We will take appropriate security measures against unlawful or unauthorized processing of personal data and against the accidental or unlawful destruction, damage, loss, alteration, or unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed.
We will put in place procedures and technologies to maintain the security of all personal data from the point of the determination of the means for processing and point of data collection to the point of destruction. Personal data will only be transferred to a data processor if he or she agrees to comply with those procedures and policies, or if he or she puts in place adequate measures himself/herself.
We will maintain data security by protecting the confidentiality, integrity, and availability of the personal data, defined as follows:
- Confidentiality: Only people who are authorized to use the data can access it.
- Integrity: Personal data should be accurate and suitable for the purpose for which it is processed.
- Availability: Authorized users should be able to access the data if they need it for authorized purposes. Personal data should therefore be stored on the Heal With Maddie, LLC central computer system & databases instead of individual PCs.
Our Security Procedures:
- Entry controls: Any stranger seen in entry-controlled areas will be reported.
- Securing lockable desks and cupboards at all times: Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
- Data minimization will be practiced.
- Data will primarily be stored in pseudonymised and encrypted form.
- Methods of disposal: Paper documents would be shredded. Digital storage devices would be physically destroyed when they are no longer required. Electronic data would be deleted once its intended purpose is fulfilled.
- Equipment: Staff has to ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
Transferring Personal Data Outside of the EEA: We may transfer any personal data we hold to a country outside the European Economic Area (‘EEA’) or to an international organization, provided that one of the following conditions applies:
- The country to which the personal data is transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
- The data subject has given his or her consent.
- The transfer is necessary for one of the reasons set out in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
- The transfer is legally required on important public interest grounds or for the establishment, exercise or defense of legal claims.
- The transfer is authorized by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
Subject to the requirements above, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Those staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.