Strawberry Medical Limited – Privacy Policy May 2018

Introduction

The General Data Protection Regulation (GDPR) 2018 is a European Union (EU) wide set of standardised rules for the handling and storage of personal information within the EU. This will apply to anyone who is controlling the information of an EU citizen or processing it on their behalf, even if the processor or controller is based outside the EU.

This Privacy Statement tells you what information we may obtain and hold about you, how and why we collect it, and what we do with it, as well as who we share it with. It also sets out your various rights pertaining to your data. You should read this statement when you give us information, so you are aware of how and why we are using it. Please update us if any of the information supplied by you changes.

In pursuance of our business, we are committed to helping everyone concerned in our related processes to protect the privacy of their Personal Data or Sensitive Personal Data (includes health related data). Personal Data is any information that could, directly or indirectly, be linked to the identity of an individual person, who may also be referred to as a Data Subject.

Who we are and what we do

Strawberry Medical Limited (also referred to in this policy as ‘we’ or ‘us’) is a micro business, which supplies, provides and supports the fitting and maintenance of unique and innovative medical products for the treatment of human beings.

The data we may collect and hold (process) together with the reasons why

The various purposes for which it may be necessary for us to process your information include ‘Contractual performance’, ‘Legal obligation’, ‘Legitimate interest’ and ‘Consent’. The relevance of these terms is further explained in Table 1 below.

We collect personal information directly from patients who engage us without a formal referral, to administer or facilitate a course of treatment or when people engage or seek to engage in joint enterprise with us, seek to obtain employment with us or seek to discuss any aspect of a treatment or device with us. This contact could be in person, via a letter, telephone, text, email or via our website.

We collect personal information indirectly, when we are approached by a medical practitioner (or a person acting on their behalf), to whom you are already listed as a patient (public or private) and they ask us to provide medical equipment, specifically to treat an existing medical issue you have. They may also request that a Strawberry employee is booked to attend and advise during the fitting of that equipment.

We will never share your personal data or sensitive personal data with any third party unless it is necessary for the effective delivery of medical treatment to either you or a person for whom you are responsible, without your express itemised consent.

We do not knowingly collect personal data or sensitive personal data relating to child patients without the knowledge of their parent or guardian.

For your convenience, we have made an overview of what data we collect, who we collect it from, how we collect it, why we collect it and the basis for doing so. This appears below labelled Table 1.

TABLE 1 - Personal Information That We May Collect

| Data Subject | Personal Information Collected | Mode of Collection | Purpose |
| --- | --- | --- | --- |
| Patient - Indirect | Name, Age, Gender & Measurements | From Business i.e. Health Trust verbally or via email | To facilitate the correct supply of specific and necessary medical equipment and product support for which we have been contracted to deliver |
| Patient - Direct | Name, Address, Date of Birth, Gender & Measurements | Verbally, electronically, in writing or via our website | To discuss specification, installation, maintenance, effectiveness or performance monitoring of medical equipment or other contracted item or matter |
| Surgeon | Name, Email, mobile telephone | Verbally, electronically or via letter | To facilitate discussion about medical equipment or an operation pursuant to contract |
| Medical Service Practical Staff | Name, Email & telephone | Verbal or email from Subject, Website or their Internal Business Colleague | To discuss the logistics of delivery, use and return of medical equipment being pursuant to contract |
| Medical Service Point of Contact | Name, Email & Telephone | Verbal or email from Subject, Website or their Internal Business Colleague | To confirm the details of orders, delivery and return. To discuss timings and pursue late payment being pursuant to contract. |
| Private Business Associate | Name, Position held, Email, Personal Mobile & Business Landline | Verbal or email from Subject, Website or their Internal Business Colleague. | To discuss and negotiate business matters, including contractual details. |
| Strawberry Medical Staff | Name, Address, Mobile Telephone, Email, Current Bank Account | Employment Application Form and Payroll | To pay wages being pursuant to contract. Send Formal and Legal Notifications. Fulfil legal obligations. i.e. National Insurance and Pension Contributions |

Sharing Data with others

We will never share your personal data or sensitive personal data with any third party unless it is necessary for the effective delivery of medical treatment to either you or a person for whom you are responsible and you have given your consent for the treatment to take place. Where this sharing involves Sensitive Personal Data, it will only be done with your express written consent.

Please note that where we supply equipment with or without installation or maintenance support via a third party, we will seek to fulfil our contractual obligations by obtaining any personal data or sensitive personal data about you, in an anonymised or pseudonymised form.

Storage and Security of Data

Where we obtain Personal Information in respect of any person, it will be stored in a secure place, and protected by appropriate security measures, to prevent it from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Once stored, all Personal Information will only be accessed by Strawberry Medical staff, either by a Processor (User such as an Office Administrator) or the company appointed Data Controller (person who determines the purpose of gathering, holding and using personal data and the means of processing it) and Business Manager, Jason Hewitt. This access will only be for a lawful reason.

Data Security Breaches

In the event of any security breach occurring, which leads to the destruction, loss, alteration, unauthorised disclosure of or access to personal data, we are obliged by law to consider and, if appropriate, notify you without undue delay (if there is a high risk of the breach threatening your individual rights and freedoms) and the relevant supervisory authority of it within 72 hours of us becoming aware of it. Records of all breaches must be recorded and retained.

Period of Retention

We will only retain Personal Data or Sensitive Personal Data for as long as is necessary to fulfil the purpose(s) for which we collected it, including satisfying related short and long term health considerations of any patient or patients and any legal, accounting or reporting requirements. The legal requirements will include 7 years for all financial data and employees, 3 years in respect of health & safety matters and 6 months in respect of all applicants for employment who, ultimately, have not been successful in their quest. All Personal Data or Sensitive Personal Data retained by us will be the subject of at least an annual (if not shorter) review or ‘weeding process’ conducted by our ‘Data Controller’.

Selling Personal Data or Sensitive Personal Data

We will never sell or seek to sell any personal data or sensitive personal data of any person for marketing or any other reason.

Third Party Data Processors

Sometimes our business involves business partners, who provide products or services and require personal data or sensitive personal data to fulfil their contractual obligations effectively. These are defined as ‘Third Party Data Processors’. We acknowledge that as the Data Controllers, we are responsible for their ‘compliance’ (what they do with the data that we provide them with) together with the ‘guarantees’ we are obliged to require of them in respect of GDPR and the protection of the personal and sensitive personal data and rights of patients. This must be done using the form of a written guarantee. As ‘Processors’, they may also be liable to a sanction, if they fail to comply.

There are also occasions, when Strawberry Medical Limited itself acts as a ‘Third Party Data Processor’. When we do, we will respect our obligations, responsibilities and agree in writing to conform to any guarantees required by the ‘Data Controller’. As far as practicable, we will minimise the instances and volume of Personal Data or Sensitive Data we require. Where practicable, this will include the use of anonymised or pseudonymised data.

Marketing

We will never 'cold call' (make contact without prior formal consent and arrangement) by any mode, with anyone to sell or seek to sell our products.

However, we may still contact you if you are a health professional or acting on behalf of a health professional, who has previously used or shown an interest in our products or services.

The purpose of this contact will be to inform you about field related innovation, new developments or treatments.

Naturally, we may also highlight related innovation, new developments and alternative products during case related discussion, if it may be in the best interests of a patient to do so.

Should you wish us to cease contact, we will do so. All we ask is that you please activate the 'opt out' facility on our website.

Website and Cookies

Our website uses cookies. We may track and record which products are of interest to browsers, who the browsers are and how many times they visit our site.

A cookie is a small text file that is sent to your computer via your web browser when you visit a website. It enables us to recognise when you come back to the site so that we can tell how often you visit us and help us to retain information such as the most recent medical equipment you viewed. The information is not linked to your personal details. Some of these cookies are essential to make our site work and have already been set. Others help us improve by giving us some insight into how the site is being used or help to improve the experience of using our site.

Rights of Persons Whose Personal Data We Hold

Rectification - If we hold your Personal Data or Sensitive Personal Data, you have the right to request a correction to the detail if it is inaccurate or incomplete. However, we may need to verify the accuracy of any new data to satisfy a legal requirement or protect our business from being a victim of fraud.

Erasure - Persons whose Personal Data or Sensitive Personal Data we hold may also request that we erase some or all of their Personal Data or Sensitive Personal Data where there is no good reason for us to continue to retain it.

Withdrawal of Consent - Where persons have consented to us processing or holding their Personal Data or Sensitive Personal Data, they may withdraw that consent at any time. If this occurs, it will not affect the lawfulness of any processing that took place prior to that withdrawal.

The actual removal of any Personal Data or Sensitive Personal Data may not be instant, as any request for removal will require balancing with other legal requirements and due consideration in association with the law by our ‘Data Controller’, who may not be immediately available. It will be done as soon as practicable though.

Portability - Persons whose Personal Data or Sensitive Personal Data we hold, may request that we transfer their data to them or a third party that they nominate. If requested in electronic form, such transfers will be made in a structured, commonly used and machine readable format.

Copy of Information Held - Persons whose Personal Data or Sensitive Personal Data we hold may also request a copy of the data we hold on them (known as a ‘Data Subject Access Request’). Any such application should be made in writing to our ‘Data Controller’, Business Manager, Jason Hewitt, Strawberry Medical Limited, Unit 8, Wornal Park, Menmarsh Road, Worminghall, Buckinghamshire HP18 9PH.

No fee will usually be required for this service, unless an individual makes multiple or unreasonable applications, in which case a reasonable fee will be charged. Generally, we undertake to respond to ‘Data Subject Requests’ within one month. However, it may take longer if your request is particularly complex or you have made a number of requests. As part of the process, we may need to verify the identity of the applicant in order to ensure that there is no disclosure of Personal Data or Sensitive Personal Data to an unauthorised person. Any identification verification would require production of two forms of identity.

Complaints

In the event that you are dissatisfied with our actions or response to a request you have made to us, please contact our Business Manager, Jason Hewitt, in the first instance, with a view to reaching an amicable settlement. If you are still dissatisfied, you may wish to seek advice or formally complain to the Information Commissioner, Wycliffe House, Wilmslow, SK9 5AF.

Contact Details:

Strawberry Medical Ltd
Unit 8, Wornal Business Park
Menmarsh Road
Worminghall
Buckinghamshire HP18 9PH

Tel: 01525 229900

Fax: 01525 229150

cservices@strawberrymedical.com