INTRODUCTION

Welcome to Proveca Limited’s Privacy Notice, referred to in this document as “Proveca”, “the Company” or “We”.

Here at Proveca we respect your privacy and are highly committed to protecting your personal data.

When we refer to “your” personal data we are referring to you personally and, where it is applicable, to any individuals who are connected to your business, such as employees, consultants or workers, who you request that we process data for, in the provision of our services and where you supply goods or services to us.

The General Data Protection Regulation (GDPR) is the latest EU data privacy and protection framework which came into force on 25th of May 2018. It was enacted into national law by the Data Protection Act 2018 (DPA).

Proveca Ltd is a pharmaceutical company specialising in identifying, developing and licensing off-patent medicines with unmet priority health care needs, with a focus on the paediatric market. We accept that we are a processor of personal data and, in some cases, special categories of personal data.

We identify that the processing of such data is fundamental to the delivery of our services and commit to complying with data protection law which requires us to process personal data using the following principles;

  1. It will be used lawfully and fairly;
  2. It’s use, storage and removal will be transparent;
  3. It will be collected for valid purposes that have been clearly explained to you and not used for other purposes, unknown to you;
  4. It will be accurate and kept up to date;
  5. It will be kept securely; and
  6. It will only be kept for as long as is necessary.

We are committed to DPA compliance and take our obligations seriously by building them into our day to day and strategic processes, some of which you want to consider when conducting your assessment of Proveca Ltd. from a DPA point of view.

WHO TO CONTACT

This Policy sets out basic information; however, you may have specific questions or wish to exercise your legal rights.

For DPA purposes, please use any of the contact details below;

Full Name Proveca Ltd.
Contact  Jennifer Crompton
Address Wework
No.1 Spinningfields
Quay Street
M3 3JE
Manchester, UK
Telephone +44 (0) 161 468 2627
e-mail info@proveca.com

If you believe that we have collected or processed your personal data incorrectly, you do have the right to make a complaint to the relevant body, the Information Commissioners Office (ICO) (www.ico.org.uk) however we would appreciate the chance to deal with your concerns and so please contact us in the first instance.

WHAT IS “PERSONAL DATA”?

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

SPECIAL CATEGORIES OF PERSONAL DATA

There are also special categories of personal data as identified by the DPA which includes information relating to; racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership status, genetics, biometrics (for ID), physical or mental health, sexual life or sexual orientation and criminal activity, including alleged, proceedings, convictions or sentences.

In general, we do not collect any Special Categories of Personal Data about you, unless you are a Candidate or an Employee, in which case a separate Applicant Privacy Notice and an Employee Privacy Notice are available.

As a client, in particular one who accesses our Medical Information services, it is also necessary to collect and process some special categories of personal data regarding individuals who are connected to our clients, such as patients and carers.

The collection and processing of this data is limited to the provision of Medical Information services to our clients and in fulfilling our duty with them.

WHEN DO WE COLLECT AND PROCESS PERSONAL DATA?

We may collect and process personal data in a variety of ways, the main ways are identified below and are examples, but this may not be an exhaustive list.

When you;

  • Interact with us directly via a telephone call, in-person discussion, networking event, lunch meeting, conference, etc.
  • Visit our website or social media channels;
  • Use our app;
  • Attend one of our events or seminars;
  • Enter into a Health Care Professional (“HCP“) Services Contract with us;
  • Become a prospective customer;
  • Become a client;
  • Apply for work experience or job with us;
  • Become an Employee;
  • Work with us in a business relationship capacity such as a consultant, referrer or similar, supplier or any other third party

KEEPING IT ACCURATE

In fulfilling our DPA commitments, it’s important that the personal data we hold about you is accurate and up to date. As such, please keep us informed of any changes so that we can update our records and maintain our all-important relationship with you.

THE TYPES OF DATA WE COLLECT

We may collect, use, store and transfer a variety of personal data about you during our relationship with you.

We have attempted to group these together however, again this cannot be exhaustive;

Data Type Includes
Account The product you purchase from Proveca and payments made including transactions.
Contact Addresses, e-mail, social media, telephone numbers.
Financial Bank accounts, passwords for access to bank accounts and financial software packages, credit card or other payment methods, financial, amounts and/or value of sums paid to HCP’s, salary and other payroll records.
Identity Data First names, surname, maiden name, usernames, marital status, title, date of birth, gender, photographic ID, national insurance numbers, passport details, driving licence details, details of your medical speciality and role (if relevant) and other special categories of personal data.
Profile Username and passwords.
Technical Your IP address and information about the technology on the devices you use when you access our website or social media platforms.
Usage How you use our dosing app and the dosing calculator on the website.

USE OF COOKIES

A cookie is a small text file which is placed onto your computer (or other electronic device) when you use our website. We use cookies on our website.

This website uses a cookie control system allowing you on each visit to the website to allow or disallow the use of cookies on your computer/device. This complies with recent legislation requirements for websites to obtain explicit consent from users.

For example, we may monitor how many times you visit the website, which pages you go to, traffic data, location data and the originating domain name of a user’s internet service provider, to improve the user’s experience whilst visiting the website, and better understand how you use it.  This information helps us to build a profile of our users. Some of this data will be aggregated or statistical, which means that we will not be able to identify you individually.

You can set your browser not to accept cookies and the websites below tell you how to remove cookies from your browser.

A detailed list of the cookies we use is set out below:

Google Analytics

_ga (visitor identificate)

_gat_gtag_UA_118978082_1

_gid

 

Avia – Stores user cookie consent choices

aviaCookieConsent

aviaPrivacyEssentialCookiesEnabled

aviaPrivacyMustOptinSetting

aviaPrivacyRefuseCookiesHideBar

 

Other Cookies

covid_message

hcp_check

Stores if a user has seen a site specific message (i.e. Covid-19 Statement pop-up and HCP check pop-up)

 

PHPSESSID

General purpose identifier used to maintain user session variables.

FAILING TO PROVIDE PERSONAL DATA

Where we need to collect personal data by law or under the terms of a contract that we have with you, and you fail to provide the data when requested, we may not be able to perform the contract.

In such cases, having exhausted all avenues, we may be unable to start providing services or cancel the services however this will only occur following formal notification with an opportunity to rectify matters.

REASONS WHY WE USE YOUR PERSONAL DATA AND CONSENT

We will only use your Personal Data lawfully and most commonly when we need to perform the contract which we have entered into with you, where we need to comply with a legal or regulatory obligation or where it is necessary for our legitimate business interests (and your interests do not override ours).

If you are a HCP and have consented and signed our Disclosure Form as part of your HCP Services Contract we shall make public disclosures of certain personal data in order to comply with the ABPI Code of Practice.

Other than for HCP’s, we do not rely upon consent as a legal basis for processing your Personal Data.

MARKETING

We generally do not share your personal data with any other company for marketing purposes but in the unusual event that we do, we will obtain your express consent for this.

DISCLOSURE OF YOUR PERSONAL DATA

We may have to share your Personal Data for the purposes of providing our services.

These include, but this list is not exhaustive;

  • Service and software providers such as Microsoft 365 (CRM), Pension Portals, Summ.it, Drug Safety Solutions Limited (DSSL), ProPharma (PPG), Regenold, etc who act as processors;
  • Professional Advisers acting as processors including lawyers, insurance brokers, tax specialists, auditors, insurers, business consultants, recruitment agents, banks and insurers, who provide consultancy, banking, legal, insurance and accounting services;
  • HM Revenue & Customs, European Medicines Agency, ABPI (Association of the British Pharmaceutical Industry (and Disclosure UK) Medicines and Healthcare products Regulatory Agency (MHRA), Regulators, Money Laundering Agents and other authorities who require reporting of processing activities;
  • Third Party providers for marketing or event booking services such as Mailchimp, Surveymonkey, Doodle, Google or similar;

We require all third parties to respect the security of Personal Data and to treat it in accordance with the Law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process it for the specified purposes and in accordance with our strict instructions.

We seek to ensure that all of our chosen third-party providers are DPA compliant or equivalent.

TRANSFERRING DATA OUTSIDE OF THE EEA

We are based in the UK and do not transfer your personal data outside of the EEA except where this is necessary for the performance of our contract with you.

Where we do, we will make sure that suitable safeguards are in place, by agreeing expressed contractual arrangements, to ensure that the provider is DPA compliant or equivalent.

DATA SECURITY

Our IT team will take appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We only engage with a DPA-compliant provider of our cloud system such as Microsoft 365, Dropbox and Amazon where data is held on our cloud providers’ systems.

In addition, our internal controls mean that we limit access to your personal data to those employees, agents, contractors and other third parties on a “need to know” basis.

If they process your personal data as part of their role they do so under a duty of confidentiality.

DATA BREACHES

In the event of any suspected or actual data breach we will ensure that correct procedures are followed.

DATA RETENTION

We will only retain your Personal Data, and that which belongs to individuals connected with our business, for as long as is necessary to fulfil our contract with you or for the purposes of satisfying a commercial and marketing, legal, accounting, medical or regulatory requirement.

We assess retention on a case by case basis however; our minimum periods of retention for retaining personal data are;

  • For the entire period that you are a customer or have a business relationship with us or required to do so by law;
  • For two years after you have ceased being a customer or having had a business relationship with us in which case all personal data will be deleted with the exception of basic information such as client name, services used, main contact name and contact details and any relevant information which we feel may be of mutual benefit in the future;
  • For 6 years plus, current year in the cases of financial or payroll information;
  • For HCP’s 5 years following end of the year in which we last worked with a particular HCP or until the HCP requests that their personal data is deleted, whichever is the sooner. (Note that once disclosed, the ABPI requires that personal information will remain in the public domain for 3 years from the date of disclosure).

In the case of marketing and communications; we will retain and process this indefinitely until such time that you opt out.

In some cases, we may anonymise your personal data so that it can no longer be associated with you, for research or statistical purposes and we may use this information indefinitely without further notice to you.

YOUR LEGAL RIGHTS

The DPA provides the following rights for individuals whose personal data is processed:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object to processing
  8. Rights in relation to automated decision making and profiling (We do not carry out automated decision making and profiling)

HOW TO CONTACT US

You can request a copy of your information which we hold (this is known as a subject access request).  If you would like a copy of some or all of it, please:

  • write to us at: FAO Jennifer Crompton, Proveca Limited, Wework, No.1 Spinningfields, Quay Street, M3 3JE, Manchester, UK;
  • let us have proof of your identity (a copy of your driving licence or passport); and
  • let us know what information you want.

Right to correct any mistakes in your information

You can require us to correct any mistakes in your information which we hold free of charge.   If you would like to do this , please:

  • email or write to us (see ‘How can you contact us?’ below)
  • let us have enough information to identify you
  • let us know the information that is incorrect and what it should be replaced with

Right to remove your details from our records or restrict how we use your information

You can ask us to stop contacting you for particular purposes or remove your information completely from our records.  There may be a legal reason why we need to keep your personal data and in that circumstance we will destroy your personal information as soon as we are legally entitled to do so.  If you would like us to stop contacting you with information about our services, please:

  • email or write to us (see ‘How can you contact us?’ below)
  • let us know what method of contact you are not happy with if you are unhappy with certain ways of contacting you only (for example, you may be happy for us to contact you by email but not by telephone).

Right to lodge a complaint with the Supervising Authority

If you have any concerns or complaints about how we use your personal data we hope you will alert us to these directly (see the Contact Information below).  If you are still unhappy you are entitled to complain to the Information Commissioners Office (ICO) which is the supervising authority in the UK.  Their contact details and the procedure can be found at www.ico.gov.uk.

How to contact us

Please contact info@proveca.com if you have any questions about this privacy policy or the information we hold about you.

If you wish to contact us abot any other matter, please contact us via our online form or write to us at Proveca Limited, Wework, No.1 Spinningfields, Quay Street, M3 3JE, Manchester, UK.

Changes to the privacy policy

We may change this privacy policy from time to time and we will do all we can to ensure continued compliance with the DPA.  You should check this policy occasionally to ensure you are aware of the most recent version that will apply each time you access this website or use our services.

Proveca Limited

November 2020