Medex Research Ltd. - Respondent Privacy Notice - Nov 22 Version
This “Privacy Notice” sets out what data we collect, how we process it and who we may share it with and why. It also explains your rights with respect to the Personal Data that we may collect from you; that is data that identifies you as an individual or from which you may be identified.
The UK General Data Protection Regulation (UK GDPR):
On 31st December 2020 the EU General Data Protection Regulation (GDPR) was replaced by the UK GDPR which sits alongside an amended version of the Data Protection Act (DPA 2018).
On 28th June 2021 the UK was awarded “Adequacy Status” with the EU, allowing the two-way flow of information within the European Economic Area (EEA) until 27th June 2025 subject to regular review.
Since July 2020, when the Court of Justice of the European Union (CJEU) judgement in Schrems II invalidated the EU’s adequacy decision for the Privacy Shield, the UK and USA have been in technical discussions on a new UK adequacy arrangement. It is anticipated that this will be in place in Q2 2023. Until then, risk assessments will be carried out on any data transferred to or stored on US Servers and, where possible, we will ensure that it is pseudonymised.
The Person Responsible for Data Collection in the Company is the Data Controller:
Medex Research Ltd. complies with the UK GDPR and is registered as a ‘Data Controller’ with the Information Commissioner’s Office, Reg. No. ZB347899. You can check our details at the following link: https://ico.org.uk/ESDWebPages/Search
The Data Controller (DC) is Mrs. S Masson, Managing Director (MD) and she can be contacted as follows:
By Email: firstname.lastname@example.org or by Telephone: +44 (0)1243 790779
Or in writing to:
The Data Controller, Medex Research Ltd., 2 Chapel Street, Chichester, West Sussex, PO19 1BU, United Kingdom
“Medex Research Ltd” is committed to ensuring that your personal data is processed fairly and lawfully, is accurate, is kept securely and is retained for no longer than is necessary.
Medex Research Ltd. is a company dedicated to Medical Device & Diagnostic Market Research, running projects for Clients across the globe, and is trusted by some of the world’s leading healthcare companies.
Medex Research Ltd. works with an extensive Network of Healthcare Professionals worldwide to harvest their understanding and experience to deliver knowledge-based research.
Amongst our goals is a commitment to adopt:
- Data Security & Protection by Design
- Ethical Data Protection Principles for our Clients, Staff, Contractors & Respondents
Why do we need to hold and process your personal data?
Medex Research Ltd. processes personal data in order to fulfil its contractual obligations to its Clients and in some circumstances our Respondents.
The Lawful Bases we rely upon for processing data are as follows:
- Consent:
  - This basis applies to Respondents who complete our consent form for participation in research projects.
- Contract:
  - This applies to our Clients with whom we have a contract to conduct research projects.
  - It is also relevant to Respondents where we have entered into a Contract for specific services from them, usually for a specific project.
  - It applies to Staff.
- Legal Obligation:
  - This applies where the processing of data is necessary for us to comply with the law (but does not include contractual obligations). Examples include:
    - Compliance with Tax & Employment legislation
    - Requirements for maintaining financial records
- Vital Interests:
  - This is rarely used but is important in the protection and safeguarding of individuals. Examples of the reasons are:
    - Public interest in the areas of health.
    - Establishment, exercise or defence of legal claims, or whenever Courts are acting in their judicial capacity.
    - The protection of an individual.
    - Substantial public interest, based on law, which is proportionate in the circumstances and which provides measures to safeguard the fundamental rights and the interests of the Data Subject.
- Legitimate Interest:
  - Before using Legitimate Interest for any purpose we will always conduct a Legitimate Interest Assessment (LIA).
  - If data has been provided to us on the basis of “Consent”, then we apply Legitimate Interest to use that data for a wider range of purposes when it has been pseudonymised; this would not include personal data. In particular this may be for:
    - Further scientific or historical research
    - Statistical purposes
  - In any other circumstances, if we wish to change the purpose for which we obtained Consent to use your personal data, we will seek your agreement first.
Anonymisation & Pseudonymisation of Data:
It is our policy to apply Pseudonymisation techniques to data that Respondents have supplied to us under the basis of Consent. This provides:
- A higher degree of data security
- Reassurance for Respondents that they can express controversial or critical views without the data being directly attributable to them.
When we delete any potential link between data and the Data Subject, rendering it impossible to draw any link between individual(s) and a data set, that data becomes anonymised and is no longer subject to the UK GDPR or Data Protection Act 2018.
What sort of personal information could we be collecting about you or your organisation and processing?
Respondents - The categories of information that we collect, hold and process include:
- Personal information (such as name, address, phone number, email address, age profile).
- Current employment information.
- Professional Qualifications.
- Employment experience.
- Role / position within your Organisation.
- Your personal and professional views and opinions on matters surveyed.
- Details of papers or research published, where applicable.
Do we pass on or share your personal information with anyone else?
Medex Research Ltd. will never sell your personal data to a Third Party.
We will not give your personal information or details to anyone outside Medex Research Ltd., except as indicated below or unless we are required by the law to do so. Reports that we produce for our Clients based on your understanding, experience and opinion are pseudonymised before submission to protect the identity of Research Associates.
We use Third Party contractors to carry out certain functions. They are controlled by a Data Processing Agreement (DPA) which limits the extent to which they may use and process your data to the purposes that we require. These are:
- R & D Analysis – Extrapolate, tabulate and perform statistical analysis on data, producing substantive output for reports.
- Consultants contracted directly by Medex Research Ltd who undertake surveys on our behalf and who are governed by our Privacy Policies.
- MARCOM Computing – IT Contractor – Secure Back-up / Recovery Services – Advice on Data Security & Protection.
How long will we retain your data?
Some data such as records of financial transactions will be kept for seven years for audit and tax purposes.
Medex Research Ltd.'s principle is not to retain any data or personal information for longer than is necessary in relation to the purposes for which it was collected. We will always be driven by best practice to ensure that information will be held in accordance with the latest guidelines.
What are my rights regarding the data you hold about me?
Under UK GDPR you have significantly enhanced rights which include:
- Being informed of data processing (which is covered by this Privacy Notice).
- Accessing information that we hold on you (also known as a Subject Access Request (SAR)); in some circumstances there can be a charge for this.
- Having inaccuracies corrected promptly.
- Having information that we hold about you erased, except where there is a statutory or legal requirement for us to collect, process or hold it.
- Restricting processing of your data except where there is a contractual, statutory or legal requirement to process it.
- Data portability where relevant.
- Intervention in respect of automated decision making (automated decision making is not operated by PRPT).
- Withdrawing consent (see below). (Right to be forgotten).
- Complaining to the Information Commissioner’s Office (ICO) (See below).
Can I stop you holding and processing my data?
Withdrawal of Consent
Where Medex Research Ltd. processes personal data solely on the basis that you have consented to the processing, you will have the right to withdraw that consent.
Data which is processed to meet the requirements of the “Legal Obligation or Contract” bases and is proportionate and necessary in order to fulfil such obligations, or where we have a legitimate interest supported by an LIA, may not be subject to the withdrawal of consent.
To exercise any of these rights you must in the first instance contact the Data Controller (DC) in writing or by email at the addresses on Page 1.
If you are unhappy with the way your request has been handled, you may wish to ask for a review of the DC's decision by challenging it in writing within 28 days.
Complaints to the ICO
If you are not content with the outcome of the internal review, you may apply directly to the Information Commissioner’s Office for a decision. Generally the ICO cannot make a decision unless you have exhausted our internal review procedure. The Information Commissioner can be contacted at:
The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF