ComplianceLine has a Data Processing Agreement in place with Clients within the European Union (EU) and vendors, which includes the standard contractual clauses (EU 2010/87). ComplianceLine has a dual verification system for reports that may contain GDPR (General Data Protection Regulation) information.
During the setup process, any client who has locations in the EU or related states will automatically be assigned a category named “GDPR”. Any report that comes in from an EU or related state will be assigned the “GDPR” category. Also, as part of the review process by our QA Team, the reviewer will mark the “GDPR” checkbox, identifying these calls as GDPR. These two data points allow ComplianceLine to identify reports related to GDPR at any time.
Because of this, we are able to provide clients with their report information in a timely fashion. If a reporter contacts CL directly, we will notify the client of any data requested within one business day. ComplianceLine will wait up to one business day for the client to respond to any data requests. If the client has not responded at that time, ComplianceLine will act according to GDPR guidance.
ComplianceLine has determined that all call records pertaining to GDPR will be retained for 6 months. After 6 months, all report data will be purged from the system. A shell of the report will remain with a note that this report has been removed according to GDPR guidelines.
In order to identify records in SanctionCheck that are GDPR related, we provide clients with a field that they fill out when uploading their files to the system. All searches done against these names will be flagged as GDPR. This flag is how we identify any information that is provided in accordance with GDPR. If a data request, request for change, or request for deletion comes to ComplianceLine, we will respond to the client who performed the search within one business day. ComplianceLine will wait up to one business day for a response from the client for instruction on how to proceed with the request. If the client does not respond in this period, ComplianceLine will fulfill the request based on GDPR guidance.
Since SanctionCheck is a system of audit for checking employees, vendors, physicians, board members, and volunteers against sanction databases, we will save any records and search results for 2 years for any entity flagged as GDPR. After the 2-year time period, all search information will be completely purged from our system, leaving only a shell of the search with a note that this person “has been removed” in accordance with GDPR guidelines.