General Data Protection Regulation Policy
1 Introduction
Atlantic Healthcare plc ("Atlantic"), together with its holding companies, subsidiaries and associated companies, holds information which has to be managed in accordance with the General Data Protection Regulation (GDPR). This policy describes the actions we take to ensure compliance with the GDPR.
We recognise that it is not our data to use as we wish, but it is your data that we are merely custodians of. We fully respect that you have entrusted your data with us and we will take care to ensure that your data is fully protected.
This policy ensures we:
- comply with data protection law and follow sound practice
- ensure the rights of staff, customers, and business partners are adhered to
- are open about the way we process and manage information
- reduce the risk of a data breach
- are able to respond quickly in the event of a breach
2 Scope
This policy applies to all Atlantic activities irrespective of location, all staff, and direct contractors.
3 Why do we hold data?
We hold personal data and sensitive personal data to enable us to:
- manage our employees
- manage our statutory books and fulfil the legal requirements of a company having private shareholders
- make information available to shareholders and other interested people via our website, letters and press releases
- follow up enquiries about our products from potential patients and customers
4 On what basis do we hold and process data?
We will only use personal information for lawful business purposes set out under the GDPR.
Wherever possible we will not rely on consent to hold data; we will identify another ground to justify holding data.
We will only hold and process data on the basis that we have explained; we will not seek to process data in a way which differs from the original intent.
5 Sensitive Personal Data
We will not hold or process sensitive personal information unless the higher security and management standards required by the GDPR have been met.
We will undertake a Data Protection Impact Assessment (DPIA) and Risk Assessment to determine the appropriate measures to be taken to protect any Sensitive Personal Data that we hold or process.
6 Children
At Atlantic we do not hold or process data about children.
If in the future we do process data on children, we will hold and process it at the higher standard.
7 Notices
We will be open, accurate, and clear in explaining how personal data will be used.
Notices will be made available to staff, shareholders and other interested parties via a notice on our web site.
8 Individuals' Rights
We will provide requested data as promptly as we can, and in accordance with timescales set out under the GDPR. Processes for contacting us to request data that we hold will be clearly available and easy to understand.
We aim to acknowledge all requests for data within 24 hours.
9 Data Management
9.1 Minimisation of Data
We will hold the minimum amount of data that is necessary for the function of our business.
9.2 Accuracy
We will keep information up to date and correct any inaccurate data that is identified.
9.3 Retention of Data
We will not hold data longer than is necessary for our business purposes. Our information retention policy is located in the Appendix.
Version: Issue 1.0 2/8 May 2018
9.4 Transferring Data Overseas
We will not export your data overseas without ensuring appropriate data protection arrangements are in place.
9.5 Automated Decision Making
We will not rely solely on automated decision making when making a decision which will have a direct impact on an individual.
10 Protective Measures
10.1 Security of Data
We will ensure that we apply appropriate industry standard security measures when securing and handling personal data.
We will take specialist advice, where necessary, to ensure our security measures are providing the expected level of protection.
10.2 Incident Reporting
We will treat all security incidents as a serious matter and provide appropriate resources to their investigation. We will report security incidents as required by the GDPR and the Information Commissioner’s Office (ICO). Staff and direct contractors are required to report any incidents or breaches of this policy as soon as possible. Any findings as a result of a security incident will be used to improve our systems, processes, and training.
10.3 New Systems and Processes
We will ensure privacy is considered at the outset of any new information processing systems and business processes.
10.4 Third Parties We Work With
Depending on the type of supplier, we undertake one of the following:
- review their terms and conditions to ensure they protect data in accordance with GDPR requirements
- provide details of the information we hold and process, ensure they understand their responsibilities in helping us secure it, and formally agree the arrangements
11 Direct Marketing
When obtaining marketing data, we will ensure it is from a GDPR compliant supplier.
11.1 Business to Business (B2B)
We will ensure that B2B marketing communications have a clear method of opting out of further communications from us.
We will take care when adding details to our mailing lists to ensure we treat sole traders and partnerships as Business to Client (B2C) parties.
11.2 Business to Client (B2C)
We will ensure we gain consent prior to adding you to our mailing list.
We will ensure that B2C marketing communications have a clear method of opting out of further communications from us.
12 Complaints
We will investigate complaints or disputes concerning the holding or processing of personal data promptly.
If necessary, we will cooperate with the ICO in the investigation and resolution of complaints and will aim to comply with any recommendations.
Any enquiries, complaints or requests for information should be addressed to the Data Protection Officer: Dawn Brailsford – [email protected]
Office – 0044 1799 512055
10 Rose and Crown Walk, Saffron Walden, Essex, CB10 1JH
13 Compliance
13.1 Failures
Failure to comply with this policy by staff will be dealt with under our disciplinary procedures.
Failure to comply with this policy by direct contractors will be dealt with under the terms of the contract between us, which could include termination.
13.2 Training
We will train our staff on the GDPR and provide refresher training as required.
14 Accountability
We will have documentary evidence to support our GDPR compliance, including:
- analysis of data types and their flows
- the locations (logical and physical) where data is held
- the people with access to the information
- assessment of the suitability of the security controls applied
- details of arrangements we have with our suppliers to maintain protection
Privacy Notice
1 Introduction
Atlantic Healthcare plc ("Atlantic") together with its holding companies, subsidiaries and associated companies is an emerging trans-Atlantic pharmaceutical group. Under GDPR we are a Data Controller. This means we decide how your personal data is processed and for what purposes.
At Atlantic we know that employee and shareholder data can be highly sensitive. We don’t sell personal data or make it available to any other organisation. Our Privacy Policy sets out the way in which we protect and manage your data.
We know that the data is not ours – we are merely custodians of your valuable information.
2 What do we hold data for?
We do not hold any data on Children.
2.1 As a Data Controller:
- To manage our employees
- To manage our shareholders
We hold some information classed as special category information under GDPR Article 9. This is health and welfare related and is held to help us discharge our duty of care for employees’ wellbeing whilst employed by us.
3 How do we Process Data?
We comply with our obligations under the GDPR by:
- Ensuring personal data is accurate and correcting inaccuracies discovered or notified to us
- Not collecting excessive amounts of information
- Only retaining information for as long as is necessary, and in accordance with our retention policy
- Providing appropriate protection of data confidentiality against unauthorised access and disclosure through appropriate technical, physical, and procedural measures
4 What is the Legal Basis for Processing Data?
We send information by email on the basis of Legitimate Interest. We do not need consent for this, but we ensure people have an easy way to opt out of any communications.
Our employee data is managed on the basis of Legitimate Interest and Contract of Employment. Processing data is required for carrying out responsibilities under Employment Law.
5 Transfer Overseas
We do not knowingly transfer personal data overseas. Our major IT provider, Microsoft, has operations within the European Union and claims to be fully GDPR compliant.
6 Data Retention
We have a Data Retention Policy which can be found with our GDPR Policy. Retention periods are typically based around statutory and legal requirements. A small number are based on industry best practice.
7 Sharing your Personal Data
Your personal data is treated confidentially and is not sold. It may occasionally be necessary for us to share certain information with other providers, to ensure we fulfil our duty of care to staff. In this case, the staff member will be asked for permission to do this and the data shared will be the minimum necessary. We will seek assurance that the third-party provider is GDPR compliant.
8 Website
Our website does not impact on privacy. Individuals may request details of our trial(s) and/or newsletter by completing an online form with their name and email address, with the option to add their phone number, Town/City/Country. When submitting the form, the individual agrees to consent to the company contacting them. All information sent via email allows the individual to ‘unsubscribe’ at any point.
9 Cookies
Cookies are used for the following purposes and are categorised according to the International Chamber of Commerce. More information can be found on our website.
| Category | Used on our web site atlantichc.com |
| --- | --- |
| Category 1: strictly necessary cookies | _gat, uncodeAI.screen, uncodeAI.images, uncodeAI.css |
| Category 2: performance cookies | None |
| Category 3: functionality cookies | _ga, _gat, _gat_product. These cookies relate to Google Analytics and help us understand the usage of our site. |
| Category 4: targeting cookies or advertising cookies | None |
10 Your Rights and Your Personal Data
To make a Subject Access Request, please write to us detailing the information that you seek. Please try to be as specific as possible, because as a small company searches can be expensive. We will charge a reasonable fee based on the administrative cost for searches that we deem to be excessive or unfounded. We will charge a fee for repeat searches, even if the original search was free. Requestors should not assume we have received the request until they have received an acknowledgement.
To make a request for deletion or rectification, please write to us or speak to us, detailing the information that you believe needs correcting, and evidence of why the data we hold is incorrect. We will confirm receipt of the request in writing.