GDPR Compliance Statement

GDPR Compliance

Open Applications Consulting Ltd GDPR statement

The General Data Protection Regulation significantly changes data protection law in Europe,
strengthening the rights of individuals and increasing the obligations on organisations.

For patient data, OpenApp is a Data Processor acting under the instructions of its clients, who
are the Data Controllers.

OpenApp understands that GDPR places responsibility for Personally Identifiable
Information on both Data Controllers and Data Processors.

Our Commitment

OpenApp is committed to ensuring the security and protection of the personal information
it processes, and to providing a compliant and consistent approach to data protection.
OpenApp has always had a robust and effective data protection programme in place which
complies with existing law and industry ethics and abides by the data protection principles.
OpenApp has been registered with the Data Protection Commissioner in Ireland for many
years.

OpenApp has service contracts with all of its clients to provide services around storing
personally identifiable data, and those contracts already cover many aspects of GDPR.
Some of these contracts may be amended to provide clarifications on certain points, but
GDPR underlies all of our commitments.

How is OpenApp prepared for GDPR?

OpenApp engaged the services of a well-recognised specialist data security firm and
conducted a thorough review of its policies and procedures related to GDPR. From this
review OpenApp is confident that it complies with all Data Processor aspects of
GDPR, which include:

• Protect access to the data: physical, technical and administrative safeguards are in place –
only those few OpenApp employees who absolutely need access to patient data will
be given access.
• Data is only processed as per the Data Controller’s explicit instructions.
• Data Controllers are supported in fulfilling Data Subject rights.
• Protect the data: retention and backup policy in line with GDPR.
• Data is anonymised or encrypted where required.
• Systems are constantly monitored.
• Data Protection by design at all stages of the product life-cycle, and privacy by default in
all deployments and support.
• Staff are trained to understand the implications of GDPR and to respect data privacy and
confidentiality.
• Reasonable steps are taken to ensure the reliability of any employees who can access
Client data.
• OpenApp never uses a third party for any reason, including data processing, unless
explicitly instructed to do so by a client.

In addition, OpenApp has started the process of ISO27001 certification, an
internationally recognised standard which focuses on the Information Security Management System (ISMS) to
prevent data loss or exfiltration. This will aid OpenApp, when needed, in demonstrating
compliance with relevant duties and obligations, and will allow the Data Controller to audit
OpenApp as necessary.

What our clients need to know about GDPR

Who is Responsible for the Rights of Data Subjects?

“Data Subjects” are the natural persons whose privacy rights must be protected. OpenApp
has contracts with all of its clients to provide services storing personally identifiable data.

Client Responsibilities

The Client acts as Data Controller for the End
Users of the Client’s applications developed
by OpenApp.

Clients will not use the OpenApp Services in
any manner that violates the privacy and
legal rights of their End Users under all
applicable laws and regulations.

The Client will obtain and maintain any required
consents from End Users to allow, as
applicable, the Client’s access, monitoring, use,
recording, storage and/or disclosure of End
User Data.

Clients are responsible for performing Privacy Impact Assessments and for interactions with the Data Protection Authorities.

OpenApp Responsibilities

OpenApp acts as a Data Processor on behalf
of the Client, with no knowledge of the End
Users.
OpenApp is responsible for the storage,
security and consistency of that personal
information.

OpenApp maintains and records all requests
to be forgotten for audit purposes. Each
record consists of an identifier, date and
request type.

OpenApp shall provide assistance to Clients as reasonably requested under the GDPR or any other relevant Data Protection
Law in relation to its role as Data Processor.

IF A DATA SUBJECT ASKS TO BE FORGOTTEN, TO HAVE THE DATA
RECTIFIED OR REQUEST THE FULL COPY OF DATA HELD

The GDPR includes articles that give EU citizens the right to erasure (right to be forgotten),
the right to rectification and the right of access.

The Data Controller must have a Data Protection Officer who is responsible for documenting
and fulfilling requests from Data Subjects to have all their personal information removed from
the Data Controller’s possession, to have current data rectified, or to have a copy of all
information held returned to them in a secure, portable format.

Client Responsibilities

The Client is responsible for handling any
interactions with their End Users.

The Client is responsible for properly handling
and processing notices sent by any person.

The Client is responsible for requests related to
external systems.

OpenApp Responsibilities

OpenApp does not expect to receive
requests from Data Subjects.

All Data Subject requests will be referred to
the Data Controller for instruction.

OpenApp will either provide features in the
platform or enable the service desk to assist
the Data Controller to comply with such
requests.
HOW WILL THE NOTIFICATION PROCESS WORK IN THE EVENT OF A
DATA BREACH?

A data breach occurs when information, including personal information of Data Subjects, is made
available to unauthorised parties.

GDPR mandates that all data breaches must be reported within 72 hours.

Client Responsibilities

Clients agree to require that their users
comply with all applicable laws and
reasonable security measures, and to notify
OpenApp of any suspicious activity.

Clients are responsible for notifying their
users of any breaches.

OpenApp Responsibilities

OpenApp will maintain appropriate and
reasonable security mechanisms to prevent
any unauthorised breaches of data.

OpenApp will maintain appropriate and
reasonable intrusion detection mechanisms
and will monitor them to detect any
unauthorised access to the systems.

OpenApp is responsible for notifying clients
of any issues that may impact service,
security, or regulatory compliance.

OpenApp is responsible for notifying the
clients of any data breaches within 72 hours
of detection.

HOW DO WE KNOW WHERE DATA IS BEING PROCESSED, STORED
AND TRANSFERRED TO?

Many items are agreed during the setup of the client systems and described in the service
contract, including location, data life cycle and encryption. Decommissioning also needs to
be agreed, to describe what happens at the end of the contract.

Client Responsibilities

The Client is responsible for Data Governance
and will instruct OpenApp appropriately.

The Client defines and agrees during project
initiation the location of the data storage, life
cycle, retention and processing.

The Client will give sufficient notice to OpenApp
of termination of the service contract.

OpenApp Responsibilities

Data retention and life-cycle will be
implemented by OpenApp as agreed.

Data is encrypted both at rest and in transit
as agreed.

OpenApp will not change any aspect of the
system without prior agreement with the
client.

Upon termination of the service contract
OpenApp will arrange to promptly (within a
maximum of 30 days) delete all copies of
data related to the service, unless retention is
explicitly required by applicable law.
