Introduction
- MSL Medical Services Limited (MSL) understands that your privacy is important to you and that you care about how your personal data is used. MSL, respect and value the privacy of all our associates and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.
- The European Union (EU) General Data Protection Regulation (GDPR) places obligations on a controller of personal data (MSL) to ensure the protection of that data when they are processed by a third party i.e., MSL, a processor (sub-contractor). In forming a controller/processor relationship, the GDPR is quite specific about the fact that a contractual agreement must be in place between the two parties, and that it should specify key items of information about the personal data involved and how it is processed.
Addressing Compliance to the GDPR
- The following actions are undertaken to ensure that MSL complies at all times with the
accountability principle of the GDPR:
- The legal basis for processing personal data is clear and unambiguous.
- A Data Protection Officer is appointed with specific responsibility for data protection in the
organisation.
- All staff involved in handling personal data understand their responsibilities for following good
data protection practice.
- Training in data protection has been provided to all staff.
- Rules regarding consent are followed.
- Routes are available to data subjects wishing to exercise their rights regarding personal data
and such enquiries are handled effectively.
- Regular reviews of procedures involving personal data are carried out.
- Privacy by design is adopted for all new or changed systems and processes.
United Kingdom’s withdrawal of the European Union
GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018.
Information about us
- MSL Medical Services Limited is a limited company registered in England & Wales under company number 08185414.
Registered address:
MSL Medical Services Limited. The Forum. 277 London Road, Burgess Hill. West Sussex. RH15 9AQ.
Data Protection Officer: Paul Clarke
Email address: enquiries@mslmedicalservices.co.uk
Telephone number: 01444 240203.
Postal Address: MSL, The Forum. 277 London Road, Burgess Hill. West Sussex. RH15 9AQ.
MSL are regulated by Information Commissioners Office
Registration Number: Z3312893
What Does This Notice Cover?
- This Privacy Information explains how MSL use your personal data within its operational business activities: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.
What is Personal Data?
- Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
- Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
- The personal data that MSL use is set out in “How do You Use My Personal Data” What Are My Rights?
- Under the GDPR, you have the following rights, which MSL will always work to uphold:
- The right to be informed about our collection and use of your personal data.
- The right to access the personal data MSL hold about you. Part 494 will tell you how to do this.
- The right to have your personal data rectified if any of your personal data held by us is
inaccurate or incomplete. Please contact us using the details in Point 6 to find out more.
- The right to be forgotten, i.e., the right to ask us to delete or otherwise dispose of any of your
personal data that MSL have. Please contact us using the details in Point 6 to find out more.
- The right to restrict (i.e., prevent) the processing of your personal data.
- The right to object to us using your personal data for a particular purpose or purposes.
- The right to data portability. This means that you can ask us for a copy of your personal data
held by us to re-use with another service or business in many cases.
- Rights relating to automated decision-making and profiling. Point 6 explains more about how
MSL use your personal data, including automated decision-making and profiling.
- For more information about our use of your personal data or exercising your rights as outlined
above, please contact us using the details provided in Point 6.
- Further information about your rights can also be obtained from the Information
Commissioner’s Office or your local Citizens Advice Bureau.
- If you have any cause for complaint about our use of your personal data, you have the right to
lodge a complaint with the Information Commissioner’s Office.
- Our timeline to comply with your rights are documented below:
Data Subject Request Timescale
1. The right to be informed When data is collected (if supplied by data subject) or within one
month (if not supplied by data subject)
2. The right of access One month
3. The right to rectification One month
4. The right to erasure Without undue delay
5. The right to restrict processing Without undue delay
6. The right to data portability One month
7. The right to object
- On receipt of objection
What Personal Data Do You Collect?
- MSL may collect some or all of the following personal data (this may vary according to your relationship with us):
• Name
• Address
• Email address
• Phone number
• Business name
• IP Address
• Job title
• Professional Details
Where deemed appropriate you will be contacted to fulfil BS7858 check requirements. The BS7858 is a code of practice released by British Standards Institution, a business standards company which supports companies in achieving excellence within their field, and continuously boosting performance. This code in particular refers to security screening of individuals employed in a security environment. These checks might include:
• Identity checks
• ID confirmation
• Five years address history
• Financial checks
• Bankruptcy / Insolvency / IVA
• CCJ (Up to £10,000)
• Credit score
How Do You Use My Personal Data?
- Under the GDPR, MSL must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a service (contract) with you or a third party, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it. Your personal data will be used for one of the following purposes:
a. Carrying out a service (contract) for you or a third party. - Carrying out verification of identity checks as required by BPSS and BS7858 checks.
- Providing and managing your case.
- Your personal details are required in order for us to enter into a service (contract) with you to
manage your case.
- Personalising and tailoring our services for you.
- Communicating with you. This may include responding to emails or calls from you.
- Supplying you with information by email or post.
Lawfulness of Processing
- The lawful basis in which we process your data, The European Union (EU) General Data Protection Regulation (GDPR) Article 6 (Personal) data is to allow us to prepare and enter into a contract with you, therefore, for this type of data the legal basis is as follows:
The European Union (EU) General Data Protection Regulation (GDPR) Article 6:
(a) processing is necessary for the performance of a contract to which the data subject is party or
in order to take steps at the request of the data subject prior to entering into a contract
MSL have a duty of care to our end clients, general public and our personnel. The lawful basis in which we process your Article 9 (Special Category) data is in the public interest and in a protective function that we do so, therefore for this type of data the legal basis is as follows:
The European Union (EU) General Data Protection Regulation (GDPR) Article 9:
(b) Processing is necessary for reasons of substantial public interest, on the basis of Union or
Member State law which shall be proportionate to the aim pursued, respect the essence of the
right to data protection and provide for suitable and specific measures to safeguard the
fundamental rights and the interests of the data subject; and as per Union or Member State
law:
- Data Protection Act (2018) Schedule 1, Part 6 (11) Protecting the public against dishonesty.
- MSL may have to process personal data relating to criminal convictions and offences.
- The European Union (EU) General Data Protection Regulation (GDPR) Article 10 data:
Data Protection Act (2018) Schedule 1, Part 6 (11) Protecting the public against dishonesty and Article 9 (g) applies. - In the case exposure is to individuals under the age of 18 or deemed as “at risk”:
Data Protection Act Schedule 1 Part 68 Safeguarding of children and of individuals at risk. - Unless it is necessary for a reason allowable in The European Union (EU) General Data Protection Regulation (GDPR), MSL will always obtain explicit consent from a data subject to collect and process their data. This is as per the ICO Direct Marketing Code of Practice, The Privacy and Electronic Communications (EC Directive) Regulations 2003, The Data Protection Act 2018, and The European Union (EU) General Data Protection Regulation (GDPR).
- Your agreement to this privacy policy is positive affirmation and is the explicit consent.
- In case of children below the age of 16 (a lower age may be allowable in specific EU member states) parental consent will be obtained. Transparent information about our usage of their personal data will be provided to data subjects at the time that consent is obtained and their rights with regard to their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language and free of charge.
How Long Will You Keep My Personal Data?
- MSL will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):
a. Where contracts and services have been undertaken your data is kept on file for a
minimum of seven years for legal and accounting obligations.
How and Where Do You Store or Transfer My Personal Data?
- MSL takes every effort to store your personal data in the UK within its day to day
business operations. We have acquired service providers that provide this specifically. This
means that the data will be fully protected under the GDPR. - In certain circumstances where we use service providers outside of the UK, we have opted
for EEA service providers. The European Economic Area (the “EEA” consists of all EU
member states, plus Norway, Iceland, and Liechtenstein).
- MSL wherever possible will store your personal data within the European Economic Area (the
“EEA”) where it is having been deemed acceptable to do so. MSL investigates the processing
of data thoroughly and ensures that the correct level of data protection and privacy is there,
with the relevant documentation to say so. This means that your personal data will be fully
protected under the GDPR or to equivalent standards by law.
- Countries Listed within the EEA:
Austria; Belgium; Bulgaria; Croatia; Cyprus; Czech Republic; Denmark; Estonia; Finland;
France; Germany; Greece; Hungary; Iceland; Ireland; Italy; Latvia; Liechtenstein; Lithuania;
Luxembourg; Malta; Netherlands; Norway; Poland; Portugal; Romania; Slovakia; Slovenia;
Spain; Sweden; United Kingdom.
International Transfers of Personal Data
- Transfers of personal data outside the European Union will be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. This depends partly on the European Commission’s judgement as to the adequacy of the safeguards for personal data applicable in the receiving country and this may change over time.
- Intra-group international data transfers will be subject to legally binding agreements referred to as Binding Corporate Rules (BCR) which provide enforceable rights for data subjects.
Third Countries Service Providers
- Where any of your data is processed outside of the UK and EEA, MSL investigates the processing of data thoroughly and ensures that the correct level of data protection and privacy is there, with the relevant documentation to say so.
- Third countries may not have data protection laws that are as strong as those in the UK and/or the EEA. This means that MSL will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR.
Secure by Design
- The security of your personal data is essential to us, and to protect your data, MSL take a number of important measures.
- We have introduced best practices and procedures in house and when dealing with any personal data of our data subjects.
- Our security measures are kept confidential however our security setup is one of layered security measures, which wherever possible is designed to fail safe, as no security measures can be 100%.
- We have cyber essentials certification and benchmark to ISO:27001 compliance for our internal processes. Wherever possible service providers as a minimum adhere to Article 5 of the General Data Protection Act.
Privacy by Design
- MSL has adopted the principle of privacy by design and will ensure that the definition And planning of all new or significantly changed systems that collect, or process personal data will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.
The data protection impact assessment will include: - Consideration of how personal data will be processed and for what purposes.
- Assessment of whether the proposed processing of personal data is both necessary and
proportionate to the purpose(s).
- Assessment of the risks to individuals in processing the personal data.
- What controls are necessary to address the identified risks and demonstrate compliance with
legislation.
- Use of techniques such as data minimisation and pseudonymisation will be considered where
applicable and appropriate.
Contracts involving the Processing of Personal Data
- MSL will ensure that all relationships it enters into that involve the processing of personal data are subject to a documented contract that includes the specific information and terms required by the GDPR.
Data Breach & Incident Response
- It is MSL’ policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.
Do You Share My Personal Data
- MSL believe in total transparency and want our associates to know how we interact with their data, along with how we may have to process your data with third parties for our daily business functions.
- In some cases, those third parties may require access to some or all of your personal data that MSL hold. If any of your personal data is required by a third party, MSL will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law.
- MSL contract with third parties and those third parties may sometimes contract with third parties (as described above) that are located outside of the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). If any personal data is transferred to a third party outside of the EEA, MSL will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR, as explained above in Part 25 – 37.
- In some limited circumstances, MSL may be legally required to share certain personal data, which might include yours, if MSL are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
How can I Access My Personal Data?
- If you want to know what personal data MSL have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
- All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 6. There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
- MSL will respond to your subject access request within one month of receiving it.
Normally, MSL aim to provide a complete response, including a copy of your personal data within that time. In some cases, MSL, particularly if your request is more complex, more time may be required up to a maximum of three months from the date MSL receive your request. You will be kept fully informed of our progress.
How Do I Contact You?
- To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the details provided in Part 6 of this document
Changes to this Privacy Notice
- MSL may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if MSL change our business in a way that affects personal data protection. Any changes will be made available on our website within our compliance area.
Signed:
Michelle Levy Director
01.04.2023
Reviewed 11th December 2023