Personal Information.
Controller (Joint Controller): The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
4.0 Templates
ML-GM-02 v00 TPL-1.0: Data Subject Access Request Form
ML-GM-02 v00 TPL-2.0: Correction, Restriction of Processing or Erasure Request Form
5.0 Related Documents
OP-GM-03: Confidentiality of Information
OP-IT-01: Security, Management and Use of Information Technology
PC-HR-01: Code of Conduct
PC-GM-03: Privacy, Security and Protection of Personal Information
PC-GM-04: nuvoteQ Online Services Privacy Policy
WI-GM-01: Good Documentation Practice
6.0 Access Procedure and Requests
The purpose of this section is to provide requestors with sufficient guidelines and procedures to facilitate a request for access to a record held by nuvoteQ.
It is important to note that an application for access to information can be refused under the conditions specified in Article 12(5) of GDPR. Similarly, the successful completion and submission of an access request form does not automatically allow the requestor access to the requested record. In limited circumstances, the Controller may refuse to act on a request if it is proven to be “manifestly unfounded or excessive” (Article 12(5), GDPR). Similarly, an application for access to a record may be subjected to general limitations as detailed in Article 15(4) of the GDPR, where the rights and freedoms of others may be adversely affected.
If it is reasonably suspected that the requestor has obtained access to nuvoteQ’s records through the submission of materially false or misleading information, legal proceedings may be instituted against such requestor.
6.1 Guidance on Completion of Prescribed Access Form
In the event that nuvoteQ is not the Controller of the Personal Information, the company is obliged to inform the Controller (Client) in writing of:
- Any legally binding request for the disclosure of Personal Information by a law enforcement authority unless otherwise prohibited (to preserve the confidentiality of a law enforcement investigation).
- Any accidental or unauthorised access to Personal Information.
- Any request received directly from the Data Subject, without responding to that request.
Under these circumstances, nuvoteQ should follow the instructions as detailed in the Client’s (Controller) procedural documents or as communicated by their nominated DPO.
However, for nuvoteQ to facilitate any access to a record, the attached prescribed “Data Subject Access Request Form” (ML-GM-02 v00 TPL-1.0) should be completed by the Data Subject themselves or the Requestor. Please take note that the prescribed access form must be completed in full; failure to do so will result in the process being delayed until such additional information is provided. nuvoteQ will not be held liable for delays due to receipt of incomplete forms.
Due cognisance should be taken of the following instructions when completing the “Data Subject Access Request Form” because the Data Protection Officer shall not process any request for access to a record until satisfied that all requirements have been met:
- The nuvoteQ “Data Subject Access Request Form” has been submitted in writing.
- Proof of identity has been provided to authenticate the requestor’s identity. If the requestor is the Controller of the data, the requestor shall provide proof of the identity of the person on whose behalf the request is made and authorisation (consent) from the Data Subject to act on their behalf.
- Type or print in BLOCK LETTERS an answer to every question.
- If a question does not apply, state “N/A” in response to that question.
- If there is nothing to disclose in reply to a particular question, state “nil” in response to that question.
- If there is insufficient space on a printed form in which to answer a question, additional information may be provided on an additional attached folio.
- When the use of an additional folio is required, precede each answer thereon with the title applicable to that question.
- Any other supporting documents or justification have been attached (where applicable).
6.2 Submission of Prescribed Access Form
The completed “Data Subject Access Request Form” must be submitted via email and addressed to the designated nuvoteQ Data Protection Officer.
6.3 Notification
nuvoteQ will, within one month of receipt of the request, decide whether to grant or decline the request and give notice with reasons (if required) to that effect.
The one-month period within which nuvoteQ must decide whether to grant or refuse the request may be extended for a further period of not more than two months, taking into consideration the number and complexity of requests received. nuvoteQ will notify the requestor in writing should an extension be sought.
If the request for access to a record is successful, the requestor will be notified of the form in which the access will be granted. If the request for access to a record is not successful, the requestor will be notified of the reasons for the refusal and their right to lodge a complaint with the supervisory authority.
Note: If nuvoteQ is not the Controller of the data, every effort should be made to respond to the Controller well in advance of the one-month deadline to assist with the fulfilment of their timed obligation to respond to requests from the Data Subject.
7.0 Correction, Restriction of Processing or Erasure Procedures and Requests
The purpose of this section is to provide requestors with sufficient guidelines and procedures to facilitate a request for the correction, restriction of processing or Erasure of Personal Information records held by nuvoteQ.
7.1 Guidance on Completion of prescribed Correction, Restriction of Processing or Erasure Request Form
In the event that nuvoteQ is not the Controller of the Personal Information, the company is obliged to inform the Controller (Client) in writing of:
- Any legally binding request for the correction, restriction of processing or Erasure of Personal Information by a law enforcement authority unless otherwise prohibited (to preserve the confidentiality of a law enforcement investigation).
- Any accidental or unauthorised correction or Erasure of Personal Information.
- Any request received directly from the Data Subject, without responding to that request.
Under these circumstances, nuvoteQ should follow the instructions as detailed in the Client’s (Controller) procedural documents or as communicated by their nominated DPO.
However, for nuvoteQ to facilitate any request to correct, restrict processing of or erase Personal Information records, the attached prescribed “Correction, Restriction of Processing or Erasure Request Form” (ML-GM-02 v00 TPL-2.0) should be completed by the Data Subject themselves or the Requestor. Please take note that the prescribed form must be completed in full; failure to do so will result in the process being delayed until such additional information is provided. nuvoteQ will not be held liable for delays due to receipt of incomplete forms.
Due cognisance should be taken of the following instructions when completing the “Correction, Restriction of Processing or Erasure Request Form” because the Data Protection Officer shall not process any such request until satisfied that all requirements have been met:
- The nuvoteQ “Correction, Restriction of Processing or Erasure Request Form” has been submitted in writing.
- Proof of identity has been provided to authenticate the requestor’s identity. If the requestor is the Controller of the data, the requestor shall provide proof of the identity of the person on whose behalf the request is made and authorisation (consent) from the Data Subject to act on their behalf.
- Type or print in BLOCK LETTERS an answer to every question.
- If a question does not apply, state “N/A” in response to that question.
- If there is nothing to disclose in reply to a particular question, state “nil” in response to that question.
- If there is insufficient space on a printed form in which to answer a question, additional information may be provided on an additional attached folio.
- When the use of an additional folio is required, precede each answer thereon with the title applicable to that question.
- Any other supporting documents or justification have been attached (where applicable).
7.2 Submission of Prescribed Correction, Restriction of Processing or Erasure Request Form
The completed “Correction, Restriction of Processing or Erasure Request Form” must be submitted via email and addressed to the designated nuvoteQ Data Protection Officer.
7.3 Notification
nuvoteQ will, within one month of receipt of the request, action the request accordingly. The one-month period within which nuvoteQ must decide to grant or refuse the request may be extended for a further period of not more than two months, taking into consideration the number and complexity of requests received. nuvoteQ will notify the requestor in writing should an extension be sought.
If the request to correct, restrict processing or erase records is successful, the requestor will be notified accordingly. If the request is unsuccessful, the requestor will be notified of the reasons for the refusal and their right to lodge a complaint with the supervisory authority.
Note: If nuvoteQ is not the Controller of the data, every effort should be made to respond to the Controller well in advance of the one-month deadline to assist with the fulfilment of their timed obligation to respond to requests from the Data Subject.
8.0 Ensuring that the Correct Records are Shared, Corrected, Restricted, or Erased
It is the responsibility of the nuvoteQ Data Protection Officer (DPO) to ensure that every effort is made to confirm the identity of the Data Subject and match that with the particulars of the Personal Information record(s) being provided, corrected, restricted, or erased. There should be no cross-contamination of records shared or evidence provided to the Data Subject or Requestor upon execution of any request. It is thus mandated that the deputy DPO perform a documented quality review prior to any notice of request decision or outcome being issued.
9.0 Records that cannot be Found or do not Exist
If nuvoteQ has searched for a record and it is believed that the record either does not exist or cannot be found, the requestor will be notified by way of an affidavit or affirmation. This should include the steps that were taken to try to locate the record.