As a Wellness Advocate and Data Controller, what am I responsible for?
Wellness Advocates are responsible for abiding by the GDPR. The list of responsibilities below has been added to section 17 of the Europe Policy Manuals, as follows:
A. Data Protection: As self-employed independent contractors, Wellness Advocates are the data controller for any personal data (including customer personal data) they process in the course of their business activities as a Wellness Advocate. Wellness Advocates are responsible to ensure that such personal data are processed, stored, and disposed of fully in accordance with applicable data protection laws, including the EU General Data Protection Regulation 2016/679. This entails, amongst others, the following responsibilities:
1. to perform all of their obligations under applicable data protection laws, including data security and confidentiality obligations;
2. to ensure that data subjects are provided with appropriate information regarding the processing of their personal data, including the sharing of their personal data with the Company;
3. to ensure that they have a legal basis for the processing of personal data, including the sharing of personal data with the Company, and to obtain the data subjects’ consent for the processing of their personal data, if required by applicable data protection laws;
4. to ensure that data subjects can exercise the data protection rights granted to them under applicable data protection laws;
5. to enter into a written agreement with data processors they rely on to process personal data on their behalf, in accordance with applicable data protection laws;
6. to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with applicable data protection laws;
7. to notify the Company, immediately, of any actual or suspected data breach affecting personal data processed by Wellness Advocates in connection with their activities as a Wellness Advocate;
8. to cooperate fully with the Company in all reasonable and lawful efforts to prevent, mitigate, or rectify such personal data breach; and
9. to implement and provide adequate protection in the event of transfer of personal data to countries located outside of the EEA, as required under applicable data protection laws.