Last updated: 12th July, 2024
Inherent Risks is committed to the protection and privacy of personal data and medical data,
including that provided by third parties, and is subject to the principles of the General Data
Protection Regulation (GDPR), the UK’s Data Protection Act (DPA) 2018 that mirrors the same
requirements, United States state privacy laws, and all applicable healthcare privacy laws,
including the Health Insurance Portability and Accountability Act (HIPAA).
GDPR covers the protection of natural persons regarding the processing of personal data, and the
free movement of such data. It gives individuals greater rights over their personal information, and
places greater obligations on organisations to protect this data. It includes the right to be forgotten,
the right to know when personal data falls into the wrong hands and the need for explicit consent
(in certain cases) prior to processing personal information.
This Privacy Statement is provided in accordance with the General Data Protection Regulation
2016/679 (“GDPR”), including any EU national laws implementing or supplementing the same, and
any other applicable data protection laws (the “Data Privacy Laws”).
Inherent Risks operates globally and as such we are committed to complying with the applicable
data privacy and security requirements in the jurisdictions in which we operate. Inherent Risks
complies with internationally recognised standards of privacy protection, and with various privacy
laws globally including, but not limited to, the GDPR.
To the extent that Inherent Risks is deemed to be a data controller under Data Privacy Laws, this
notice fulfils our obligation to provide certain information to third parties whose personal data we
process in this capacity as required by Article 14 of the GDPR and the notice requirements set out
in any other Data Privacy Laws for processing personal data which has been obtained indirectly.
Data will be collected by Inherent Risks.
The Primary Principle of GDPR - “Privacy by design and by default”:
“Privacy by design and by default” stipulates that, from the initial stages onwards, organisations
must consider the impact that processing and controlling personal data can have on an individual’s
privacy.
Accountability and compliance:
Companies covered by the GDPR are rightly held more accountable for their handling of an
individual’s personal data. At Inherent Risks we take our responsibilities in this regard extremely
seriously – not only is it a legal requirement but it is also pivotal for client confidence in the
company. All Inherent Risks’ staff are to adhere closely to its data protection policies, impact
assessments and documentation covering regulatory requirements on how data is processed.
Personal data: “any information relating to an identified or identifiable natural person”. Personal
data can be anything that allows a living person to be directly or indirectly identified. This may be a
name, an address, or even an IP address. It includes automated personal data and can also
encompass pseudonymised data if a person can be identified from it.
Sensitive personal data:
There are greater and more specific conditions to be satisfied for sensitive personal data (or
'special categories') of information. These include trade union membership, religious beliefs,
political opinions, racial information, and sexual orientation.
There is also a requirement for businesses to obtain consent to process data in some situations.
When an organisation is relying on consent to lawfully use a person's information they have to
clearly explain that consent is being given and there has to be a "positive opt-in".
Controller:
A controller is an entity that decides the purpose and manner that personal data is used or will be
used.
Processor:
The person or group that processes the data on behalf of the controller. Processing is obtaining,
recording, adapting or holding personal data.
Requests for personal information are free of charge. When someone asks a business for their
data, the business must provide the information within one month. Everyone has the right to get
confirmation that an organisation holds information about them, access to this information and any
other supplementary information.
Inherent Risks collects the following categories of personal data:
Contact data: We may collect information about data subjects such as name and contact details
(email, phone number, etc.) in order to communicate with our clients or potential clients and to
facilitate the provision of our services. For example, we collect contact details of individuals who work
for or on behalf of the clients, in order to carry out the client’s engagement with Inherent Risks.
Services data: Personal data may be provided to us by clients to the extent required to perform the
services. Inherent Risks may also acquire personal data from a third party as required to perform
services requested by our client(s).
Marketing information: We may collect information to respond to inquiries regarding our products
and services or to provide you with information, reports, or updates.
Website visitor information: When you visit our website, we may collect information such as your IP
address and the pages you visited, and when you use our services we may collect information on
how you use those services.
Clients and other third parties who provide personal information to Inherent Risks must do so in
compliance with applicable data privacy regulations.
We collect personal data to offer and administer our services.
The data you provide to us will be processed in accordance with the purposes specified in this
notice, namely:
a. To provide the products or perform the services requested by clients and individuals pursuant to
a letter of engagement, service level agreement, statement of work, or similar (where the
processing is necessary for our legitimate business interests in conducting and managing our
business).
b. To provide the products or perform the services requested by clients and individuals using our
website or web applications (where the processing is necessary for our legitimate business
interests in conducting and managing our business).
c. For complying with obligations provided by laws, current regulations and European legislation
(e.g. tax regulations) (where processing is based on a legal obligation) or legislation in other
jurisdictions that may be applicable.
d. For legitimate business purposes to advise you through email, phone call, or post, in the
framework of our ordinary commercial relationship, about other products or services similar to the
products or services we have provided to you and that we think will be of interest to you (where the
processing is necessary for our legitimate business interests).
e. For marketing purposes. For example, we may use your information to further discuss your interest
in the services and to send you information regarding Inherent Risks, such as information about
promotions, events, products or services. You can withdraw your consent or opt out of receiving
our marketing communications at any time. If you are not located in the EU, you may opt out of
receiving marketing communications and updates at any time. You can manage your receipt of
marketing and non-transactional communications by clicking on the “unsubscribe” link located at
the bottom of Inherent Risks marketing emails.
f. For improving Inherent Risks’ communications with you. Emails sent to you by us may include
standard tracking, including open and click activities. We may collect information about your
activity as you interact with our email messages and related content.
g. For operating and improving the Inherent Risks website and your customer experience. For
example, we may collect and analyse data on your use of our website and process it for the
purpose of improving our online experience.
h. For security purposes. For example, we may use your data to protect Inherent Risks and its third
parties against security breaches and to prevent fraud and violation of applicable Inherent Risks
agreements (where the processing is necessary for our legitimate business interests).
Whenever we process your personal data for our legitimate interests, we make sure to consider
and balance any potential impact on you and your rights under data protection laws. Our legitimate
business interests do not automatically override your interests – we will not use your personal data
for activities where our interests are overridden by the impact on you (unless we have your consent
or are otherwise required or permitted to by law). You have the right to object to this processing if
you wish.
Personal data is processed both manually and electronically in accordance with the above-mentioned purposes and in compliance with current regulations. We permit only authorised Inherent Risks employees to have access to your information. Such employees are appropriately designated and trained to process data only according to the instructions we provide them.
Inherent Risks will retain personal data for a reasonable period, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period necessary to comply with state, local, federal regulations, or country specific regulations and requirements, and in accordance with Inherent Risks policies.
We only share your personal data with your consent or in accordance with this notice. We will not
otherwise share, sell or distribute any of the information you provide to us except as described in
this notice.
We share personal data among Inherent Risks-controlled affiliates and subsidiaries who act for
Inherent Risks for the purposes set out in this notice.
Inherent Risks may share your information with external third parties, such as vendors,
consultants, legal advisors, auditors and other service providers who are performing, advising or
assisting with certain services on behalf of our company. Such third parties have access to
personal data solely for the purposes of performing the services specified in the applicable
contract, and not for any other purpose. Inherent Risks requires these third parties to undertake
security measures consistent with the protections specified in this notice.
Inherent Risks may be required to disclose personal data in response to lawful requests by public
authorities, including meeting national security or law enforcement requirements.
If the Inherent Risks business enters into a joint venture with or is merged with another business entity,
your information may be disclosed to our new business partners.
Personal information may be transferred, accessed and stored globally as necessary for the uses
stated above in accordance with this notice, and in compliance with local law and regulations.
Data concerning EU data subjects may be transferred to or processed in locations outside of the
EU only where one of the following safeguards is in effect:
Transfers to the US, pursuant to D&P’s participation in the EU-U.S. Privacy Shield
Transfers to certain countries which the EU Commission has determined ensure an adequate
level of protection
Transfers pursuant to standard contractual clauses or contract terms ensuring adequate data
protection
Where required, Inherent Risks entities have entered into European Union Model Clause
Agreements which allow for the processing of your personal information and for transfers of your
personal information.
You have the following rights concerning your data processed by Inherent Risks:
Access: You have the right to access personal information that Inherent Risks holds about you.
Rectification: You have the right to ask us to rectify information Inherent Risks holds about you if it
is inaccurate or not complete.
Erasure: You can request that Inherent Risks erase your personal data. We will keep basic data to
identify you and retain it solely for preventing further unwanted processing.
Restrict Processing: You have the right to ask Inherent Risks to restrict how we process your data.
This means we are permitted to store the data but not further process it. We keep just enough data
to make sure we respect your request in the future.
Object to processing: Where processing is based on legitimate interests, you have the right to
object to Inherent Risks processing your data. We will discontinue processing your data, unless we
can demonstrate compelling legitimate grounds for the processing. We will keep basic data to
identify you and retain it solely for preventing further unwanted processing.
Portability: Where processing is based on consent or performance of a contract, you have the right
to data portability. Inherent Risks must allow you to obtain and reuse your personal data for your
own purposes in a safe and secure way without this affecting the usability of your data.
Automated decisions are defined as decisions about individuals that are based solely on the
automated processing of data and that produce legal effects that significantly affect the individuals
involved.
Inherent Risks does not make automated decisions using personal data. If automated decisions
are to be made, affected persons will be given an opportunity to express their views on the
automated decision in question and object to it.
If you choose not to provide certain personal information, it may be an impediment to the exchange of information necessary for the execution of the contract or provision of services, and we may not be able to provide you with some services and you may not be able to participate in some of the activities on our website(s).
We are not responsible for the privacy practices of any non-Inherent Risks operated websites, mobile apps or other digital services, including those that may be linked through Inherent Risks websites or services, and we encourage you to review the privacy policies or notices published thereon.
Please contact us with questions, concerns, or complaints:
For data subjects located in the EU: if we are not able to satisfactorily resolve your questions,
concerns, or complaints, or if you believe that the processing of your personal data infringes on
your rights under applicable data protection laws, you have the right, without prejudice to any other
administrative or judicial remedies, to lodge a complaint with a supervisory authority, in particular in
the Member State of your habitual residence, place of work or place of the alleged infringement.
Contact information for the supervisory authorities may be found here:
EU Data Protection Authorities:
http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm