Mahalo’s Assessment of GDPR Compliance
GDPR Compliance
Relevant articles of the GDPR
Implementation
Territorial Scope
Article 3
Customers have the option of hosting data in Data Centers located in The Netherlands, US, UK, Singapore or Australia. For European trials, this means that medical data will not be transferred outside of the EU.
Principles relating to processing of personal data.Employee awareness training
Article 5
Personal data of Mahalo Employees is collected solely to support their work at Mahalo. For Customers, personal data is collected solely to support and improve their interactions with Mahalo. This primarily requires each contact’s full name, username, title/role, email address, phone number and job responsibilities. For Patients, the entry and use of personal data is the responsibility of the Customer. Mahalo provides secure hosting of the applications and corresponding databases. Only limited personnel within Mahalo have access to production databases based on their role. Authorizations are granted on the ‘need to know’ and ‘least privilege’ principles. These access restrictions are described in SOPs. All employees are aware of commitment to protecting patient information and are properly trained in Data Privacy, GDPR, and HIPAA. Lawfulness of processing Article 6
Lawfulness of processing
Article 6
Mahalo performs no processing of personal data other than is necessary to manage its Employees, support its Customers, respond to prospective Customers and fulfil its obligations to manage clinical trial data based on contractual requirements with Customers.
Conditions applicable to child’s consent
Article 8
Mahalo assumes that, for Patients in pediatric trials, informed consent is signed by the child’s authorized representative. Therefore no additional provisions are required for a child’s consent. Ultimately, this is the responsibility of the Customer. Processing of special categories of personal data Article 9
Processing of special categories of personal data
Article 9
No such personal data is collected directly from Customers by Mahalo. For Patients, where medical, genetic or biometric data can be collected, Mahalo assumes condition. For Patients, where medical, genetic or biometric data can be collected, Mahalo assumes condition 2(a) of Article 9 applies. i.e., the patient has given explicit informed consent. Data is protected using technical and organisational security measures.
Privacy Statement
Article 5. 12. 13. 14. 15
By visiting Mahalo’s websites and by using its services, website visitors and Customers are trusting Mahalo with their personal data. In the privacy and cookie statement Mahalo explains which data it collects and for which purposes.
Data Portability
Article 20
Participants of investigational studies must request data through Investigator, Sponsor, or CRO. Data Controller will contact Mahalo with any requests. Mahalo has a documented procedure in place to carefully handle these specific requests. Our “Data Subject Request Procedure” describes this process. It can be reviewed during audits
Data Retention Policy
Article 5, 13, 17 and 30
Mahalo documents its data retention policy in a processing activities registry according to article 30 GDPR. Mahalo’s “Document management and retention policy” can be reviewed during audits.
Security of processing
Article 5, 18, 32
Integrity and honesty are the key attributes of everything we do at Mahalo. We are committed to protecting our customers’ data above all else. Mahalo is secured according to the most recent standards in order to protect your data in the best possible way.
Appointment of DPO
Article 37-39
Mahalo has appointed an external DPO in order to comply with the obligations under the GDPR
Data Subject Rights Policy
Article 15-23
Mahalo has a documented procedure in place to carefully handle these specific requests. Our “Data Subject Request Procedure” describes this process. It can be reviewed during audits.
Responsibility of the Controller
Article 24,28
Mahalo has a documented procedure in place to carefully handle these specific requests. Our “Data Subject Request Procedure” describes this process. It can be reviewed during audits.
Privacy by design and by default
Article 25
“Secure Development & Quality Assurance Policy” and “Security/Privacy by Design Checklist” describe how these measures are implemented. Authorizations to internal environments and systems are granted on the ‘need to know’ and ‘least privilege’ principles.
Data Processing Agreement (Mahalo customers) Engaging Sub Processors
Article 28
Mahalo’s obligations towards its Customers is covered under the Master Service Agreement “MSA Mahalo Digital Ventures”. Mahalo also maintains a Supplier procedure that includes the completion of a DPA.
Data Processing Agreement (Suppliers - Mahalo as Controller)
Article 24 and 28
Mahalo’s obligations towards its Customers is covered under the Master Service Agreement “MSA Mahalo Digital Ventures”. Mahalo also maintains a Supplier procedure that includes the completion of a DPA.
Data Processing Agreement (Suppliers - Mahalo as Sun-Processor)
Article 28
Mahalo has a specific procedure in place to make sure products and services are purchased with suppliers who comply with Mahalo’s selection criteria and are onboarded according to Mahalo requirements (including the correct documentation), both to make sure all purchased products and services comply with the quality and information security standards needed for Mahalo. Covered under Data Processing Agreement.
Records of processing activities
Article 30
Documented in “Mahalo GDPR - Processing Activity Register” For Patients, the sponsor or CRO is responsible for the obligations set out in paragraph 1 of Article 30 as the controller. For Mahalo Customers, under paragraph 2, Mahalo only performs processing based on a signed Work Order or Change Request as the processor. MSA’s and DPA’s include details of processing activities and sub-processors.
Data breach procedure
Article 28, 33 and 34
If a data breach poses a risk to an individual’s rights and freedoms, Mahalo has a “Personal Data Breach management procedure” in place to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach. If Mahalo operates as a data processor it will notify every data breach to its Customer(s) within 48 hours.
Cooperation with the supervisory authority
Article 31
Mahalo has an established process for supporting a regulatory inspection.
Records of (possible) data breaches
Article 33
Mahalo has an overview of all (possible) security incidents and data breaches, managed through a CAPA List in Legisway
Privacy Impact Assessment
Article 35
A Data Protection Impact Assessment (DPIA) is a process that helps Mahalo identify and minimise the data protection risks of a particular service or product. Mahalo will perform a DPIA if type of processing is likely to result in a high risk to individuals.
Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Article 89
General information disclosed in Mahalo Security Statement
©2023 Mahalo Digital Ventures, Inc.