This General Privacy Notice (“Notice”) explains how we may collect and use information that Sterling Pharma Solutions Limited (“SPSL”) obtains about you, and your rights in relation to that information.
Please read this Notice to understand how we will collect, use and process your personal data and the rights you have in relation to your personal data. This Notice may be amended from time to time. Please visit this page if you want to stay up to date, as we will post any changes in our approach to data privacy here. This policy is effective from 14th February 2019.
By visiting our website, by using our products and/or services and/or by your provision of information to us, you acknowledge the terms of this Notice and the use and disclosure of your personal data as set out in this Notice.
If you have any questions in relation to this Notice, please contact us at the contact details found in section 12.
In this Notice, references to “GDPR” refer to the EU General Data Protection Regulation which came into force across Europe on 25 May 2018.
Scope of notice
This Notice applies to our processing of personal data in relation to the provision of any of our products and/or services, including:
- when you request information from us;
- when you engage with us in relation to the provision of services or supply of products;
- where you apply for a job or work placement; and
- when you use our websites (including our associated sites).
How your personal data is collected
Business contacts and suppliers
We collect certain limited personal data about our business contacts, including individuals associated with our customers, suppliers and subcontractors, and service providers (including professional advisors and individuals associated with our service providers). Personal data collected in this context usually includes (but may not exclusively be limited to) name, employer name, contact title, phone, email and other business contact details.
When you use or visit our website, we may collect the following information from you directly and/or automatically:
- demographic information such as postcode, preferences and interests;
- information you provide to us if you contact us, for example to report a problem with our website or raise a query or comment; and
- details of visits made to our website such as the volume of traffic received, logs (including the internet protocol (IP) address and location of the device connecting to the online services and other identifiers about the device and the nature of the visit) and the resources accessed.
Careers and Recruitment
If you apply for a job or work placement you may need to provide information about your education, employment, nationality, and state of health. We may also carry out screening checks (including reference, background, directorship, financial probity, identity, eligibility to work, vocational suitability and criminal record checks) and consider you for other positions. We may disclose your personal data (including diversity and equal opportunities data) to academic institutions, recruiters, screening check providers, health service providers, professional and trade associations, law enforcement agencies, recruitment analytics and diversity research providers, referees and your current and previous employers. We may also collect your personal data from these parties in some circumstances. Without your personal data we may not be able to progress considering you for positions with us.
Visitors to our offices and facilities
We have security measures in place at our offices and facilities, including CCTV and building access controls.
There are signs in our office showing that CCTV is in operation. The images captured are securely stored and only accessed on a need-to-know basis (e.g. to look into an incident). CCTV recordings are typically automatically overwritten after a short period of time unless an issue is identified that requires investigation (such as a theft).
We require visitors to our offices or facilities to sign in at reception or security guard house, and we keep a record of visitors for a short period of time. Our visitor records are securely stored and only accessible on a need-to-know basis (e.g. to look into an incident).
Why we collect your personal data
Providing products and/or services
We provide a range of products and/or services. Some of our products and/or services require us to process personal data in order to provide such products and services and to carry out our obligations arising from our contracts with you.
We process personal data in relation to our suppliers, service providers and their staff as necessary to receive the services in question.
Administering, managing and developing our businesses and services
We process personal data in order to run our business, including:
- managing our relationship with customers;
- developing our businesses and services (such as identifying customer needs and improvements in service delivery);
- promoting our goods and services;
- maintaining our own accounts and records;
- maintaining and using IT systems;
- hosting or facilitating the hosting of events; and
- administering and managing our website and systems and applications.
Security, quality and risk management activities
We have security measures in place to protect your information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake, for example in automated scans to identify harmful emails.
We collect and hold personal data as part of our customer engagement and acceptance procedures. As part of those procedures we carry out searches using publicly available sources (such as internet searches and sanctions lists) to identify politically exposed persons and heightened risk individuals and organisations and check that there are no issues that would prevent us from working with a particular customer (such as sanctions, criminal convictions (including in respect of company directors), conduct or other reputational issues).
Providing our customers and suppliers with information about us and our range of services
We use customer and supplier business contact details to provide those individuals with information that we think will be of interest about us and our services.
Complying with any requirement of law, regulation or a professional body of which we are a member
We may be subject to legal, regulatory and/or professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
We may contact you for marketing purposes via direct messages, post, telephone and email.
This marketing may relate to:
- Products and services we feel may interest you;
- Information about other goods and services we offer that are similar to those that you have already used or enquired about; and
- Upcoming events, promotions and new products and/or services or other opportunities.
If you do not wish to receive marketing communications from us, please let us know.
Who do we share your personal data with
We may share your personal data with the following categories of recipients:
Your personal data will be used by us and may be disclosed to our group companies.
In order to provide our products and services, we work with service providers who may, in the course of providing their services, receive and process personal data on our instruction and on the basis of a contractual data processing agreement.
Professional advisors and auditors
We may disclose your personal data to professional advisors (such as legal advisors and accountants) or auditors for the purpose of providing professional services to us.
Regulatory bodies/industry bodies
We may disclose your personal data to a regulatory authority, government agency or law enforcement body with jurisdiction over our activities.
In the event that we sell or buy any business assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If SPSL or substantially all of its assets are acquired by a third party, personal data held by us about our clients will be one of the transferred assets.
How we safeguard your personal data
We care about protecting your information and put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data. These include measures to deal with any suspected data breach.
We are committed to taking all reasonable and appropriate precautions and steps to protect the personal data that we hold from misuse, interference and loss, unauthorised access, modification or disclosure.
We do this by having in place a range of appropriate technical and organisational measures, including, for example, the protection of passwords using industry standard encryption, measures to preserve system security and prevent unauthorised access and back-up systems to prevent accidental or malicious loss of data.
We may use third party data storage providers to store personal data electronically. We take reasonable steps to ensure this information is held as securely as information stored on our own equipment.
Unfortunately, there is always risk involved in sending information through any channel over the internet. If you send information over the internet, this will be entirely at your own risk. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet and we do not warrant the security of any information, including personal data, which you transmit to us over the internet.
If you suspect any misuse or loss of or unauthorised access to your personal data please let us know immediately. Details of how to contact us can be found in section 12.
How long we keep your personal data
We will not keep your personal data for longer than is necessary for the purposes for which we have collected it, unless we believe that the law or other regulation requires us to keep it (for example, because of a request by a tax authority or in connection with any anticipated litigation) or if we require it to enforce our agreements. The precise length of time will depend on the type of data, our legitimate business needs and other legal or regulatory rules that may require us to retain it for certain minimum periods.
In determining the appropriate retention period for different types of personal data, the amount, nature, and sensitivity of the personal data in question, as well as the potential risk of harm from unauthorised use or disclosure of that personal data, the purposes for which we need to process it and whether we can achieve those purposes by other means are considered.
Once we have determined that we no longer need to hold your personal data, we will delete it from our systems. While we will endeavour to permanently erase your personal data once it reaches the end of its retention period, some of your personal data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists in the electronic ether, our employees will not have any access to it or use it again.
Under the GDPR, you have various rights in relation to your personal data which we hold, as set out below.
If you wish to exercise any of these rights, please contact us (see section 12). We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Right to object
This right enables you to object to us processing your personal data where we do so for one of the following reasons:
- because it is in our legitimate interests to do so (for further information please see the section on our legal bases for processing below);
- to enable us to perform a task in the public interest or exercise official authority;
- to send you direct marketing materials; or
- for scientific, historical, research, or statistical purposes.
Right to withdraw consent
Where we have obtained your consent to process your personal data for certain activities (for example, for marketing), you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.
Data Subject Access Requests
You may ask us for a copy of the information we hold about you at any time, and request us to modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
Right to erasure
You have the right to request that we “erase” your personal data in certain circumstances. Normally, this right exists where:
- the data are no longer necessary;
- you have withdrawn your consent to us using your data, and there is no other valid reason for us to continue;
- the data has been processed unlawfully;
- it is necessary for the data to be erased in order for us to comply with our obligations under law; or
- you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so. When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
Right to restrict processing
You have the right to request that we restrict our processing of your personal data in certain circumstances, for example if you dispute the accuracy of the personal data that we hold about you or you object to our processing of your personal data for our legitimate interests. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
Right to rectification
You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
Right of data portability
If you wish, you have the right to transfer your personal data between service providers. In effect, this means that you are able to transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.
Right to complain
You also have the right to complain to your applicable data protection authority. Contact details for data protection authorities in the EU are available at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period for which we hold your data.
Storage and transfer of your data internationally
In order for us to carry out the purposes described in this Notice, your data may be transferred to the following recipients located outside of your jurisdiction:
- to third parties (such as advisers and suppliers to the SPSL business or providers of benefits);
- to overseas customers;
- to customers within your country who may, in turn, transfer your data internationally;
- to a cloud-based storage provider; or
- to other third parties, as referred to in this Notice.
We will only transfer data outside of the European Economic Area or EEA (i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data.
To ensure that your personal information receives an adequate level of protection, we have put in place appropriate procedures with the third parties we share your personal data with, to ensure that your personal information is treated by those third parties in a way that is consistent with the law on data protection.
Cookies are small data files sent by a website to your computer that are stored on your hard drive when you visit certain online pages of our website.
You can set your browser to accept or reject all cookies, or notify you when a cookie is sent. If you reject cookies or delete our cookies, you may still use our websites, but you may have reduced functionality and access to certain areas of our websites or your account (if applicable).
Legal basis for using your personal data
There are a number of different ways that we are lawfully able to process your personal data. We have set these out below.
Where using your data is in our legitimate interests, except where such interests are overridden by your interests or fundamental rights or freedoms which require protection of personal data
We are allowed to use your personal data where it is in our interests to do so, and those interests are not outweighed by any potential prejudice to you.
We believe that our use of your personal data is within a number of our legitimate interests, including but not limited to:
- To help us satisfy our legal obligations and compliance with any law and regulations that may be applicable to us or our businesses;
- To help us understand our customers better and provide better, more relevant services to them; and
- To ensure that our service and/or our relationship runs smoothly.
You have the right to object to us processing your personal data on this basis. We have set out details regarding how you can go about doing this in section 8 above.
Where you give us your consent to use your personal data
We are allowed to use your data where you have specifically consented.
When you engage our services and/or purchase our products, enter into a relationship with us, apply for a job or work placement, use our websites or online services or register for an account with us (as may be applicable), we may ask you for specific consents to allow us to use your data in certain ways. If we require your consent for anything else in the future, we will provide you with sufficient information so that you can decide whether or not you wish to consent.
You have the right to withdraw your consent at any time.
Where using your personal data is necessary for us to carry out our obligations under our contract with you
We are allowed to use your personal data when it is necessary to do so for the performance of our contract with you. For example, we need to collect your business contact details in order to be able to process orders for services and/or products.
Where processing is necessary for us to carry out our legal obligations
As well as our obligations to you under any contract, we also have other legal obligations that we need to comply with and we are allowed to use your personal data when we need to in order to comply with those other legal obligations.
Our contact details
If you have any questions, comments or complaints about our use of your personal data, please contact us using the following contact details:
HR Director, Sterling Place, Dudley, Cramlington, Northumberland, NE23 7QG, United Kingdom
Alternatively, you can send an email to firstname.lastname@example.org.