FESTIMED PRIVACY NOTICE
INTRODUCTION AND SCOPE
Festimed UK & IRL is a dedicated event medical company with a team of health care professionals who provide extensive medical infrastructure for large events and festivals. Our team has vast experience in providing medical services. We strive to offer the very best service possible.
Processing personal data in a secure, fair, and transparent way is extremely important to us . We know that your privacy is important to you especially when it comes to matters concerning your health. This notice explains how we collect and use your information, who we share it with and your legal rights.
This notice applies to our use of your information in connection with our medical services and all our related website, domains, and apps that may be accessed by our patients and employers (collectively the “Services”).
WHO WE ARE
Festimed UK & IRL (“Festimed”, “we”, “us” or “our”) is the provider of the Services and is data controller for your information.
WHO THIS NOTICE APPLIES TO
We collect and process information relating to individuals using the Services, including customers, employers, healthcare professionals and others.
Read this Privacy Statement to understand your rights and how we process your personal data.
If you are a healthcare professional or employer, please also check the contracts between us: they may contain further details on how we collect and process your data.
If you provide us with personal information about other people, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. By submitting the information, you confirm that you have the right to authorise us to process it on your behalf in accordance with this Privacy Statement.
INFORMATION WE COLLECT AND HOW WE GET IT
In the course of providing the Services, we collect or receive information in different ways and relating to various groups of individuals, including:
We collect and use information relating to you. This information may include information relating to your health, clinical history, details of your current healthcare professional or employer through whom you are using the Services as well as images taken of you. This information is provided to us by you, your guardian, your employer or healthcare professional. We may also collect and use information you provide to set up your account if applicable. This information may include your name, date of birth, address, mobile phone number and email address. We will also collect payment information as part of our administrative, financial and operational process.
- Employees / Third Party Contractors
We collect and use information relating to you. This information may include your name, job title, email address, registered body / organisation, professional details, medical history, employment history, training records and mobile phone number. We will also collect information about employees (our patients) from you and you should try to limit the personal information you give us to what you think is necessary for us to provide the Services.
If you visit any of our websites or use our apps, we will collect certain information relating to you. Generally, unless you submit information to us, such as via an online form, we only collect technical and device-related information from your use of our website and apps.
HOW WE USE THIS INFORMATION
We use this information for the purposes described below.
- Providing the Services:
We process your information (including your health information) as necessary to provide the Services requested. For example, we collect information from you (or from your healthcare professional or employer) in order to provide the Services. We also store this information on our platform so you (and your healthcare professional or employer) can access your results and other information, where you have given consent. This may include sending you patient advice leaflets or contact requests by email / SMS.
Lawful basis: Contract
- Account set up and payment:
We process your information in order to set up a profile for you on our platform and as part of our administrative, financial and operational processes, such as taking payment, issuing invoices, etc. where you pay for the Service directly.
Lawful basis: Contract
- Service improvement and development:
We process your information in order to improve our Services and for business planning purposes. For example, we may process information about how you use our Services in order to troubleshoot technical issues, predict service level demands and understand the features of the Services that are most popular. We also process your information in order to develop new products and services. For example, as part of our work with our commercial partners, we may share anonymised data that does not identify you but which reveal trends, patterns or other information about how we provide the Services that is useful to our commercial partners. We may send you out feedback forms to complete post utilising our services by email / SMS.
Lawful bases: Contract & legitimate interests
- Safety and security:
We process your information as necessary to ensure we offer safe and secure Services, including to detect and prevent fraudulent and other illegal behaviour.
Lawful bases: Contract & legitimate interests
- Legal and regulatory:
We process your information as required (a) for compliance with our legal and regulatory obligations (b) to detect, investigate, prevent, and address fraud and other illegal activity, security, or technical issues; (c) to protect our rights, property, or safety; (d) to enforce any contracts we have with you; (e) to prevent physical injury or other harm to any person or entity, including you and members of the public; and (f) for regulatory compliance and investigations. For example, we may be legally required to share information with public bodies e.g. NHS / HSE, CQC / PHECC, HMRC / Revenue, Police / An Garda Siochana, etc.
Lawful basis: Legitimate interests
- Marketing (with your consent)
We may send you updates, invites and marketing materials relating to the Services. If we do so, we will also collect information on your interaction with such communications.
Lawful basis: Contract
If you are a patient, due to the nature of the Services we provide, it is necessary that we process data concerning your health and medical history. To avail of the Services, you will be requested to provide information relating to your health and medical history. Such data shall only be processed based on your explicit consent. If you wish to withdraw your consent, please contact us via the contact details at the bottom of this notice.
OUR LEGAL BASES
In order to collect, use, share, and otherwise process your information for the purposes described in this notice, we rely on a number of legal bases, some of which are mentioned above, including where:
- necessary to perform a contract we have with you, and to provide the Services;
- you have consented to the processing (in which case you may withdraw your consent at any time). When processing your health information we rely on your explicit consent and honesty;
- necessary for us to comply with a legal obligation;
- necessary to protect your vital interests, or those of others;
- necessary in the public interest;
- necessary for the purposes of Festimed UK & IRL’s or a third party’s legitimate interests, for example for marketing, improving or developing the Services and keeping the Services safe and secure, provided that those interests are not overridden by your interests or fundamental rights and freedoms.
SHARING YOUR INFORMATION
In the course of providing the Services, we share information with various third parties such as your employer (with your consent), relevant government departments and bodies (including the HSE and other public health bodies), our service providers or regulators (where legally required).
We do this based upon the legal bases and exceptions mentioned in this notice for the following purposes.
- Providing the Services:
If you are a patient, we may share the information provided by you with our service providers in order to provide the Services. We will share the results of your consultation with your employer or healthcare professional if you have consented.
- Keeping our Services safe and secure:
We use your information in certain instances as necessary to pursue our and your legitimate interests of keeping some of our Services, such as our domains, websites, apps, offices and events, safe and secure. For example, we collect IP addresses and process log files to ensure our website and apps are not subject to fraudulent access.
- Legal and safety reasons:
We may share your information with law enforcement, public health bodies, regulators and others if we have a good-faith belief that it is reasonably necessary to (a) respond, based on applicable law, to a legal request (e.g., a subpoena, search warrant, court order, or other request from government or law enforcement); (b) detect, investigate, prevent, and address fraud and other illegal activity, security, or technical issues; (c) protect our rights, property, or safety; (d) enforce any contracts we have with you; (e) prevent physical injury or other harm to any person or entity, including you and members of the public; (f) for regulatory compliance and investigations.
- Service providers and professional advisers:
We may share your personal information to help us provide our services and communicate with you. Categories of service providers include IT software, laboratory testing service providers, commissioning bodies of our services (with your consent) swabbing service providers and hosting providers and records-storage companies. We may also share your personal information where we need advice and support from our professional advisers, such as accountants, lawyers and insurance providers. Where such third parties are processors, these third parties are contractually required to use it only to provide their service to us and are contractually barred from using it for their own purposes.
- Business re-organisation:
In instances where our business is subject to a re-organisation, such as a merger or acquisition of some or all of its assets, we may, in accordance with our legitimate interests, need to share information in the course of the transaction. In such circumstances, your information may be disclosed, where permitted by applicable law, in connection with a corporate restructuring, sale, or assignment of assets, merger, or other changes of control or financial status of Festimed UK & IRL.
In certain cases, we need to transfer your information to recipients outside the European Economic Area (“EEA”), such as where it is necessary to provide the Services.
Where we transfer your information, we do so in accordance with EU data protection law. We only transfer personal information to these countries when it is necessary for the services we provide you, or it is necessary for the establishment, exercise or defence of legal claims or subject to safeguards that assure the protection of your information.
When Festimed UK & IRL engages in such transfers of personal information, it relies on i) Adequacy Decisions as adopted by European Commission on the basis of Article 45 of Regulation (EU) 2016/679 (GDPR), or ii) Standard Contractual Clauses issued by the European Commission. For more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. Festimed UK & IRL also monitors the circumstances surrounding such transfers in order to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR.
Following the Court of Justice of the European Union’s invalidation of the EU-US Privacy Shield Framework in Case C-311/18, Festimed UK & IRL will no longer rely on the EU-US Privacy Shield as a mechanism of international data transfer until further notice. Festimed UK & IRL & IRL will however remain committed to maintaining its self-certification under the EU-US Privacy Shield Principles and respect its principles, as an additional measure of protection of its users’ privacy, until further notice.
Please note that the privacy protections in some of these countries may not be the same as in your home country. We will only transfer information as permitted by law.
For further information, including obtaining a copy of the documents used to protect your information, please contact us on firstname.lastname@example.org.
We may retain your information for as long as necessary in light of the purposes set out in this notice, including for the purposes of satisfying any legal, accounting, or reporting requirements and, where required for Festimed UK & IRL to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. For example, we have specific legal obligations to retain medical information in accordance with our statutory requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. For example, we retain any sample or DNA data you provide to us for the minimum period required to provide the Services, which will be less than two weeks after which it is safely and securely destroyed.
In the absence of a national policy on the retention of healthcare records, Festimed UK & IRL recommends the minimum retention periods set out below.
Ireland (Irish College of General Practitioners)
UK (British Medical Association)
Healthcare records of an adult
8 years after last treatment or death
Retain medical records for a patient’s lifetime. Upon a patient’s death or emigration (excluding EU countries), files must be kept for three to 10 years depending on the care involved. However, electronic records should be kept indefinitely.
Children and young people
Until the patient’s 25th birthday, or 26th if the young person was 17 at the conclusion of treatment, or eight years after the patient’s death
Until the patient’s 25th birthday, or eight years after their death
25 years after the birth of the last child
25 years after the birth of the last child
Records of a mentally disordered patient
20 years after last treatment or eight years after death
20 years after last contact or ten years after death
The recommended minimum retention periods are guidelines only and it may sometimes be necessary to take an individual approach to some records and retain for longer periods, despite requests by the patient to have the records erased. At all times the interest of the patient must be to the forefront. If it is not in the interest of the data subject, then the medical records should not be deleted.
You have a number of rights in relation to your information that we process. To exercise these rights, please contact us at email@example.com.
While some of these rights apply generally, certain rights apply only in specific circumstances. We describe these rights below.
You have the right to request access to your information that we control.
You have the right to request that some of your personal information that you initially provided to us is returned to you or another controller in a commonly used machine readable format.
Rectify, Restrict and Delete:
You have the right to ask us to restrict the processing of your information or to rectify or delete your information. Please note that despite a deletion request, we may continue to process your information if we have a legal basis to do so.
If we process your information based on our legitimate interests explained above, or in the public interest, you can object in certain circumstances. In such cases, where legally required to do so, we will cease processing your information unless we have compelling legitimate grounds to continue processing or where it is needed for legal reasons. Where we use your data for direct marketing, you can always object using the unsubscribe link in such communications or by contacting us at firstname.lastname@example.org.
Where you have previously provided your consent, you have the right to withdraw your consent to our processing of your information at any time. For example, you can withdraw your consent to email marketing by using the unsubscribe link in such communications or contacting us at email@example.com. In certain cases, we may continue to process your information after you have withdrawn consent if we have a legal basis to do so or if your withdrawal of consent was limited to certain processing activities.
You have the right to submit a complaint about our use of your information with your local supervisory authority, the Data Protection Commission (Ireland) or the Information Commissioner’s Office (UK).
Festimed UK & IRL has the right to override a data subject’s request to be forgotten / erasure in certain circumstances. Below are the reasons cited in the GDPR that override the right to forgotten / erasure.
- The data being processed is necessary for public health purposes and serves in the public interest.
- The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
- The data is being used to exercise the right of freedom of expression and information.
- The data is being used to comply with a legal ruling or obligation.
- The data is being used to perform a task that is being carried out in the public interest or when exercising an organisation’s official authority.
- The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair or halt progress towards the achievement that was the goal of the processing.
- The data is being used for the establishment of a legal defence or in the exercise of other legal claims.
You have the right to lodge a complaint regarding our use of your data. Please tell us first, so we have a chance to address your concerns. If we fail in this, you can address any complaint to the Data Protection Commission (Ireland) or the Information Commissioner’s Office (UK). The details are listed below:
The Data Protection Commission (Ireland)
Commissioner: Helen Dixon
Postal Address: Canal House, Station Road, Portarlington, R32 AP23, Co. Laois, Ireland
Telephone: +353 57 8684800 or +353 76 1104800
Lo Call Number: 1890 252 231
Fax: +353 57 868 4757
The Information Commissioner’s Office (UK)
Commissioner: John Edwards
Postal Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England
Telephone: +44 (0)303 123 1113
Fax: +44 (0)1625 524510
THIRD PARTY SERVICES
Our websites, domains and apps may contain links to other websites and services, which are managed and controlled by third parties. Please note that this notice does not apply in those cases and we are not responsible for the privacy practices of such third parties.
AMENDING THE NOTICE
From time to time, we may amend this notice. This might happen, for example, where we make changes to the Services. If we make material changes to the notice, we will take steps to notify you, such as by posting a notice on our website. The notice was last updated at the date indicated further below.
If you want to exercise you rights (described above), or if you have any questions about this notice, please contact our Data Protection Officer on the below contact details.
Data Protection Officer: Laura Curtin
Postal Address: Unit 6 Ashbourne Retail Park, Ashbourne, Co Meath, Ireland
Telephone +353 (0)1 969 7112
Last updated: 10th August 2022