This privacy notice will help you understand how Mirada Medical Limited uses and protects your personal data.
We are both a Data Controller and Data Processor for the purposes of the Data Protection Legislation. A “data controller” is an entity that controls how and why personal data is processed and a “data processor” uses, handles or works with the data under the instruction of the controller, typically one of our clients.
You can contact our voluntarily appointed Data Protection Officer, Simon Ghent at email@example.com if you have any concerns or wish to exercise your rights.
If you prefer you can write to us at New Barclay House, 234 Botley Road, Oxford, OX2 0HP
EU Data Subjects
For the purposes of EU Representation we have an establishment in France that will serve as our contact point under Recital 80 of the GDPR. The details are as follows:
SASU Mirada Medical Europe, a company registered in France under registered number [850 071 937] having its principal place of business at Ilot Quai 8.2, Bâtiment E1, Rue d’Armagnac, Bordeaux, 33800, France
If you are an EU Data Subject you can contact our EU-based office at firstname.lastname@example.org. If a revision meaningfully reduces your rights, we will notify you.
Mirada never forgets that it is your right to have total transparency and control over how we use your data. As such, we give you these promises:
We will only collect data about you that is relevant and necessary;
Your data will only be held on systems that meet compliance standards;
Your data will only be accessed by those who need it and we will minimise the amount of data that is processed, wherever possible;
We will always remember that it is your personal data, not ours. As such we will ensure complete transparency and openness with you wherever possible.
We respect your rights as outlined in the next section and will respond to all requests promptly.
You have the following rights over any data we hold about you:
Right to object to processing at any time
Right to opt out of marketing at any time
Right to have inaccurate data corrected
Right to erasure of personal data from our database
Right to export of personal data
You can read more about your rights here.
You may opt out of marketing emails using the “unsubscribe” link within the email or by contacting us directly.
If you would like to uphold your rights then please contact our Data Protection Officer at email@example.com
If you are dissatisfied with our response you also have the right to lodge a complaint with the Data Protection Authority. This can be done at https://ico.org.uk/concerns/
How we Collect your Data
We collect information about you in the following ways:
Direct Contact – you give us information when you email us, call us, meet one of us at events or meetings
Third Parties – this is data about you that we may hold from referrals, resellers, purchasing data lists where we have Legitimate Interests or proactive marketing activity. Your personal data may also be provided to us by your employer.
Clients – Our main business activity involves patient data being shared with us by our clients for the purpose of fulfilling our contracts with them. As such we may be given your data by them if they have the correct legal basis to do so.
What Data we Collect
We try to minimise the data held, and the exact data elements we hold will depend on your journey with us. Typically, the data elements we collect are restricted to:
Your personal contact details – email address, phone numbers, and source of your data;
Your company details – as above but also address, website and other publicly held information including credit rating and invoicing details if relevant;
Transmitted information – such as emails, texts, messaging, phone call information, CVs and recordings, voice mails, email and meeting notes
If you are a patient of one of our clients we may process medical information such as scans along with your name, date of birth, patient number and the origin of your data. This special category of data is strictly controlled and you should contact your health provider directly should you wish to discuss further.
Calls may also be recorded for information holding, quality and training purposes.
Why we Process your Data
The primary legal basis on which we process your data is the fulfilment of Contract. Normally this means a Contract with your healthcare provider.
The information that we collect is essential for us to be able to carry out the services that you require from us effectively.
Data gained from marketing our services or other business activities are processed for our Legitimate Interests.
How we Process your Data
Data is processed/stored mainly on encrypted cloud services such as Microsoft 365 including Azure, Salesforce and AWS. We only store “special categories of data” on our platforms that demonstrate high standards of security.
As such, data will either be in the UK, EEA or US data centres. We may also process your data in countries outside the UK or European Union from time to time in other aspects of our business.
Further to Section 119A of the Data Protection Act 2018 and noting Case C-311/18 in the European Court of Justice, if your data is transferred or processed outside of the UK or EEA where adequacy decisions are not in place we ensure the safeguards of International Data Transfer Agreements (IDTAs) or Addendums are enforced. Where this is not possible, we ensure that appropriate UK or European Standard Contractual Clauses are entered.
For data transfers involving the USA we may rely on the Data Privacy Framework or the UK Extension Data Bridge. We regularly review suppliers for data security compliance to ensure your data is safe and track where your data is held.
All our processes are subject to various internal policies to ensure that your data privacy and security is upheld.
What we use your Data for
We process your data for several reasons:
To fulfil a contractual obligation or service to you or our clients
To improve our services and products.
To send invitations to events and follow these up if you have signed up to them.
To send occasional promotional emails containing the information we think you will find interesting.
We always ensure we have a “legal basis” to use your data for the purpose we have collected it for.
Due to our class-leading development program we may de-identify your data to the extent possible and use this for the purposes of research.
We will never sell your personal data for marketing purposes to third parties. To fulfil marketing initiatives we may need to work with marketing partners or use marketing platforms such as Pardot.
We will only share information for use where agents, resellers, or suppliers are involved in the delivery of your service. In such cases we will first attempt to anonymize the data or minimize it to the fullest extent possible.
In some cases we may need to share data where we are under a legal duty to comply with any legal obligation or in order to enforce or apply our terms and conditions. We may also share data between our various group entities.
Our website and other materials sent to you may contain links to other third party websites. We are not responsible for the content of these sites or for the data privacy they provide through their tools or sites.
Dependent on the data you provide us and for what purpose it is provided we may need to retain your data based on your journey with us. Typically, we will retain data for 6 years following the last engagement with us.
If we are processing data as part of working on clients’ data we will delete the data we hold no more than 90 days from completion of the project or end of contract, whichever happens later.
If you wish to find out more about your specific data retention, please contact us.
We seek to uphold our legal obligations as covered by the Data Protection Act 2018, General Data Protection Regulation 2016 and the Privacy and Electronic Communications Regulations. Our Data Protection Authority is designated as the Information Commissioner’s Office (UK) (Registration ZA828834).
Due to our global reach, we do not warrant compliance with all legal obligations in countries that we operate in outside of the United Kingdom, European Union, and United States of America.