Privacy Notice: Event Management

Version: 3

Effective Date: 17 May 2023

Last Review: May 2023

INTRODUCTION

The statement below (“Notice”) is directed to individuals (“You”/”Delegate(s)”) who:

Have been invited to attend to an event (“Event”) organised by MDE Healthcare Services Limited and/or its affiliates (“we”/“us”/ “mdgroup”) on behalf of its clients (“Sponsor”)
Have been invited by the Delegate as a guest to either attend to the Event or merely accompany the Delegate.

When you register to an event organised by us or otherwise liaise with us or use our mobile applications, you trust us with your personal data. We are committed to keeping that trust and this starts with helping you understand how your personal may be used.

We are following the principles of the General Data Protection Regulation and the Data Protection Act 2018. We are registered with the Information Commissioner’s Office.

We will only be contacting you once the Sponsor has communicated your personal data and therefore authorised us to do so. Sponsor may rely on different legal reasons to use your personal data (for example its legitimate interests).

We have a legitimate interest in using your personal data as this would be necessary for us to be able to facilitate your attendance to the Event and perform our contractual obligations towards the Sponsor.

You may contact the Sponsor directly for more information about the use of your personal data. You can also contact our Data Protection Officer on the following email address for more information about our use of your personal data by contacting us at: privacy@mdgroup.com.

We may change this Notice from time to time. The most recent version of the Notice is the one provided to You when you register to an event.

AT A GLANCE

1.1 When do we collect Personal Data?

When we refer to Personal Data in this notice, we mean information that can or has the potential to identify someone as an individual.

We will collect and process Personal Data about an individual at the following stages:

Stage	Description
Event Registration	The purpose of this stage is for the events team to engage with patients and to help enrol them onto events by completing and returning the appropriate documentation to us.
During & Post Event	The purpose of this stage is to respond to questions and requests from individuals attending or having attended one of our events.

1.2 What Personal Data may we collect from you and why?

Identity of the organisations

We are managing the organisation of the event on behalf of the Sponsor and as such:

Sponsor is the controller of your personal data.
We are the processor of your personal data.

Sponsor information: the Sponsor details will be provided on the invitation to the Event you receive from us.

In the United States of America, our company details are:

MDE Healthcare Services Inc. 575 East Swedesford Road Suite 101 Wayne, PA 19087 United States of America.

In Europe, our company details are:

MDE Healthcare Services Ltd Building 329 Doncastle Road, Bracknell, Berkshire, RG12 8PE United Kingdom.

Event Registration:

During this stage we rely on your ‘Consent’ to process an individual’s Personal Data.

Data Category	Reason For Processing
Personal Identifiers Contact Details	To provide the individual or a responsible party with information about events, products and services that are requested from us.
Personal Information Special Category Data Third Party Information Other Information	To understand the type of service and or level of care required.
Personal Identifiers Contact Details Personal Information Third Party Information Other Information	For internal record keeping and administration.

During & Post Event:

During this stage we will largely rely on ‘Contractual Necessity’ to process your Personal Data apart from Personal Data marked with a (#) below where we will rely on ’Compliance with a Legal Obligation’.

Data Category	Reason For Processing
Personal Identifiers Contact Details Personal Information Third Party Information Other Information	To carry out our obligations to you arising from any contract. Responding to queries and everyday needs.
Personal Identifiers Contact Details Personal Information Third Party Information Other Information	To support your registration to an event and to facilitate travel requirements. To provide you with feedback and services after the event.
#Personal Identifiers #Contact Details #Personal Information #Special Category Data #Third Party Information #Other Information	To respond to requests where we have a legal or regulatory obligation to do so.
Personal Identifiers Contact Details Personal Information Financial Information Special Category Data Third Party Information Other Information	To Assess the quality and type of service received and to investigate any concerns or complaints that may raise.
Personal Identifiers Contact Details Personal Information Financial Information Third Party Information Other Information	For internal record keeping and administration.
Personal Identifiers Personal Information	To administer our web site and Apps and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes. To allow individuals to participate in interactive features of our service, when they choose to do so.
Personal Identifiers Contact Details Personal Information Financial Information Third Party Information Other Information	For the purposes of internal and external audit and accounting purposes together with the preparation and review of management information.

Any decision to provide any Personal Data described above to us is voluntary. If individual’s choose not to provide any of the Personal Data requested or does not consent, we may not be able to provide them with our services and we may be prevented from complying with our legal obligations.

Further Detailed Information

1.3 Data sharing and transfers

In the usual course of business, we may disclose Personal Data which will include health information as recorded below (to the extent necessary) to (i) our Affiliates, and (ii) certain third-party processors we have retained to perform services on our behalf and pursuant to our instructions. This may include sharing with:

Affiliates for the provision and delivery of services, IT application support, internal audits and investigations, quality control, program monitoring, management reporting and other internal purposes.
Affiliates to deal with any legal and compliance matters, providing assessment results, for record keeping, internal audit, reviews, management information, operational, administrative purposes.
Medical sites when seeking approval in relation to your reimbursement claim or to confirm when travel is arranged, and accommodation requirements are met.
Auditors, lawyers, accountants, consultants, and other professional advisors.
Business partners, suppliers, and sub-contractors for the provision of the contracted services such as travel companies and airlines.
Organisations providing IT systems support and hosting in relation to the IT systems on which your Personal Data is stored.
Third parties in connection with a disposal of assets, restructuring, merger or sale activities.

Where a third-party data processor is used, we ensure that they operate under contractual restrictions regarding confidentiality and security, in addition to their obligations under data protection laws.

We may also disclose your Personal Data (iii) if we are required to do so by law or legal process, or (iv) in response to lawful requests from public authorities, including to meet national security, public interest, or law enforcement requirements. We also reserve the right to transfer Personal Data in the event of an audit or if we or any of our Affiliates sell or transfer all or a portion of their business or assets (including in the event of a merger, acquisition, joint venture, reorganisation, dissolution, or liquidation).

1.4 Third country data transfers

Due to the global nature of our operations, we may transfer the Personal Data we collect about you to recipients in countries other than the country in which your Personal Data originally was collected. For example, we may disclose Personal Data to our Affiliates based in the U.S. or other offices worldwide.

Where we transfer the Personal Data to a country which may not have the same data protection laws as the country in which they were initially provided (such as the U.S.), each such party will protect that Personal Data as described in this Privacy Notice and will comply with applicable local legal requirements providing adequate protection for the transfer of Personal Data to recipients in countries other than the one in which you provided the Personal Data.

Where Personal Data is transferred to a country that does not have adequacy, we have implemented appropriate safeguards to ensure an adequate level of data protection, including by concluding data transfer agreements incorporating the European Commission’s Standard Contractual Clauses under Article 46 of the GDPR. You may contact the Privacy Office as indicated below to obtain further information on the transfer mechanism.

1.5 Health information collected during the provision of services

Special category data (including information relating to your health) will only be disclosed to third parties in accordance with this Privacy Notice, and only when necessary. That includes third parties involved with providing you with accessibility to our events, or in accordance with applicable laws and guidelines of appropriate professional bodies.

Where applicable, it may be disclosed to any person or organisation who may be responsible for providing treatment and or care.

1.6 How we protect Personal Data

We maintain appropriate technical and organisational measures designed to protect Personal Data against loss or accidental, unlawful, or unauthorised, alteration, access, disclosure, or use.

1.7 Retention Period

We retain Personal Data for as long as we reasonably require it for legal and business purposes. In determining data retention periods, we also take into consideration local laws, relevant regulations, and the contractual obligations or instructions that are specifically given by the study sponsor.

1.8 Data subject rights

At any point while we are in possession of or processing Personal Data, you have the following rights:

Right of access – the right to request a copy of the Personal Data that we hold about you. We reserve the right to charge a reasonable fee based on our administration costs where further copies are requested.
Right of rectification – the right to correct Personal Data that we hold that is inaccurate or incomplete.
Right to be forgotten – in certain circumstances you can request the Personal Data we hold about you to be erased from our records.
Right to restriction of processing – where certain conditions apply you have the right to request that we restrict the processing.
Right of portability – in certain circumstances you have the right to have the Personal Data we hold about you transferred to another organisation.
Right to object – you have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing and profiling – you have the right to object to automated processing and profiling.

All the above requests will be forwarded on should there be a third party involved in the processing of the Personal Data.

If you would like to exercise any of your data subject rights, please contact us using one of the methods highlighted below.

1.9 Cookies

We may use cookies to distinguish the user from other users of our Website, App, App Site or App store. This helps us to provide a good experience when individuals browse our website, use the Apps, and also allows us to improve our services.

1.10 Contact Information

Any questions about this notice or the processing of Personal Data by us or any of our Affiliates, should be directed to the Privacy Office:

By email at privacy@mdgroup.com or
By writing to us at Privacy Office, mdgroup, Building 329, Doncastle Road, Bracknell, Berkshire, RG12 8PE United Kingdom

1.11 Complaints

If you wish to make a complaint about how your Personal Data is being processed by us (or third parties as described in 1.3 & 1.4 above) you should contact the Privacy Office at either of the address detailed above.

If you are not satisfied with how your complaint has been handled, you have the right to lodge a complaint directly with the relevant supervisory authority.

The UK regulator can be contacted at the Information Commissioners Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Tel 0303 123 1113

Our designated EU regulator is the Irish Data Protection Commission (DPC) who can be contacted at 21 Fitzwilliam Square, South Dublin 2, D02 RD28 Tel 017650100 / 1800437737

1.12 Personal Data types & items which may be processed

Data Type	Data Items
Personal Identifiers	National Insurance Number NHS Number Online Identifiers (IP Address, IMEI number, Mac address) Passport Number Immigration documents Visa Records App Registration Information
Contact Information	Name Address Email Telephone Emergency Contact Details
Personal Information	Date of Birth Gender Marital Status Photograph Nationality
Financial Information	Bank Details Payment Card Details Receipts Claim Submissions & Values
Special Category Data	Race & Ethnic Origin Biometric data used to identify an individual Genetic data Health Observation Information Disability Mobility Requirements Dietary Requirements
Third Party Information	Enquirer Details NOK Details Responsible Party / Carer Details Spouse Details Hospital Details
Other Information	Operating System & Version App Access Dates & Times Travel Preferences & Details Date of Time of Requests Details of Incident

1.13 Affiliate

In relation to MDE Services Group Limited or any Affiliate, any subsidiary or holding company of that entity and any subsidiary or holding company of that entity.

Jurisdiction	Company Name	Company Number
UK	PATIENT PRIMARY LIMITED	10372696
UK	MDE TRAVEL LIMITED	09954028
IRELAND	MDE HEALTHCARE SERVICES EUROPE LIMITED	604758
USA	MDE TRAVEL U.S. LIMITED	201914174
USA	MDE HEALTHCARE SERVICES, INC	4109251
SINGAPORE	MDE HEALTHCARE SERVICES PTE. LTD	201529133k
HONG KONG	MDE HEALTHCARE SERVICES HONG KONG LIMITED	1808783
USA	MDE Horreum, Inc.	6207778
USA	Seacole Health, Inc	6042198
UK	Seacole Health, Ltd	10247381
UK	MDE Horreum Ltd	13329821
NETHERLANDS	MDE Horreum, BV	83089098
FRANCE	MD HEALTHCARE SERVICES FRANCE SAS	897 1 751

1.14 Lawful Basis of Processing

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

1.14.1 Consent

In certain circumstances, we are required to obtain your consent for the processing of the Personal Data in relation to certain activities.

Article 4 of the GDPR states that (opt-in) consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.” In plain language, this means that you:

have to give us consent freely;
have to know what they are consenting to;
should have choice over which processing activities you consent to and which you don’t; and
need to take positive and affirmative action in giving us your consent;

We will keep records of the consents that we have received.

Where consent has been provided you have the right to withdraw it. This can be exercised at any time by contacting our privacy office recorded in section 1.10 above.

1.14.2 Contractual Necessity

Article 6 of the GDPR states that we can process Personal Data on the basis that such processing is necessary to enter or perform a contract.

The ’Contractual Necessity’ lawful basis permits the processing of Personal Data in two different scenarios:

Situations in which processing is necessary for the performance of a contract to which you are a party. This may include, for example, processing your financial details for the processing of reimbursement claims.
Situations that take place prior to entering a contract such as pre-contractual relations.

1.14.3 Compliance with a Legal Obligation

Article 6 of the GDPR states that we can process Personal Data on the basis that we have a legal obligation to perform such processing. Processing is permitted if it is necessary for compliance with a legal obligation.

Cookie	Duration	Description
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
_cfuvid	session	Cookie is used to allow the Cloudflare WAF to distinguish individual users who share the same IP address.
_GRECAPTCHA	5 months 27 days	Google Recaptcha service sets this cookie to identify bots to protect the website against malicious spam attacks.
_hjClosedSurveyInvites	365 days	Set when a user interacts with a Link Survey invitation modal. Ensures the same invite does not reappear if it has already been shown. 365 days duration. List of Survey IDs, URL encoded.
_hjCookieTest	Deleted almost immediately after it is created	Checks to see if the Hotjar Tracking Code can use cookies. If it can, a value of 1 is set. Deleted almost immediately after it is created. Under 100ms duration, cookie expiration time set to session duration. Boolean true/false data type.
_hjDonePolls	365 days	Set when a user completes an on-site Survey. Ensures the same Survey does not reappear if it has already been filled in. 365 days duration. List of Survey IDs, URL encoded.
_hjHasCachedUserAttributes	session	Enables us to know whether the data set in _hjUserAttributes Local Storage item is up to date or not. Session duration. Boolean true/false data type.
_hjLocalStorageTest	Data stored in _hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created.	Checks if the Hotjar Tracking Code can use Local Storage. If it can, a value of 1 is set. Data stored in _hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created. Under 100ms duration. Boolean true/false data type.
_hjMinimizedPolls	365 days	Set when a user minimizes an on-site Survey. Ensures that the Survey stays minimized when the user navigates through your site. 365 days duration. List of Survey IDs, URL encoded.
_hjSession_{site_id}	30 minutes duration, extended on user activity.	Holds current session data. Ensures subsequent requests in the session window are attributed to the same session. 30 minutes duration, extended on user activity. JSON data type.
_hjSessionStorageTest	Data stored in _hjSessionStorageTest has no expiration time, but it is deleted almost immediately after it is created.	Checks if the Hotjar Tracking Code can use Session Storage. If it can, a value of 1 is set. Data stored in _hjSessionStorageTest has no expiration time, but it is deleted almost immediately after it is created. Under 100ms duration. Boolean true/false data type.
_hjSessionUser_{site_id}	365 days	Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Hotjar does not track users across different sites. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type.
_hjShownFeedbackMessage	One day	Set when a user minimizes or completes a Feedback widget. Ensures the Feedback widget will load as minimized if the user navigates to another page where it is set to show. One day duration. Boolean true/false data type.
_hjTLDTest	session	We try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. Enables us to try to determine the most generic cookie path to use, instead of page hostname. It means that cookies can be shared across subdomains (where applicable). After this check, the cookie is removed. Session duration. Boolean true/false data type.
_hjUserAttributes	No explicit expiration	Stores User Attributes sent through the Hotjar Identify API. No explicit expiration. Base64 encoded JSON data type.
_hjUserAttributesHash	2 minutes duration, extended every 30 seconds	Enables us to know when any User Attribute has changed and needs to be updated. 2 minutes duration, extended every 30 seconds. Content hash data type.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-non-necessary	1 year	GDPR Cookie Consent plugin sets this cookie to record the user consent for the cookies in the "Necessary" category.
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category along with the status of CCPA.
hjActiveViewportIds	Stores an expiration Timestamp	Stores user active viewports IDs. Stores an expiration Timestamp that is used to validate active viewports on script initialization. JSON data type.
hjViewportId	session	Stores user viewport details such as size and dimensions. Session duration. UUID data type.
PHPSESSID	1 day	This cookie is native to PHP applications and is used to store and identify a users' unique session in order to manage user sessions on the website.
viewed_cookie_policy	1 year	This primary cookie monitors the user’s consent to the use of cookies when they click on the following buttons: "Accept": to give consent. "No": to deny consent. No personal information is collected by this cookie and its activation depends only on response to the user’s action (Accept/No).

Cookie	Duration	Description
__hstc	5 months 27 days	Hubspot set this main cookie for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.

Cookie	Duration	Description
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_fbp	3 months	Facebook sets this cookie to measure, optimise and build audiences for ad campaigns.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
datr	1 month 4 days	Facebook sets this cookie to measure, optimise and build audiences for ad campaigns.
fr	3 months	Facebook sets this cookie to measure, optimise and build audiences for ad campaigns.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
sb	1 month 4 days	Facebook sets this cookie to measure, optimise and build audiences for ad campaigns.
usida	session	Facebook sets this cookie to measure, optimise and build audiences for ad campaigns.
wd	7 days	Facebook sets this cookie to measure, optimise and build audiences for ad campaigns.