Privacy Policy
1 Introduction
MedAccess values your privacy. The purpose of this privacy notice (the notice) is to inform you as to how your personal data is collected and used, when it is processed by or on behalf of MedAccess Guarantee Ltd and its affiliated companies (hereinafter together referred to as MedAccess). This notice also tells you about how your personal data is protected and what privacy rights you have.
The policy describes how we process personal data, which personal data we collect and why we collect it, with whom we share this personal data, how we protect it, and the choices you can make about how we use your personal data. This policy applies to any personal data collected, held or processed by or on behalf of MedAccess.
The scope of this policy also includes all the websites, applications, mobile sites, and social media platforms that are owned by MedAccess, where personal data is processed.
Please check this policy periodically at www.medaccess.org/privacy-policy to inform yourself of any changes.
2 The types of information we collect
When you interact with us or our website, we may collect, use, store and transfer different kinds of personal data about you. Generally speaking, we will collect the following categories of information relating to you and/or your use of our services.
a. identity and contact information – such as name, email address, telephone number, identification/KYC documents;
b. events data – this may include information necessary to coordinate your booking or attendance, or photos or recordings taken at our events;
c. website usage – if you use our website we will typically collect certain technical data including your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other details about the devices you use to access this website;
d. marketing and communications preferences – if you have consented to us sending you marketing communications;
e. communications with you – if you contact us, we will typically keep a record of that correspondence;
f. information relating to the recruitment processes – such as information contained in your application, references, assessments, offer documentation and associated documents;
g. information relating to transactions – such as information contained in or relating to your proposal and supporting documents;
3 The legal bases we rely upon to process your personal data
We set out below the purposes for which we use the personal data that we collect about you, with the legal basis that we rely upon for its use.
The “legal bases” are set out in data protection laws: they allow companies to process personal data only when the processing is permitted by the specific “legal basis” set out in law. These grounds include:
- Consent: where you have consented to our use of your information.
- Contract performance: where your information is necessary to enter into or perform our contract with you (or to take steps at your request before entering into such a contract).
- Legal obligation: where we need to use your information to comply with our legal and regulatory obligations.
- Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
- Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.
We have identified the relevant legal bases for each type of processing activity in Section 3. However, in summary, we generally rely on our legitimate interests to process your personal data in connection with our ongoing relationship with you and the fulfilment of the processing purposes identified in this notice. We may however process your personal data when:
- it is necessary to enter into or perform a contract with you;
- we are subject to a legal obligation to do so; or
- we are required to collect your consent for a processing activity.
To the extent that we rely upon your consent (for example where required for processing special category personal data, sending marketing communications or cookie placement purposes) as the legal basis under which we process your personal data, you are entitled to withdraw your consent, at any time. Please contact us if you want to do so.
4 How we collect and use your information
4.1 Visitors to our website
We collect IP addresses, cookies and moments of connection from visitors to our websites. These are analysed by Google Analytics, which collects standard internet log information and details of visitor behaviour patterns. We do this to identify the number of visitors to the various sections of the site. This information is not used to identify anyone. Neither MedAccess nor Google makes any attempt to discover the identities of visitors to our website. For further information about our use of cookies, please consult our cookie policy.
Legal basis: your consent (for the use of cookies) and our legitimate interests (to allow us to improve our services)
4.1.1 Newsletter
We will collect your name and email address if you choose to subscribe to our newsletter. We use a third-party provider, Mailchimp, to deliver our monthly e-newsletters. For more information, please see:
We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.
4.1.2 General enquiries
When you submit an enquiry, we will collect your email address and comments. We will also collect your first name, surname, company name and phone number if you choose to provide them.
Where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
Legal basis: contract performance and our legitimate interests (to enable us to perform our obligations and respond to your enquiries)
4.1.3 Events
The name and email that you provide will be used to process your event booking. We may also use it to contact you via a third-party events management website regarding your booking. We may also contact you to undertake post-event evaluation if you choose to participate in this.
Legal basis: contract performance and our legitimate interests (to allow us to improve our services)
4.1.4 Response to Calls for Expression of Interest or Request for Proposal (RfP)
When you submit an Expression of Interest (EOI) or a proposal in response to an RfP, we will collect your first name, surname, email address, comments and any attached documents you choose to provide us with. We will only use the information supplied to us to review the EOI or the response to RfP, to interact with the submitter throughout the review process, and to provide a final response. We may share your personal data with our partners, specifically mentioned in the Call or RfP.
Legal basis: contract performance and our legitimate interests (to assess whether you are an appropriate partner for us)
4.1.5 People who email us
When you send an email to us, we may collect your IP address, email address and other data you have provided within the email or attachments. The information will only be used to address the purposes of your request. It will be recorded in our email and email security systems.
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with security best practices. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
4.1.6 People who call our contact points
When you call MedAccess, we collect Calling Line Identification (CLI) information which may include your telephone number. We use this information to help improve our efficiency and effectiveness. We do not record phone conversations.
4.1.7 People who participate in our surveys
We may contact you to participate in optional surveys from time to time. We will only do this if we have your consent or another lawful basis to do so. We may use a third-party online survey provider to deliver, manage and produce reports relating to the survey. We may collect names, contact details and other information relevant to the survey. We will be transparent when we collect personal data through our surveys, will explain the purposes for which we are collecting it and will only collect the minimum amount of information required for the purposes of the particular survey.
Legal basis: your consent and our legitimate interests (to allow us to improve our services)
4.1.8 People who may make a complaint to us
If we receive a complaint from a person we create a file containing the details of the complaint. This normally contains the identity (name, contact details, address) of the person making the complaint and any other individuals involved in the complaint.
We will only use the personal information we collect to handle the complaint and to check on the level of service we provide.
We may have to disclose the identity of the person who submitted the complaint to whoever the complaint is about.
If the person who submitted the complaint doesn’t want information identifying them to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our record and retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Legal basis: complying with our legal obligations and our legitimate interests (to allow us to improve our services)
4.1.9 Identity data and verification of identity
In some instances, we will need to verify your identity (e.g. access requests, know your customer (KYC), for other screening purposes, visiting our premises). We will always be transparent and explain the purposes for collecting identity data from you prior to processing.
Identity data can include: IDs assigned by us, passport, driving licence, or a copy of ID (passport, driver’s licence or comparable identity document), utility bills.
This data will only be used for verification of identity relating to the purposes it was requested for. When visiting our premises, we may be required to share your data with our building manager for the purpose of granting access.
Legal basis: contract performance and complying with our legal obligations
4.1.10 Use of personal data for direct communication purposes
A. Stakeholder communications
We will only use your personal data to send out stakeholder communications via electronic means (e.g. email, SMS or MMS) if we have obtained your prior consent or have another lawful basis to do so. You can withdraw your consent or object to stakeholder communications at any point in time, by following the unsubscribe instructions included in the communications or by contacting the DPO at [email protected]
Legal basis: your consent or our legitimate interests (to contact you about our updates within our business)
B. Our relationship with you
We will use your personal data to send you service communications via electronic means (e.g. email, SMS or MMS) that are necessary for us to fulfil our contract with you and provide you with our services. If you object to receiving these service communications, it may prevent us from providing our services to you.
4.1.11 Photos and videos at MedAccess events
At special events organised by MedAccess we may take photos and videos of you. This includes image recordings such as films, photographs, video recordings, digital photos. We will provide notice to you of this fact at each MedAccess event and provide you with the opportunity both prior to the event to opt-out of any photos and videos taken by us and after the event to not be featured in any of MedAccess’ online content, social media, films, marketing and/or press releases. If you do not wish to be photographed or filmed at any MedAccess event, please notify us prior to the event by emailing [email protected].
Legal basis: your consent
4.1.12 Personal data collected through the recruitment process
We will collect various information from you through our recruitment process. We will control and process all such personal data in accordance with the candidate privacy notice provided to you prior to initiation of the recruitment process.
5 Other Uses
In addition to the above MedAccess may collect and process your information where we have obtained your consent or another lawful basis to do so, including:
- Accounts: including keeping accounts relating to any business and activity carried out by MedAccess and keeping records of purchases, sales and transactions;
- Safety and security: any method, system or process used by MedAccess to protect its physical and intellectual property, to protect its economic and financial interests and to protect the integrity of its directors, employees, partners, clients and stakeholders.
- IT support and development: including processing as part of security event logging and monitoring of systems, business continuity planning and disaster recovery.
- Compliance and legal claims: including ensuring compliance with legal obligations or establishing, exercising or defending legal claims;
- Scientific, historical and statistical research: including the collection and processing of personal data for statistical surveys (or necessary to reach statistical results), analysing earlier events, and establishing patterns and rules of conduct;
- Mergers and acquisitions: To prepare for and carry out a merger, take-over, transfer of an undertaking, transfer of assets or any other type of corporate transaction; and
- Any other purpose described and communicated to you prior to using your personal data for such other purpose.
MedAccess will only process your personal data to achieve the purposes it was collected for, or for any other legitimate and lawful purpose.
MedAccess will notify the processing of personal data to the relevant authorities to the extent required under all applicable data protection laws and regulations.
6 Accurate data
It is important for us to maintain accurate and up to date records of your personal data. Please inform us of any changes to or errors in your personal data as soon as possible by contacting the DPO at [email protected]
We will take reasonable steps to make sure that any inaccurate or out-of-date data is deleted, destroyed or amended accordingly.
7 Timely processing
We shall retain your personal data in a manner consistent with the applicable data protection laws and regulations. We will only retain your personal data for as long as necessary to comply with the applicable laws and regulations or for the purposes for which we process your personal data. For guidance on how long certain personal data is likely to be kept before being destroyed, please contact the DPO at [email protected]
8 Data Security
- Confidentiality: we will protect your personal data from unauthorised disclosure to third parties.
- Integrity: we will protect your personal data from being modified by unauthorised third parties.
- Availability: we will ensure that authorised parties are able to access your personal data when needed.
9 Data Protection Officer
MedAccess has taken the decision to appoint a DPO to monitor compliance, inform and advise on our data protection obligations and to act as a contact point for data subjects and the supervisory authority. The designated DPO for MedAccess and their contact information is as follows:
Jonathan Hutchins
MedAccess Guarantee Ltd
84 Eccleston Square
London
SW1V 1PX
[email protected]
If you have a query in relation to this policy or our processing of your personal data, you can contact the DPO.
10 Disclosure of personal data
10.1 Categories of recipients
For the above-mentioned purposes, we may disclose your personal data to the following categories of recipients:
- Authorised staff members of MedAccess;
- Corporate affiliates of MedAccess;
- Our communication agencies: to help us deliver and analyse the effectiveness of our communications;
- Business partners: trusted companies that may use your personal data to provide you with the services and/or the information you requested and/or that may provide you with communications (if you have consented to receiving them). We ask such companies to always act in compliance with applicable laws and this privacy policy and to pay close attention to the confidentiality of your personal data.
10.2 Service providers
Service providers are a core part of our IT, communications and business strategy. MedAccess may share your personal data with external providers of IT related services and communication agencies.
A full list of service providers can be provided upon request.
10.3 Other parties when required by law or as necessary to protect MedAccess
MedAccess may share your personal data with other third parties:
- to comply with the law, regulatory requests, court orders, subpoena, or legal process;
- to verify or enforce compliance with MedAccess policies and agreements; and
- to protect the rights, property or safety of MedAccess and/or its clients.
10.4 Other parties in connection with corporate transactions
MedAccess may share your personal data with other third parties in the context of a divestiture of all or a portion of its business, or otherwise in connection with a merger, consolidation, change in control, reorganisation or liquidation of all or part of MedAccess business.
10.5 Other parties with your consent or upon your instruction
MedAccess may share your personal data with:
- Third parties when you consent to or request such sharing; and
- Any other third party communicated to you by MedAccess prior to sharing your personal data with that third party.
11 Use of social networks
MedAccess sometimes facilitates the publication of (personal) data via social media such as Twitter and LinkedIn. These social media have their own terms of use which you are required to consider and observe if you make use of them. Publication on social media may have (undesired) consequences, including for your privacy or that of persons whose data you share, such as the impossibility of withdrawing publication in the short term. You must estimate these consequences yourself, for you are taking the decision about the publication on these media. MedAccess does not accept any responsibility in that regard.
12 Disclosures outside the UK
Your personal data may be transferred to any of the recipients identified in this policy, some of which may be outside the UK and may be processed by us and any of these recipients in any country worldwide. The countries to which your personal data is transferred may not offer an adequate level of protection. In connection with any transfer of personal data to countries that do not offer the same level of protection as in the UK, MedAccess shall implement appropriate measures to ensure an adequate level of protection of your personal data.
13 Your choices and your rights
We want to be as transparent as possible with you, so that you can make meaningful choices about how you want us to use your information. We can contact you by post and by phone, and if you give us your prior consent to do so, by email, SMS and other electronic means.
13.1 Your choices
You can make a variety of choices about how you want to be contacted by us, through which channel (e.g. email, mail, social media, etc.), for which purpose and how frequently, by contacting [email protected] or by following the unsubscribe instructions included in the communication. Please note, if we have an ongoing relationship with you, you may continue to receive marketing communications from us. You have the right to object to receiving these communications (other than essential service communications) at any time.
13.2 Your rights
You have rights (with some exceptions and restrictions) to:
13.2.1 Access to your personal information
You may always contact us by post or email to find out what personal information we have concerning you, the origin of the data and to access or receive a copy of your data. If you make this kind of request and we hold personal data about you, we are required to provide you with information on it, including a description and copy of the personal data and why we are processing it;
13.2.2 Request restricted processing
You can request the restriction of our processing of your personal data in some situations. If you request this, we can continue to store your personal data but are restricted from processing it while the restriction is in place;
13.2.3 Corrections
If you find any mistake in your personal information or if you find it incomplete or incorrect, you can request that we correct it or complete it.
13.2.4 Objections
You may object to our processing of your personal data, including profiling, and also object to the use of your data for direct marketing purposes (if you prefer, you can also advise us on which channel and how frequently you prefer to be contacted by us). You can object, on grounds relating to your particular situation, at any time. In each case, we shall stop processing the data that your objection relates to, unless we can show compelling legitimate grounds to continue that processing.
13.2.5 Portability of your personal information
You may request a copy of your personal data from us in a structured, commonly used and machine-readable format. You can also request that we transfer your personal data to another controller.
13.2.6 Erasure
You may request for us to erase any data concerning you (except in some cases, for example, where we are required to retain the data by law).
13.2.7 Complaints
You can complain to your local data protection authority or seek a judicial remedy from your national court about our collection or use of your personal data. For example, in the UK, the local data protection authority is the UK Information Commissioner’s Office, although we would like the prior opportunity to respond to any complaint.
If you choose to exercise the rights described above, we may ask you to provide additional information so that we can satisfy ourselves as to your identity before we take further action.
If you would like to exercise any of these rights in relation to any information that we hold about you, please contact us. Our contact details can be found in section 14 of this Notice. We will consider and respond to your request in accordance with the relevant law.
14 Contact
For any privacy issues, questions or complaints concerning the application of this policy or to exercise your rights within the context of this policy, you may contact our DPO at [email protected]
Alternatively, you may write to us:
MedAccess Guarantee Ltd
84 Eccleston Square
London
SW1V 1PX
United Kingdom
15 Definitions
In this Definitions section, we explain some of the terminology used in this notice.
- MedAccess means MedAccess Guarantee Ltd & its affiliated companies.
- Controller means the organisation which determines the purposes for which, and the way, any personal data is processed. For the purposes of this notice, the controller(s) is MedAccess.
- Data Protection Officer or DPO means the data protection officer appointed by MedAccess.
- Data subjects means all individuals about whom MedAccess holds personal data.
- Personal data is any data relating to a living individual which allows the individual to be identified, whether from the data alone, or in combination with other information.
- Processing means any operation or set of operations which is performed upon personal data, such as the collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.
- Processor means the individual and/or organisation which processes personal data on behalf of the Controller.
- Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health, sexual orientation or sex life. Special provisions apply to the processing of sensitive personal data.