Merimna Institute Privacy Policy

GDPR Compliant (May 2018)

Overview

Merimna Institute is a certified center for continuing dental education in Greece, licensed by the Hellenic Ministry of Education, Research and Religious Affairs,  General Secretariat of Lifelong Learning  , E.O.P.P.E.P Licence Number Ke.Di.Bi.M1 2101624 – Ke.Di.Bi.M2 202168085 Merimna Institute is committed to protecting your privacy. The General Data Protection Regulation (GDPR) is a new EU legal framework for data protection. The GDPR will apply to all member states from the 25th May 2018. The GDPR introduces some new obligations for organisations that collect, use, share and store personal data. This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others, and how we keep it secure. We may change this Policy from time-to-time so please check this page occasionally to ensure that you are happy with any changes. By using our website, you are agreeing to be bound by this Policy. Any questions regarding this Policy and our privacy practices should be sent by email to: dpo@merimnaseminars.gr or by writing to: Merimna Institute Continuing Dental Education Institution , 272Α Vouliagmenis A. Ag. Dimitrios, Athens, Postal Code: 173 43 Greece Phone: (+30) 210 9734000 Lawful Basis for Processing Under EU data protection law, there must be a lawful basis for all processing of personal data (unless an exemption or derogation applies): Legitimate interests Consent Legal Contractual necessity Compliance with legal obligations

What Personal Data Do We Collect?

We collect information about you when you register with us for services. We also collect information when you voluntarily complete customer surveys, provide feedback and participate in competitions. Website usage information is collected using cookies. We may collect information from you, such as: Name Address Telephone number Email address Nationality Work experience Professional registration number (if relevant) Feedback and testimonials of our courses Photographs at events IP address Ethnicity (if relevant) Special needs (if relevant)  

How Will We Use the Information?

  We collect information about you to provide our services and, if you agree, to email you about other services we think may be of interest to you. We use your information collected from the website to personalise your repeat visits to our website. Merimna Institute will not share your information for marketing purposes with other companies. We may process your information as follows: Send you details about our services Register you on a course or service Send you information about the course or service you have signed up for Seek views or comments about the services we provide Send communications you have requested and that may be of interest Process a grant or job application Use your feedback and photos taken at events for marketing purposes Who will the information be shared with? In order to provide certain services, we will be obliged to share your information with third parties in the following circumstances: University or awarding-bodies With third-party education, distribution and accounting services In each of these circumstances we have contacted the organisations and obtained a copy of their GDPR compliant policies. For more detailed information please contact us.  

Marketing

  We would like to send you information about our services and other companies in our group, which may be of interest to you. If you have consented to receive marketing, you may opt out at a later date. We also may ask to share your information with relevant third-party organisations such as sponsors of a learning event. We will always ask your permission before doing this and give you the option to opt out at a later time. You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please let us know by emailing us here: dpo@merimnaseminars.gr or by writing to: Merimna Institute Continuing Dental Education Institution , 272Α Vouliagmenis A. Ag. Dimitrios, Athens, Postal Code: 173 43 Greece Phone: (+30) 210 9734000  or follow the link bellow “Unsubscribe”

Access to Your Information and Correction

  You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please let us know by emailing us here: dpo@merimnaseminars.gr or by writing to: Merimna Institute Continuing Dental Education Institution , 272Α Vouliagmenis A. Ag. Dimitrios, Athens, Postal Code: 173 43 Greece Phone: (+30) 210 9734000 We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information that you think is inaccurate.  

Cookies

  Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. For further information visit: www.aboutcookies.org or www.allaboutcookies.org You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

Merimna Institute Data Protection Policy

May 2018

Overview

Merimna Institute is a certified center for continuing dental education in Greece, licensed by the Hellenic Ministry of Education, Research and Religious Affairs,  General Secretariat of Lifelong Learning  , E.O.P.P.E.P Licence Number Ke.Di.Bi.M1 2101624 – Ke.Di.Bi.M2 202168085 This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and how we keep it secure. Merimna Institute needs to collect and maintain certain information about its employees, students and other users of its services to allow it to monitor, for example, performance, achievements, and Health and Safety. It is also necessary to process information so that employees and students can be recruited; employees paid, courses organised, external funding secured and legal obligations to funding bodies and government complied with. Accordingly, data may be collected, not only from and about actual employees, students and service users, but also from and about a wide range of individuals having or contemplating dealings with Merimna Institute; including employees and students, individuals involved in fund-raising and other individual stakeholders. In order to ensure that information is collected and used fairly, stored safely and not disclosed to any other person unlawfully and that employees or others who process or use any personal information ensure that they follow the Data Protection Principles set out below; Merimna Institute has adopted this Information and Data Protection Policy. We may change this Policy from time to time so please check this page occasionally to ensure that you are happy with any changes. By using our website, you are agreeing to be bound by this Policy. Any questions regarding this Policy and our privacy practices should be sent by email to: dpo@merimnaseminars.gr or by writing to: Merimna Institute Continuing Dental Education Institution , 272Α Vouliagmenis A. Ag. Dimitrios, Athens, Postal Code: 173 43 Greece Phone: (+30) 210 9734000 Merimna Institute has appointed the CEO as the Data Protection Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with this Policy.  

Policy Statement

  Merimna Institute will ensure that information is collected and used fairly, stored safely and not disclosed to any other person unlawfully. Whenever collecting information about people Merimna Institute will therefore comply with the Data Protection Principles, which are set out in the General Data Protection Regulation (GDPR) and require that personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to individuals; b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.  

Lawful Basis

  In ensuring that personal data are processed lawfully, Merimna Institute will only process data under one of the six lawful basis for processing set out in Schedule 6 of the GDPR: Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). Vital interests: the processing is necessary to protect someone’s life. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.  

Individual’s Rights

  Merimna Institute recognises that individuals have the following rights: a) the right to be informed of the information Merimna Institute holds on them in a concise, transparent, intelligible and easily accessible way. Merimna Institute will typically make this information available through a Privacy Notice; b) the right of access to their personal data and supplementary information, and to be aware of and verify the lawfulness of the processing; c) the right to rectification of their personal data if it is inaccurate or incomplete; d) the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing; e) the right to ‘block’ or suppress processing of personal data; f) the right to data portability: to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability; g) the right to object to: processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics; and h) the right not to be subject to a decision when it is based solely on automated processing and produces a legal effect or a similarly significant effect on the individual. In interpreting the Data Protection Principles and in making judgments on specific matters, Merimna Institute will take account of the most recent guidance issued by the Information Commissioner’s Office (ICO).

Policy Objectives

To ensure that Merimna Institute adopts best practice and compliance with legal requirements in its collection, processing and storage of personal data.

Scope of Policy

The policy applies to all employees, students and other users of Merimna Institute services. This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by Merimna Institute from time to time. Any breach of the General Data Protection Regulation or this policy will be considered to be an offence and in that event, Merimna Institute disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with Merimna Institute and who have access to personal information will be expected to have read and to comply with this policy. Employees who deal with external agencies will take responsibility for ensuring that such agencies sign a declaration agreeing to abide by this policy and detailing for how long it has been agreed that any data should be retained. Details of the declaration must be entered on a register to be held by Merimna Institute Data Protection Controller. Any employee or student (or former employee or student) or other individual who considers that the policy has not been followed in respect of the personal data held about them, should initially raise the matter with the Data Protection Controller. If the matter is not resolved it should be raised as a formal grievance or complaint.  

Practical Implementation

  All Employees Are Responsible For: a) checking that any information that they provide to Merimna Institute in connection with their office or employment is accurate and up to date; b) informing Merimna Institute of any changes to the information which they have provided e.g. changes of address, next of kin, bank details etc.; c) checking the information that Merimna Institute will send out from time to time, giving details of information kept and processed about them; d) informing Merimna Institute of any errors or changes; and e) ensuring that they abide by Merimna Institute Information Systems Acceptable Use Policy. Merimna Institute cannot be held responsible for any errors unless the individual has informed Merimna Institute of them. If and when, as part of their responsibilities, employees collect information about other people they must comply with the guidelines for employees. In particular they are responsible for ensuring that: any personal data that they hold are kept securely; when personal data need to be transmitted, internally or externally, they are transmitted securely; and personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party. Employees should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases. Personal Information Must: be kept in a locked filing cabinet; or be kept in a locked drawer; or if it is computerised, be password protected; or be kept only on electronic media which are themselves kept securely. Managers Must Ensure That: all personal data processed within or by members of their curriculum or professional service team are processed according to the Data Protection Principles outlined above; privacy notices have been adequately communicated to those whose data are collected, stored or processed; consent has been duly obtained where it forms the lawful basis for processing the data; individuals have been made aware of their rights under the GDPR; any third parties who are commissioned to process personal data on Merimna Institute behalf are engaged under a written contract which includes those terms required under the GDPR as set out in guidance issued by the Information Commissioner’s Office; privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle. In planning projects, managers must ensure the principles of “privacy by design” are observed and where required a Data Protection Impact Assessment is undertaken in conjunction with the Data Protection Controller; and that any breaches of personal data are immediately notified to the Data Protection Officer who will investigate accordingly and where necessary notify the Information Commissioner’s Office. Student’s Responsibilities: Students must ensure that all personal data provided to Merimna Institute are accurate and up to date. They must ensure that changes of address, etc. are notified to the Student Services Team. Students who use Merimna Institute computer facilities may, from time to time, process their own personal data. If they do so they must ensure that they comply with Merimna Institute‘s IT Systems Acceptable Use Policy. Data Subject Rights Data Subjects (those individuals about whom Merimna Institute has information on its records) have rights regarding data processing, and the data that are recorded about them, as set out above. Employees, students and other persons from or about whom Merimna Institute has collected personal data therefore have the right to access any personal data that are being kept about them or to receive notification of the information currently being held about them either on computer or in relevant files. Any person who wishes to exercise this right should submit their request to the Data Protection Controller. Merimna Institute aims to comply with requests for access to personal information as quickly as possible, and will ensure that it is provided within one month unless requests are complex or numerous. If this is the case, Merimna Institute will inform the individual within one month of the receipt of the request that it needs to extend the period of compliance by a further two months, and will explain why the extension is necessary. Merimna Institute reserves the right to charge a reasonable fee, taking into account the administrative costs of providing the information, where requests are manifestly unfounded or excessive, in particular because they are repetitive. In exceptional circumstances Merimna Institute may exercise its right to refuse to respond but will explain, at the latest within one month, why, to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy. Disclosure Merimna Institute will ensure that personal data are not disclosed to unauthorised third parties (including family members, friends, government bodies or the Police) except in the circumstances set out in Part 4 of, and Schedule 7 to, the Data Protection Act 1998 and listed below in which personal data may legitimately be disclosed. Personal data may be legitimately disclosed where one of the following conditions applies: a)the individual has given their consent (e.g. a student/employee has consented to Merimna Institute corresponding with a named third party); b)the disclosure is in the legitimate interests of Merimna Institute (e.g. personal information can be disclosed to other Merimna Institute employees if it is clear that those employees require the information to enable them to perform their jobs); c)Merimna Institute is legally obliged to disclose the data; or d)disclosure of data is required for the performance of a contract (e.g. informing a student’s employer or sponsor of course changes/withdrawal etc). The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes to safeguard national security: prevention or detection of crime including the apprehension or prosecution of offenders; assessment or collection of tax duty; discharge of regulatory functions (includes health, safety and welfare of persons at work); to prevent serious harm to a third party; to protect the vital interests of the individual (this refers to life and death situations). Sensitive Information Sometimes it is necessary to process information about a person’s health, criminal convictions, race, gender or family details. This may be to ensure that Merimna Institute is a safe place for everyone, or to operate other Merimna Institute policies, such as the Sick Pay Policy or Equality and Diversity Policy. Merimna Institute may also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. Merimna Institute will only use such information in the protection of the health and safety of the individual. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, employees and students will be asked to give express consent for Merimna Institute to do this. All prospective employees and students will therefore be asked to provide consent for Merimna Institute to process data, regarding particular types of information when an offer of office or employment or a course place is made. A refusal to sign such a form will result in the offer being withdrawn. Examination/Assessment Marks Students who have no outstanding payment of course or assessment fees will be entitled to information about their marks or grades for both coursework and examinations. This may take longer than other information to provide, but will normally be available within 28 days, dependent on when the relevant awarding organisation furnishes Merimna Institute with the information. Where students have outstanding course or assessment fee payments due, Merimna Institute may withhold certificates, accreditation or references until the full course fees have been paid, or all books and equipment returned to Merimna Institute. Retention and Disposal of Data Merimna Institute will normally keep personal information only for as long as it is required to retain it for legal or other statutory reasons or as required by the funding or examination body or to meet its responsibilities as an employer (e.g. information regarding pensions, taxation, potential or current disputes or litigation regarding the employment) or education provider. A schedule of retention for different categories of personal information will be maintained by the Data Protection Controller. Personal data will be disposed of in a way that protects the rights and privacy of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion). Data Security In order to ensure the protection of personal data held electronically, staff and students are required to adhere to Merimna Institute IT Systems Acceptable Use Policy. Breaches of this policy where they concern misuse of personal data will be treated as disciplinary matter. Merimna Institute Management Team are responsible for ensuring that there are appropriate and adequate security measures in place including, as part of Merimna Institute Business Continuity arrangements, an IT Recovery Plan. Should there be a breach of security Merimna Institute will notify any individuals whose personal data may have been disclosed to a third party as a result of the breach and will consider whether the breach warrants reporting to the Information Commissioner’s Office under the ICO’s Guidance on Notification of Data Security Breaches. Communication and Training The policy will be communicated to staff and students through Merimna Institute website and internal communication services. Review and Monitoring of Policy The Information and Data Protection Policy will be reviewed biennially. The Senior Management Team is responsible for monitoring the implementation of the Policy via reports from the Data Protection Controller and relevant members of the Management Team. Employee Guidelines for Data Protection Many employees will process data about students on a regular basis, when marking registers or Merimna Institute work, writing reports or references, or as part of a pastoral or academic supervisory role. Other employees may need to process data about fellow members of staff or other individuals. Merimna Institute will ensure, through registration and recruitment procedures that all students give their consent to such processing, and are notified of the categories of processing, as required by the 1998 Act. The information that employees deal with on a day-to-day basis will be ‘standard’ and will cover categories such as: general personal details such as name and address; details about attendance, or about course work marks, grades and associated comments or performance at work; and notes of personal supervision, including matters about behaviour and discipline. Information about an individual’s physical or mental health; sexual orientation; political or religious views; trade union membership or ethnicity or race is sensitive and can only be collected and processed with the student’s consent. If employees need to record this information where agreed Merimna Institute policies and practices require or encourage the sharing of this information, they should use Merimna Institute standard forms and templates. All employees have a duty to make sure that they comply with the Data Protection Principles, which are set out in the Merimna Institute Information and Data Protection Policy. In particular, employees must ensure that records are: (a) accurate; (b) up-to-date; (c) fair; and (d) kept and disposed of safely, and in accordance with Merimna Institute policy. Employees must not disclose personal data relating to any individual to any student, unless for normal academic or pastoral purposes, without authorisation or agreement from the Data Protection Controller, or in line with Merimna Institute policy. Employees must not disclose personal data relating to any individual to any other employee except with the authorisation or agreement of the Data Protection Controller, or in line with Merimna Institute policy. Before processing any personal data, all employees should consider the following checklist: Do you really need to record the information? Is the information ‘standard’ or is it ‘sensitive’? If it is sensitive, do you have the data subject’s express consent? Has the data subject been told that this type of data will be processed? Are you authorised to collect/store/process the data? If yes, have you checked with the data subject that the data are accurate? Are you sure that the data are secure? If you do not have the data subject’s consent to process, are you satisfied that it is in the best interest of the student or the employee to collect and retain the data? Have you reported the fact of data collection to the authorised person within the required time?