Privacy Policy
Introduction
This is one Privacy Notice for Arjo UK, an integral part of the Arjo group of organisations focusing on our business interests in The United Kingdom. This Privacy Notice relates to the processing of personal data of representatives of customers suppliers, leads and Arjo Academy platform users. Arjo UK provides information to the relevant stakeholders about the who, what, why, when, where and how of our data processing activities, as well as setting out what rights individuals have in relation to these processing activities.
Who is processing the personal data?
As indicated above, the data controller for the processing of your personal data is Arjo UK. To make this notice easier to read, Arjo UK is referred to as Arjo for the rest of this document. As the data controller, if you have any questions, comments or queries about your personal data, we can be contacted using the details below:
Arjo UK Limited
ArjoHuntleigh House, Houghton Hall Business Park, Houghton Regis LU5 5XF
Arjo aims to be compliant in everything we do. As such, we invite you to contact us whenever you feel it is necessary so we can partner with you in addressing any comments or concerns you might have. We have appointed a local Data Protection Lead who is also able to support you with any queries you may have. For Arjo UK, this is:
James Stone
Data Compliance Manager
What personal data are we processing?
The type of personal data we process about you depends on the type of data subject and the nature of our relationship with you. The processing of your personal data could include the following:
Customer representatives, supplier representatives, leads, prospects and contacts:
- Identifiers –
- Name
- Job title
- Contact data –
- Phone number
- Email address
- Location data –
- Address
- IP address
- Financial data –
- Banking details
Webinar platform users:
- Identifiers –
- Name
- Job title
- Contact data –
- Email address
- Location data –
- Address
- IP address
- Audio / visual data –
- Photos (only when provided by the platform user).
Please note, the contact and location information processed relates to data used in a professional capacity and may come directly from you or from the facility you are working for. In some instances, customers provide us patient information which is processed only where necessary to fulfil the purpose for which it was provided.
Why are we processing personal data?
Arjo processes personal data for the reasons listed below.
Representatives of customers, contacts and suppliers
- Managing the production and distribution of our products and equipment via our logistics supply chain.
- To fulfil our customer orders and requests, as well as to provide support to customer representatives in the event of a complaint or issue or handling claims.
- To manage our legal, regulatory and statutory obligations as well as to maintain accurate and reliable administrative and accounting records, which include managing queries, concerns and investigations.
Leads and prospects
- The pursuit of our commercial interests through marketing activities.
No automated decision-making is undertaken, with the exception of monitoring the success of marketing activities and when using the MyArjo portal. This includes generating a profile based on the use of our online resources which performs an evaluation. This information is only used to better inform how Arjo can support you and manage the layout of the MyArjo portal. The information is only used for these purposes and no individual data protection or statutory rights are infringed in this process. Any evaluation is subject to human review. If you have any questions or concerns about the potential use of automated decision-making, please contact dataprivacy@arjo.com.
Which lawful basis do we use for processing personal data?
Arjo only process personal data if there is a legal basis for the processing. For the processing described in this privacy notice, Arjo uses the following lawful basis for processing:
Lawful basis for processing |
Processing activities |
Your explicit consent. You are able to withdraw your consent at any time. You can do this by contacting dataprivacy@arjo.com. |
Marketing activities including direct marketing. |
Legal obligation. |
Activities linked to our regulatory and statutory requirements. |
Legitimate interests. |
Marketing activities including managing our relationship with you as a contact of Arjo. Processing of customer representatives’ personal data is necessary to manage and distribute products and equipment via our logistics supply chain and to fulfil our customer orders and requests. |
Where we rely on a legal obligation to justify the processing of your personal data, this is to ensure that our regulatory and statutory requirements are fulfilled. This is important in order to maintain the quality of the service and products that many stakeholders rely on.
There may also be times when legitimate interest is the appropriate justification for processing your personal data. In this situation, we have undertaken a legitimate interests assessment where the needs, expectations, rights and freedoms of all parties have been considered. Before relying on legitimate interest, we have made sure that our interests are compelling enough and will not cause any unwarranted harm.
For how long do we process your personal data?
We save information for as long as the information is necessary to fulfil the purposes for which the information was collected. The information can be saved for a longer period of time if it is required by applicable law, such as the European Union Medical Device Regulation. Arjo have established routines to ensure that we do not store unnecessary information about you.
Information regarding representatives of customers and contacts
- Most commercial, customer or financial information, relating to e.g. purchase, order and order history, is retained for five years.
- As a global organisation in a highly regulated field, we need to retain information relating to production, distribution, quality, or performance of any of our products for 15 years in accordance with strict European and global regulatory obligations. The personal data contained to these records is usually limited to low risk personal data where there is any personal data at all.
- Information relating to a customer service case is saved until the matter is resolved and retained in a de-identified format for 15 years.
- Information collected after consent is saved for as long as it is relevant or no later than within six months after consent is revoked.
Information regarding prospects and leads
- Information collected after consent is saved for as long as it is relevant or no later than within six months after consent is revoked.
Where are we processing personal data and who do we transfer personal data to?
We may on occasion transfer your personal data outside of the UK through the use of a particular processor. Where this is relevant, we will aim to only transfer and process personal data in countries where an adequacy decision has been established. This means that the legislative framework in the third countries provides the same level of legal protection as the United Kingdom. To learn more about countries with adequacy decisions, please see the Information Commissioner’s Office website. There are occasions where we need to process personal data outside of such countries as we work with processors who process personal data in India. In these instances, we have undertaken privacy impact assessments and transfer impact assessments to identify appropriate additional measures to implement, prior to establishing data processing agreements including approved standard contractual clauses. In the event that the contractual and organisational measures are still inadequate, we will seek your consent to undertake the proposed processing.
We use different systems and platforms to manage the data we process, and a list of the key data processors are listed below:
- Advanced Applications
- AWS
- Bishopsgate
- CEVA
- Digital Space
- MyMediset
- ON24
- Salesforce
- Tech Mahindra.
- Other subsidiaries of the Arjo group as part of global functions.
Additionally, we use Microsoft Office storage and productivity tools to process personal data in the course of our commercial, production, logistical, operational, research and administrative activities.
We may also share personal data with partners and in line with our regulatory or statutory obligations. In all instances, data will only be shared in line with an appropriate lawful basis for processing. Data sharing is frequently undertaken following a privacy impact assessment and a transfer risk assessment to ensure the necessary safeguards and control measures are in place prior to any data sharing.
How are we processing personal data?
Arjo have adapted the following to enable secure and compliance towards handling and processing data:
- Arjo have an IT policy, Information Security Directive, Acceptable Use of IT Devices Directive as well as a Data Protection Compliance Policy.
- Access management based on least privilege with access reviews performed on a quarterly basis, additionally each user will have unique and individual usernames where none are shared.
- Admin access only given to system and database owners who have the correct skills and training, normally senior IT staff.
- Robust change management process.
- All systems for which the hosting solution is determined by Arjo can only be accessed via our VPN solution. In all cases, all data and systems are encrypted at rest and in transit, and require a unique username and password to access the data each user is authorised to access.
- All Third Parties that host or work on Arjo systems are subject to a Risk Assessment on a yearly basis.
- Arjo also have an overall Incident management process which is run by our Service Management team.
- Patch management; as part of our service management.
- Pen testing and vulnerability management.
- IT audits performed by a third party annually.
What are your rights in relation to this data processing?
Under data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal information that we process about you. Through this copy you will be able to understand which of your personal data we have and process. The right of access is applicable when a record contains information where an individual can be identified, and the information is about them. This means that records that are accessible to you will have the personal data about other people redacted where appropriate, in order to protect their right to privacy. Your personal data will be redacted if someone else requests access to a record containing your personal data. Legislation provides other exemptions that may be applicable such as records where legal privilege needs to be observed or there is an obligation of confidentiality in specific circumstances. Any exemption applied will have a relevant legal basis and will be explained to you were necessary.
- Your right to be informed – You have the right to be informed of how we process your personal data. This Privacy Notice is an initial means of informing you about the processing of your personal data. Additional methods of keeping you informed include through FAQs, contractual agreements and through discussions – if you have a question about how we are processing your personal data, you can contact us by writing to dataprivacy@arjo.com.
- Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. Any request to rectify your personal data will also be transferred and actioned by any processor with whom your personal data has been shared. This process is managed by us and will not require any additional action from you for your right to be exercised in full.
- Your right to erasure – You have the right to ask us to erase your personal information when the information is no longer necessary to fulfil the purpose of processing the information or keeping it or if you retract your consent. Arjo is obliged to keep extensive records in accordance with our legal obligations. As such, Arjo may not be able to delete every record that is processed about you, however this will be explained where relevant. Any request to be forgotten will also be managed by Arjo with any processor that is processing your personal data on our behalf.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances such as if the personal data is not relevant to fulfil our legal obligations.
- Your right to object to processing – You have the right to object to the processing of your personal data. The right can be invoked when the legal basis is legitimate interest, including profiling. If an objection is made, Arjo must show compelling legitimate interests to continue processing personal data for that specific purpose.
- Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation. This enables you to transfer it in a machine-readable format to another recipient. The right to data portability applies to personal data that is processed based on your consent or to perform a contract. It applies only to such personal data that you have provided Arjo with yourself.
- Your right regarding automated decision-making – You have the right to request that a review of any profiling that is undertaken using your personal data to be undertaken by a human.
- Your right to withdraw consent – You have the right to withdraw consent where this is the lawful basis established for the processing of your personal data i.e. when collected for certain marketing activities.
For more information about your data protection right, please see the webpage of the UK Authority for Privacy Protection.
You are not required to pay any charge for exercising your rights in most instances. If you make a request, we have one month to respond to you.
Please contact us using any of the details below if you wish to make a request.
Arjo UK Limited
ArjoHuntleigh House, Houghton Hall Business Park, Houghton Regis LU5 5XF
Finally, you have the right to complain to a data protection authority. For Arjo UK, the relevant supervisory authority is Information Commissioner’s Office and can be reached using the details below:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5A]
0303 123 1113
If this isn’t also your local data protection authority, you can contact your local data protection authority who will advise as to how best to proceed.