Privacy Protocol
The privacy of clients and employees is of paramount importance to MediLingua. Employees are expected to take the right organizational and technical safeguards to prevent the privacy of clients and employees of MediLingua from being compromised. The employee is considered to have performed the correct organizational and technical guarantees if they have followed the following instructions.
A. External processing of personal data
1. At the time of quoting, the client is advised to limit the personal data supplied.
2. Personal data, which are processed in translation orders is used only insofar as this is necessary for a good quality service and for the assigned task.
3. The risk categories are made known to the client and the following is requested for the translation assignment:
a) which categories are involved;
b) whether the client wants to anonymize the personal data or pseudonymise; c) whether it is considered desirable for the translation agency to anonymize or pseudonymise the translation and translation order after execution for storage; d) or if different storage periods must be maintained for category 1 and 2;
e) whether the personal data in categories 1 and 2 must be returned or must be destroyed;
f) whether there are additional requirements.
4. No later than the time of quoting or when the translation is assigned to a resource, the employee will divide the translation assignment into one of the following categories:
Category 1: High risk
Type: The contract contains personal data of a very sensitive nature, such as criminal records and medical data.
Group: Limited to the actual translator and a person within MediLingua.
Security:
‐ very limited viewing rights
‐ storage takes place in an anonymous or pseudonymized form
- strictly limited storage period
- processing exclusively within the European Economic Area (EEA)
Category 2: Average risk
Type: The contract contains personal data that are of a sensitive nature and which are qualified by law as special personal data, with the exception of medical data, or relate to a well‐known person or related to a person or dispute that can lead to a disturbance in society.
Group: Limited to a small group of up to 5 people, all based on ‘need to know’.
Security:
- limited access rights
- storage does not have to be anonymous or pseudonymised
- general retention period
- processing exclusively within the EEA and countries with an adequacy decision
Category 3: Normal risk
Type: The assignment contains personal details such as name, address, place of residence.
Group: Limited to a group within MediLingua and the actual translator.
Security:
‐ internal access rights not secured
‐ normal storage process
‐ general retention period
‐ processing can take place worldwide within the framework of the GDPR
5. Employees are not allowed to use translation programs from open sources such as Google Translate. These are programs that initially request that license is granted to make use of the (translated) texts, even if the original texts are subsequently removed.
6. Employees are only allowed to use a LSP, which MediLingua has approved. These LSPs must comply with the GDPR. In the case of any doubt, MediLingua will remove LSPs from the list and inform them of this. From the moment of this knowledge it is no longer permitted to use LSPs that have been removed from the LSP list, unless the order has already been approved. In that case, the employee will immediately report this and MediLingua will make the final decision to use the LSP or not. MediLingua can request additional guarantees from the LSP.
B. Internal processing of personal data
The employee will:
1. Only process orders (view, store, translate etc.) in a secure manner via the translation platform or via a secure link/source.
2. Ensure that only those who have the authority to do so can see the assignment. The instructions from the client will form the guideline herein.
3. Insofar as there is a paper translation, the employee ensures that the paper translations are not left unattended and are always stored in a safe and screened location, even during short interruptions.
4. When closing the office or the workplace at the end of the working day, the employee will ensure that no documents, where possible personal data can be included, are visible on the desks (clean desk policy). For physical mailboxes, these are in a locked room, which is closed every day.
5. Insofar as it is necessary in the abovementioned cases to send paper files or documents (certified translations), transport is always by registered mail. The track and trace label should be kept for as long as the retention of the original document and until the translation is delivered to the destination.
6. Insofar as the sending or taking of personal data outside the translation platform is necessary, the personal data will only leave the company on a secure USB stick or the most secure (and workable) method at that moment.
7. With every absence, no matter how short, the employee must lock their equipment (computer, tablet, smartphone, etc.). Equipment is left as unattended as possible.
8. Log in data and passwords of employees are strictly personal and are never shared with colleagues or third parties.
9. The employee is constantly alert to e-mails with suspicious content and does not open them in case of any doubt about their authenticity or reliability.
10. If the employee notices that equipment reacts in practice differently than normal or if unusual reports appear on the screen, the employee reports this immediately to the Privacy Protection Officer (PPO) and uses the notified devices only after the PPO has determined whether it is safe to continue to use the device or the data.
11. The employee, who sends an e-mail with attachments to a third party, always checks whether the correct attachments have been added and whether these attachments contain confidential information or personal data that may not be made available to third parties.
12. The employee will make as much use as possible of the shipment of documents via a secure line or will send the documents encrypted.
C. Other provisions
1. Employees can be randomly checked for compliance with the aforementioned rules and guidelines.
2. MediLingua reserves the right to adjust this Privacy Protocol as a result of incidents or changed legislation and/or developments in the field of privacy monitoring. On our website you will always find a copy of the most current version of this Privacy Protocol.
Leiden, 20th May 2018
MediLingua Medical Translations B.V.