(last amended 29 July 2021)
1. provides you with an overview of how we collect your data, how we use your information and how we comply with the law in doing so
2. sets out your rights in respect of your personal information and how to exercise them.
We will advise you in our communications with you of the specific company within the Genmed group of companies that is making decisions about the use of your personal information. This may be:
1. Genmed Group Limited, Genmed House Llantarnam Park Way, Llantarnam Industrial Park, Cwmbran, Wales, NP44 3GA with company number 12434274
2. Genmed.Me Limited, Genmed House Llantarnam Park Way, Llantarnam Industrial Park, Cwmbran, Wales, NP44 3GA with company number 06045647
3. Genmed Commercial Services Limited, Genmed House Llantarnam Park Way, Llantarnam Industrial Park, Cwmbran, Wales, NP44 3GA with company number 11950000
4. Genmed Managed Services Limited, 38 Upper Mount Street, Dublin 2, Republic of Ireland, with company number 647404
It is important that you read and retain this policy (and any updated version of it), together with any other privacy policies we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.
This website is not intended for use by children and we do not knowingly collect or use personal information relating to children.
The Data Protection Officer (“DPO”) helps to ensure that the Genmed group of companies complies with the data protection law and has responsibility for the data protection compliance of the companies set out above.
Please contact us if you have any queries or concerns about how your personal information is used or managed.
You have the right to complain to the Information Commissioner, which you can do by contacting the Information Commissioner’s Office (ICO) directly. Full contact details, including a helpline number, can be found on the ICO website (www.ico.org.uk). This website also has useful information on your rights and our obligations. However, please raise any concerns or issues with us first so that we may deal with this as quickly as possible for you.
Data protection principles
We will comply with data protection law (and any applicable Irish data protection legislation). This states that the personal information we hold about you must be:
What kind of personal information do you hold about me?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
The personal information that we collect about you depends on the particular activities carried out. This may include your:
1. Name, title, gender
2. Business address, business email address, job title, mobile number and landline number
3. Internet protocol (IP) address, login data, browse type and version, time zone, setting and location, browser plug in types and versions, operating systems and platform and other technology on the devices that you use to access our website
4. Details of any feedback you give us by phone, post, via our website enquiry form or social media
5. Marketing and communications data including your preferences in receiving marketing from us and any additional information that you provide to us, for example when you let us know those areas of our business that you are interested in receiving information about
How do we collect your personal information?
We may collect personal information:
Special categories of personal information
Certain categories of personal data are considered by the law to be “special categories of personal data” and are subject to additional safeguards. We do not process any such categories of personal data in connection with the relationship between us.
How do we use your personal information?
We will use the personal information in the provision of services, including for the necessary administration of the relationship with our customer (whether public or privately funded) and our suppliers (and prospective customers and suppliers), and to comply with requirements that we are required to undertake.
Our legal basis for processing personal information
When we use your personal information we are required to have a legal basis for doing so. There are various different legal bases on which we may rely, depending on what personal information we process and why. We will only use your personal information when the law allows us to.
Most commonly, we will use your personal information in the following circumstances:
1. contract: in performance of a contract (where our use of your personal information is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract); and/or
2. legal obligation: in compliance with a legal or regulatory obligation (where our use of personal information is necessary for us to comply with the law (not including contractual obligations)); and/or
3. legitimate interests: where our use of your personal information is necessary for our legitimate interests or those of a third party (unless there is good reason to protect your personal information, which overrides our legitimate interests). We rely on this for activities such as our business records and developing and improving our products and services.
We may also use your personal data in the following situations, which are likely to be less common:
If we ask for your consent we will always aim to be clear and transparent about why we need your consent and what we are asking it for. Where we are relying on consent to use your personal data you have the right to withdraw it at any time by contacting our DPO (contact details found at the top of this document).
Purpose 1: entering in to and performing our contractual obligations – including submitting requests for proposals, negotiating contracts, placing orders, invoicing, settling invoices, updating SAP, emailing internally and externally, vetting third parties, dealing with complaints
Legal bases for using personal data:
1. Contract: we need to fulfil our contract with you for the provision of services
Purpose 2: Managing our business - maintaining business and accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax, financial, legal, or public relations advice), IT systems (e.g. document filing and storage, account management systems, growth management tools) and complying with legal or regulatory obligations
Legal bases for using personal data:
1. Legal obligation: to comply with our legal and regulatory obligations; and
2. Legitimate interests: for our legitimate business interest in manging our business operations, which does not overly prejudice you.
Purpose 3: providing improved quality services and conducting customer satisfaction surveys
We want to improve our services for our customers and will use your personal information to contact you to gather your thoughts.
Legal bases for using your personal data:
1. Legitimate interests: we need to use your personal data for our legitimate business interest which does not overly prejudice you.
Purpose 4: advising you of other services offered by Genmed (“Marketing”)
1. Legitimate interests: we need to use your personal data for our legitimate business interest in marketing our services to increase sales. Processing your data is necessary to achieve this as long as it does not overly prejudice you. You can object to us using your personal data for this purpose and we have to stop doing so. If you would like to object, please contact our DPO (contact details found at the top of this document); or
2. Consent: you have consented to receiving marketing from us.
We collect personal data in our contact relationship management system (if you give us a copy of your business card we will include your details on this system). As a business, we need to carry out marketing to our business contacts, but we will only send you information about products or services which may be of interest to you. This includes, but is not limited to, newsletters, news updates, product updates, articles, case studies and offers.
Personal data will be used to provide you with Marketing information that you ask for, or that we think are relevant to you. Marketing emails will be sent using Mailchimp (a cloud-based solution that is hosted on a secure network, that is fully maintained, monitored and kept updated with your preferences).
We may analyse what areas of information are of interest to you (e.g. surgery, pathology) or all so that we can better target the Marketing information that we provide. We record and retain your marketing preferences to help ensure that you only receive the marketing that you have confirmed that you wish to receive.
If at any time you no longer wish to receive marketing emails sent by us you can click on the “unsubscribe” link that appears in all our emails, otherwise you can contact the DPO to update your preferences.
We may also provide your personal data to market research agencies to collect your feedback which will be used to better develop products and services for you.
Who is my personal information shared with?
We will share your personal information with third parties where we are under a legal or regulatory obligation or where it is necessary to administer the working relationship with you.
We share your personal data with other companies in the Genmed group.
We may share personal information with:
1. third-parties as is necessary in the provision of our services (including customers, suppliers, framework providers)
2. third-party providers who deliver services to support the operation of Genmed including IT suppliers, web hosting and email delivery companies, auditors, lawyers, tax advisers, bankers, management consultants, marketing agencies, insurers, document management providers
3. third-party sponsors of sponsored events
4. NHS membership organisations
5. HM Revenue & Customs, regulators and other authorities and government bodies (including NHSE, NHSi and the Department of Health)
6. other NHS bodies (including NHS trusts), private hospitals or clinics
7. selected third-parties in connection with any sale, merger and transfer or disposal of our business or acquisition of another business.
In respect of all disclosures of personal information, we will only share the personal information which is necessary for the particular purpose for which it is provided, or where we have another legitimate interest in doing so, and we will ensure that the personal data is appropriately protected.
How long will you keep my data for?
We will keep personal data only for as long as is necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting or reporting requirements. Normally, our retention period for personal data collected for this purpose is a minimum of 6 years after the end of the period that we are providing services. Any personal data that we have from you solely for the purposes of your receiving Marketing information will not be used once you have asked us to stop providing these to you (except to the extent that it is necessary to stop you receiving the Marketing information).
It is very important that the personal information that we hold about you is accurate and current. Please tell us if your personal information changes during your relationship with us.
We have put in place appropriate physical, technological and organisational security measures to prevent your personal data from being accidentally lost, altered, disclosed used or accessed in an unauthorised way. In addition, we limit access to your personal data to those of our people and other third parties who have a business need to know it. They will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure. We have put in place procedures to deal with any suspected data security breach and will notify you and the ICO of a suspected breach where we are legally required to do so.
International data transfers
We (or third parties acting on our behalf (including suppliers) pursuant to the terms of contractual documentation with us) may store or process information that we collect about you in countries inside and outside the European Economic Area ("EEA"). For example, we use growth management tool software (Align) which may capture a limited amount of personal data which is transferred to the USA. Personal data may be transferred outside of the EEA by data processors acting on our behalf. For example, our marketing emails which we send to you (using Mailchimp) involves data transfer to the USA. Where a transfer of your personal information is made outside of the EEA to countries not considered adequate by the European Commission, we will take the required steps to ensure that your personal data is adequately protected. This would include by use of the Standard Contractual Clauses or Binding Corporate Rules adopted by the European Commission to protect personal data.
Genmed is a business-to-business managed services and procurement group. Much of the data we collect and hold are business contacts that we send newsletters, news updates, product updates, articles, case studies and offers to you in compliance with The Privacy and Electronic Communications Regulations 2003 (PECR) rules.
Under certain circumstances, you have the right by law to request:
1. access to your personal data (commonly known as a “data subject access request”). This enables you to ask to receive a copy of the personal data that we hold about you and to check that we are lawfully processing it.
2. correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
3. erasure of your personal data. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)
4. object to processing of your personal data where we are relying on our legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you object, we can no longer process your information unless we can demonstrate legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. You also have the right to object where we are processing your personal information for direct marketing purposes.
5. restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
6. transfer of your personal data to another party.
Links from our website
Our website may, from time to time, contain links to and from the websites of third parties that we permit to make such links. If you follow a link to any of these websites, please note that these websites have their own privacy notices or policies and that we do not accept any responsibility or liability for these notices or policies. We recommend that you check these privacy notices or policies before you submit any personal data to these websites.