PGL Consultancy

Privacy policy

This privacy notice tells you:

  • Who we are
  • What information we might collect about you
  • The lawful bases on which we process that information
  • How we might use that information
  • When we might use your details to contact you
  • How we keep your personal information secure
  • What is sharing personal information
  • What personal information might we share with others
  • Your legal rights over the personal information you give us
  • What information might we have omitted from this privacy notice
  • When we can send marketing emails and when we can’t
  • How you can raise an issue with the UK ICO
  • How being based in the EU affects your rights
  • How long we keep your personal information
  • How we use cookies
  • What to do if you click a link that leaves our website

Who we are

Pillans Group Ltd (12498567) are the joint data controller with our subsidiary company Q Medical Technologies Ltd (05339771). Throughout this notice the terms ‘we’, ‘us’ and ‘PGL’ are used to refer to the joint data controllers. We are registered with the UK Information Commissioner’s Office (UK ICO).
If you have any questions regarding this privacy notice, then please contact us by phone so we can discuss them with you in full prior to you submitting any personal information to us.
If you wish to exercise any of your rights with regards to your personal information, please contact qara@qmedical.co.uk.
This privacy notice is effective from 1st June 2022.
If you are a PGL employee, please refer to the Employee Privacy Notice available internally.

What information we might collect about you

When you contact us through our website, by email, phone or post we might collect various pieces of your personal information. When our employees meet you in person, we might collect various pieces of information.

These might include:

  • Your name
  • Your job title
  • Your personal mobile phone number
  • Your personal email address(es)
  • Your work email address(es)
  • Your work phone number(s)
  • Your work address(es)

You might also supply us with ‘third party’ personal information such as (but not limited to):

  • Your medical secretary’s name
  • Your medical secretary’s phone number
  • Your medical secretary’s email address

If you choose to supply third party personal information, it is your legal responsibility to ensure you do so in compliance with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR). You might be required to provide a copy of this privacy notice to the third party if they are not directly employed by you or if you do not have the same employer.

The lawful bases on which we process that information

You have different rights depending on which lawful bases we are using to process your personal information. This means we have to inform you of the lawful bases we are using, so you can be certain of your rights at all times. Where we refer to ‘processing’, this means collecting, storing or disclosing personal information, e.g. within software used for fulfilling orders, managing customer relations or sending emails.

Up until a request is made for a quote relating to our products and/or services, all personal information is processed on the lawful basis of legitimate interest. This means that we have genuine business reasons for processing the personal data and can do so, provided that we comply with the rules and regulations of the DPA, and the UK GDPR.

Once a request is made for a quote relating to our products or services, the lawful basis for our processing becomes ‘contract’. This means that there is a firm and reasonable expectation that we are required to process personal data in order to fulfil a contractual agreement with you. Please note that while no physical contract may be in place at this stage of business, requesting a quote for products and/or services is sufficient under UK GDPR to satisfy the lawful basis of ‘contract’.

Once a quote has expired, the lawful basis for our processing of your personal information will revert to legitimate interest, to allow us to continue to process your data even if you do not proceed to make a purchase from us.

Please note that if you or the company you are employed by will not be entering into a contract with us because purchasing is completed by a third party, we will continue to process your personal data on the basis of legitimate interest at all stages.

As an ISO certified distributor of medical devices, it might be necessary to process some personal information on the basis of legal obligation. This applies in circumstances where we must comply with standards, rules or regulations set by an authorized body such as the MHRA.

If you are a patient who contacts us to register for our patient promise, some of the information we use is called special category data, as it refers to your health information. This means that we have to have a secondary legal basis for processing this data. Your personal data is used on the basis of contract and consent, that is we are fulfilling a contract with you and you have consented to our use of your personal data for that purpose, and that purpose alone.

How we might use your personal information

Like most companies, we use personal information to maintain records of how and when we communicate with our customers and our potential customers. We use personal information to fulfil orders, to maintain financial records and to personalise our contact with you.

We might also use your personal information where we are legally obliged to maintain records; such instances might relate to ‘do not call’ lists of phone numbers (if you are TPS or CTPS registered, for example) or ‘do not email’ lists of email addresses (if you have requested not to be contacted for marketing purposes by email).

If we are acting as a sales agent, and not in our usual capacity as a distributor, we might be required to provide your information to a third party organisation who will fulfil your order and who may or may not enter into a customer contract with you directly.

When we might use your details to contact you

If you have contacted us to request information about our products or services, we will utilise your personal information to respond to your enquiry. At the time you supply this information to us, you will have the opportunity to opt out of future marketing contact.

If you are engaged in a conversation via email with a member of our customer services team or with a sales representative, we will use your personal information. These emails may not contain unsubscribe links or marketing opt out links; however, at any point you can exercise your rights by making your requests in writing.

If you place an order with us, we might use your personal information to confirm receipt of the order, to notify you of delivery information, to issue an invoice or to chase up a late payment.

If you receive a marketing email from us to inform you about products or services that might be of interest, you will have the opportunity to opt out of future marketing contact and might be able to update your marketing preferences.

If you were added to a marketing database without contacting us, your first email from us will allow you to opt out of marketing with us and notify you that you can object to being part of our internal database.

How we keep your personal information secure

We are committed to minimising the amounts of personal information utilised across our administrative processes and have robust internal policies for assessing and authorising data processing activity. We carefully select the products and/or services we use to process your personal information in order to meet the standards set out in UK GDPR.

We have put in place suitable physical, electronic and managerial procedures to safeguard and secure the personal information we process. This ensures your personal information is protected using current, up to date security software and IT protection including firewalls.

What is sharing personal information

We do not sell your personal information to third parties. We only share your personal information where it is necessary and reasonable for us to do so. There will always be a contract between us and those we share your data with that enforces our and your legal rights, as appropriate.

Sharing personal information just means that we don’t always have sole control over the data; it doesn’t mean we are giving it away for others to use how they want. When we share personal information, it must be used how we have specified and only for the specific purposes we have put in place.

If we use cloud-based software, for example, and we include your personal information in a document or file, this is technically sharing your personal information. The software provider does not have permission to extract your personal data from the files and then to contact you. They can only use your personal data as part of the delivery of their cloud-based software services to us, which in this example would mean storing the information within their software for us to access and use as necessary.

What personal information might we share with others

We evaluate all the software suppliers, marketing agencies and third parties we use to process your personal information prior to contracting with them, in order to ensure using their products and/or services maintains our compliance with UK GDPR.

You should expect that all the personal information you supply to us may be shared either in full, or in part, with our chosen third parties, in order to facilitate some or all of the following:

  • New enquiry response and management
  • Supplier set-up, management and payment
  • Order picking, packing, dispatch
  • Invoicing and debt recovery
  • Customer service
  • After sales product support
  • Marketing of our products and/or services that may be of interest

Remember, even using your details in a text document is considered sharing, even though the software provider cannot use the information in the file other than for providing the software services to us.

Your legal rights over the personal information you give us

Everyone has the same basic legal rights under UK GDPR, with additional rights being dependent upon the lawful bases under which we have chosen to process the information. Your basic rights are:

The right to be informed

This privacy notice informs you of how we process your information, why we process it and what your rights are regarding that information. This effectively satisfies your right to be informed as it provides the information in a transparent, easy to understand and concise way. If you do not feel fully informed about how and why we process your personal information or require more detail after reading this privacy notice in full, please contact us in the first instance.

The right of access

In order to exercise your right of access, you can contact us to make a ‘subject access request’ (SAR). This means you can request copies of your personal information and we are obliged to provide it to you. We cannot charge for this service unless your request is ‘excessive’ (e.g. for a duplicate of information previously supplied) or unless we believe the request is ‘manifestly unfounded’, (e.g. made with malicious intent). Where we do charge, not only must we inform you of the charge in advance, but this must also be reasonable relative to the administration costs of providing the information. You might be required to provide ID before we can release any data to you.

The right of rectification

Your right to rectification means you have the right to correct any inaccurate personal information we have. Personal information is defined as inaccurate if it is incorrect or misleading as to any matter of fact. You can request a correction to any personal information in writing, by phone or in person. We must respond to your request within one month. It may be necessary for us to record both the inaccurate information and the correct information, for example, in cases where a mistake is rectified, the record of a mistake is a matter of fact and should therefore be documented provided the rectification is also documented.

The right to restrict processing

You can request we restrict processing at any time. This effectively means you are requesting that we continue to store your personal information, but you no longer wish for us to process your information for any other purpose. In most cases, we would expect you to exercise this right alongside one or more of your other rights, such as the right of access or the right of rectification, to effectively put our data processing on hold until you have received (and assessed) the personal information we hold or until we have corrected it. You can exercise this right without invoking others; however, it might not be the most suitable option, depending on your overall intent.

The right to challenge or request intervention in automated individual decision making or profiling

This right allows you to question any decision that results from an automated decision making process. This is most commonly applied where businesses use automated systems to evaluate data supplied in an online form (e.g. a loan application). You can also challenge any customer profiling or use of ‘big data’ and machine learning if it is being used to make decisions about how we process your personal information and to predict your preferences or patterns of behaviour.

We do not currently utilise any automated individual decision making or profiling within our business; however, we are legally obliged to inform you of your rights related to this.

We can refuse to comply with your right to access, your right to rectification or your right to restrict processing. In all cases there must be either a legal exemption that applies (as defined by the DPA) or we must be able to show that the request is manifestly excessive or unfounded. In such instances, we must notify you of our decision to not comply alongside our reasons. We must also notify you of your right to raise the issue directly with the ICO and your ability to seek to enforce your rights through the courts.

Your additional rights

The right to erasure (or the right to be forgotten)

You can request we erase your personal information if we are processing it on the legal bases of contract or legitimate interest. This means if you write to us, phone us or see us in person and request that you want us to delete your personal information from our systems, we are obliged to do so, except where we have a legal obligation to maintain the information (e.g. to maintain transparent traceability protocols in the medical device supply chain).

The right to object

You can only exercise this right when we are processing your personal data on the lawful basis of legitimate interests. It allows you to object to our processing activity and to question the veracity of the legal basis we are applying to process your data; if we concur with your objection we must stop processing your data, though this does not necessarily mean we have to erase all the data, as we might have to maintain suppression lists such as ‘do not call’ or ‘do not email’ lists.

We must notify you if we decide not to comply with your request regarding erasure or objection, explaining our decision and notifying you that you can raise the issue directly with the ICO and that you can seek to enforce your rights through the courts.

Where we process your information on the basis of legal obligation, you do not have the right to erasure or the right to object.

What information might we have omitted from this privacy notice

The issue of your rights and our rights in relation to them is highly complex. In order to comply with our obligations to be clear and concise in how we explain this to you, we have inevitably chosen to omit some information relating to the many exemptions there are to how and when we can refuse your requests. We’ve also omitted information around the additional lawful bases that we have not applied in processing your personal information and any rights that are not applicable based on the current lawful bases. Should a change in our processing activity affect the lawful bases on which we process information, we will amend this privacy notice to reflect this.

The examples of how or when we might use your personal information are also not exhaustive but do highlight some key scenarios that you should be aware of with regards to your personal information. We’ve tried to highlight scenarios that we think will be of most interest to you, particularly with reference to marketing emails. As a business operating directly (and almost exclusively) with other businesses, it is reasonable to expect that we use your personal data – in your capacity as a representative of a business – to fulfil many of our business functions. If you have found the privacy notice too concise, you have the right to request further information as part of your right to be informed.

The information we’ve omitted does not prevent you from exercising your rights.

When we can send marketing emails and when we can’t

To keep things simple, we have implemented a soft opt in policy for marketing communications via email. This means that at the point at which you contact us, we will provide you the opportunity to opt in to receiving marketing emails and that when we send marketing emails, they will offer you the chance to opt out of receiving further emails. You can also contact us by phone to update your marketing preferences.

If you were added to a marketing database without first contacting us, we will notify you of this when we email you for the first time and provide you an opportunity to opt out of future marketing emails. We will also notify you that you have the right to object to us processing your personal information for this purpose.

We recommend you always use your own work or personal email address when opting in to marketing communications, as all emails sent to medical secretaries will include an unsubscribe link and we are legally obliged to comply if they choose to unsubscribe, even if you have personally requested the information.

Our obligations to you fall under the Privacy and Electronic Communications Regulations (PECR) as well as UK GDPR and the DPA.

How you can raise an issue with the UK ICO

If you have any questions regarding this privacy notice, please contact us by phone so we can discuss them with you in full prior to you submitting any personal information to us.

If you would like to exercise any of your rights with regards to the personal information we process about you, please contact us in writing at the address below or via email to qara@qmedical.co.uk.

F.A.O. QARA Team (DP)
Pillans Group Ltd
Unit 1A, Summerlands Trading Estate,
Endmoor
Kendal
LA8 0FB

If you are unhappy with our response to your enquiry or require clarification following an enquiry, you can contact the ICO via their website: www.ico.org.uk/

How being based in the EU affects your rights

If you are based in the EU and we collected your personal information prior to 1st January 2021, this information is considered legacy data and is therefore subject to EU GDPR as it was written and enforced on the 31st December 2020. This might be referred to as ‘frozen GDPR’.

On the 28th June 2021 the EU published its adequacy decision regarding the UK GDPR. The EU adequacy decision states that the UK provides adequate protection for personal data transferred from the EU to the UK under EU GDPR. This decision will remain under review, but is expected to be effective until 27th June 2025, with review and renewal taking place approximately every four years.

This means the EU has declared the UK GDPR an equivalent of the EU GDPR.

While your data is processed by us in the UK the adequacy decision provides peace of mind that we will process your personal information and manage your privacy to the same standards you would expect within your own country under EU GDPR.

How long we keep your personal information

We will retain your personal information for 7 years after termination of our relationship unless there is a legal requirement for us to retain this information for longer, or unless you exercise your right to erasure.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added, and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

What to do if you click a link that leaves our website

Our website may contain links to other websites of interest. We do not have control over other websites and therefore we cannot be held responsible for the content of those websites, nor for the protection of privacy of any information you submit while visiting those websites. You should refer to other websites’ privacy notices prior to submitting any information to them. A privacy notice might also be referred to as a privacy statement or a privacy policy.

© 2025 PGL Consultancy
