Our website address is: http://spinach.co.uk.
The General Data Protection Regulation (GDPR) becomes law in the UK on 25 May 2018. It strengthens the rights of individuals to control the way in which their personal information is used, and it increases the obligations on businesses to ensure that any personal data they collect is dealt with in a fair and transparent way.
In most cases, the information provided during this research will not be shared with the sponsor in an identifiable form and no answers will be attributable to you as an individual. Some information you have provided may be identifiable and anonymization will not be possible e.g. video or photographs. In the event that you can be identified, the following will apply:
How do we use your personal information?
Your personal information will be processed only for the purposes of this research and if applicable, the reporting of any adverse events.
What personal information do we collect about you?
Your personal information that you have provided, which may include: your name (including name prefix or title); gender; home address; age and date of birth; email address; social media username; phone number(s) and special categories of personal information including medical diagnostic data; other health related information provided by you (such as health information, information concerning sex life and sexual orientation, disability and disability type, health risk factors, personal exposure and surveillance data); biometric data; and relationship to a person.
How do we obtain your personal information?
Any personal information about you that we process is provided by you [or collected in recordings, photos, diary exercises], with your permission.
On what legal basis do we use your personal information?
Your consent: We use your consent to allow us to use your personal information for the purpose of this research. You have various rights where we are processing your information on the basis of your consent.
To comply with our legal obligations: For example where you report an adverse event during the research, processing of personal information about you is required so that we can comply with our legal obligation to monitor and report adverse events.
For the establishment, exercise or defence of legal claims or proceedings.
Because it is necessary for reasons of substantial public interest, on the basis of applicable laws.
How long will we keep your personal information?
Any recordings, edited footage, pre or post-task or other materials that might include personal data will be stored securely in hard copy and/or electronic format by Spinach for up to 12 months from project completion, in accordance with MRS guidelines and data protection legislation.
In the case of an adverse event, a period of 10 years after a license for the relevant product has expired or was cancelled anywhere in the world.
After 12 months, or earlier if no longer needed, all footage and other research materials containing any personal data will be securely destroyed. Under no circumstances will any personal data be broadcast, put in the public domain, used for any purpose other than what was originally given consent for, or transferred to parties unconnected to the research without prior consent.
With whom do we share your personal information?
Your personal information will be accessible to our employees, as well as to authorised employees of certain suppliers of ours who provide us with support services. In addition, we may need to transfer your personal information to our professional advisors and auditors, and certain regulatory agencies, governments and law enforcement authorities. Customarily patients are not identified by name in reports to regulatory agencies.
Transfers of your personal information outside of your home country
Your personal information may be transferred to countries outside the European Economic Area. The countries to which we transfer personal information may not have data protection laws that provide an adequate level of protection to your personal information.
We therefore take steps (which may include entering into data transfer agreements based on the model clauses approved by the European Commission) to ensure that third parties to whom we transfer data in those countries commit to ensure an adequate level of protection for your personal information.
Protecting your personal information
We may share your personal information with suppliers following appropriate due diligence, in accordance with our policies and procedures, and under a written agreement which commits the suppliers to appropriate safeguards in relation to the handling of your personal information (including in relation to maintaining confidentiality of your personal information and implementing appropriate technical and organisational security measures).
We will take appropriate legal, organisational and technical measures to protect your data consistent with applicable privacy and data security laws.
You may be entitled to:
- request information regarding the processing of your personal information, including to be provided with a copy of your personal information;
- request the correction and/or deletion of your personal information, or object to the processing of your personal information;
- request the restriction of the processing of your personal information;
- request receipt or transmission to another organisation, in a machine-readable form, of the personal information that you have provided to us;
- withdraw your consent to the processing of your personal information (where the sponsor is processing your personal information based on your consent); and
- complain to your local data protection authority, or to a court of law, if your data protection rights are violated. You may be entitled to claim compensation for damages or distress incurred or suffered in consequence of unlawful processing of your personal information.
Where you are given the option to share your personal information with us, you can always choose not to do so. If you object to the processing of your personal information, we will respect that choice to the extent this would not prejudice our ability to meet our legal obligations.
After you have chosen to withdraw your consent the sponsor may be able to continue to process your personal information to the extent required or otherwise permitted by law, in particular in connection with defending legal claims and our obligations under the rules on adverse effect reporting.
If you would like to exercise your rights, please let us know by getting in touch using the contact details below.
Spinach adheres strictly to the MRS Code of Conduct and data protection legislation.
Spinach is registered with the ICO and further details can be found at https://ico.org.uk
If you have any questions or concerns, please do contact us at firstname.lastname@example.org.