What is GDPR?
General Data Protection Regulation (GDPR) requires businesses to protect the personal data of European Union (EU) citizens making transactions within EU member states. Because Cambridge Brain Sciences (CBS) handles personally identifiable information of EU citizens through our BrainLabs service, GDPR applies to Cambridge Brain Sciences.
How do Cambridge Brain Sciences and BrainLabs comply with GDPR?
Personally identifiable information (PII): All of our PII handling is guided by Article 6 of the GDPR, whereby subject companies must only process data required for operations, and Article 32(1)(a), whereby personal data must be encrypted. All personal data is stored in an encrypted or obscured format within our private database. Both articles are satisfied by the PII we request and by our User Personal Data handling practices and procedures. We actively maintain an overview of the user personal data stored and of user data flow, as well as a Data Retention Policy that categorizes and locates user data.
Right to erasure: your personally identifiable information and related account data can be fully erased from the BrainLabs service. The account deletion feature is available to you at any time through the account section of the web site. Users, patients, and participants with personal data in CBS Health or CBS Research can request to have their information deleted by the practitioner or researcher who created the account, or by contacting a CBS employee who can manually erase information.
Right to rectification: If mistakes or incomplete data are found, users of BrainLabs may rectify common personal data using the online account management feature, and all other data may be rectified by contacting CBS. While most users of CBS Health and CBS Research do not have personal data stored in our systems, should any be stored, users may have that data rectified by contacting CBS.
Data portability: BrainLabs users are permitted to download all PII in a CSV file via the personal data download feature within the account section of the web site.
Right to know when one’s data has been hacked: Per articles 33 and 34 of the GDPR, personal data breaches must be reported to authorities and affected users within 72 hours of their discovery. Regarding communications, the CBS Security Incident Handling procedure includes a step to notify partners, clients, end users, and interested institutional bodies when an incident has been discovered.
Data protection officer: Because we process more than 5,000 data subjects per year and also perform regular observation on a large scale, we are required to designate a Data Protection Officer (DPO), and that role is assigned to Risto Juola.
Accountability: With regard to the accountability requirements set forth by the GDPR, we note that our data processing meets and in some cases exceeds relevant industry standards.
Pseudonymization: To ensure that a user’s data cannot be linked to the user without additional data, we encrypt all PII, meaning that in order to correlate personal data with a user, the encryption key(s) applied to their data must be used in addition to the user data itself.
What policies are in place to protect younger users?
If you are 16 years old or younger, you are required to obtain parental consent before using BrainLabs. If you have not entered your age, you will be prompted to verify that you are over 16 or have obtained parental consent. After you click the checkbox, click Save to continue using BrainLabs.
How do I contact you with questions?
If you have any questions at all about your data, we are happy to help. Just send us a message at any time using the chat box in the bottom right of your screen, or view the Contact Us page for additional contact methods.