General Data Protection Regulation (GDPR)

Last revised on April 2020

What is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a European privacy law that was approved by the European Commission in 2016 and has been in effect since May 25th, 2018. The GDPR replaces a previous European Union privacy directive, Directive 95/46/EC, which had been the cornerstone of European data protection law since 1995. The GDPR strengthens and modernizes EU data protection law to reinforce individual rights and freedoms, consistent with the European view of privacy as a fundamental human right. Among other things, the GDPR regulates how people and organizations may collect, use, store, transfer, and discard personal data. In short, it gives individuals and organizations control over their personal data while clarifying the regulatory environment for international business conducted in the EU.

The data protection requirements include terms such as:

  • All collected personal data must be processed in a legitimate, fair, and transparent way and should only be used in a way that a person would reasonably expect;
  • Personal data should be collected only for a specific purpose, and the information should be used only for that purpose. Organizations must state their reason for collecting personal data;
  • Personal data should not be held for any longer than required to fulfill its specific purpose;
  • People covered by the GDPR have the right to access their personal data. They can also request a copy of their personal data and have their data updated, deleted, restricted, or transferred to another organization.

Why is it important?

The GDPR adds new requirements regarding how organizations should protect the personal data of customers and users that is collected and processed as part of a service. It enforces stringent compliance rules that impose greater penalties for breaches. At Wellness360, we strongly believe that your data privacy and security are very important. Although we already have reliable security and privacy measures in place, we also abide by the requirements of this new regulation to ensure there are no gaps.

Data Processing Addendum

Wellness360 offers a data processing addendum (DPA) for customers who collect data from populations in the EU. Our DPA offers contractual terms that meet the GDPR requirements and also reflect our customer data privacy and security assurances. You can find our DPA terms on our Data Processing Addendum page and in our Terms of Use, or contact us at support@wellness360.co. Current Wellness360 customers do not have to take any extra action.

To ensure that no terms beyond our DPA and Terms of Service are imposed on us, we do not sign our customers' own DPAs. As we are a small team with no full-time legal staff, we do not encourage individual changes to our DPA. Any change to the standard DPA would require legal guidance and counsel and extensive discussion, which could be cost-prohibitive for our company.

If you have any questions or concerns, kindly contact us at support@wellness360.co.

Training and Awareness

Our core group of privacy and project managers ensures that all GDPR requirements, from marketing and implementation to People Ops, are covered. The team communicates regularly to discuss current status, progress, and GDPR validations. This team also ensures that all relevant associates working at Wellness360 are aware of and trained on the current GDPR requirements.

Consent

Our cookie policy has been updated to provide you with complete transparency into what happens when you visit our site and how that information is used. Our cookie policy page also gives the steps to control how your browser handles website cookies. You can make the required changes in your browser settings.

Data Inventory

We have reviewed and identified all the areas of Wellness360 where we collect and process customer data, and we have categorized and recorded everything, from cookies to support conversations. Using this inventory, we have validated our legal grounds for collecting and processing all customer personal data. These have been double-checked to ensure appropriate security and privacy measures across our entire infrastructure and software systems. Our Privacy Policy describes what we do with the collected data and how we manage consent.

Updates to our third-party vendor contracts

Wellness360 is in the process of reviewing our third-party vendors and examining their GDPR compliance in depth. We already have DPAs in place with most of our vendors who offer a signed version, while others are taking the same approach as us and having the DPA be automatically accepted as part of the Terms of Service.

Clear and concise terms of service and privacy policy

At Wellness360, we practice transparency at every step, and this extends to our customers and services too. With our updated Terms of Service and Privacy Policy, we clearly describe the personal data we collect and process, why we collect it, how we use it, who we share it with, and how long we store it. We have always made an effort to keep the language in our Terms of Service and Privacy Policy as simple as possible, and we have updated these notices to describe how we respect and protect your personal data. We hope you find them concise, transparent, intelligible, and easily accessible.

Individual Data Subject’s Rights – Data Access, Portability, and Deletion

Wellness360 is committed to helping our clients meet the data subject rights requirements of the GDPR. We process and store all personal data with fully vetted, DPA-compliant vendors. All information, conversations, and personal data are stored for up to 6 years unless the account is deleted. If the account is deleted, the data is retained for no more than 60 days, after which it is disposed of according to the Terms of Use and Privacy Policy.

Working with EU customers requires giving them the ability to access, update, recover, transfer, or delete personal data, so Wellness360 provides you with access to your data and your customers' data. For any queries about exporting data, access concerns, or any other questions, please contact us at support@wellness360.co.

Risk Assessment (data protection impact assessments)

Having a controlled data protection impact assessment (DPIA) process is a GDPR requirement. A DPIA process helps identify and minimize the data protection risks of a given project. The Wellness360 team always performs diligent security and privacy checks when making design and implementation decisions, so this requirement is an easy one for us. Every time a change is introduced that handles personal data, we spend considerable time discussing its potential impact on Wellness360's customers, along with the possible privacy and security risks to personal data. If a possible risk is identified, our product and operations teams collaborate to find a suitable solution that mitigates the data privacy and security risk to anyone who interacts with the Wellness360 platform. We will continue to perform this risk assessment process as we expand Wellness360 program offerings.

Breach Management

Wellness360 has a breach management and communication plan that complies with the GDPR terms and also supports the HIPAA requirements concerning the escalation process and provisions for data subject notification.

Contact Us

If you have any questions regarding how we protect customer personal data and comply with the GDPR terms, contact us at support@wellness360.co or leave a message via Contact Us.