1. Our details
For the purposes of our business we are the data controller.
In respect of processing that we undertake on behalf of our clients we are the data processor and our client is the data controller who determines the purpose and means of the processing of personal data which they provide us with. There may be instances where we are a joint data controller with our client.
2. How we use your information
The following sections set out why we are processing your information, what information we collect, the legal basis for and duration of our processing of your information and (if applicable) who your information will be shared with and where those recipients are based.
Which information do we process and for what purpose?
We process the following information from you:
- Information you give us. Information that you provide by filling in forms on our site prema.co.uk (our site). This includes information you provide when you register to use our site, request marketing information, use our online chat feature, enter a competition, promotion or survey and when you report a problem with our site. The information you give us may include your name, address, company name, email address, date of birth and phone number.
- Details of Your Visit to our Website. We collect non-personally identifying information of the sort that web browsers and servers typically make available. This includes, but is not limited to, traffic data, location data, weblogs and records of how you navigate the pages on our site and how you interact with the pages.
- IP addresses. We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.
We process information you give us and that we collect about you for the following purposes:
- To ensure that content from our site is presented in the most effective manner for you and for your computer.
- To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
- To carry out our obligations arising from any contracts entered into between you and us.
- To allow you to participate in interactive features of our service, when you choose to do so.
- To notify you about changes to our service.
What are the grounds for processing your information?
We are processing your data on the following ground(s):
- you have previously given your consent to us processing your data for the purposes stated in section 2.2, above; and/or
- the processing is necessary for achieving our legitimate interest in respect of the goods or services you have requested or purchased. In accordance with data protection law, we have carefully weighed your interests and fundamental rights and freedoms against our interest to process your information and are satisfied that we are justified in processing your information for this purpose.
- for the fulfilment of a contract under GDPR Article 6.1(b)
- processing health and social care data under GDPR Article 9.2(h)
Duration and further processing
We will regularly review the personal data which we are holding about you, and will delete it as appropriate. We will store your personal data for no longer than is necessary for us to fulfil the purpose for which it was obtained and for which consent was given, provided that we have a reasonable commercial case for doing so.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Who is your information shared with?
We may share your information with other partner organisations if this is required, and we will apply very strong controls. The organisations with whom we currently share data include:
- Partner Private Hospitals
- Electronic Records Management Provider
- Invoice & Billing Partner
- Referring specialists/Opticians
- NHS Trusts
The above list is not exhaustive, and we may contract with other external organisations to undertake processing of your personal information. These third-party organisations will abide by our stringent contractual conditions regarding the protection of personal data. In some cases, you will be requested to provide positive consent if we intend to share your personal details with other organisations.
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If prema Ltd or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
We will not share your personal information with or sell it to third-party marketers.
We may use the following third-party service providers named below to process and store your data:
The data that we collect from you will not be transferred to or stored at a destination outside the European Economic Area (“EEA”) without your prior consent.
Automated decision making
As part of our practice management software, your data may be subject to automated processing in order to generate letters and email communications relating to your treatment and aftercare. This is carried out under our legitimate interest in doing so in order to complete any obligations under contracts or services entered into by you with us.
Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmission to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
3. Your rights
Under data protection law you have the following rights:
- the right to be informed as to what we do with your information. This includes but is not limited to the right to know what information we gather, process and store, what we do with it, who we share it with and how long we keep it for;
- if we are processing your data on the basis of your consent then you have the right to withdraw that consent at any time. Consent can be withdrawn by notifying us using the details set out in section 8 below. The lawfulness of our historic processing based on your consent will not be retrospectively affected by your withdrawal of consent;
- the right to access a copy of your information which we hold. This is called a ‘subject access request’. Additional details on how to exercise this right are set out in section 5, below;
- the right to object to processing of your information where it is likely to cause or is causing damage or distress. You can notify us of your objection to us processing your personal data using the contact details set out in section 8;
- the right to prevent us processing your information for direct marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us using the details set out in section 8, below;
- the right to object to decisions being made about you by automated means. We will inform you if your information is subject to automated processing;
- the right, in certain circumstances, to have your information rectified, blocked, erased or destroyed if it is inaccurate;
- the right, in certain circumstances, to claim compensation for damages caused by us breaching data protection law;
- enhanced rights to request that we erase, rectify, cease processing and/or delete your information; and
- in certain circumstances, the right to request the information we hold on you in a machine readable format so that you can transfer it to other services. This right is called ‘data portability’. Additional details on how to exercise this right are set out in section 5, below.
We use “cookies” to gather statistical information that helps us understand what users find interesting and useful on our website. Users can decline the cookies by adjusting the “accept cookies” setting on their browser; however, this may affect the functionality of the website. We do not use this code to collect any personally identifiable information.
3rd Party Cookies
We use this to understand how the site is being used in order to improve the user experience. User data is all anonymous. You can find out more about Google’s position on privacy as regards its analytics service here
5. Access to information
You have the right to access information held about you by making a written request to us. You must send us proof of your identity, or proof of authority if making the request on behalf of someone else, before we can supply the information to you. Requests should be sent to firstname.lastname@example.org. In certain circumstances, you will be entitled to receive the information in a structured, commonly used and machine readable form.
We will be allowed to charge you for our reasonable administrative costs in collating and providing you with details of the requested information which we hold about you, if your request is clearly unfounded or excessive.
You have the general right to complain to us (in the first instance) and to the Information Commissioner’s Office (if you are not satisfied by our response) if you have any concerns about how we hold and process your information. Our contact details are set out in section 8, below. The Information Commissioner’s Office website.