Privacy Statement
Last updated: 22 February 2022
1. Introduction
The Diaceutics Group respects your right to privacy and this privacy statement (this "Statement") sets out the basis on which we use, process, store and/or disclose Personal Data that we collect from you, from third parties or that you provide to us directly.
This Statement applies to a variety of situations – to enable you to find the information most relevant to you, we have provided summaries of the key information applicable to your situation in the "Audiences" section 2 below. Unless otherwise notified to you, Diaceutics PLC is the Controller of your Personal Data (with ICO registration number ZA504761).
A glossary of capitalized terms used in this Statement is set out in section 11. If you have any questions, comments or requests regarding the way your Personal Data is used or processed by the Diaceutics Group, please contact us at [email protected].
2. Audiences
This section sets out a summary of the key information applicable to you depending on the nature of your relationship with us, including the Personal Data we process, our reasons for doing so, the legal basis we rely on and any third parties we may share the information with.
Please note that these summaries should be read alongside the remaining sections of the Statement, as these provide additional information regarding our processing of your Personal Data and your rights as a data subject.
Visitors to our Website
What Personal Data do we collect about you? When you access our website (www.diaceutics.com), Personal Data will be collected from you directly and from third parties, including through the use of cookies. This includes information about (i) your device type, operating system, browser, IP address and other information derived from cookies used on the website (please see our Cookies Policy for further information); and (ii) details of your visits to the website such as traffic data, location data and other websites and resources provided by third parties that you access through our website (“Linked Websites”).
Why (and how) do we process your Personal Data? We use your Personal Data to enable your access to the website; to monitor, test and improve the effectiveness of the website; to monitor metrics such as the total number of visitors and traffic data; and to ensure the content on the website is presented in the most effective manner for you and your device.
What legal basis do we rely on for this processing? It is in our legitimate interests to provide you with access to our website and to collect and process your Personal Data for the purposes of improving and monitoring website efficiency and enhancing your use of our website. It is also necessary for the purposes of our legitimate interests to process your Personal Data to respond to any queries or requests submitted by you to us.
Who do we share your Personal Data with? We may share your Personal Data with advertising and analytics providers in accordance with our Cookie Policy. We may also share your Personal Data with the third parties set out in section 4 below.
Social Media Users
What Personal Data do we collect about you? We may receive information about you from social media platforms, such as Facebook, Twitter, LinkedIn and YouTube, when you make contact with us via such platforms. This is limited to information which you decide to provide such as your name and contact details, email address or telephone number.
Why (and how) do we process your Personal Data? We will only process your Personal Data to the extent necessary to respond to your query.
What legal basis do we rely on for this processing? It is necessary for the purposes of our legitimate interests to process your Personal Data to respond to any queries or requests submitted by you to us.
Who do we share your Personal Data with? We may share your Personal Data with the third parties set out in section 4 below.
Clients and Suppliers (existing and prospective)
What Personal Data do we collect about you? We collect and process your Personal Data:
Why (and how) do we process your Personal Data? We collect and process your Personal Data for the purposes of:
What legal basis do we rely on for this processing? Where you are a prospective client or supplier, we process your Personal Data mainly for the purpose of pursuing our legitimate interests. Where you are an existing client or supplier and we have an existing contractual relationship with you, we will process your Personal Data where necessary for the performance of your contract with us (and to fulfill any other legal or regulatory requirements to which we may be subject as a result). Where you are a client, we will only process your Special Category Data based on your explicit consent.
Who do we share your Personal Data with? In addition to the third parties set out at section 4 below, we will only share your Personal Data where necessary (and agreed between us) as part of the provision (or, the receipt) of the relevant services and deliverables by us (or, by you) including the potential provision or receipt thereof e.g., as part of your prospective or existing involvement with specified projects and collaborations (including via DXRX).
DXRX Users
What Personal Data do we collect about you? We collect the following Personal Data about you (please refer to the DXRX Terms for definitions of capitalized terms not defined in this Statement):
Why (and how) do we process your Personal Data?
What legal basis do we rely on for this processing? Where you hold an account in your own name, we will process your Personal Data where necessary for the performance of your contract with us. In other cases, we have a legitimate interest in administering, monitoring and improving the DXRX Network and communicating with users in relation to servicing and marketing.
Who do we share your Personal Data with? In addition to the third parties set out in section 4 below, we may transfer your Personal Data to a third party where we introduce you to a complimentary service, and may also share your Personal Data with advertising and analytics providers in accordance with our Cookie Policy.
Healthcare Professionals
What Personal Data do we collect about you? We collect and process your Personal Data:
The Personal Data we collect and process includes:
Why (and how) do we process your Personal Data? We collect and process your Personal Data for the purposes of:
What legal basis do we rely on for this processing? We process your Personal Data mainly for the purpose of pursuing our legitimate interests. Where you have entered into a contract with us, we will process your Personal Data where necessary for the performance of your contract with us.
Who do we share your Personal Data with? In addition to the third parties set out at section 4 below, we may disclose your Personal Data as follows: (a) if you provide Personal Data in response to surveys or as part of your involvement with specified projects and collaborations (including via DXRX), we may disclose this information to our customers (such as pharmaceutical or diagnostic companies) and laboratory partners as part of our market research and commercial initiatives; and/or (b) if you are a member of our advisory panel or similar role, we will publish biographical information on our website and in other publications to promote our commercial and other activities.
Patients
What Personal Data do we collect about you? We may obtain and process data relating to US-resident patients that have been de-identified to the standards mandated by the Health Insurance Portability and Accountability Act ("De-identified Data"). Diaceutics Group cannot identify any individuals from the De-identified Data, which is obtained from commercial and public sources in the US including diagnostics laboratories and publicly available government websites, and contains data relating to the general location of patients, their age, gender, and diagnostic testing and medical claims data.
Why (and how) do we process your Personal Data? We process De-identified Data for the purpose of conducting scientific research, including on a commercial basis and for the identification of anonymized insights and trends in the field of diagnostic medicine.
What legal basis do we rely on for this processing? We process De-identified Data as necessary to undertake scientific research in the public interest.
Who do we share your Personal Data with? In addition to the third parties set out at section 4 below, we may occasionally share De-identified Data with selected partners solely in the context of scientific research in the public interest.
Employment Candidates
What Personal Data do we collect about you? We will collect and process Personal Data that you provide to us as part of the application and recruitment process (either directly or via other platforms such as LinkedIn) which may include the following:
Why (and how) do we process your Personal Data? We will use your Personal Data only as necessary for us to conduct our recruitment processes – this may include: assessing your skills, qualifications, and suitability for the role; carrying out background and reference checks, where applicable; communicating with you about the recruitment process; keeping records related to our hiring processes; and complying with legal or regulatory requirements. We will use your Special Category Data in the following ways:
Other potential reasons for processing your Personal Data are listed at section 3 below.
What legal basis do we rely on for this processing? It is in our legitimate interests to assess your suitability for a role and to decide whether or not to enter into a contract of employment with you. We will only process Special Category Data where specifically mandated or permitted by applicable employment or other laws. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.
Who do we share your Personal Data with? We will only share your Personal Data where necessary as part of the assessment and recruitment process, such as with former employers, referees and background check providers, or to those other third parties set out in section 4 below.
Employees
This Statement does not apply to Diaceutics Group employees - please refer to the Diaceutics Employee Privacy Statement provided during the course of your employment.
3. Additional Purposes of Processing
3.1 In addition to the purposes set out in the relevant summaries above, we may also process Personal Data where necessary for the following purposes:
- to comply with legal obligations to which we are subject;
- to establish, investigate, exercise or defend or settle a legal claim;
- to pursue our legitimate interest or that of a third party, but only where such processing is necessary to achieve the relevant outcome and provided that it is not outweighed by a risk of harm to your interests, rights and freedoms. Examples include maintaining the security and safety of our products and services and preventing fraud and illegal activity; and/or
- in limited cases, we may also rely on your consent (in which case, we will provide additional information regarding the proposed purpose of processing) or where we need to protect the vital interests for you or someone else, or where it is necessary to do so in the public interest.
3.2 The Special Category Data that may be processed by us are set out in the relevant Audience summary applicable to you as set out at section 2 of this Statement. Where we process Special Category Data, it will be justified by a condition set out at section 3.1 above and also by one of the following additional conditions:
- in accordance with paragraph 10 of Schedule 1 of the UK’s Data Protection Act 2018 – for example where we seek to prevent or detect unlawful acts (e.g., fraud or antisocial behavior);
- where necessary to undertake scientific research in the public interest in accordance with Article 9(2)(j) GDPR and paragraph 10 of Schedule 1 of the UK’s Data Protection Act 2018;
- where necessary to protect the vital interests for you or someone else where you are physically or legally incapable of giving consent (for example in exceptional emergency situations, such as a medical emergency), or, where it is necessary to do so in the public interest; and/or
- the processing is otherwise permitted by applicable law, such as in relation to legal claims, or in limited cases, based on your explicit consent.
3.3 We will only use your Personal Data for the purpose for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your Personal Data without your knowledge, in compliance with the above rules, where this is required or permitted by law.
4. Sharing Personal Data with third parties
4.1 We will share Personal Data with the third parties as set out in the relevant Audience summary applicable to you as set out in section 2 above. We may also share your Personal Data with the following third parties:
- service providers that we appoint to act as Processors on our behalf - these may include providers of: IT services and infrastructure; data hosting; logistics; information security; marketing services and other services necessary for our business operations;
- professional advisors, such as law firms, accountants, auditors and consultants;
- public authorities, regulatory authorities and law enforcement agencies, and other third parties where necessary to comply with any applicable legal obligation, taxation requirement, court order, summons, search warrants or any other legal or regulatory obligation or request to which we are or may become subject;
- a potential or confirmed investor, purchaser, liquidator or administrator of a member of the Diaceutics Group;
- other members of the Diaceutics Group, to enable or support us in providing our services;
- legal authorities or enforcement bodies where disclosure is necessary to exercise, establish or defend the legal rights of Diaceutics Group; and/or,
- other companies and organizations to protect the rights, property or safety of the Diaceutics Group, our customers, or others, such as for the purposes of security, fraud protection and credit risk reduction.
5. Security
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed without authorization, or otherwise altered or disclosed. We limit access to your Personal Data to those employees, agents, and contractors who have a business need to know.
All our third-party service providers and members of the Diaceutics Group are required to take appropriate security measures to protect your Personal Data in line with our information security policies, and we only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
Although we take reasonable steps to protect the Personal Data you provide to us, the transmission of information via the internet is not completely secure, and we cannot guarantee the security of any information you transmit to us. Any such transmission is at your own risk. Once we have received your information, we use physical, electronic and procedural safeguards designed to prevent unauthorized access.
6. Data Export
Some of the entities with whom we may share your Personal Data (including members of the Diaceutics Group) are based outside the UK and/or the European Economic Area (“EEA”).
In accordance with the GDPR, whenever we transfer your Personal Data out of the UK and/or EEA, we ensure an equivalent degree of protection is afforded to it by ensuring appropriate safeguards have been implemented. If you would like further information on the specific safeguards used by us when transferring your Personal Data out of the UK and/or EEA, please contact [email protected].
7. Retention
We will only retain your Personal Data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements including applicable statutory limitation periods.
At the end of the applicable retention period, we will securely destroy your Personal Data. In some circumstances, we may anonymize your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
8. Profiling and automated decision making
We undertake some limited profiling where set out in the relevant summaries in section 2 above.
However, you will not be subject to decisions that have a significant impact on you based solely on automated decision-making.
9. Specific information and rights relevant to specific audiences
9.1 GDPR
The table below sets out the additional rights applicable to you where the GDPR applies to our processing of your Personal Data.
Right | Further Information |
---|---|
Right to be Informed | You have the right to know whether your Personal Data is being processed by us, how we use your Personal Data and your rights in relation to your Personal Data. |
Right of Access (“Data Subject Access Request”) | You have the right to request a copy of the Personal Data held by us about you and other information relating to the processing of your Personal Data. |
Right to Rectification | You have the right to request that we correct any incomplete or inaccurate information we hold about you, though we may need to verify the accuracy of the new data you provide to us. |
Right to Erasure | You have the right to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing or withdraw consent (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. |
Right to Restriction of Processing | You have the right to ask us to restrict processing your Personal Data in the following situations: where you contest the accuracy of your Personal Data; where the processing is unlawful, and you do not want us to delete your Personal Data; where we no longer need your Personal Data for the purposes of processing, but you require the data in relation to a legal claim; or, where you have objected to us processing your Personal Data pending verification as to whether or not our legitimate interests override your interests, or, in connection with legal proceedings. When you exercise this right, we may only store your Personal Data but will not further process it unless you consent, or the processing is necessary in relation to a legal claim or to protect the rights of another person or legal person or for reasons of important public interest. We will inform you before the processing restriction is lifted. Please note that this may potentially result in reduced services or availability, for example, in certain instances where you ask us not to process your Personal Data, you may not be able to use our website or DXRX services. |
Right to Data Portability | You may request us to provide you with your Personal Data which you have given us in a structured, commonly used and machine-readable format and you may request us to transmit your Personal Data directly to another Controller where this is technically feasible. This right only arises where we process your Personal Data on the legal bases of your consent or where it is necessary to perform our contract with you. |
Right to Object | You have a right to object at any time to the processing of your Personal Data where we process your Personal Data on the legal basis of pursuing our legitimate interests, or those of a third party. However, we may be able to demonstrate that we have compelling legitimate grounds to continue to process your information which override your objection. You also have the right to object where we are processing your Personal Data for direct marketing purposes. |
Right to Withdraw Consent | You can withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. |
You can exercise any of these rights, or request any additional information by submitting a request to [email protected] or by mail marked for the attention of Global Compliance Officer at: Diaceutics PLC, First Floor, Building Two, Dataworks at Kings Hall Health and Wellbeing Park, Belfast, Co Antrim, BT9 6GW.
We will provide you with information on any action taken upon your request in relation to any of these rights without undue delay and at the latest within one month of receiving your request. We may extend this by up to two months if necessary, however we will inform you if this arises.
Please note that we may ask you to verify your identity when you seek to exercise any of your data protection rights. We may also contact you to ask you for further information in relation to your request to speed up our response.
While we hope to be able to resolve any concerns you have about the way that we are processing your Personal Data, you have the right to lodge a complaint with a supervisory authority if you believe that your Personal Data has been processed in a way that does not comply with the Data Protection Legislation or have any wider concerns about our compliance. For the UK, you can lodge such a complaint with the Information Commissioner's Office (ICO) by calling the ICO helpline on 0303 123 1113 or via their website here.
9.2 CCPA
The California Consumer Privacy Act (CCPA) requires that we provide California residents with certain specific information about how we handle their Personal Information, whether collected online or offline. The table below sets out generally the categories of Personal Information about California residents that we collect, disclose and sell to others for a business purpose. We collect these categories of Personal Information from the sources and for the purposes explained in this Statement. Our collection, disclosure and use of Personal Information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident.
Categories of Personal Information | Do we collect? | Do we disclose for a business purpose(s)? | Do we sell? |
---|---|---|---|
Name, Contact Info and other Identifiers: identifiers such as a real name, alias, address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers. | Yes | Yes | No |
Customer Records: paper and electronic customer records containing Personal Information, such as name, signature, address, telephone number, education, current employment, employment history, bank account number, credit card number, debit card number, or any other financial or payment information. | Yes | Yes | No |
Protected Classifications: characteristics of protected classifications under California or federal law such as race, color, sex, age, religion, national origin, disability, citizenship status, and genetic information. | No | No | No |
Purchase History and Tendencies: commercial information including records of personal property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies. | No | No | No |
Biometric Information: physiological, biological or behavioral characteristics that can be used alone or in combination with each other to establish individual identity, including DNA, imagery of the iris, retina, fingerprint, faceprint, hand, palm, vein patterns, and voice recordings, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. | No | No | No |
Usage Data: internet or other electronic network activity information, including, but not limited to, browsing history, clickstream data, search history, and information regarding a resident’s interaction with an internet website, application, or advertisement, as well as access logs and other activity information related to your use of any company websites, applications or other online services. | No | No | No |
Geolocation Data: precise geographic location information about a particular individual or device. | No | No | No |
Audio, Video and other Electronic Data: audio, electronic, visual, thermal, olfactory, or similar information such as, CCTV footage, photographs, and call recordings and other audio recording (e.g., recorded meetings and webinars). | Yes | Yes | No |
Employment History: professional or employment-related information. | Yes | Yes | No |
Education Information: information about education history or background that is not publicly available personally identifiable information as defined in the federal Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99). | No | No | No |
Profiles and Inferences: inferences drawn from any of the information identified above to create a profile reflecting a resident’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | No | No | No |
Residents of California also have the following rights:
- Do-Not-Sell. California residents have the right to opt-out of the sale of their Personal Information. We will only share your Personal Information with advertising and analytics providers where you have consented to this in accordance with our Cookie Policy – you can opt out again at any time via our cookie preference tool.
- Notice at Collection. At or before the point of collection, notice must be provided to California residents of the categories of Personal Information collected and the purposes for which such information is used.
- Verifiable Requests to Delete & Requests to Know. Subject to certain exceptions, California residents have the right to make the following requests, at no charge:
Request to Delete: California residents have the right to request deletion of their Personal Information that we have collected about them and to have such Personal Information deleted, except where an exemption applies.
Request to Know: California residents have the right to request and, subject to certain exemptions, receive a copy of the specific pieces of Personal Information that we have collected about them in the prior 12 months and to have this delivered, free of charge, either (a) by mail or (b) electronically in a portable (and, to the extent technically feasible, readily useable) format that allows the individual to transmit this information to another entity without hindrance.
California residents also have the right to request that we provide them with certain information about how we have handled their Personal Information in the prior 12 months, including the:
- categories of Personal Information collected;
- categories of sources of Personal Information;
- business and/or commercial purposes for collecting and selling their Personal Information;
- categories of third parties with whom we have disclosed or shared their Personal Information;
- categories of Personal Information that we have disclosed or shared with a third party for a business purpose; and
- categories of third parties to whom the residents’ Personal Information has been sold and the specific categories of Personal Information sold to each category of third party.
California residents may make Requests to Know up to twice every 12 months.
- Submitting Requests. Requests to Know, and Requests to Delete may be submitted by emailing us at [email protected] or by mail marked for the attention of Global Compliance Officer at: Diaceutics PLC, First Floor, Building Two, Dataworks at Kings Hall Life Sciences Park, Belfast, Co Antrim, BT9 6GW. We will respond to verifiable requests received from California residents as required by law.
- Right to Non-Discrimination. The CCPA prohibits discrimination against California residents for exercising their rights under the CCPA.
10. Changes
If we amend this Statement, in whole or part, any changes will be posted on our website, and we will take reasonable steps to bring this to your attention where appropriate.
11. Definitions and Interpretations
CCPA: means the California Consumer Privacy Act of 2018 (CCPA);
Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data (Article 4(7) GDPR);
Data Protection Legislation: means, as applicable, any law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution, to the extent applicable to either Party relating to data security, data protection and/or privacy, including (amongst others) the General Data Protection Regulation and the Data Protection Act 2018;
Diaceutics Group: means Diaceutics Plc and all of its subsidiaries from time to time, including:
Diaceutics Inc.
Diaceutics Ireland Ltd.
Diaceutics Pte. Ltd.
Diaceutics Pte. Ltd. - Japan branch
Diaceutics Pte. Ltd. - South Korea branch
Diaceutics Precision Medicine Technology (Guangzhou) Ltd.
EEA: refers to the European Economic Area which consists of all EU member states, plus Norway, Iceland, Liechtenstein;
Electronic Mail: includes but is not limited to email, text, video, voicemail, picture and answerphone messages (including push notifications and in-platform notifications);
General Data Protection Regulation or GDPR: includes the General Data Protection Regulation (EU) 2016/679 implemented in the EU (EU GDPR) and also includes (where appropriate) reference to the version of the GDPR implemented in the United Kingdom (UK GDPR);
Personal Data: under the GDPR, this refers to any information relating to an identified or identifiable natural person ("data subject");
Personal Information: defined by the CCPA to refer to any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. It does not include publicly available data as defined by the CCPA.
Processor: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller (Article 4(8) GDPR); and
Special Category Data: means Personal Data revealing the following: political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; data concerning a person’s sex life; and data concerning a person’s sexual orientation.