Policies | Child Protection Policy | Guidelines for Charitable Organisations on Fundraising from the Public | Privacy Policy| Cookies Policy | Whistle Blowing Policy | Anti Fraud Policy | Data Protection Policy

5. POLICY STATEMENTS

5.1 Fair and lawful processing:
Valid Nutrition shall Process Personal Data lawfully and fairly.

(a) Legal basis for processing:
Valid Nutrition shall ensure it relies on one of the following legal bases for each Processing activity:

• (I) consent;
• (II) Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
• (III) Processing is necessary for compliance with a legal obligation to which Valid Nutrition is subject;
• (IV) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• (V) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Valid Nutrition; or
• (VI) Processing is necessary for the purposes of the legitimate interests pursued by Valid Nutrition or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data.

Where the Processing is based on consent from the data subject, the consent should be freely given, specific and unambiguous and be indicated by a positive action taken by the data subject. The data subject shall be informed of the method for withdrawing consent. If the consent is given in the context of a written declaration that deals with other matters, the consent should be clearly distinguishable.

Sensitive Personal Data is considered extremely sensitive and therefore additional care must be taken when dealing with it. Valid Nutrition shall ensure it relies on one of the following legal bases for each Processing activity:

• (I) explicit consent;
• (II) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the fields of employment, social security and social protection law under national or EU law or a collective agreement providing for appropriate safeguards for the interests of the data subject;
• (III) Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; (
• IV) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the Processing relates solely to the members, former members or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed outside that body without the consent of the data subjects;
• (V) Processing relates to Personal Data which is manifestly made public by the data subject;
• (VI) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
• (VII) Processing is necessary for reasons of substantial public interest, on the basis of national or EU law which shall be proportionate, to respect the right to data protection and provide for suitable measures to safeguard interests of the data subject;
• (VIII) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or national law or pursuant to contract with a health professional and subject to appropriate conditions and safeguards;
• (IX) Processing is necessary for reasons of public interest in the area of public health on the basis of national or EU law which provides for suitable measures to safeguard the rights of the data subject, in particular professional secrecy; or (
• X) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with national or EU law which shall be proportionate to the aim pursued, respect the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights of the data subject.

With respect to (VIII) above, data must be processed by or under the responsibility of a professional subject to the obligation of professional secrecy under national or EU law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under national or EU law or rules established by national competent bodies.

(b) Transparency:

• (I) Valid Nutrition shall Process Personal Data in a transparent way ensuring notices, policies, and consents are concise, intelligible, easily accessible, provided in clear and plain language and are easy to understand and free of charge;
• (II) Valid Nutrition shall communicate the name and contact details of the data controller and the purposes of the Processing to individuals. Valid Nutrition shall also give details of the purposes of (and the legal basis for) the Processing of Personal Data, the recipients or categories of recipients of Personal Data, the storage period applicable to such data, the source from which the Personal Data originates (where Personal Data is not obtained directly from the data subject), information on automated decision-making (where relevant) and, where applicable, the basis of any international data transfers outside of the EEA;
• (III) Valid Nutrition shall inform data subjects of their rights in relation to their Personal Data and how those rights can be exercised;
• (IV) Where Valid Nutrition Processes Personal Data based on legitimate interests, it shall describe those interests;
• (V) Where Valid Nutrition Processes Personal Data based on consent, it will inform the data subject of the method for withdrawing consent;7and
• (VI) Valid Nutrition shall inform data subjects of their rights and how those rights can be exercised.

5.2 Purpose limitation:

Valid Nutrition shall collect Personal Data for explicit and legitimate purposes and not further Process such data in a manner that is incompatible with those purposes.

(a) Any further Processing of Personal Data that is incompatible with the original purpose that it was collected for must be approved by the Data Protection Compliance Team.

(b) If the Personal Data proposed to be Processed for an incompatible purpose is Sensitive Personal Data, it must be submitted for a Privacy Impact Assessment.

5.3 Data minimisation & storage limitation:

Valid Nutrition shall implement measures and procedures which minimise the Processing of Personal Data to that which is adequate, relevant, and limited to what is necessary, and shall erase the data when no longer necessary for the purposes for which they were collected, except in cases of data used for statistical purposes, which may be further retained.

5.4 Accuracy:

Valid Nutrition shall ensure that Personal Data shall be accurate and, where necessary, kept up to date.

(a) Valid Nutrition shall provide Personnel with the ability to update their Personal Data on an ongoing basis;

(b) Valid Nutrition shall ensure that direct marketing recipients are informed of how to update their Personal Data as part of Valid Nutrition’s direct marketing materials;

(c) Valid Nutrition shall update service provider Personal Data when alerted to do so by the service provider or at a time of contract renewal.

5.5 Security:

Valid Nutrition shall implement appropriate measures to ensure the integrity, availability and confidentiality of Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

5.6 General obligations:

Valid Nutrition shall comply with the following obligations under the GDPR:

(a) Personal Data breach notification:

All Personnel are required to inform the Data Protection Compliance Team, relevant Legal representative, and Tech Support immediately upon discovering a Personal Data breach. Valid Nutrition shall notify the relevant supervisory authority of data breaches within 72 hours if the breach is likely to result in a risk to the rights and freedoms of natural persons. If the breach has the potential for serious harm to an individual’s rights and freedoms, that individual will be notified without undue delay (with certain exceptions if there are new security standards or it would involve disproportionate effort).13

Regardless of severity or requirement to notify, Valid Nutrition will keep a record of Personal Data breaches including date, time, location of event, and rational for reporting or not reporting the incident.

(b) Privacy by design and default:
Valid Nutrition shall consider privacy compliance at the outset of new projects (e.g., new IT systems, new research projects using Personal Data, contracting with vendors) or when looking at mergers or acquisitions, taking into consideration the risks to data subjects.14

(c) Data subjects’ rights:

(I) Subject Access:
Valid Nutrition shall, if applicable, provide the data subject with electronic access to (and where applicable, a copy of) Personal Data without undue delay and at the latest within one month and give reasons where Valid Nutrition does not intend to comply with the relevant request.

(II) Data Portability:
Valid Nutrition shall facilitate or provide the data subject the ability to receive, move, copy or transmit their Personal Data from Valid Nutrition to another controller without undue delay and at the latest within one month (or within three months in complex cases), if such Personal Data was Processed on the basis of consent or necessary for a contract of which the data subject was a party and if all of the following apply:

• i. the Personal Data concerns the data subject;
• ii. the Personal Data is provided by the data subject and is not inferred or derived data; and
• iii. the provision of the right above shall not adversely affect the rights and freedoms of other data subjects.

(III) Rectification and Erasure:
Valid Nutrition shall have procedures in place allowing for the rectification of inaccurate Personal Data or erasure of Personal Data upon the request of a data subject. Valid Nutrition shall grant the request if one of the following applies:

• i. the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise Processed;
• ii. the data subject withdraws consent on which the Processing is based (and where there is no other legal ground for the Processing, to be confirmed by the Data Protection Compliance Team);
• iii. the data subject objects to the Processing and there are no overriding legitimate grounds for the Processing to be confirmed by the Data Protection Compliance Team;
• iv. the Personal Data has been unlawfully Processed, to be confirmed by the Data Protection Compliance Team; and
• v. the Personal Data has to be erased for compliance with a legal obligation.

(IV) Right to Restrict Processing:
Valid Nutrition shall comply with a data subject’s request to restrict Processing where one of the following conditions applies:

• i. the accuracy of the Personal Data is contested by the data subject, for a period enabling Valid Nutrition to verify the accuracy of the Personal Data;
• ii. the Processing is unlawful and the data subject opposes the erasure of the Personal Data and requests the restriction of use of such Personal Data instead;
• iii. Valid Nutrition no longer needs the Personal Data for the purposes of the Processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
• iv. the data subject has objected to Processing, pending the verification whether the legitimate grounds of Valid Nutrition override those of the data subject.

(V) Objection to Processing:
Valid Nutrition shall have procedures in place allowing for the individual’s right to object to any profiling (including online tracking and behavioural advertising).

(VI) Process for responding to Data Subject Requests:

• i. Request may be made in any written form. If any member of Personnel receives a document or other communication that may be a data subject request, this must be forwarded at the earliest to the Data Protection Compliance Team at DPO@validnutrition.org.
• ii. Any data subject making a request must be required to provide sufficient identification to confirm their identity before Valid Nutrition Group shall take further steps. The types of information used to confirm a data subjects identity may vary depending on the situation and sensitivity of the information requested.
• iii. Valid Nutrition’s response to Data Subject Requests will be guided by the Data Subject Request Guide.

(d) Appointment of data processors:
Valid Nutrition shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures such that the Processing meets the requirements of the GDPR and ensures the protection of rights of the data subject.16 Valid Nutrition’s process for appointing a data processor will be guided by the Privacy by Design Toolkit.

(I) When an Valid Nutrition entity engages the services of a processor to Process Personal Data on its behalf and the processor is a third party, the Valid Nutrition entity shall select a data processor that provides appropriate assurances as to the level of security it shall employ in respect of the Personal Data to be Processed.

(II) The Valid Nutrition entity shall ensure that a contract is entered into with third-party processors which addresses relevant requirements of the GDPR and as a minimum requires that the processor shall:

• i. act only on instructions from the controller;
• ii. impose a duty of confidentiality on relevant staff;
• iii. implement security measures;
• iv. subcontract only with the controller’s prior permission;
• v. make arrangements to enable the controller to fulfil the rights of data subjects (see above);
• vi. assist the controller in complying with its obligations regarding data security and consultation with supervisory authorities;
• vii. return all relevant Personal Data to the controller after the end of the Processing and not Process the relevant Personal Data further; and viii. make available to the controller and the supervisory authority all necessary information regarding the processor’s data Processing activities.

(III) Where the Valid Nutrition entity is established in the EEA and engages a third-party processor established outside the EEA to Process Personal Data on its behalf, the Valid Nutrition entity shall either:

• i. ensure that a contract is in place with the data processor substantially in the form of, or incorporating the terms of, the Model Clauses for data processors (subject to any amendments that may be permitted by applicable EU privacy laws); or
• ii. ensure that other suitable protections are in place, in accordance with applicable EU privacy laws.

(e) Training and awareness:
Valid Nutrition shall provide training to staff who are involved in any Processing of Personal Data.

• (I) Valid Nutrition maintains a privacy and security awareness program focused on educating all Personnel about the Valid Nutrition Group’s privacy and security policies, as well as privacy and security best practices. A variety of communication channels shall be used to disseminate privacy and security awareness information. Best practice and privacy and security awareness tip sheets and initiatives guides are available on dedicated privacy and security intranet sites for all Personnel to access.
• (II) Valid Nutrition also ensures that Personnel who have access to, or responsibility for, handling Personal Data are provided with appropriate guidance and training.
• (III) All Personnel are required to comply with our training policies and must indicate their acceptance of these policies on an annual basis.

(f) Data transfers outside the EEA:
Valid Nutrition shall ensure that all transfers of Personal Data to third parties shall be subject to the appropriate safeguards (e.g., Model Clauses, Privacy Shield, BCRs, approved codes of conduct, etc.) unless a derogation applies (such as where the data subject has given explicit consent, or where the transfer is necessary for the performance of a contract, etc.), and that enforceable rights and effective legal remedies shall be available for data subjects.18

(g) Resources and audit:
Valid Nutrition shall ensure the necessary resources are made available to implement and monitor policies, procedures, and controls required by the Data Protection Framework, and shall regularly conduct data protection audits to ensure compliance with this Policy and the Data Protection Framework.

Valid Nutrition shall implement an audit programme, including:

• (I) Internal audit – audits are carried out by Valid Nutrition’s Data Protection Compliance Team on a rolling basis, assessing information security and compliance within the Group.
• (II) External audit – audits assessing the security of the firm’s business systems are carried out annually by Valid Nutrition’s external auditors.

5.7 Exceptions:
There are no exceptions to compliance with this Policy.