P1vital Limited and P1vital Products Limited (“P1vital”) – Privacy Notice
INTRODUCTION AND PURPOSE OF THIS PRIVACY NOTICE
Welcome to P1vital’s privacy notice.
P1vital respects your privacy and is committed to protecting your personal data.
This privacy notice tells you what to expect when P1vital collects personal information and is intended to inform you about your privacy rights and how the law protects you. It applies to information we collect about:
- visitors to our websites;
- healthcare sector clients, suppliers, contractors and other business associates;
- study participants involved in P1vital or client sponsored clinical research studies where such study participants will also have provided their express consent under a Patient Information Sheet or equivalent form of notice;
- patients and healthcare providers who use our technologies in a healthcare setting or in a research study;
- GENERAL INFORMATION
The P1vital Group is currently made up of two separate legal entities, P1vital Limited and P1vital Products Limited. P1vital Limited is a company incorporated and registered in England and Wales with company number 5268536 and P1vital Products Limited is a company incorporated and registered in England and Wales with company number 7417662. The registered office and address of both P1vital entities is Manor House, Howbery Park, Wallingford, Oxfordshire, OX10 8BA. This privacy notice is issued on behalf of the P1vital Group so when we mention P1vital, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in the P1vital Group responsible for processing your data. We will let you know which entity will be the controller for your personal data at the point that we collect it.
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
DPO contact details (these contact details should be used if you are contacting P1vital and are based in the United Kingdom or outside of European Union (EU) and European Economic Area (EEA)):
- P1vital Limited and P1vital Products Limited
- Email address: email@example.com
- Postal address: Manor House, Howbery Park, Wallingford, Oxfordshire, OX10 8BA
- Telephone number: +44 (0)1865 522030
As we process personal data of individuals in the EU and EEA but do not have an establishment in the EU or EEA, we have appointed DataRep as our Data Protection Representative (DPR) under General Data Protection Regulations (GDPR) Article 27.
If we have processed or are processing your personal data, you may be entitled to exercise your rights under GDPR in respect of that personal data. You may address DataRep if you are located in the EU and want to raise a question, or otherwise exercise your rights in respect of your personal data using details set out below:
DPR contact details (these contact details should be used if you are contacting P1vital and are based in the EU and EEA):
- Name of DPR: DataRep
- Email address: firstname.lastname@example.org (send an email quoting ‘P1vital’ in the subject line)
- Postal address: click below to contact DataRep directly at the most convenient of their addresses
If you have any concerns over how DataRep will handle the personal data they will require to undertake their services, please refer to their privacy notice at www.datarep.com/privacy-policy.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
2. THE DATA WE COLLECT ABOUT YOU
What personal data do we collect?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data including, but not limited to, first name, last name, username or similar identifier, marital status, title, date of birth, gender.
- Contact Data including, but not limited to, address, email address, telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Data includesyour username and password, preferences, feedback, study and test responses.
- Usage Data includes information about how you use our website and services
- Sensitive Data includes health information and personal information about your employment record and other sensitive details pertaining to your personal history and preferences.
- Marketing and Communications includes, where we elect to communicate with you for marketing purposes in your capacity as a healthcare sector client, supplier, contractor or other business associate, information on your communication preferences. If we do send you marketing emails you will always be able to unsubscribe.
As a medical device and health research company we do sometimes collect and process Sensitive Data about you (this includes information about your health). When we do this we will always obtain your express, informed consent usually by way of a Patient Information Sheet.
If you fail to provide personal data – Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with an account required to access our products or services). In this case, we may have to cancel the contract you have with us but we will notify you if this is the case at the time.
How is your personal data collected?
We use different methods to collect data from and about you including through:
a. Direct Interactions
You may give us your personal data when you are required to set up a user account and use our technologies as part of a research study, as part of your healthcare or otherwise. This includes personal data you provide when you:
- Agree to participate in a research study;
- Complete the account set up in advance of participating in the research study;
- Complete the account set up at a primary care centre or GP surgery;
- Use our technologies in a healthcare setting or in a research study; and
- Become an employee, or supplier or apply for any position at P1vital as an employee or contractor.
b. Visitors to our website
When someone visits www.p1vital.com and www.p1vital-gains.com (for P1V-GAINS-IN01 study), we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
This website is not intended for children and we do not knowingly collect data relating to children.
Third-party links – This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
To find out about the privacy notice for i-spero.co.uk please go to https://www.i-spero.co.uk/privacy-notice
Security and performance – P1vital uses a third party service to help maintain the security and performance of the www.p1vital.com and www.p1vital-gains.com websites. To deliver this service it processes the IP addresses of visitors to the website.
To find out more about security and performance of i-spero.co.uk please go to www.i-spero.co.uk/cookies and www.i-spero.co.uk/privacy-notice
c. People who email us
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government recommended best practice. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
d. People who contact us by phone
Where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
3. PROCESSING YOUR DATA
How we use your personal data?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
What is the purpose of processing?
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please Contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
|Purpose/Activity||Type of data||Lawful basis for processing including basis of legitimate Interest|
|To register and enrol you as a participant in a research study – please see section 3.a below on how we use personal data in health and care research studies.||(a) Identity|
(c) Sensitive Health Information
|(a) Performance of a contract with you.|
(b) To enable health and care research serving the public interest.
(c) Regulatory compliance.
|To allow patients and healthcare providers use our technologies in a healthcare setting Please see section 3.b below on how we use personal data in a healthcare setting.||(a) Identity|
(c) Sensitive Health Information
|(a) Performance of a contract with a healthcare provider (data controller).|
(b) Performance of a contract with you.
(c) To enable health and care research serving the public interest.
(d) Regulatory compliance.
|To manage our relationship with you which will include:|
(b) Asking you to leave a review or to provide feedback or, where you are a healthcare sector client, supplier, contractor or other business associate, to provide you with information about our services and products and to conduct auditing, accounting, financial and economic analyses; facilitate business communications, negotiations, transactions, conferences and compliance with contractual and legal obligations; and to provide goods and services, including clinical studies, to our health sector clients
(d) Marketing and Communications
|(a) Performance of a contract with you.|
(b) Necessary to comply with a legal obligation.
(c) Necessary for our Legitimate Interest (to keep our records updated and to study how customers use our products/services and to provide interested business associates with relevant information).
|To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||(a) Identity|
|(a) Necessary for our Legitimate Interest (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise).|
(b) Necessary to comply with a legal obligation.
|To use data analytics to improve our website, products/services, marketing, customer relationships and experiences||(a) Technical|
|Necessary for our Legitimate Interest (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy).|
|To make suggestions and recommendations to you about our products or services that may be of interest to you||(a) Identity|
|Necessary for our Legitimate Interest (to develop our products/services and grow our business)|
|To consider your application for a job at P1vital and to manage our employer/employee relationship with you|
Please see section 3.c below on how we will process and store your personal data when you apply for a position with us
| (a) Identity|
(c) Sensitive Data disclosed by CV or as part of the recruitment process
|(a) Necessary for our Legitimate Interest and to meet legal and regulatory requirements and to protect our rights and your rights.|
(b) Contractual performance.
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by Contacting us.
a. Study participants involved in P1vital or client sponsored clinical research studies
P1vital is the data controller for the information you provide during a study where P1vital is acting as the Sponsor, and P1vital is the data processor for the information you provide during a study where P1vital is acting as the CRO or a service provider.
Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. We do this by following the UK Policy Framework for Health and Social Care Research.
We use personally-identifiable information to conduct research to improve health and care. As a provider of products and services to healthcare organisations we have a legitimate interest in using information relating to your health and care for research studies, when you agree to take part in a research study. This means that we will use your data, collected in the course of a research study, in the ways needed to conduct and analyse the research study. Your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible.
The Participant Information Sheet for the research study will provide more detailed information on what information is collected and why.
b. Patients and healthcare providers using P1vital’s technology in a healthcare setting
Your healthcare provider is the data controller and P1vital is the data processor for the information you provide when using P1vital’s technology in a healthcare setting.
You can find out more about how your healthcare provider uses your information by contacting them directly.
P1vital stores your information in a secure manner within P1vital’s technology but does not have access to your personally identifiable information. We will process your pseudonymised or anonymised information for health and care research purposes. Your pseudonymised or anonymised information will not be transferred outside of P1vital.
You can delete your account at any time which will permanently delete your personally identifiable data from P1vital’s technology, including data backups in accordance with P1vital’s retention policy statement.
If you wish to raise a complaint on how we have handled your personally identifiable data, you can contact our DPO (if you are based in the UK or outside of EU) or DPR (if you are based in the EU) as set out in section 1 who will investigate the matter. If you are not satisfied with our response or believe we are processing your personally identifiable data in a way that is not lawful, you can complain to the Information Commissioner’s Office (ICO).
Use of data processors by P1vital – Data processors are third parties who provide elements of our services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us without our consent and only then on the basis that we are satisfied that the sub-processors they use are subject to equivalent obligations relating to the security of your data and subject to a GDPR compliant Data Processing Agreement. They will hold it securely and retain it for the period we instruct.
c. Job applicants
P1vital is the data controller for the information you provide during the process unless otherwise stated.
What will we do with the information you provide to us?
All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
What information do we ask for, and why?
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
Application stage – When hiring staff, P1vital may post a job vacancy online on our website, or through a university or other job related website, or engage an employment agency.
We provide a detailed job description for each position and require potential candidates to provide a current Curriculum Vitae if they believe that they are suitable for the position. Personal details are necessary and these vary depending on whether the applicant comes direct to the company or via an agency.
For applicants via an agency: We require the candidate to provide a Curriculum Vitae with their name, previous work experience and education details. If you are shortlisted for a telephone interview, a contact number would be required. If you are shortlisted for a face to face interview, in order to reimburse travelling expenses, your bank details would be requested. Only if an offer of employment was made, would we ask you for your email address and postal address.
If you applied for a role directly through an online advertisement, we would require your telephone and email contact details together with your Curriculum Vitae at the application stage.
Shortlisting – Hiring managers would be provided with a copy of your Curriculum Vitae.
Assessments – We might ask you to attend an interview. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by P1vital.
If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.
Conditional offer – If an offer of employment is made to you and you have been introduced to P1vital by an agency, the offer is disclosed to the agency and then the agency would discuss this with you. Once the offer has been accepted verbally, we would ask you to provide P1vital with your personal email address and postal address in order for P1vital to process your application further.
When taking up employment with P1vital, you would be asked to provide the following: names and addresses of referees, proof of identity (passport/driving licence/utility bills), proof of qualifications, bank details if not already provided and emergency contact details. You might also be asked to prove you have the right to work in the UK.
Use of data processors – Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Retention period – If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment.
If you are unsuccessful at any stage of the process, the information you have provided until that point may be retained for 6 months from the closure of the campaign.
Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
How we make decisions about recruitment? – Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.
You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by emailing email@example.com.
P1vital is the data controller for the information you provide during the process unless otherwise stated.
4. DISCLOSURE OF YOUR PERSONAL DATA
We may have to share your personal data with the parties set out below:
- Internal Third Parties being other companies in the P1vital Group.
- External Third Parties being (a) service providers who provide clinical trial support services, IT, software development and system administration services; (b) professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services; (c) data controllers where P1vital is acting as a data processor (d) employee’s personal information may be shared with clients if required for legitimate business reasons and (e) HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We will not share your information with any third parties for the purposes of direct marketing.
We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
In some circumstances we are legally obliged to share information. For example under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information.
5. INTERNATIONAL TRANSFERS
Personal data controlled or processed by P1vital and collected in the UK may be disclosed/transferred outside of the UK subject to UK ‘adequacy regulations’ in relation to the country or territory where the receiver is located (i.e. a decision that a particular non-UK country’s laws provide an adequate level of protection for personal data) or subject to ‘appropriate safeguards’ being put in place such as a legally binding and enforceable instrument, UK Binding Corporate Rules, Standard Contractual Clauses etc., and subject having unambiguously consented to the disclosure/transfer.
Personal data controlled or processed by P1vital and collected in the EU may be disclosed/transferred outside the European Economic Area (EEA) subject to EU ‘adequacy decision’ by the European Commission in relation to the country or territory where the receiver is location, or subject to ‘appropriate safeguards’ being put in place, and subjects having unambiguously consented to the disclosure/transfer.
Personal data controlled or processed by P1vital and collected outside of the UK and the EU may be disclosed/transferred outside of the country in which they were collected subject to ‘transfer compliance mechanisms’, including EU-US Privacy Shield framework and other country-specific data protection regulations, or subject to ‘appropriate safeguards’ being put in place, and subjects having unambiguously consent to the disclosure/transfer.
6. DATA SECURITY
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. DATA RETENTION
How long will we use your personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. A record of P1vital’s processing activities involving personal data is maintained via Data Processing Log / Record of Processing Activities (ROPA).
In some circumstances you can ask us to delete your data: see ‘Right to erasure’ below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) or pseudonymise your personal data (so that it can no longer be associated with you without the use of additional information) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
8. YOUR LEGAL RIGHT
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
- Right of access to your personal data (commonly known as a “Data Subject Access Request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. If you make such a request we will:
- Give you a description of it
- Tell you why we are holding it
- Tell you who it could be disclosed to
- Let you have a copy of the information in intelligible form
- Protect data provided to you as a response to your Subject Access Request at a level appropriate to the sensitivity of the information.
- Right to rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Right to erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that this right of erasure does not apply to personal data collected as part of the health and care research studies that we undertake. Also we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Right to restriction of processing of your personal data where you are concerned about the accuracy of the data or how it is being used. If necessary, you can also stop us deleting your data. Together, these opportunities are known as your ‘right to restriction’. You can temporarily limit the use of your data when your challenges to the accuracy of your data or an objection to the use of your data are being considered. You may ask to limit the use of your data rather than delete it if the data is processed unlawfully but you do not wait it deleted or the data is no longer needed but data is needed for legal claims.
- Right to object to processing of your personal data where we are relying on a Legitimate Interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Right to data portability of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent nor prevent us from continuing to process personal data collected in the course of a health research study. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact our DPO or DPR (EU) as set out in section 1.
No fee usually required – You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you – We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond – We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
9. COMPLAINTS OR QUERIES
P1vital tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of P1vital’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the DPO or DPR (EU) as set out in section 1.
Disclosure of personal information – In many circumstances we will not disclose personal data without consent. However, when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies.
10. EFFECTIVE DATE
We keep our privacy notice under regular review. This privacy notice was last updated on 9th August 2021.