Effective Date: 05 October 2022
This privacy notice is provided by MDE Services Group Limited and its affiliated companies (collectively “We”). We specialise in solutions which support the effective delivery of clinical trials. Services include personalised patient and caregiver support, mobile health and decentralised trial visits, site analysis and management, travel and logistics, expense reimbursement and clinical trial meetings management. We also specialise in the recruitment of agency healthcare and research professionals into patient health services and clinical trials.
This notice describes how we, as data controllers, collect, use and manage the Personal Data we hold about you, including how the Personal Data may be shared and how the confidentiality of Personal Data is maintained. This notice applies to all employees, workers and contractors of mdgroup.
We share and process your Personal Data with certain third parties as described in the “Data Sharing and Transfers” section below. Full details of our Affiliates can be found at section 1.10.
The “At a Glance” section contains some very important information that will help explain what Personal Data we process and why. Capitalised terms used in this notice are defined in Personal Data Types (section 1.12) and Affiliates (section 1.13).
AT A GLANCE
1.1 When do we collect Personal Data?
When we refer to Personal Data in this notice, we mean information that can or has the potential to identify someone as an individual.
We will collect and process Personal Data about an individual at the following stages:
|Enquiry||When you enquire about a potential vacancy by visiting one of our websites or speaking to us over the telephone.|
|Application||When you submit an application for consideration and an assessment of your suitability is undertaken. This may involve collecting your Personal Data from you directly or from third parties including employment/recruitment agencies, referees, former employers and background checking authorities.|
|Contract and ongoing employment relationship||When you have successfully passed the vetting and on-boarding process and have signed a contract of employment and during the course of your ongoing employment.|
1.2 What Personal Data may we collect from you and why?
We will largely rely on our ‘Legitimate Interests’ to process your Personal Data with the exception of those areas marked with an (*) below where we will require your ‘Consent’.
|Data Category||Reason for Processing|
|To communicate with you regarding your initial enquiry.|
|To retain your personal information and to contact you regarding future career opportunities.|
|Internal record keeping and administration.|
We will largely rely on our ‘Legitimate Interests’ to process your Personal Data with the exception of those items marked with a (#) below where we will rely on ‘Compliance with a Legal Obligation’ and items marked with an (*) below where we will require your ‘Consent’. Where we process Special Category Data (marked with a (+) below) we do so to comply with obligations under employment law.
|Data Category||Reason for Processing|
|To communicate with you regarding your application for employment.|
|To assess your suitability (skills, strengths, behaviours for the role).|
*Third Party Information
|To verify the information that you have provided, in particular relating to your previous work history, education and professional qualifications.|
+Special Category Data
|To undertake activities needed to complete the on-boarding and screening process should your application be successful.|
Contract and ongoing employment relationship
We will largely rely on ‘Contractual Necessity’ to process your Personal Data with the exception of those areas marked with a (#) below where we will rely on ‘Compliance with a Legal Obligation’.
Where we process Special Category Data (marked with a (+) below) we do so to comply with obligations under employment law, to assess working capacity on health grounds or for reasons of substantial public interest.
|Data Category||Reason for Processing|
|General management of personnel and work activities inc. appraisals, performance management, managing disciplinary matters, grievances and terminations, planning and monitoring of training requirements and career development activities and creating and maintaining one or more internal employee directories etc.|
Special Category Data
Third Party Information
|To carry out our obligations and benefits to you arising from any contract inc. payroll processing, healthcare, pensions, loans, business expenses and reimbursements etc.|
+Special Category Data
Third Party Information
|For internal audit and accounting purposes together with the preparation and review of management information.|
+Special Category Data
|To comply with legal and other requirements, such as income tax and national insurance deductions, UK right to work verifications, record-keeping and reporting obligations, physical access policies, conducting audits, management and resolution of health and safety matters, such as accident and insurance claims, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, responding to and controlling infection outbreaks, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, conducting investigations and complying with internal policies and procedures.|
For further details of the Personal Data types contained within each category, please refer to the Personal Data Types which can be found in section 1.11.
Your decision to provide any Personal Data described above to us is voluntary. In addition, we will only contact third party referees if you give consent for us to do so. If you choose not to provide any of the Personal Data requested, or do not consent to us contacting third party referees regarding your application, our ability to consider you as a candidate may be limited, we may not be able to perform your contract of employment (such as paying you or providing a benefit) and we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
If you are offered a position at mdgroup, you will be required to complete an application form for the Disclosure and Barring Service, and to provide a copy of any certificate conferred by the Disclosure and Barring Service to us. We are allowed to use your Personal Data in this way to carry out our legal rights and obligations in connection with employment, and we have in place an appropriate policy and safeguards which we are required by law to maintain when processing such Personal Data. If you fail to provide a satisfactory certificate issued by the Disclosure and Barring Service to us, this may lead to rejection of your application for employment or immediate termination of your employment if it has already commenced.
FURTHER DETAILED INFORMATION
1.3 Data sharing and transfers
In the usual course of business, we may disclose Personal Data which will include health information as recorded below (to the extent necessary) to (i) our Affiliates, and (ii) certain third-party processors we have retained to perform services on our behalf and pursuant to our instructions. This may include sharing with:
- Affiliates for the provision and delivery of services, IT application support, internal audits and investigations, quality control, program monitoring, management reporting and other internal purposes.
- Affiliates to deal with any legal and compliance matters, providing assessment results, for record keeping, internal audit, reviews, management information, operational and administrative purposes.
- auditors, lawyers, accountants, consultants, and other professional advisors,
- business partners, suppliers, and sub-contractors for the provision of the contracted services such as travel companies and airlines,
- organisations providing IT systems support and hosting in relation to the IT systems on which your Personal Data is stored,
- third parties in connection with a disposal of assets, restructuring, merger or sale activities,
- delivery companies for the purposes of transportation,
- third party service providers who perform services on our behalf based on our instructions, for instance, for the purposes of storage of Personal Data and confidential destruction, for the purposes of providing background checking, payroll and benefits services. We do not authorise these service providers to use or disclose the Personal Data except as necessary to perform services on our behalf or comply with applicable legal obligations,
- NHS test and trace to help minimize the transmission of COVID-19 and support public health and safety.
Where a third-party data processor is used, we ensure that they operate under contractual restrictions regarding confidentiality and security, in addition to their obligations under data protection laws.
We may also disclose your Personal Data (iii) if we are required to do so by law or legal process, or (iv) in response to lawful requests from public authorities, including to meet national security, public interest, or law enforcement requirements. We also reserve the right to transfer Personal Data in the event of an audit or if we or any of our Affiliates sell or transfer all or a portion of their business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution, or liquidation).
1.4 Third country data transfers
Due to the global nature of our operations, we may transfer the Personal Data we collect about you to recipients in countries other than the country in which your Personal Data originally was collected. For example, we may disclose Personal Data to our Affiliates based in the U.S. or other offices worldwide.
Where we transfer the Personal Data to a country which may not have the same data protection laws as the country in which they were initially provided (such as the U.S.), each such party will protect that Personal Data as described in this Privacy Notice and will comply with applicable local legal requirements providing adequate protection for the transfer of Personal Data to recipients in countries other than the one in which you provided the Personal Data.
Where Personal Data is transferred to a country that does not have adequacy, we have implemented appropriate safeguards to ensure an adequate level of data protection, including by concluding data transfer agreements incorporating the European Commission’s Standard Contractual Clauses under Article 46 of the GDPR. You may contact the Privacy Office as indicated below to obtain further information on the transfer mechanism.
1.5 How we protect Personal Data
We maintain appropriate technical and organisational measures designed to protect Personal Data against loss or accidental, unlawful, or unauthorised alteration, access, disclosure, or use.
1.6 Retention period
We retain Personal Data for as long as we reasonably require it for legal and business purposes. In determining data retention periods, we also take into consideration local laws, relevant regulations, and the contractual obligations or instructions that are specifically given by the study sponsor.
1.7 Data subject rights
At any point while we are in possession of or processing Personal Data, you have the following rights:
- Right of access – the right to request a copy of the Personal Data that we hold about you. We reserve the right to charge a reasonable fee based on our administration costs where further copies are requested.
- Right of rectification – the right to correct Personal Data that we hold that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can request the Personal Data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply you have the right to request that we restrict the processing.
- Right of portability – in certain circumstances you have the right to have the Personal Data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing and profiling – you have the right to object to automated processing and profiling.
All the above requests will be forwarded on should there be a third party involved in the processing of the Personal Data.
If you would like to exercise any of your data subject rights, please contact us using one of the methods highlighted below.
1.9 Contact Information
Any questions about this notice or the processing of Personal Data by us or any of our Affiliates should be directed to the Privacy Office:
- By email at firstname.lastname@example.org or
- By writing to us at Privacy Office, mdgroup, Building 329, Doncastle Road, Bracknell, Berkshire, RG12 8PE United Kingdom
If you wish to make a complaint about how your Personal Data is being processed by us (or third parties as described in 1.3 & 1.4 above) you should contact the Privacy Office at either of the addresses detailed above.
If you are not satisfied with how your complaint has been handled, you have the right to lodge a complaint directly with the relevant supervisory authority.
The UK regulator can be contacted at the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, Tel 0303 123 1113.
Our designated EU regulator is the Irish Data Protection Commission (DPC) who can be contacted at 21 Fitzwilliam Square, South Dublin 2, D02 RD28 Tel 017650100 / 1800437737
1.11 Personal Data types & items which may be processed
|Data Type||Data Items|
|Personal Identifiers||National Insurance Number; Online Identifiers (IP Address)|
|Personal Information||Date of Birth|
|Financial Information||Bank Details; Employment Loan Details; Life Assurance Details|
|Employment Information||Absence Details; Employment Details (Current); Employment Details (Historic); Disciplinary and grievance records; Qualification and Training Details|
|Special Category Data||Ethnic Origin; Health Information inc. Covid-19 and other infectious test results|
|Third Party Information||Children’s Details|
In relation to MDE Services Group Limited or any Affiliate, any subsidiary or holding company of that entity and any subsidiary or holding company of that entity.
|Jurisdiction||Company Name||Company Number|
|UK||MDE SERVICES GROUP LIMITED||09954663|
|UK||MDE HEALTHCARE SERVICES LIMITED||05450419|
|UK||PATIENT PRIMARY LIMITED||10372696|
|UK||MDE TRAVEL LIMITED||09954028|
|IRELAND||MDE HEALTHCARE SERVICES EUROPE LIMITED||604758|
|USA||MDE TRAVEL U.S. LIMITED||201914174|
|USA||MDE HEALTHCARE SERVICES, INC.||4109251|
|SINGAPORE||MDE HEALTHCARE SERVICES PTE. LTD||201529133k|
|HONG KONG||MDE HEALTHCARE SERVICES HONG KONG LIMITED||1808783|
|USA||MDE Horreum, Inc.||6207778|
|USA||Seacole Health, Inc||6042198|
|UK||Seacole Health, Ltd||10247381|
|UK||MDE Horreum Ltd||13329821|
|NETHERLANDS||MDE Horreum, BV||83089098|
|FRANCE||MD HEALTHCARE SERVICES FRANCE SAS||897 1 751|
1.13 Lawful Basis of Processing
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
In certain circumstances, we are required to obtain your consent for the processing of the Personal Data in relation to certain activities.
Article 4 of the GDPR states that (opt-in) consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.” In plain language, this means that you:
- have to give us consent freely;
- have to know what you are consenting to;
- should have choice over which processing activities you consent to and which you don’t; and
- need to take positive and affirmative action in giving us your consent.
We will keep records of the consents that we have received.
Where consent has been provided you have the right to withdraw it. This can be exercised at any time by contacting our privacy office recorded in section 1.10 above.
1.13.2 Contractual Necessity
Article 6 of the GDPR states that we can process Personal Data on the basis that such processing is necessary to enter or perform a contract.
The ‘Contractual Necessity’ lawful basis permits the processing of Personal Data in two different scenarios:
- Situations in which processing is necessary for the performance of a contract to which you are a party. This may include, for example, processing your financial details for the processing of reimbursement claims.
- Situations that take place prior to entering a contract such as pre-contractual relations.
1.13.3 Compliance with a Legal Obligation
Article 6 of the GDPR states that we can process Personal Data on the basis that we have a legal obligation to perform such processing. Processing is permitted if it is necessary for compliance with a legal obligation.