
Privacy Policy

Effective date: 1 August 2025

INTRODUCTION

This policy relates to the privacy of personal information of individuals who access the privacy policy located on both the Deciphex and affiliate websites. The Management of Deciphex is committed to ensuring best practice in the area of Information Security Management. This Policy has been created as part of this commitment and is available to all employees at Deciphex.

PURPOSE

This policy is intended to outline Deciphex’s obligations when processing personal data of visitors to our website and their rights under the GDPR. The purpose of this policy is to ensure that the Company meets its legal, statutory and regulatory requirements under privacy and data protection laws and to ensure that all personal and special category information is processed compliantly and in the individual’s best interest. In particular, it complies with the transparency requirements under the GDPR.

The privacy and data protection laws include provisions that promote accountability and governance and the Company has put comprehensive and effective governance measures into place to meet these provisions. The  aim of such measures is to ultimately minimise the risk of breaches and uphold the protection of personal data.  This policy also serves as a reference document for any individual or entity, or third-parties on the responsibilities  of handling and accessing personal data and data subject requests.

SCOPE

This Policy is available to all directors, employees, officers, interns and contractors within the Deciphex group of companies and affiliates including:

  • Deciphex Limited
  • Diagnexia UK Limited
  • Deciphex Inc d/b/a Diagnexia US
  • Diagnexia Canada Limited
  • Patholytix Ltd  

(collectively the “Deciphex Group” and individually a “Company” for purposes of this Policy) and any other location where the company carries out services or operations.

This policy applies to all visitors to the Company websites, all staff within the Company (meaning permanent, fixed  term, and temporary staff, employment candidates, any third-party representatives or sub-contractors, agency  workers, volunteers, interns, agents, engaged with the Company in Ireland, the United States, Canada and relevant  overseas jurisdictions).  

This policy applies to visitors to the company websites and is made available via those websites:

  • https://www.deciphex.com
  • https://www.diagnexia.com
  • https://www.patholytix.com

Privacy Statement  

Deciphex Holdings Limited (hereinafter referred to as the “Company”) collects personal information to carry out our  everyday business functions and activities and to provide the products and services defined by our business type,  employ our staff and manage our global network of expert Pathologists.

The company acts as both a Controller and a Processor, depending on which business function we are performing  or which services we are providing.  

Our contact details are:

DCU Alpha Building,  
Innovation Campus,  
11 Old Finglas Rd, Glasnevin, Co. Dublin, D11 KXN4, Ireland.  

Company Data Protection Officer/ HIPAA Privacy Officer contact details: dataprotectionofficer@deciphex.com

You may contact the DPO with any queries on this policy or to make an access request. If you wish to make an access request for your data, the Company requires proof of identity and address for all requests made to the Company, together with a comprehensive outline of data you wish to access or the specific right you wish to exercise under data protection and privacy laws. You will find details of all rights in this Policy.

For queries relating to your rights, the relevant Supervisory Authority in Ireland is:

Ireland
Data Protection Commission  
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland

Phone: (01) 765 01 00

When we act as Controller:

Personal Data is collected from employees, candidates (when we interview you for recruitment purposes), customers, suppliers, contractors, Pathologists and clients including (but not limited to) name, address, email address, date of birth, IP address, identification numbers, private and confidential information, sensitive information, CCTV recordings / physical site security data, bank/credit card details, or if you contact us or submit any information online or in email.

When we act as Processor:

Personal Data, including PHI (protected health information), medical data, hospital numbers and other sensitive  health data is processed when we provide our reporting or consulting services for clients. When we provide our  services, we always act on the instructions of our Client.  

In addition, we may be required to collect and use certain types of personal information to comply with the  requirements of the law and/or regulations, however we are committed to processing all personal information in  accordance with the General Data Protection Regulation (GDPR), GDPR UK, Irish data protection laws, other  relevant regulatory provisions (for example, but not limited to, the AI Regulation, the European Health Data Space  Regulation, HIPAA Privacy Rules), the data protection laws and codes of conduct (herein collectively referred to  as “privacy and data protection laws”).  

The Company has developed policies, procedures, controls and measures to ensure continued compliance with  privacy and data protection laws and principles, including staff training, procedure documents, audit measures and  assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category data  including medical data, is one of our top priorities and we are proud to operate a ‘Privacy by Design’ approach,  assessing changes and their impact from the start and designing systems and processes to protect personal  information at the core of our business.

Generative AI:

The Company uses internally approved Generative AI tools across our business processes to improve efficiencies and workflows. The Company has an Acceptable Usage Policy governing our AI usage encompassing our obligations under the AI Regulation. Generative AI tools are approved by a Generative AI Steering Committee and are also subject to appropriate supplier management to assess their security and privacy provisions.

  • We may use Generative AI enabled CV reviewing and scoring, including assisted note taking tools to both  record and transcribe interviews, reference checks and hiring discussions. Please see below under the  section dedicated to Employee data;
  • We record consent at the time it is obtained and evidence such consent to the Supervisory Authority  where requested
  • To comply with automated decision making requirements in our Acceptable Usage Policy, any Generative  AI tools we use require us to apply human intervention to review any notes, recordings or transcriptions  made in the course of our business activities to ensure that such recordings, scoring, and transcriptions  are accurate and verify any decisions we make out of such recordings
  • We will advise you at the start of any hiring process of your right to object to such processing or use of  Generative AI tools, or withdraw consent at any time to use such tools
  • We do not use any of your personal data to train language models.  

Consent Controls

Consent is defined as any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Consent to obtain and process personal data is obtained by the Company, where consent is the basis of the  processing, through: –

  • Face-to-Face
  • In Writing
  • Email/SMS
  • Electronic (i.e. via website form)

Consent may be revoked at any time, without detriment to the individual.  

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) ((EU) 2016/679) was approved by the European Commission in April 2016 and will apply to all EU Member States from 25th May 2018. As a ‘Regulation’ rather than a ‘Directive’, its rules apply directly to Member States, replacing their existing local data protection laws and repealing and replacing Directive 95/46/EC and its Member State implementing legislation.

As the Company processes personal information regarding individuals (data subjects), we are obligated under the  General Data Protection Regulation (GDPR) to protect such information, and to obtain, use, process, store and  destroy it, only in compliance with its rules and principles.

Personal Data  

Information protected under the GDPR is known as “personal data” and is defined as: –

“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who  can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification  number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic,  mental, economic, cultural or social identity of that natural person.”

The Company ensures that a high level of care is afforded to personal data falling within the ‘special categories’  (previously sensitive personal data), due to the assumption that this type of information could be used in a negative  or discriminatory way and is of a sensitive, personal nature to the persons it relates to.

The GDPR Principles

Article 5 of the GDPR requires that personal data shall be: –

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness  and transparency’)
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is  incompatible with those purposes; further processing for archiving purposes in the public interest, scientific  or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be  considered to be incompatible with the initial purposes (‘purpose limitation’)
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are  processed (‘data minimisation’)
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that  personal data that are inaccurate, having regard to the purposes for which they are processed, are erased  or rectified without delay (‘accuracy’)
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes  for which the personal data are processed; personal data may be stored for longer periods insofar as the  personal data will be processed solely for archiving purposes in the public interest, scientific or historical  research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of  the appropriate technical and organisational measures required by this Regulation in order to safeguard  the rights and freedoms of the data subject (‘storage limitation’)
  6. processed in a manner that ensures appropriate security of the personal data, including protection against  unauthorised or unlawful processing and against accidental loss, destruction or damage, using  appropriate technical or organisational measures (‘integrity and confidentiality’).

Article 5(2) requires that ‘the controller shall be responsible for, and be able to demonstrate, compliance with the  data protection laws principles’ (‘accountability’) and requires that firms show how they comply with the principles,  detailing and summarising the measures and controls that they have in place to protect personal information and  mitigate the risks of processing.

The Office of the Data Protection Commissioner (DPC), Information Commissioner’s Office (ICO) and PIPEDA (Canada)

The DPC is an independent regulatory office whose role it is to uphold information rights in the public interest. The  legislation they have oversight for includes: –

  • The Data Protection Acts 1988 and 2003 (pre-25th May 2018)
  • General Data Protection Regulation (post-25th May 2018)
  • The Privacy and Electronic Communication (EU Directive) Regulations 2011

The DPC’s mission statement is “to uphold information rights in the public interest, promoting openness by public  bodies and data privacy for individuals” and they can issue enforcement notices and fines for breaches in any of  the Regulations, Acts and/or Laws regulated by them.

Under the data protection laws the DPC, as Ireland’s data protection authority (Supervisory Authority), will have a  similar role as previously, when it comes to oversight, enforcement and responding to complaints with regards to  the data protection laws and those firms located solely in Ireland.

  • The Information Commissioner’s Office (ICO) in the UK is responsible for upholding the personal data  protection rights for processing in the UK.  
  • PIPEDA is the Canadian Privacy Authority.  

Data Protection Officer

Articles 37-39, and Recital 97 of the GDPR detail the obligations, requirements and responsibilities on firms to  appoint a Data Protection Officer and specify the duties that the officer themselves must perform. A Data Protection Officer (DPO) must be appointed by a firm where: –

  • The processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
  • the core activities of the controller/processor consist of processing operations which, by virtue of their  nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on  a large scale
  • the core activities of the controller/processor consist of processing on a large scale of special categories  of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in  Article 10

The Company has appointed a DPO and has done so in accordance with the GDPR requirements and has ensured that the assigned person has an adequate and expert knowledge of data protection law. They have been assessed as being fully capable of assisting the Company in monitoring our internal compliance with the Regulation and supporting and advising employees and associated third parties with regards to the data protection laws and requirements.

The contact details for our DPO are: dataprotectionofficer@deciphex.com

Objectives

We are committed to ensuring that all personal data processed by the Company is done so in accordance with  privacy and data protection laws and its principles, along with any associated regulations and/or codes of conduct  laid down by the Supervisory Authority and local law. We ensure the safe, secure, ethical and transparent  processing of all personal data and have stringent measures to enable data subjects to exercise their rights.

The Company has developed the below objectives to meet our data protection obligations and to ensure continued  compliance with the legal and regulatory requirements.

The Company ensures that:  

  • We protect the rights of individuals with regards to the processing of personal information
  • We develop, implement and maintain a data protection policy, procedure, audit plan and training program  for compliance with the privacy and data protection laws.
  • Every business practice, function and process carried out by the Company, is monitored for compliance  with the privacy and data protection laws and its principles
  • Personal data is only processed where we have verified and met the lawfulness of processing  requirements
  • We process special category data and medical data in accordance with both HIPAA and GDPR / GDPR  UK requirements  
  • We record consent at the time it is obtained and evidence such consent to the Supervisory Authority  where requested
  • All employees are competent and knowledgeable about their obligations and are provided with in-depth  training in the data protection laws, principles, regulations and how they apply to their specific role and  the Company
  • Individuals feel secure when providing us with personal information and know that it will be handled in  accordance with their rights under the data protection laws
  • We maintain a continuous program of monitoring, review and improvement with regards to compliance with the data protection laws and to identify gaps and non-compliance before they become a risk, effecting mitigating actions where necessary
  • We monitor the Supervisory Authority, European Data Protection Board (EDPB) and any GDPR news and  updates, to stay abreast of changes, notifications and additional requirements
  • We have robust and documented Complaint Handling and Data Breach controls for identifying,  investigating, reviewing and reporting any breaches or complaints with regards to data protection
  • We have appointed a Data Protection Officer who takes responsibility for the overall supervision,  implementation and ongoing compliance with the data protection laws and performs specific duties as set  out under Article 37 of the GDPR
  • We have an Audit schedule in place to perform checks and assessments on how the personal data we process is obtained, used, stored and shared. The audit schedule is reviewed against our data protection policies, procedures and the relevant regulations to ensure continued compliance
  • We provide clear reporting lines and supervision with regards to data protection
  • We store and destroy all personal information, in accordance with our retention policy and schedule which  has been developed from the legal, regulatory and statutory requirements and suggested timeframes
  • Any information provided to an individual in relation to personal data held or used about them, will be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language
  • Employees are aware of their own rights under the data protection laws and are provided with the Article  13/14 information disclosures in the form of a Privacy Notice
  • Where applicable, we maintain records of processing activities in accordance with the Article 30  requirements
  • We have developed and documented appropriate technical and organisational measures and controls for  personal data security and have a robust Information Security program in place.

Governance Procedures

Accountability & Compliance

Due to the nature, scope, context and purposes of processing undertaken by the Company, we identify, assess,  measure and monitor the impact of such processing. We have implemented adequate and appropriate technical  and organisational measures to ensure the safeguarding of personal data and compliance with the data protection  laws and can evidence such measures through our documentation and practices.

Our main governance objectives are to: –

  • Educate management and employees about the requirements under the data protection laws and the  possible impact of non-compliance
  • Provide a dedicated and effective data protection training program for all employees
  • Identify key stakeholders to support the data protection compliance program
  • Allocate responsibility for data protection compliance and ensure that the designated person(s) has  sufficient access, support and budget to perform the role
  • Identify, create and disseminate the reporting lines within the data protection governance structure

The technical and organisational measures that the Company has in place to ensure and demonstrate compliance  with the data protection laws, regulations and codes of conduct, are detailed in information security policies  managed internally by the Company.

Privacy by Design

We operate a ‘Privacy by Design’ approach and ethos, with the aim of mitigating the risks associated with  processing personal data through prevention via our processes, systems and activities. We have developed  controls and measures (detailed below), that help us enforce this ethos.

Data Minimisation

Under Article 5 of the GDPR, principle (c) advises that data should be ‘limited to what is necessary’, which forms  the basis of our minimalist approach. We only ever obtain, retain, process and share the data that is essential for  carrying out our services and/or meeting our legal obligations and only retain data for as long as is necessary.

Our systems, employees, processes and activities are designed to limit the collection of personal information to  that which is directly relevant and necessary to accomplish the specified purpose. Data minimisation enables us to  reduce data protection risks and breaches and supports our compliance with the data protection laws.

Measures to ensure that only the necessary data is collected include: –

  • Electronic collections only have the fields that are relevant to the purpose of collection and subsequent  processing.
  • Physical collection (i.e. face-to-face, telephone etc) is only that which is relevant and necessary
  • We have SLAs and bespoke agreements in place with third-party controllers who send us personal information (either in our capacity as a controller or processor). These state that only relevant and necessary data is to be provided as it relates to the processing activity we are carrying out
  • We have documented destruction procedures in place where a data subject or third-party provides us with  personal information  

Pseudonymisation

We utilise pseudonymisation to record and store personal data in a way that ensures it can no longer be attributed to a specific data subject without the use of separate, additional information (personal identifiers). Encryption and partitioning are also used to protect the personal identifiers, which are kept separate from the pseudonymised data sets.

When using pseudonymisation, we ensure that the attribute(s) being removed and replaced, are unique and  prevent the data subject from being identified through the remaining markers and attributes. Pseudonymisation  can mean that the data subject is still likely to be identified indirectly and as such, we use this technique in  conjunction with other technical and operational measures of risk reduction and data protection.

Anonymisation

We utilise anonymisation to record and store personal data using technical means, which no longer identify the  individual and cannot be reversed.  

Encryption

We utilise encryption as a security measure securing the personal data that we hold. Encryption with a secret key  is used to make data indecipherable unless decryption of the dataset is carried out using the assigned key.

Restriction

Our Privacy by Design approach means that we use company-wide restriction methods for all personal data  activities. Restricting access is built into the foundation of the Company’s processes, systems and structure and  ensures that only those with authorisation and/or a relevant purpose, have access to personal information. Special  category data is restricted at all levels and can only be accessed by individuals who are obligated to perform  processing as part of the essential services delivery teams or development team.

Data Protection Audits

To enable the Company to comply with the data protection laws, we carry out data protection and privacy audits to  better enable us to record, categorise and protect the personal data that we hold and process.

This process helps us identify:

  • What personal data we hold
  • Where it came from
  • Who we share it with
  • Legal basis for processing it
  • What format(s) is it in
  • Who is responsible for it?
  • Where is it stored?
  • Disclosures and Transfers

Legal Basis for Processing (Lawfulness)

At the core of all personal information processing activities undertaken by the Company, is the assurance and  verification that we are complying with Article 6 of the GDPR and relevant provisions of the GDPR UK and our  lawfulness of processing obligations. Prior to carrying out any personal data processing activity, we identify and  establish the legal basis for doing so and verify these against the regulation requirements to ensure we are using  the most appropriate legal basis. AI processing is linked to the original purpose and legal basis for the data collected  or processed.  

The legal basis is documented on our ROPA. Data is only obtained, processed or stored when we have met the  lawfulness of processing requirements, where:

  • The data subject has given consent to the processing of their personal data for one or more specific  purposes
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to  take steps at the request of the data subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation to which we are subject
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural  person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise  of official authority vested in the Company
  • Processing is necessary for our services including the processing of medical or patient data
  • Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third  party (except where such interests are overridden by the interests or fundamental rights and freedoms of  the data subject which require protection of personal data, in particular where the data subject is a child).

Processing Special Category Data

Special categories of Personal Data are defined in the data protection laws as: –

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or  trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying  a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall  be prohibited – unless one of the Article 9 clauses applies.

Where the Company processes any personal information classed as special category or information relating to  criminal convictions, we do so in accordance with Article 9 of the GDPR and relevant provisions of the GDPR UK. We will only ever process special category data where:

  • The data subject has given explicit consent to the processing of the personal
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of  the controller or of the data subject in the field of employment and social security and social protection  law
  • Processing is necessary to protect the vital interests of the data subject or of another natural person where  the data subject is physically or legally incapable of giving consent
  • Processing is carried out in the course of its legitimate activities with appropriate safeguards by a  foundation, association or any other not-for-profit body with a political, philosophical, religious or trade  union aim
  • Processing relates to personal data which are manifestly made public by the data subject
  • Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are  acting in their judicial capacity
  • Processing is necessary for reasons of substantial public interest
  • Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of  the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment  or the management of health or social care systems and services
  • Processing is necessary for reasons of public interest in the area of public health
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research  purposes or statistical purposes in accordance with Article 89(1)

Where the Company processes personal information that falls into one of the above categories, we have adequate  and appropriate provisions and measures in place prior to any processing. Measures include:

  • Verifying our reliance on Article 9(1) GDPR prior to processing
  • Documenting the Article 6(1) legal basis relied upon for processing on our ART 30 ROPA
  • Having an appropriate policy document in place when the processing is carried out, specifying our:
    • procedures for securing compliance with the data protection laws principles
    • policies as regards the retention and erasure of personal data processed in reliance on the condition
    • retention periods and reason (i.e. legal, statutory etc)
    • procedures for reviewing and updating our policies in this area.

Records of Processing Activities

As an organisation that processes personal & special category data which could result in a risk to the rights and freedoms of individuals, the Company maintains records of all processing activities and maintains such records in writing, in a clear and easy to read format and readily available to the Supervisory Authority upon request.

Acting in the capacity as a controller (or a representative), our internal records of the processing activities carried  out under our responsibility, contain the following information:

  • Our full name and contact details and the name and contact details of the Data Protection Officer. Where  applicable, we also record any joint controller and/or the controller’s representative
  • The purposes of the processing
  • A description of the categories of data subjects and of the categories of personal data
  • The categories of recipients to whom the personal data has or will be disclosed (including any recipients in third countries or international organisations)
  • Where applicable, transfers of personal data to a third country or an international organisation (including the identification of that third country or international organisation and where applicable, the documentation of suitable safeguards)
  • Where possible, the envisaged time limits for erasure of the different categories of data
  • A general description of the processing security measures as outlined in section 12 of this document (pursuant to Article 32(1) of the data protection laws)

Acting in the capacity as a processor our internal records of the categories of processing activities carried out on  behalf of a controller, contain the following information:

  • The full name and contact details of the processor(s) and of each controller on behalf of which the  processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the  data protection officer
  • The categories of processing carried out on behalf of each controller
  • Where applicable, transfers of personal data to a third country or an international organisation (including the identification of that third country or international organisation and where applicable, the documentation of suitable safeguards)
  • A general description of the processing security measures as outlined in section 13 of this document (pursuant to Article 32(1) of the data protection laws).

Third-Party Processors

The Company utilises external processors for certain processing activities (where applicable). We categorise and record all personal data that is processed outside of the company, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible. Such external processing includes (but is not limited to):

  • IT Systems and Services
  • Legal Services
  • Financial and Accounting Services
  • Travel Agencies
  • Debt Collection Services
  • Human Resources
  • Payroll
  • Cloud Hosting or Email Servers
  • Credit Reference Agencies
  • Direct Marketing/Mailing Services
  • Pathologists
  • Third party laboratories
  • CCTV / Physical Security Services

The continued protection of data subjects’ rights and the security of their personal information is always our top  priority when choosing a processor and we understand the importance of adequate and reliable outsourcing for  processing activities as well as our continued obligations under the data protection laws for data processed and  handled by a third-party.

We execute Service Level Agreements (SLAs) and contracts. We comply with Article 28 of the GDPR and relevant GDPR UK provisions when we act as a Controller and a Processor.

Data Retention & Disposal

The Company has defined procedures for adhering to the retention periods as set out by the relevant laws,  contracts and our business requirements, as well as adhering to the GDPR requirement to only hold and process  personal information for as long as is necessary. All personal data is disposed of in a way that protects the rights  and privacy of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion, hard drive  destruction) and prioritises the protection of the personal data in all instances. Additionally, we comply with the  data retention requirements under HIPAA and any other relevant retention provisions.  

Data Protection Impact Assessments (DPIA)

Individuals have an expectation that their privacy and confidentiality will be upheld and respected whilst their data  is being stored and processed by the Company. We therefore utilise several measures and tools to reduce risks  and breaches for general processing. However, where processing is likely to be high risk or cause significant impact  to a data subject, we use proportionate methods to map out and assess the impact ahead of time.

Carrying out DPIAs enables us to identify the most effective way to comply with our data protection obligations and  ensure the highest level of data privacy when processing. It is part of our Privacy by Design approach and allows  us to assess the impact and risk before carrying out the processing, thus identifying and correcting issues at the  source, reducing costs, breaches and risks.

The DPIA enables us to identify possible privacy solutions and mitigating actions to address the risks and reduce  the impact. Solutions and suggestions are set out in the DPIA and all risks are rated to assess their likelihood and  impact. The aim of solutions and mitigating actions for all risks is to ensure that the risk is either:

  • Eliminated
  • Reduced
  • Accepted

Data Subject Rights Procedures

Consent & The Right to be Informed

The collection of personal and sometimes special category data is a fundamental part of the products/services  offered by the Company and we therefore have specific measures and controls in place to ensure that we comply  with the conditions for consent under the data protection laws.

The data protection law defines consent as: ‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’

Information Provisions

Where personal data is obtained directly from the individual (i.e. through consent, by employees, written materials  and/or electronic formats (i.e. website forms, subscriptions, email etc)), we provide the below information in all  instances, in the form of a privacy notice:

  • The identity and the contact details of the controller and, where applicable, of the controller’s  representative
  • The contact details of our data protection officer
  • The purpose(s) of the processing for which the personal information is intended
  • The legal basis for the processing
  • Where the processing is based on point (f) of Article 6(1) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”, details of the legitimate interests
  • If applicable, the fact that the Company intends to transfer the personal data to a third country or international organisation and the existence/absence of an adequacy decision by the Commission
  • Where the Company intends to transfer the personal data to a third country or international organisation without an adequacy decision by the Commission, reference to the appropriate or suitable safeguards the Company has put into place and the means by which to obtain a copy of them or where they have been made available
  • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine  that period
  • The existence of the right to request access to and rectification or erasure of, personal data or restriction  of processing concerning the data subject or to object to processing as well as the right to data portability
  • Where the processing is based on consent under point (a) of Article 6(1) or Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
  • The right to lodge a complaint with the Supervisory Authority
  • Whether providing personal data is a statutory or contractual requirement, or a requirement necessary to  enter into a contract, as well as whether the data subject is obliged to provide the personal data and of  the possible consequences of failure to provide such data
  • The existence of any automated decision-making, including profiling, as referred to in Article 22(1) and  (4) and explanatory information about the logic involved, as well as the significance and the envisaged  consequences of such processing for the data subject.  

Personal Data Not Obtained from the Data Subject

Where the Company obtains and/or processes personal data that has not been obtained directly from the data  subject, the Company ensures that the information disclosures contained in Article 14 are provided to the data  subject within 30 days of our obtaining the personal data (except for advising if the personal data is a statutory or  contractual requirement).

In addition to the information disclosures where personal data has not been obtained directly from a data subject,  we also provide them with information about:

  • The categories of personal data
  • The source the personal data originated from and whether it came from publicly accessible sources

Where the personal data is to be used for communication with the data subject, or a disclosure to another recipient is envisaged, the information will be provided at the latest, at the time of the first communication or disclosure.

Where the Company intends to further process any personal data for a purpose other than that for which it was originally obtained, we communicate this intention to the data subject prior to doing so and where applicable, process only with their consent.

Whilst we follow best practice in the provision of the information noted in the relevant section of this policy, we  reserve the right not to provide the data subject with the information if:

  • They already have it and we can evidence their prior receipt of the information
  • The provision of such information proves impossible and/or would involve a disproportionate effort
  • Obtaining or disclosure is expressly laid down by Union or Member State law to which the Company is  subject and which provides appropriate measures to protect the data subject’s legitimate interest
  • Where the personal data must remain confidential subject to an obligation of professional secrecy  regulated by Union or Member State law, including a statutory obligation of secrecy

Employee Personal Data

As per the data protection law guidelines, we do not use consent as a legal basis for obtaining or processing  employee personal information. We process employee personal and sensitive data pursuant to a contract of  employment.  

Employee personal and sensitive personal data is processed by the Company pursuant to contract.  

When you interview with us, we collect personal data such as contact details, CV, professional qualifications, recorded interviews, recorded notes, and other information to allow the Company to evaluate prospective candidates. We use Generative AI tools to record, score, and transcribe meeting notes, which assist us in improving our hiring standards. We implement the provisions of our Acceptable Usage Policy whereby any automated decision making must have human intervention to verify the accuracy of the recorded material and confirm any decisions / conclusions we make. We require consent to record interviews and you may withdraw such consent without detriment, at any point during the process.

Our HR policies ensure that employees are provided with the appropriate information disclosure and are aware of  how we process their data and why.

During the interview process we may use AI-driven tools to record and transcribe conversations to ensure accuracy  and efficiency. Participation in this process is completely voluntary. If you prefer not to be recorded or transcribed,  or if you decide to withdraw your consent at any time, please inform us and rest assured that your decision will  have no impact on your application or candidacy.  

All employees are provided with our Staff Handbook which informs them of their rights under the data protection  laws and how to exercise these rights and are provided with a Privacy Notice specific to the personal information  we collect and process about them.

Our employees receive detailed onboarding training on Data Protection and Privacy with regular refresher training thereafter.

The Right of Access

We have ensured that appropriate measures have been taken to provide information referred to in Articles 13/14  and any communication under Articles 15 to 22 and 34 (collectively, The Rights of Data Subjects), in a concise,  transparent, intelligible and easily accessible form, using clear and plain language.

Such information is provided free of charge and is in writing, or by other means where authorised by the data subject and with prior verification as to the subject’s identity (i.e. verbally, electronically).

Information is provided to the data subject at the earliest convenience, but at a maximum of 30 days from the date  the request is received. Where the retrieval or provision of information is particularly complex or is subject to a valid  delay, the period may be extended by two further months where necessary. However, this is only done in  exceptional circumstances and the data subject is kept informed in writing throughout the retrieval process of any  delays or reasons for delay.

Where we do not comply with a request for data provision, the data subject is informed within 30 days of the  reason(s) for the refusal and of their right to lodge a complaint with the Supervisory Authority.

Subject Access Request

Subject Access Requests (SARs) are passed to the DPO at dataprotectionofficer@deciphex.com as soon as received and a record of the request is noted. The type of personal data held about the individual is checked against our Information to see what format it is held in, who else it has been shared with and any specific timeframes for access. The request must be in writing and accompanied by proof of identity and address, along with specific details of the right to be exercised and the personal data requested if it is an access request.

Your rights include the right to be informed; right of access to your personal data; right of rectification; the right to  erasure (right to be forgotten); right to data portability; right to object to processing and rights in relation to  automated decision making and profiling.  

SARs are always completed within 30 days and are provided free of charge. Where the individual makes the request by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested.

Security & Breach Management

Alongside our ‘Privacy by Design’ approach to protecting data, we ensure the maximum security of data that is  processed, including as a priority, when it is shared, disclosed and transferred. Our Information Security Policies  and Incident Response Procedures provide the detailed measures and controls that we take to protect personal  information and to ensure its secure disposal.

We have implemented adequate and appropriate technical and organisational measures to ensure a level of  security appropriate to the risk.

Whilst every effort and measure are taken to reduce the risk of data breaches, the Company has dedicated controls  and procedures in place for such situations, along with the notifications to be made to the Supervisory Authority  and data subjects (where applicable).

Transfers & Data Sharing

The Company takes proportionate and effective measures to protect personal data held and processed by us at all  times, however we recognise the high-risk nature of disclosing and transferring personal data and as such, place  an even higher priority on the protection and security of data being transferred. We do not share data, unless  required by law or occasionally when we apply for grants.  

Data transfers within Ireland, UK and EU are deemed less of a risk than a third country or an international  organisation, due to the data protection laws covering the former and the strict regulations applicable to all EU  Member States.  

We deploy our services utilising a global network of qualified Pathologists for our reporting and consulting services,  and occasionally may be required to facilitate a restricted transfer to a third country. Where this occurs, we require  the GDPR UK Addendum as approved by the ICO UK. Prior to any transfer, we conduct a Transfer Impact  Assessment to assess the data protection and privacy ecosystem of the intended import country. Included within  the Transfer Impact Assessment is a detailed review of the IT environment.  

Where data is being transferred for a legal and necessary purpose, compliant with all Articles in the Regulation,  we utilise a process that ensures such data is encrypted and where possible is also subject to our data minimisation  methods.

We use approved, secure methods of transfer. All data being transferred is noted so that tracking is easily available,  and authorisation is accessible. The Data Protection Officer authorises all EU transfers and verifies the encryption  and security methods and measures.
