GDPR Compliance at Corti
Updated over 2 weeks ago

Corti is committed to the protection and security of personal data we collect and process from our customers and partners within the European Union and the United Kingdom. In alignment with the General Data Protection Regulation (GDPR) and the UK GDPR, Corti has implemented comprehensive data protection strategies to comply with the requirements of both regulations. Below are the key aspects of our compliance:

Data Protection Measures

  • Data Minimization: Corti adheres to the principles of data minimization by collecting only the data necessary for the specified purposes, ensuring minimal data processing under both EU and UK regulations.

  • Encryption and Security: We employ advanced security measures, including encryption, firewalls, and secure server facilities, to protect personal data against unauthorized access, alteration, or destruction.

  • Regular Audits: Corti conducts regular audits of its data processing activities and security measures to ensure continuous compliance with EU GDPR and UK GDPR standards.

  • Data Protection Impact Assessments (DPIAs): Corti proactively conducts DPIAs to identify and mitigate any risks associated with data processing activities. These assessments help ensure that all new and existing processes are compliant with GDPR regulations and that risks to data subject rights are minimized. DPIAs are particularly utilized when introducing new technologies or data processing methods that are likely to result in a high risk to individuals' privacy.

Rights of Data Subjects

Corti acknowledges and respects the rights granted to data subjects under both the EU GDPR and the UK GDPR, including:

  • Right to Access: Individuals have the right to access their personal data processed by Corti to understand the nature and purpose of processing.

  • Right to Rectification: Corti provides mechanisms for individuals to update or correct their personal data when necessary.

  • Right to Erasure (Right to be Forgotten): Individuals can request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected.

  • Right to Restrict Processing: Data subjects can request that processing of their personal data be restricted under certain conditions.

  • Right to Data Portability: Corti allows individuals to receive their personal data in a structured, commonly used, and machine-readable format. They can also request that their data be transferred to another controller.

External Data Protection Officer (DPO)

To reinforce trust in our data protection practices, Corti has appointed Bo Pyskow of Sixtus Security as our external Data Protection Officer (DPO). Our DPO brings extensive expertise in data protection and privacy management and has played a pivotal role in elevating our privacy practices, culminating in our successful completion of the demanding ISAE 3000 audit. In his capacity as an external consultant, Bo will continue to enhance our privacy framework by:

  • Providing expert advisory guidance on our GDPR-related privacy practices and documentation.

  • Delivering an annual data protection and privacy review report to our management team.

  • Offering 24/7 support in the event of a data breach.

  • Registering as Corti’s DPO with national data protection authorities (Denmark, UK, etc.) and acting as our representative in case of a data breach or related inquiries.

This appointment underscores our unwavering commitment to maintaining the highest standards of data privacy and security while ensuring compliance with evolving regulatory requirements.

ISAE 3000 Certification

Corti is proud to hold the ISAE 3000 type 1 certification, a testament to our rigorous adherence to the highest standards of data protection and compliance. This certification specifically supports our commitment to upholding General Data Protection Regulation (GDPR) requirements for the data provided by the customer (user data and patient data) as detailed in the Data Protection Agreement (DPA).

Valid until June 2025, the ISAE 3000 certification validates the effectiveness of our privacy and data protection control systems, ensuring they are suitably designed to protect personal data against unauthorized access and loss. Our adherence to this standard demonstrates Corti's proactive approach to privacy and security, highlighting our dedication to maintaining trust and integrity in all our data handling practices. By aligning our operations with the ISAE 3000 standard, we provide our clients with the assurance that their sensitive information is managed in compliance with respected and recognized frameworks, enhancing our reliability as a trusted partner in data security.
