(last amended 14 July 2020)
1. provides you with an overview of how we collect your data, how we use your information and how we comply with the law in doing so
2. sets out your rights in respect of your personal information and how to exercise them.
We will advise you in our communications with you of the specific company within the Genmed group of companies that is making decisions about the use of your personal information. This may be:
1. Genmed Group Limited, Genmed House Llantarnam Park Way, Llantarnam Industrial Park, Cwmbran, Wales, NP44 3GA with company number 12434274
2. Genmed.Me Limited, Genmed House Llantarnam Park Way, Llantarnam Industrial Park, Cwmbran, Wales, NP44 3GA with company number 06045647
3. Genmed Commercial Services Limited, Genmed House Llantarnam Park Way, Llantarnam Industrial Park, Cwmbran, Wales, NP44 3GA with company number 11950000
4. Genmed Managed Services Limited 40 Upper Mount Street, Dublin 2, D02 PR89, Republic of Ireland with company number 647404
It is important that you read and retain this policy (and any updated version of it), together with any other privacy policies we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.
This website is not intended for use by children and we do not knowingly collect or use personal information relating to children.
The Data Protection Officer (“DPO”) helps to ensure that the Genmed group of companies complies with the data protection law and has responsibility for the data protection compliance of the companies set out above.
Please contact us if you have any queries or concerns about how your personal information is used or managed.
You have the right to complain to the Information Commissioner, which you can do by contacting the Information Commissioner’s Office (ICO) directly. Full contact details, including a helpline number, can be found on the ICO website (www.ico.org.uk). This website also has useful information on your rights and our obligations. However, please raise any concerns or issues with us first so that we may deal with this as quickly as possible for you.
Data protection principles
We will comply with data protection law (and any applicable Irish data protection legislation). This states that the personal information we hold about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.
What kind of personal information do you hold about me?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
The personal information that we collect about you depends on the particular activities carried out. This may include your:
1. Name, title, gender
2. Business address, business email address, job title, mobile number and landline number
3. Internet protocol (IP) address, login data, browse type and version, time zone, setting and location, browser plug in types and versions, operating systems and platform and other technology on the devices that you use to access our website
4. Details of any feedback you give us by phone, post, via our website enquiry form or social media
5. Marketing and communications data including your preferences in receiving marketing from us and any additional information that you provide to us, for example when you let us know those areas of our business that you are interested in receiving information about
How do we collect your personal information?
We may collect personal information:
1. from you directly or from third parties in relation to the provision of services by Genmed
2. from third party providers who deliver services to support the operation of Genmed
3. from publicly available sources including analytics providers such as Google and social media channels such as Facebook, LinkedIn, Twitter, Instagram and You Tube (including where you reference Genmed in a public social media post), companies house and the electoral register
4. from third-party providers who have aggregated data where you have given your consent for the information to be used and shared with us or who have a legitimate interest to share your data with us
5. from you when you take part in marketing activities or where you have asked to receive our marketing materials
6. when you access our website, make an enquiry via our website enquiry form, send us feedback via our site and/or complete customer satisfaction surveys
Special categories of personal information
Certain categories of personal data are considered by the law to be “special categories of personal data” and are subject to additional safeguards. We do not process any such categories of personal data in connection with the relationship between us.
How do we use your personal information?
We will use the personal information in the provision of services, including for the necessary administration of the relationship with our customer (whether public or privately funded) and our suppliers (and prospective customers and suppliers), and to comply with requirements that we are required to undertake.
Our legal basis for processing personal information
When we use your personal information we are required to have a legal basis for doing so. There are various different legal bases on which we may rely, depending on what personal information we process and why. We will only use your personal information when the law allows us to.
Most commonly, we will use your personal information in the following circumstances:
1. contract: in performance of a contract (where our use of your personal information is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract); and/or
2. legal obligation: in compliance with a legal or regulatory obligation (where our use of personal information is necessary for us to comply with the law (not including contractual obligations)); and/or
3. legitimate interests: where our use of your personal information is necessary for our legitimate interests or those of a third party (unless there is good reason to protect your personal information which overrides our legitimate interests). We rely on this for activities such as our business records and developing and improving our products and services.
We may also use your personal data in the following situations, which are likely to be less common:
• vital interests: where our use of your personal information is necessary to protect your or someone’s life;
• public task: where our use of your personal information is necessary for us to perform a task in the public interest or for official purposes;
• consent: you have given us your consent to use your personal information for marketing purposes.
If we ask for your consent we will always aim to be clear and transparent about why we need your consent and what we are asking it for. Where we are relying on consent to use your personal data you have the right to withdraw it at any time by contacting our DPO (contact details found at the top of this document).
Purpose 1: entering in to and performing our contractual obligations – including submitting requests for proposals, negotiating contracts, placing orders, invoicing, settling invoices, updating SAP, emailing internally and externally, vetting third parties, dealing with complaints
Legal bases for using personal data:
1. Contract: we need to fulfil our contract with you for the provision of services
Purpose 2: Managing our business - maintaining business and accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax, financial, legal, or public relations advice), IT systems (e.g. document filing and storage, account management systems, growth management tools) and complying with legal or regulatory obligations
Legal bases for using personal data:
1. Legal obligation: to comply with our legal and regulatory obligations; and
2. Legitimate interests: for our legitimate business interest in manging our business operations, which does not overly prejudice you.
Purpose 3: providing improved quality services and conducting customer satisfaction surveys
We want to improve our services for our customers and will use your personal information to contact you to gather your thoughts.
Legal bases for using your personal data:
1. Legitimate interests: we need to use your personal data for our legitimate business interest which does not overly prejudice you.
Purpose 4: advising you of other services offered by Genmed (“Marketing”)
1. Legitimate interests: we need to use your personal data for our legitimate business interest in marketing our services to increase sales. Processing your data is necessary to achieve this as long as it does not overly prejudice you. You can object to us using your personal data for this purpose and we have to stop doing so. If you would like to object, please contact our DPO (contact details found at the top of this document); or
2. Consent: you have consented to receiving marketing from us.
We collect personal data in our contact relationship management system (if you give us a copy of your business card we will include your details on this system). As a business, we need to carry out marketing to our business contacts, but we will only send you information about products or services which may be of interest to you. This includes, but is not limited to, newsletters, news updates, product updates, articles, case studies and offers.
Personal data will be used to provide you with Marketing information that you ask for, or that we think are relevant to you. Marketing emails will be sent using Clevermail+ (a cloud-based solution that is hosted on a secure network, that is fully maintained, monitored and kept updated with your preferences). This marketing system is integrated into our website.
We may analyse what areas of information are of interest to you (e.g. surgery, pathology) or all so that we can better target the Marketing information that we provide. We record and retain your marketing preferences to help ensure that you only receive the marketing that you have confirmed that you wish to receive.
If at any time you no longer wish to receive marketing emails sent by us you can click on the “unsubscribe” link that appears in all our emails, otherwise you can contact the DPO to update your preferences.
We may also provide your personal data to market research agencies to collect your feedback which will be used to better develop products and services for you.
Some of the personal data which we process is collected directly from you, but in other circumstances it may be obtained under licence from a third party, for example the Public Sector Information (PSi) database which is owned by Public Sector Information Group Limited. This is a subscription based service providing business details of professional health contacts, NHS personnel, healthcare professionals and those working in the healthcare industry. When we obtain your personal data under licence from an organisation such as Public Sector Information Group Limited we do so on the understanding that they have confirmed that they have a legitimate interest in including your details on their database and have advised you that your data is being shared with organisations such as Genmed. Where we obtain your name from such a database we will contact you by email and ask you to confirm that you are happy to receive marketing information from Genmed. There are no pre-ticked boxes – everything requires you to opt-in and you will have the opportunity to opt out of receiving further marketing materials. If we do not hear from you, we will make contact with you by email on no more than three more occasions and if we still don’t hear anything from you, we will assume that you do not want to receive any marketing materials from us and we will remove you from our database.
If you are receiving emails that you do not feel are useful to you then simply click on the unsubscribe links or email the DPO and we will ensure that your preferences are up to date.
Who is my personal information shared with?
We will share your personal information with third parties where we are under a legal or regulatory obligation or where it is necessary to administer the working relationship with you.
We share your personal data with other companies in the Genmed group.
We may share personal information with:
1. third-parties as is necessary in the provision of our services (including customers, suppliers, framework providers)
2. third-party providers who deliver services to support the operation of Genmed including IT suppliers, web hosting and email delivery companies, auditors, lawyers, tax advisers, bankers, management consultants, marketing agencies, insurers, document management providers
3. third-party sponsors of sponsored events
4. NHS membership organisations
5. HM Revenue & Customs, regulators and other authorities and government bodies (including NHSE, NHSi and the Department of Health)
6. other NHS bodies (including NHS trusts), private hospitals or clinics
7. selected third-parties in connection with any sale, merger and transfer or disposal of our business or acquisition of another business.
In respect of all disclosures of personal information, we will only share the personal information which is necessary for the particular purpose for which it is provided, or where we have another legitimate interest in doing so, and we will ensure that the personal data is appropriately protected.
How long will you keep my data for?
We will keep personal data only for as long as is necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting or reporting requirements. Normally, our retention period for personal data collected for this purpose is a minimum of 6 years after the end of the period that we are providing services. Any personal data that we have from you solely for the purposes of your receiving Marketing information will not be used once you have asked us to stop providing these to you (except to the extent that it is necessary to stop you receiving the Marketing information).
It is very important that the personal information that we hold about you is accurate and current. Please tell us if your personal information changes during your relationship with us.
We have put in place appropriate physical, technological and organisational security measures to prevent your personal data from being accidentally lost, altered, disclosed used or accessed in an unauthorised way. In addition, we limit access to your personal data to those of our people and other third parties who have a business need to know it. They will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure. We have put in place procedures to deal with any suspected data security breach and will notify you and the ICO of a suspected breach where we are legally required to do so.
International data transfers
We (or third parties acting on our behalf (including suppliers) pursuant to the terms of contractual documentation with us) may store or process information that we collect about you in countries outside the European Economic Area ("EEA"). For example, we use growth management tool software (Align) which may capture a limited amount of personal data which is transferred to the USA. Personal data may be transferred outside of the EEA by data processors acting on our behalf. For example, our marketing emails which we send to you (using Clevermail+) involves data transfer to the USA. Where a transfer of your personal information is made outside of the EEA to countries not considered adequate by the European Commission, we will take the required steps to ensure that your personal data is adequately protected. This would include by use of the Standard Contractual Clauses or Binding Corporate Rules adopted by the European Commission to protect personal data.
Genmed is a business-to-business managed services and procurement group. Much of the data we collect and hold are business contacts that we send newsletters, news updates, product updates, articles, case studies and offers to you in compliance with The Privacy and Electronic Communications Regulations 2003 (PECR) rules.
Under certain circumstances, you have the right by law to request:
1. access to your personal data (commonly known as a “data subject access request”). This enables you to ask to receive a copy of the personal data that we hold about you and to check that we are lawfully processing it.
2. correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
3. erasure of your personal data. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)
4. object to processing of your personal data where we are relying on our legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you object, we can no longer process your information unless we can demonstrate legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. You also have the right to object where we are processing your personal information for direct marketing purposes.
5. restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
6. transfer of your personal data to another party.
Links from our website
Our website may, from time to time, contain links to and from the websites of third parties that we permit to make such links. If you follow a link to any of these websites, please note that these websites have their own privacy notices or policies and that we do not accept any responsibility or liability for these notices or policies. We recommend that you check these privacy notices or policies before you submit any personal data to these websites.