Data Processing Obligations Policy

PPL biomechanics is, in its own right, a ‘processor’ of data for the purposes of the GDPR. Consequently, in accordance with Article 28 of the GDPR, PPL biomechanics has in place suitable measures to ensure adherence to the GDPR. In particular, Article 28(3) outlines a range of regulatory responsibilities that any data ‘processor’ must adhere to when managing data as a result of a commercial relationship:

  • PPL biomechanics must only process data on instruction from the ‘data controller’ (e.g., in the form of a contract concerning the activity in question, or more informally, such as following an e-mail), including with regard to transfers of personal data to a third party or an international organisation, unless required to do so by Union or Member State law to which PPL biomechanics is subject; in such a case, PPL Biomechanics shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

  • PPL biomechanics ensures that its staff are authorised to process the personal data and are committed to confidentiality;
  • PPL biomechanics takes all appropriate security and organisational measures relating to the processing activities in question, pursuant to Article 32;
  • PPL biomechanics will assist data ‘controllers’ in complying with the rights of the data subject;
  • PPL biomechanics respects the conditions referred to in Article 23(2) and Article 23(4) for engaging another processor;
  • PPL biomechanics will assist data ‘controllers’ in complying with their data breach notification obligations, taking into account the nature of processing and the information available to PPL Biomechanics;
  • PPL biomechanics will delete or return all personal data to data controllers, if requested, at the end of processing activities or at the end of service provision or on termination of the contract, unless Union or Member State law requires storage of the personal data.

PPL biomechanics makes available to the controller all information necessary to demonstrate compliance with the obligations laid out in Article 28.