General Data Protection Regulation Policy
The Medray group of companies will fully comply with the General Data Protection Regulation (EU) 2016/679 within the Republic of Ireland (ROI) and with the data protection regulations within the United Kingdom (UK). Management will oversee the evaluation of data types, the company's role, and the legal basis for controlling or processing personal data, and will approve and review this policy annually. The Group Compliance Manager will oversee data protection and act as the Data Protection Officer.
Personal Data Medray Uses
Medray store and process staff personal data with the consent of employees. The Human Resources department collects and safely stores this data and approves its processing through the Employee Contract of Employment and through policies on retention, access and the opportunity for objection, which are accessible to all Medray employees. Personally identifiable data includes name, address, role number, National Insurance number, bank details and tax reference numbers, which are needed to pay salaries and make submissions to tax and revenue government departments, along with information on dependants/next of kin for pension and insurance purposes. This activity is secondary to the main business and so is not a core activity.
Medray store and process some personal data, such as contact names and contact details, along with company data of customers. The data is provided with the customers' consent; the details are set out in sales contracts, along with information on how a customer can see the information we hold, how we process it, and how to raise any concerns. The data is processed to assess creditworthiness, deliver customer orders, service requests and invoice for goods and services. Medray will process the Personal Data only (i) as needed to provide the Services, (ii) in accordance with the specific instructions it has received from the Customer, including with regard to any Transfers, and (iii) as needed to comply with law (in which case the Processor shall provide prior notice to the Customer of such legal requirement, unless that law prohibits this disclosure).
Customers' electronic data that may contain patient identifiable information is from time to time processed to allow medical device troubleshooting and incident investigation. The data is in the form of labels on medical diagnostic images or equipment log files. The customer gives consent for this in service contracts. Occasionally, the device manufacturer (a sub-processor) may need to see images or logs that could contain personal data in order to resolve faults or complete investigations for which Medray do not have the required depth of knowledge or access to design information. The customer agrees to this via the service contract, and this personal data is only retained until the issue is resolved. Where data is passed to an equipment manufacturer for sub-processing, Medray will provide consent on behalf of the customer at each event, along with the required restrictions and security to be applied and how long the data may be retained by the sub-processor.
Medray store and process some personal data, such as contact names and contact details, along with company data of suppliers. The data is provided with the suppliers' consent; the details are set out in purchase contracts, along with information on how a supplier can see the information we hold, how we process it, and how to raise any concerns. The data is processed to assess supplier capabilities and to pay suppliers.
Provision of dosimetry service in Ireland
Medray companies in Ireland offer a radiation protection service to meet the requirements of Environmental Protection Agency licences for people working with radiation-emitting devices or sources. The service involves the provision of active dosimetry and the receipt and storage of data by the device manufacturer in the European Union. Data security and control are assured by a detailed agreement and review between Medray and the manufacturer as a data processor.
Medray Status under GDPR
On evaluation of data use, Medray is considered a data processor under Article 28, except for the dosimetry service within Ireland, where it is a data controller. For the UK, given the size of the data, the scope of processing and the type of data involved, Medray UK does not require a Data Protection Officer (DPO) or registration with the Information Commissioner's Office (ICO). In the ROI there is no requirement to register with the Data Protection Commissioner or, due to the types of data, to formally appoint or register a DPO.
Detecting Breaches and Notification to Authorities
Human Resources, Sales, Service and Purchasing managers are responsible for ensuring any data breach is detected and reported to senior management. Senior management will notify the relevant authorities in either country of any breach, through the Medray compliance team, within the required 72 hours.
Auditing and review
Auditing is done through external and internal ISO 9001 audits, and an annual audit is completed by the Medray compliance team and reviewed, with the policy reaffirmed by the company annually.