This policy is key to GlobMed Ltd’s (‘GlobMed’) ability to remain compliant with its obligations under all applicable data protection laws (‘DP Laws’) and under contracts or other interactions with stakeholders (including employees, customers, suppliers, partners, regulators, and investors). This policy also aims to reduce or eliminate the risk that GlobMed, or its officers and employees, commit or become liable for criminal offences under DP Laws.
This policy applies to all GlobMed officers and employees, including contractors, partners, other third parties, and those operating on its behalf.
In addition, security is fundamental to data protection and this policy closely interacts with GlobMed’s Information Security Policy (‘ISP’) including related policies and procedures.
In this policy, we use definitions from the GDPR unless otherwise stated.
‘Anonymised data’ means information that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
‘Controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘DPIA’ means the PIA that must be carried out in certain situations, contain certain information, and over which there are other obligations, as set out in the GDPR.
‘DP Laws’ means the EU GDPR, the UK GDPR, the Data Protection Act, and any other laws in jurisdictions in which we operate.
‘EEA’ or ‘European Economic Area’ means the EU and Iceland, Liechtenstein, and Norway.
‘EU GDPR’ means the EU General Data Protection Regulation, 2016/679.
‘GDPR’ means either or both the EU GDPR and UK GDPR. We will use this when there is little or no difference in the wording of the relevant law for the context.
‘Personal data’ means any information relating to an identified or identifiable natural person, namely one who can be identified, directly or indirectly from that information alone or in conjunction with other information ‘in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. While ‘personal data’ is a defined term in EU and UK law, we use it here to also cover ‘personally identifiable information’ and ‘personal health information’ as defined in US law, and other similar legal definitions.
‘PIA’ means a privacy impact assessment, which is a written assessment of the risks to the rights and freedoms of data subjects through any processing of their personal data. A DPIA is just one type of PIA.
‘Processing’ means ‘any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.
‘Processor’ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information (such as a lookup table relating alphanumeric identifiers to the individuals), provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
‘Special Categories of Personal Data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
‘Transfer’ means the transfer of personal data either to ‘third countries’ (meaning countries outside the EU for the EU GDPR or outside the UK for the UK GDPR) or ‘international organisations’ (meaning an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries, such as the UN or WHO).
‘UK DPA’ means the UK Data Protection Act 2018.
‘UK GDPR’ means the UK-adopted version of the EU GDPR, which took effect from 1 January 2021 as a result of Brexit.
GlobMed commits to ensuring that any processing of personal data by or on behalf of GlobMed is carried out in compliance with DP Laws. Data relating to legal entities are also protected in a small number of countries and, where GlobMed collects or processes such data from such countries, we treat it as personal data within our DPMS.
GlobMed complies with the GDPR including its six core principles (‘6 Principles’) set out in Article 5 of the GDPR, which in summary are:
- Lawfulness, fairness, and transparency
Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose limitation
Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage limitation
Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
In addition, when GlobMed, as controller, processes personal data, one of the 6 legal bases set out in Article 6 of the GDPR must apply to ensure lawful processing:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller;
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (this basis is not available to support processing carried out by public authorities in the performance of their tasks).
Where GlobMed processes Special Categories of Personal Data, or personal data relating to criminal convictions and offences or related security measures, we will comply with additional requirements.
GlobMed Ltd as ‘controller’ and ‘processor’
While, in all cases, the processing of personal data must be in accordance with applicable DP Laws:
- where GlobMed is the controller, we will comply with all obligations applicable to controllers in DP Laws. GlobMed, as with most businesses, is the controller of the majority of the personal data we process, for example across employee relations, marketing, finance, and supplier management.
- where GlobMed is the processor, the relevant personal data may only be processed in accordance with the contract we have with, and the instructions of, the controller. GlobMed will also comply with any obligation on processors in DP Laws.
This policy mirrors the GDPR in taking a risk-management-based approach: any additional measures taken under this policy are appropriate to the risk in question. This means that, in some instances, lesser measures are required (for example in the protection of purely public information), while in other instances significant measures are required (for example in the protection of Special Categories of Personal Data).
As part of this policy, GlobMed commits to maintaining a governance structure to ensure compliance with DP Laws, including the following.
The CEO is responsible for establishing, maintaining, and enforcing this Policy.
While senior sponsorship is set out above, we all have responsibilities to ensure we appropriately process and protect personal data in accordance with DP Laws and the DPMS, including (as appropriate to our roles) reporting personal data breaches, carrying out PIAs, carrying out due diligence on processors, and otherwise implementing privacy by design and privacy by default across GlobMed’s business. Line managers must ensure they are fully aware of the DPMS as it relates to their roles as they are responsible for compliance by their direct reports and by suppliers for whom they are the lead manager.
Policies & Procedures
GlobMed establishes and maintains appropriate policies to ensure compliance with applicable DP Laws across the data lifecycle and appropriate procedures to ensure that the policies may be put into practice. Policies will address governance and risk across the personal data lifecycle from collection to destruction.
Training & Awareness
GlobMed trains staff on the importance of data protection and aspects of this DPMS as appropriate to their role and level of seniority at onboarding, on change of role, and with refresher training sessions as appropriate.
GlobMed establishes and maintains records required to demonstrate compliance, such as the privacy notices provided to data subjects, records of consent, and Article 30 Records.
As a fundamental requirement under the GDPR, GlobMed maintains appropriate technical and organisational measures against unauthorised or unlawful processing of personal data held or controlled by GlobMed and against accidental loss or destruction of, or damage to, such personal data. The security measures address the need to maintain the required confidentiality, integrity, and availability of personal data.
As appropriate, GlobMed reviews developments in DP Laws and codes of practice and practical changes in working patterns, assesses the DPMS against any such development, and considers any required update to the DPMS.
Whenever consent is to be the legal basis for processing personal data, such consent must be obtained in accordance with the requirements of DP Laws and GlobMed’s Consent Procedure, recorded appropriately, and an appropriate mechanism for withdrawal provided.
Collection, Transparency & Purpose Limitation
Addressing the GDPR’s 1st Principle (Lawfulness, fairness, and transparency) and 2nd Principle (purpose limitation), GlobMed shall provide the information required (in particular under Articles 13 and 14 of the GDPR) in a privacy notice to data subjects at the appropriate time in order for processing of that personal data to be lawful, fair and transparent. The privacy notice will be delivered in a compliant manner for the particular context, whether by single notices, layered notices, tooltips, and other suitable methods. GlobMed shall ensure that the purposes are included in the information provided to data subjects and respected during processing.
Privacy by Design & Privacy by Default
GlobMed adopts policies and procedures to implement privacy by design and privacy by default into its working practices as appropriate. Key areas include the design and use of technology, storage, security systems including access to data, and marketing. We carry out PIAs and DPIAs as appropriate and in accordance with the Data Protection Policy. We also consider the use of anonymisation and pseudonymisation as appropriate.
Whenever the processing of personal data – in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing – is likely to result in a high risk to the rights and freedoms of data subjects, or applicable law otherwise requires it, a DPIA shall be carried out in accordance with the GDPR, with the advice of the Data Protection Officer (if appointed) and the results recorded. DPIAs shall be reviewed at least when there is a change in the risk represented by the processing operation.
Prior to any new or changed processing of personal data, we consider the risk to data subjects and carry out a proportionate PIA, if and to the extent appropriate, to establish if there is a risk to the rights and freedoms of data subjects. Indeed, an SPIA may identify the need for a DPIA.
GlobMed ensures that all personal data concerning officers and employees is processed in accordance with DP Laws at all times. Background checks must not be carried out without consulting HR, and criminal reference checks must not be carried out without consulting Legal and in accordance with our Data Protection Policy.
Data Subject Rights
Data subjects – individuals about whom we process personal data – have several rights under the GDPR and other DP Laws. GlobMed Ltd always respects data subjects’ rights and their exercise of them in accordance with those laws and shall respond to the exercise of such rights in accordance with our Data Protection Policy and related procedures.
GlobMed complies with DP Laws regarding Data Subject Rights including in notifying data subjects of their Data Subject Rights as appropriate, receiving an exercise of a Data Subject Right, and in responding to such Data Subject Right.
Special Category Data
Special Category data is personal data that needs more protection because it is sensitive. Special Category data is given much higher protection under DP Laws and shall only be processed by or on behalf of GlobMed in accordance with such requirements and obligations and our Data Protection Policy.
GlobMed shall only process Special Categories of Personal Data when it has a legal basis under Article 6 of the GDPR (see the Data Protection Policy) and a legal basis under Article 9(2) of the GDPR.
GlobMed complies with the PCI Data Security Standard (‘PCI DSS’) at all times when processing credit card data. The PCI DSS provides an actionable framework for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents.
Where possible, GlobMed will anonymise personal data. As anonymised data is not personal data, the DP Laws do not apply to any processing of anonymised data. As a result, anonymisation should be considered throughout the data lifecycle, although it may not be practical in many circumstances other than at the end of a retention period, where personal data may be anonymised as opposed to securely destroyed. Any anonymisation carried out by or on behalf of GlobMed must satisfy legal and regulatory requirements as well as any Anonymisation Procedure we have adopted at that time.
Unlike anonymised data, pseudonymised data is still personal data as individuals can be re-identified by the use of additional information, such as a lookup table linking individuals to alphanumeric identifiers. GlobMed shall therefore protect, retain, delete and otherwise process pseudonymised data in the same way as other personal data.
However, pseudonymisation is an excellent tool to reduce risk in certain circumstances and is likely to be applicable on many more occasions throughout the data lifecycle than anonymisation. GlobMed shall consider pseudonymisation when appropriate and any pseudonymisation carried out by or on behalf of GlobMed must satisfy legal and regulatory requirements as well as any Pseudonymisation Procedure we have adopted at that time.
Marketing activities by or on behalf of GlobMed must comply with our Data Protection Policy, its related procedure, applicable DP Laws, and any other applicable laws.
Use of processors
The choice and use of processors or sub-processors shall be in accordance with our Data Protection Policy and shall be governed by a Data Processing Agreement.
GlobMed carries out and records due diligence on any prospective processor to ensure that it provides sufficient guarantees to meet, and does meet, the requirements of the GDPR. Such due diligence shall be renewed at least once a year. Such due diligence must at least cover the processor’s security measures and ability to support GlobMed in the execution of its duties regarding data subject rights and personal data breach notification.
Transfers of personal data to third countries or international organisations shall only be carried out in accordance with our Data Protection Policy.
No transfer of personal data shall occur without a valid lawful basis.
Retention & End-of-Life
GlobMed shall first honour its legal obligations as to the period for which any particular personal data must be kept. Subject to any such legal obligation, we shall consider any exercise by a data subject of their rights in light of all relevant factors under DP Laws. GlobMed shall assign a retention period to personal data and, at the end of the retention period, that personal data shall either be anonymised or securely deleted or destroyed under our Information Security Policy.
As well as the potential maximum fines in the EU / UK GDPRs of €20m / £17.5m or 4% of global turnover, whichever is higher, national laws typically set out criminal offences for certain processing of personal data contrary to that nation’s DP Laws. Such offences typically include obtaining or sharing personal data unlawfully, causing personal data to be altered without authorisation, and re-identifying individuals without authorisation. GlobMed will always have a lawful basis or lawful authorisation for its processing of personal data.
Approved Codes of Conduct & Certifications
The GDPR allows for the approval of codes of conduct (Article 40) and certification mechanisms (Article 42). Adherence to an approved code or certification mechanism may be used as an element by which to demonstrate compliance with various requirements in the GDPR. If necessary or appropriate, GlobMed will review such codes and certification mechanisms for relevance and fit for our operations.
If you become aware of a breach of this policy, report it promptly to the CEO and at [email protected].
All GlobMed employees bear responsibility for their compliance with this policy. Breach of this policy is grounds for disciplinary proceedings against an employee, which may result in disciplinary action including termination of employment. Breach of this policy by any non-employee, such as a temporary worker, contractor, or supplier, may be a breach of their contract with GlobMed and grounds for damages or termination.
The CEO is responsible for the creation and maintenance (including appropriate periodic review) of this policy and related training and awareness programs.