Our Privacy Notice describes the categories of personal data we process and for what purposes.
We are committed to collecting and using such data fairly and in accordance with the requirements of the General Data Protection Regulations (GDPR).
1.1 We take your privacy seriously and you can find out more here about your privacy rights and how we gather, use and share your personal information – that includes the personal information we already hold about you now and the further personal information we might collect about you, either from you or from a third party. How we use your personal information will depend on the products and services we provide to you.
1.2 Our Data Protection Officer (DPO) provides help and guidance to make sure we apply the best standards to protecting your personal information. Our DPO can be reached by post at 113 Sheen Lane, East Sheen, London SW14 8AE or by email on email@example.com if you have any questions about how we use your personal information.
See section 3 Your Privacy Rights for more information about your rights and how our DPO can help you.
1.3 This Privacy Notice provides up to date information about how we use your personal information and will update any previous information we have given you about using your personal information (also referred to as personal data). If we make any changes affecting how we use your personal information, we will update this web page with an updated date displayed at the top of this page, so please check back regularly for updates. Our website will always show our most up to date version of our Privacy Notice.
2. About us
We are what is known as the ‘controller’ of personal information we gather and use. When we say ‘we’ or ‘us’ in this Privacy Notice, we mean the company Medspack Ltd, trading under the brand ‘Spatetree Pharmacy’. These companies are all registered with the data protection supervisory authority, the Information Commissioner’s Office (ICO), as data controllers.
When we say ‘Group’ in this Privacy Notice, we mean other members of our group of companies, including trading and subsidiary companies.
3. Your privacy rights
3.1 You have the right to object to how we use your personal information. You also have the right to see what personal information we hold about you, to ask us to correct any inaccuracies and to ask for some of your personal information to be provided to someone else. In addition, when permitted by law, you can ask us to delete or restrict personal information we hold about you.
To exercise your right to access your personal information please contact our Data Subject Access Request Team at ‘113 Sheen Lane, East Sheen, London SW14 8AE.’ To exercise any of your other rights in this Privacy Notice please contact our DPO by post at 113 Sheen Lane, East Sheen, London SW14 8AE or by email on firstname.lastname@example.org
More about your privacy rights
You can contact our DSAR Team to access your personal information or our DPO to exercise any of your other privacy rights as follows:
3.2 Right to object:
You can object to our processing of your personal information by providing details of your objection to us.
3.3 Access to your personal information
You can request access to a copy of your personal information that we hold, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can make a request for access free of charge by contacting our Data Subject Access Request team at ‘113 Sheen Lane, East Sheen, London SW14 8AE’. Please make all requests for access in writing, and provide us with evidence of your identity. See Proof of identity checklist – GOV.UK for information on the documents you’ll need to provide.
3.4 Right to withdraw consent
If you have given us your consent to use personal information, you can withdraw your consent at any time.
You can ask us to change or complete any inaccurate or incomplete personal information held about you.
You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
We have the right to refuse to comply with a request for erasure where the personal data is processed for one of the following reasons:
- we need to use the information to perform a task carried out in the public interest, to provide healthcare or treatment or it is necessary for the reasons of public health in the public health arena;
- we need to use the information to comply with our legal obligations;
- archiving purposes in the public interest, scientific research, historical
- research or statistical purposes; or
- the exercise or defence of legal claims.
You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.
You can ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it.
3.9 Make a complaint
You can make a complaint about how we have used your personal information to us, by contacting our DPO by post at 113 Sheen Lane, East Sheen, London SW14 8AE or by email on email@example.com. You can also make a complaint to the data protection supervisory authority, the ICO, at https://ico.org.uk.
We will not make any charge for responding to any request from you to exercise your privacy rights, and we will respond to your requests in accordance with our obligations under data protection law.
4. What kinds of personal information we use
4.1 We use a variety of personal information depending on the products and services we deliver to you.
- to provide most of our products and services we need to know your name, address, date of birth, contact details (phone and email address) and details of your GP/surgery;
- to provide many of our products and services which are pharmacy or healthcare related we will need information about your health, your medication and your NHS number; and
- to provide our products and services to you we may need to obtain your payment details.
4.2 Sometimes where we ask for your personal information it is needed to fulfill a contract with you or to meet a legal obligation (such as dispensing a prescription) and we will not be able to provide some of our products or services without that personal information.
4.3 No credit/debit card payment details are stored by us. For any repeat orders of products or services made by you online via our website or app or if you opt to have your details stored for future payments, our third Party Processing Agency securely holds your credit/debit card details and provides us with a unique token that represents that particular card; this token is only valid for payment to us.
More about additional personal information we gather
For some products and services we need to use additional personal information which we will gather about you, or we will not be able to provide any of these products and services to you. See section 5 How we gather your personal information for further details.
5. How we gather your personal information
We obtain personal information:
- directly from you, for example when you fill out a consent form to receive a product or service, when you have a prescription dispensed in one of our pharmacies, or when you use our digital services for dispensing prescriptions or providing products and services where we ask you to give us health related information online;
- indirectly from you, for example when you use our website, digital services or post comments on our Facebook page. We collect certain usage information when you utilize our website such as Internet Protocol (“IP”) addresses, log files, unique device identifiers, pages viewed, browser type, any links you click on to leave or interact with our website and the products and services we offer, and other usage information collected from cookies and other tracking technologies. For example, we collect IP addresses to track and aggregate non-personal information, such as using IP addresses to monitor the regions from which users navigate our website. We may also collect IP addresses from users when they log into our website as part of our log-in and security features. We may also, when you enable location based-services, collect Global Positioning System (GPS) location data and/or motion data;
- from other organizations which hold commercially-available data such as the electoral roll and companies that collate and update data. This helps us to keep our records up to date and learn more about our customers so we can improve our products and services;
- from NHS bodies such as your GP/surgery or hospital and, if we have your consent to do so, from viewing your Summary Care Record;
- information provided by other people on your behalf, for example, if someone books an appointment on your behalf. We will need to ask them basic details about you, which may include health details such as family history of diseases. We will always check with you that any such details provided are accurate when you come to see us; and
- if you are a customer of a pharmacy business that has been taken over by us, we will receive your personal information as part of the handover process. Where this happens, we will place a notice in store to tell you that your personal information is changing hands.
We also may obtain some personal information from monitoring or recording calls and when we use CCTV. We may record or monitor phone calls with you for regulatory purposes, for training and to ensure and improve quality of service delivery, to ensure safety of our staff and customers, and to resolve queries or issues. We may also use CCTV on our premises to ensure the safety and security of our staff and customers.
6. How we use your personal information
We use your personal information:
- to provide our products and services, respond to queries and comments, to collaborate with others to improve our products and services and to provide you with the best possible level of customer service. We may use it to contact you about appointments you have booked or to send you reminders (e.g. about repeat prescriptions or notification that your prescriptions are ready for collection);
- to learn more about you. We’ll consolidate the information we hold about you across the companies in our Group and the different channels you use to interact with us (e.g. in store, via our app, by phone and correspondence etc.). We do this to keep our records accurate and up to date, provide you with a seamless and consistent service and to build a clearer picture of our customers, both individually and as a group. By understanding you better we can offer you the best and most personalized service we can, but don’t worry – we will only send you marketing material if you have agreed that we can;
- to protect our customers, our staff and our business. We may use your personal data to help prevent and detect crime. We use CCTV to record images in our stores and, if requested, we may pass it on to the police; and
- to fulfill our contractual requirements with the NHS. We need to share your personal information with your GP and others in the wider NHS, such as the NHS Business Services Authority, and sometimes Local Authorities to provide you with NHS or Local Authority funded services, to negotiate and check the accuracy of our payments with the NHS or Local Authorities and to ensure that we maintain appropriate professional and service standards and that your declarations and ours are accurate.
7. Automated decision making
We do not use any automated decision making processes.
8. Our legal basis for using your personal information
8.1 We only use your personal information where that is permitted by the laws that protect your privacy rights. We only use personal information where:
- we have your consent (if consent is needed);
- we need to use the information to perform a task carried out in the public interest, to provide health care or treatment or it is necessary for reasons of public health in the public health arena;
- we need to use the information to comply with our legal obligations;
- we need to use the information to perform a contract with you; or
- it is fair to use the personal information either in our interests or someone else’s interests, where there is no disadvantage to you – this can include where it is in our interests to contact you about appropriate products or services or collaborate with others to improve our products and services.
Where we have your consent, you have the right to withdraw it. We will let you know how to do that at the time we gather your consent. See section 12 Keeping you up to date, clause 12.2 for details about how to withdraw your consent to marketing.
8.2 Special protection is given to certain kinds of personal information that is particularly sensitive. This is information about your health status, medication, racial or ethnic origin, religious or similar beliefs, and sex life or sexual orientation. We will only use this kind of personal information where:
- required to deliver pharmacy and healthcare products and services to you;
- we have a legal obligation to do so(for example to protect vulnerable people);
- it is necessary for us to do so to protect your vital interests (for example if you have a severe and immediate medical need whilst on our premises);
- it is in the substantial public interest; or
- you have specifically given us explicit consent to use the information.
More about how we use special categories of personal information for the following purposes:
Health and Medication information
- we will use your health and medication information provided to dispense and deliver to you your prescriptions or provide other healthcare products and services you have requested. We will never use information about your prescriptions for marketing, although we may use it to advise you of other health services/products that might be useful or relevant to you, such as our new medicine service or a medicines use review; and
- if we need to provide you with urgent medical assistance when you are on our premises.
- sometimes prescriptions we dispense for you will reveal special categories of information (such as your health status, religious beliefs and sex life or sexual orientation). This information may be processed by us to dispense your prescriptions to you and will not be used for any other purpose.
9. Sharing your personal information with or getting your personal information from others
9.1 We will share personal information within our Group and with other organizations where we need to do that to make our products and services available to you, to contact you about appropriate products and services, to meet or enforce a legal obligation or where it is fair and reasonable for us to do so. See section 6 How we use your personal information for more information about how we do this. We will only share your personal information to the extent needed for those purposes.
9.2 Who we share your personal information with depends on the products and services we provide to you and the purposes we use your personal information for. For most products and services, we will share your personal information with our own service providers such as our IT Suppliers, couriers, mailing houses, manufacturers and suppliers. See section 6 How we use your personal information for more information on who we share your personal information with and why.
9.3 Most of the time the personal information we have about you is information you have given to us, or is gathered by us in the course of providing products and services to you. We also sometimes gather personal information from and send personal information to third parties (such as NHS bodies) where necessary so we can fulfill our legal obligations as a provider of pharmacy and healthcare products and services. See section 6 How we use your personal information for more information on who we get your personal information from and why.
10. Transfers outside the UK
10.1 We may need to transfer your information outside the UK to service providers, agents and subcontractors in countries where data protection laws may not provide the same level of protection as those in the European Economic Area, such as the USA.
More about how we transfer your data outside of the UK
We may need to transfer your personal information to territories that are outside the EEA. We will only transfer your personal information outside the EEA where either the transfer is to a country which the EU Commission has decided ensures an adequate level of protection for your personal information, or we have put in place our own measures to ensure adequate security as required by data protection law. These measures include ensuring that your personal information is kept safe by carrying out strict security checks on our overseas partners and suppliers, backed by strong contractual undertakings approved by the relevant regulators such as the EU style model clauses. We also use the EU Commission approved EU-US Privacy Shield when personal information is transferred to the US.
You can find out more information about standard contractual clauses as detailed by the ICO. Visit their website at ico.org.uk and search for ‘International transfers’.
Details of any third party data processor we use can be obtained by contacting our DPO by post at 113 Sheen Lane, East Sheen, London SW14 8AE or by email on firstname.lastname@example.org.
11. How long we keep your personal information for
We need your personal information for as long as we have a legal or business reason to do so, which generally means as long as you remain a customer of Spatetree Pharmacy or as requested to meet our legal obligations, resolve disputes or enforce our agreements. To fulfill our obligations to NHS, regulatory or similar bodies, health related personal information may need to be retained for a period of time after you cease to be a Spatetree Pharmacy customer. We will always store it securely and not use it for any other purpose.
12. Keeping you up to date
12.1 We will communicate with you about products and services we are delivering using any contact preferences you have given to us – for example by post, email, text message, social media, and notifications on our app or website.
12.2 Where you have given us consent to receive marketing, you can withdraw consent by contacting our DPO by post at 113 Sheen Lane, East Sheen, London SW14 8AE or by email on email@example.com.
You can also update your contact preferences by contacting our DPO by post at 113 Sheen Lane, East Sheen, London SW14 8AE or by email on firstname.lastname@example.org.
13. Your online activities
13.2 More about cookies and other tracking technologies