Data Protection and GDPR Compliance Statement

We are committed to protecting the privacy and personal data of all individuals with whom we engage, including applicants, clients, partners, and employees. In accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), we process personal data lawfully, fairly, and transparently, and this statement describes how we do so.

Scope

This statement applies when we process personal data in the context of offering services to or monitoring the behavior of individuals in the European Economic Area (EEA), or where our activities otherwise bring us within the scope of GDPR Article 3. Where relevant, we also comply with the UK GDPR for individuals in the United Kingdom.

Lawful Basis for Processing

We process personal data only where GDPR Article 6(1) provides a lawful basis for doing so, including:

  • The performance of a contract
  • Compliance with a legal obligation
  • Protection of vital interests
  • Consent (explicit and informed)
  • Legitimate interests pursued by Occu-Med or a third party, where such interests are not overridden by the rights and freedoms of the data subject

Data Subject Rights

Under GDPR, individuals have the right to:

  • Access their personal data (Article 15)
  • Request rectification or erasure (Articles 16 and 17)
  • Restrict or object to processing, including an unconditional right to object to direct marketing (Articles 18 and 21)
  • Receive their data in a structured, commonly used, machine-readable format and have it transmitted to another controller (data portability, Article 20)
  • Withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal (Article 7(3))
  • Lodge a complaint with a supervisory authority (Article 77), in the EEA state where they live or work or where the alleged infringement occurred, or with the Information Commissioner's Office for individuals in the United Kingdom

You may submit a request via our web form, by email at privacy@occu-med.com, or by postal mail to the address below. We will verify your identity before acting on a request, asking only for the information reasonably necessary to confirm it, and we will not impose unreasonable barriers to the exercise of your rights.

Occu-Med

Attention: GDPR Privacy Officer

2121 W. Bullard Ave

Fresno, CA 93711

Procedural Clarity for Data Subject Requests

We have implemented a structured process to ensure timely and secure handling of data subject requests:

  • Verification: All requests are subject to identity verification so that personal data is not disclosed, altered, or erased at the request of anyone other than the data subject or their authorized representative.
  • Response Timeframe: We respond to data-subject requests without undue delay and in any event within one month of receipt. Where requests are complex or numerous, we may extend this period by up to two further months; if so, we will inform you within one month of receipt and explain the reason for the extension.
  • Data Location and Access: Personal data is stored in secure environments in Fresno, California, and in the Microsoft Azure Government Community Cloud (GCC), with access limited to authorized personnel. Because both locations are in the United States, personal data of EEA and UK individuals held there is covered by the transfer safeguards described under Data Transfers and Safeguards below.

Documentation and Audit Trail

For accountability and transparency, we keep a detailed log of:

  • All data subject requests received
  • Actions taken in response, including any denials and their legal justification
  • Dates of receipt and resolution
  • All communications with the data subject throughout the process

These records are retained in accordance with our internal compliance and audit policies.

Third-Party Coordination

We share personal data with third-party vendors or service providers only where this is required to perform the services requested of us, or with the written approval of the individual whose personal data will be shared. Where we do so, our contractual agreements oblige those parties to:

  • Assist promptly with any rectification or erasure requests
  • Comply with applicable GDPR requirements
  • Provide notice of any data access or deletion actions taken on our behalf

We engage third-party processors only under written data processing agreements (DPAs) that meet the requirements of GDPR Article 28(3). At a minimum, each DPA requires the processor to:

  • Process personal data only on our documented instructions
  • Ensure that persons authorized to process the data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Notify us of a personal data breach without undue delay
  • Assist us in responding to data-subject requests and in carrying out data protection impact assessments (DPIAs)
  • Engage sub-processors only under the restrictions and due diligence we specify, and flow down the same obligations to them
  • Return or delete all personal data at the end of the services
  • Make available the information needed to demonstrate compliance, and allow for and contribute to audits

We review vendor compliance with these obligations regularly to ensure continued alignment with our privacy and security standards.

Data Transfers and Safeguards

Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place under Chapter V of the GDPR, including the European Commission's Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs). A TIA evaluates whether the law and practice of the destination country could undermine the protection the SCCs provide and whether supplementary measures, such as encryption of data in transit and at rest, are needed, in line with the latest EU guidance on cross-border data transfers.

Depending on the engagement, we act as a controller or as a processor for our clients. Where we act as a processor, we will promptly inform and assist the relevant controller in responding to requests and fulfilling GDPR obligations, in accordance with our data processing agreements.

Security and Retention

We implement technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and staff training. Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.

Personal data may be retained for the duration of any active service contract if and to the extent that deletion would breach the terms of that contract or impair our ability to fulfill our contractual obligations, including obligations related to service provision, dispute resolution, audit compliance, and record keeping. During that period the data is stored securely and accessible only to authorized personnel for purposes related to the execution or management of the contract. Upon contract termination, we assess the data for deletion or further retention in accordance with legal and regulatory obligations.

Automated Decision-Making

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning individuals or similarly significantly affect them, in accordance with Article 22 of the GDPR. Where automated tools support a decision, the outcome is reviewed by a person with the authority to change it.