Privacy Notice - HPRA

Introduction:

This Privacy Notice (“Notice”) sets out Hauora Ltd.'s (“Hauora", “we”, “us”) commitment to protecting the personal data of employees of The Health Products Regulatory Authority (“HPRA”). Hauora will collect, store, and process personal data in accordance with this Notice and the requirements of data protection laws, including the General Data Protection Regulation (“GDPR”). The personal data processed will be related to the employees of HPRA and processed as part of Hauora's Whole Person Wellbeing Program (“Program”).

Data Controller / Processor:

HPRA, acting as a Data Controller in relation to the processing of personal data of their employees, have engaged Hauora as a Data Processor to provide the Program.

Data Collection and Legal Basis for Processing:

Hauora will collect personal data provided directly to us by the data subject or by HPRA. The legal basis for processing is Article 6(1)b of the GDPR where processing is necessary for the performance of a contract you are party to with the HPRA. This personal data will include contact details (such as names, email addresses, and phone numbers), information related to employment (such as role, and experiences), personal opinions, and inferences drawn from this personal data. It is possible that additional data will be collected through voluntary disclosures such as in free text fields of focus groups. Personal data will generally be collected through surveys, focus groups, follow-up interactions, and data shared by HPRA to enable communication with data subjects. Hauora will process personal data required to fulfil its contracted services with HPRA related to the Program. You are required to complete this survey within the timeframe specified within communications requesting completion.

Data Storage:

The data collected through the Program will be stored in secure locations, such as Google Forms or another secure cloud storage service. Access to this data will be restricted to authorized personnel only and appropriate technical and organisational measures will be implemented to ensure the protection of personal data from unauthorised access, loss, theft, or misuse.

Data Use:

Hauora will use contact details to identify and communicate with individuals via phone calls, emails, or in-person contact. Personal data related to employment, opinions, and inferences drawn from this data will be used to conduct, analyse, and generate reporting related to the Program. Hauora will follow the principle of data minimization and will only process directly identifiable personal data where the outcome cannot be achieved with anonymised or pseudonymised data. Hauora will not process personal data using fully automated processes.

Data Subject Rights:

The employees of HPRA have the following rights in relation to their personal data:

• The right to access their personal data and receive information about how it is being processed.

• The right to correct any inaccuracies in their personal data.

• The right to request that their personal data be deleted.

• The right to restrict the processing of their personal data.

• The right to request a copy of their personal data in a commonly used electronic format.

To exercise any of these rights, the data subject can contact dpo@hauoralife.com or dataprotectionofficer@hpra.ie. We will respond to requests as soon as possible and within the timeframe required by law.

In the event that a data subject has a complaint or dispute regarding the processing of their personal data, they may reach out to the designated Data Protection Officer (DPO) by sending an email to dpo@hauoralife.com or to dataprotectionofficer@hpra.ie. The DPO will investigate the complaint and take appropriate steps to resolve the issue in a timely manner. Data subjects may also contact the Data Protection Commission directly at https://forms.dataprotection.ie/contact.

Data Breach Notification:

In the event of a data breach, Hauora will promptly assess the risk to individuals' rights and freedoms. Hauora will notify HPRA of any breach, and together we would notify the relevant authorities and affected individuals without undue delay. We will also take appropriate steps to mitigate the effects of the breach and prevent similar breaches from occurring in the future.

Data Retention:

Hauora will retain the personal data of employees of HPRA in accordance with GDPR guidelines and Hauora’s data retention policy. The specific retention period will be 3 years. Upon the expiration of this period, the personal data will be securely deleted or destroyed.

Privacy by Design:

Hauora is committed to incorporating privacy considerations into the design and development of new systems, services, and processes. We take a proactive approach to privacy protection and strive to minimise the collection and use of personal data.

Third-Party Data Processors:

Hauora may use third-party data processors, including Google Forms and Google Workspace, to store and process the personal data collected from individuals. These third parties will be contractually bound to maintain the confidentiality and security of the data and to process it only in accordance with Hauora’s instructions.

Conclusion:

This Notice sets out Hauora’s commitment to protecting the personal data of employees of HPRA and to comply with the requirements of data protection laws, including the GDPR. We will regularly review and update this policy as necessary to ensure that it remains compliant and relevant. Updates we make will be posted on the Hauora Privacy Notice for HPRA webpage www.hauoralife.com/privacynoticehpra.

Contact Information:

If you have questions about our collection, or use of personal data, or to exercise one of the rights above, please contact us in one of the following ways:

• dpo@hauoralife.com

• dataprotectionofficer@hpra.ie