Privacy Notice for Insurers
We are committed to respecting and protecting privacy. The following privacy notice sets out what data GenesisCare UK collects, how that data be used and your legal rights.
About GenesisCare UK
GenesisCare UK is a trading name of Genesis Cancer Care UK Limited. We are a specialist, provider of cancer care diagnostic and treatment services in the UK. Our company registration is 05796994 and our registered office is Wilson House, Waterberry Drive, Waterlooville, Hampshire, PO7 7XX. GenesisCare is registered with the Information Commissioners Office, registration number Z9493925.
When we refer to ‘we’, ‘us’ and ‘our’, this means GenesisCare UK.
What data does GenesisCare UK collect?
We will collect, use and store personal data which we have received from you or acquired in the framework of our cooperative relationship.
We may also process personal data legitimately obtained from publicly accessible sources (such as the internet) or which has been legitimately transmitted to us from third parties in order that we can carry out our services
Relevant personal data are:
- Name and contact details (postal and email addresses and phone numbers)
- Data necessary for the fulfilment of our contractual obligations, such as commission payments (e.g. bank details)
- Details relating to professional registration
- Details of patient feedback which may include complaints and incidents.
Within the scope of our cooperative relationship, you are obliged to provide those personal data which are required for commencing, executing and terminating the cooperative relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without these data, we will generally not be able to enter into agreements with you, to perform under such an agreement or to terminate it.
If you should fail to provide the necessary information and documents, this may be an obstacle to the initiation and implementation of the cooperative relationship.
How does GenesisCare UK use data and on what lawful basis?
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 as follows:
In order to comply with contractual obligations (Art. 6 (1 b) GDPR)
Data processing is carried out to establish, implement or terminate the cooperative relationship in the framework of the existing contract with you (e.g. payment processing) or for performing pre-contractual measures as a result of queries.
Within the scope of legitimate interests (Art. 6 (1 f) GDPR)
Where necessary we may process your data beyond the scope of the actual performance of the contract so as to protect justified interests of our own and of third parties. E.g. to lodge legal claims and defence in case of legal disputes; to collect evidence in cases of fraud.
Other purposes may include:
- Managing engagement activities and events
- Management reporting analysis
As a result of your consent (Art. 6 (1 a) GDPR)
To the extent you have consented to the processing of personal data by us for certain purposes, such processing is legitimate on the basis of your consent. Consent once given may be revoked at any time. Revocation of consent will have an effect only for the future and does not affect the legitimacy of data processed until revocation.
On the basis of statutory regulations (Art. 6 (1 c) GDPR) or in the public interest (Art. 6 (1 e) GDPR)
We are subject to various legal obligations including statutory requirements.
Purposes may include:
- Checks on identity
- Money laundering checks
- Compliance with tax law
- Preventing and detecting crime
- Managing information technology and communications systems
- Conducting ethics and investigations
- Complying with applicable legal obligations, including government reporting and specific local law requirements
- Management of risk
- Managing mergers, acquisitions and divestitures
Who will data be shared with?
Within GenesisCare UK access to data will be granted to relevant staff members in order to comply with our contractual and statutory obligations.
Data will be shared with third parties on a need to know basis and within the Data Protection Legislation framework.
We may share data with:
- Public authorities and institutions
- Regulatory bodies
- Organisations to which we transfer personal data for the implementation of the contract (e.g. for commission payments)
- Service providers with whom we have data processing relationships under contract
- Organisations where you have given your consent
- As part of an investigation or grievance process
We may need to share data without obtaining your explicit consent. This will only occur if the processing is necessary, e.g. in response to a court order, for the purpose of prevention or detection of crime, the apprehension or prosecution of offenders.
International transfers of your personal information
GenesisCare UK is part of a global organisation and we (or third parties acting on our behalf) may store or process personal information within the GenesisCare group of companies for administrative and management purposes. The group companies are located in Spain and Australia and the United States. This processing is based on our own or a third party’s legitimate business interests.
As a global organisation we may engage global suppliers for the provision of services to the GenesisCare Group of companies and such suppliers may also be located outside the UK.
Where we transfer your personal data to a third country or international organisation, we will ensure adequate safeguards and measures are in place to protect your personal data from unlawful use and ensure your fundamental rights are capable of being upheld. We would normally achieve this by:
- Only transferring personal data to countries deemed capable of providing an adequate level of protection; or
- Implementing Standard Contractual Clauses; and
- Adopting technical, organisational and contractual measures, where required.
In certain situations, it may be possible to legitimise the transfer by relying on a derogation. For example, if:
- You have explicitly consented to the proposed transfer; or
- The transfer is necessary for the performance of a contract.
In all cases any transfer of your personal information will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal information when making international transfers, please contact the DPO using the details at the foot of this Privacy Notice.
How we will secure your personal data
We will secure your personal data by:
- Establishing a network of individuals across the organisation who are accountable and responsible for information risk management
- Various organisational measures including policies and procedures, providing regular training in handling personal data lawfully and conducting regular compliance checks
- Technical measures including lockable rooms, cabinets, individual log in credentials, encryption and secure disposal of confidential waste
- Ensuring only appropriate individuals have access to relevant and proportionate data
- Carrying out checks on third parties who process personal data on our behalf
How long do we keep your personal data?
We process and store data whilst it is required to meet our contractual and statutory obligations.
If the data are no longer required for the performance of contractual or statutory obligations, these will be erased on a regular basis unless further processing is necessary (e.g. preservation of evidence).
Data protection rights
If in the future we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information.
Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have certain rights with regard to your personal data.
You are entitled to:
- A description of the personal information we hold about you
- Why this information is being collected and processed
- Know to whom your information may be disclosed
- Know where the information came from if this is not clear
- Have a copy of the information on request – this is called a subject access request
- Ask for any errors or out-of-date information to be corrected
Unless an exemption applies, you have the following rights with respect to your personal data:
- The right to request a copy of your personal data which GenesisCare UK holds about you
- The right to request that GenesisCare UK corrects any personal data if it is found to be inaccurate or out of date
- The right to request your personal data is erased where it is no longer necessary for GenesisCare UK to retain such data
- Where your consent is relied upon as a processing condition, the right to withdraw your consent to the processing at any time; any such withdrawal will not affect the lawfulness of the processing before your consent was withdrawn
- The right to request that GenesisCare UK provides you with your personal data and where possible, to transmit that data directly to another data controller, (the right to data portability), where applicable
(This right only applies where the processing is based on consent or is necessary for the performance of a contract with you and in either case the data is processed by automated means)
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing
- The right to object to the processing of personal data, where applicable.
(This right only applies to profiling or where processing is based on legitimate interests; the performance of a task in the public interest; direct marketing and processing for the purposes of scientific/historical research and statistics)
For queries or complaints or to exercise relevant rights, in the first instance please contact the Information Governance Manager at firstname.lastname@example.org
If you have any concerns as to how your data is processed you can contact:
The Data Protection Offer at DPO@genesiscare.co.uk
Data Protection Officer
C/O Legal Counsel
69, Alma Road
Independent advice about data protection is available from the UK Information Commissioner’s website at https://ico.org.uk/
You have the right to lodge a complaint with the Information Commissioners Office if you believe that we have not complied with the requirements of the data protection legislation.
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/
or, at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.