Diomed Developments Limited, and companies within the group controlled by Diomed Developments Limited (“Diomed Group”, “we” or “us”), are committed to protecting your privacy and personal information. The companies within the Diomed Group include:
- Dermal Laboratories Ltd
- Diomed Developments Ltd
- Aeropak (Chemical Products) Ltd
- Diomed Direct Ltd
The Diomed Group company that corresponds with you or receives your information is the ‘data controller’ and is responsible for determining why and how your personal information is processed. Please see the section at the end of this policy for our legal information and contact details.
This policy describes the way we handle and use the personal information that we obtain from all the different interactions you may have with us as a business, including:
- when you visit our social media pages;
- any of our corporate or product websites;
- when you use our mobile applications (“apps”);
- when you contact us and provide us with information;
- or where information is disclosed by someone to us who is duly authorised by you to act on your behalf, including where you contact us regarding Diomed Group products purchased through third parties;
- where you contact us by responding to our Reply Paid Cards;
- subscribe to our newsletter;
- take part in research studies;
- when healthcare professionals collaborate with us
Should you take part in a research study, we will provide you with additional information about the particular study that will explain how your data is being processed.
Updates: This policy is subject to review and amendment regularly and when necessary. Please check this policy frequently to identify any changes and contact us using the details found in Section 11 should you have any queries regarding the relevant changes. You may be required to read and accept any updated versions of this policy to continue your use of the website.
Please contact us via firstname.lastname@example.org if you have any questions.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed and this will be classified as anonymous data. Some examples of personal information include: name, location data (e.g. IP address), telephone number.
Personal information relating to special categories of data, including race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation will be classified as ‘sensitive personal data’. The law imposes higher standards of protection on those who process special category data as it is more sensitive.
We receive personal information about you that you give to us, from sources such as those included in Section 1. We only collect personal information which we need and that is relevant for the purposes for which we intend to use it. Outlined below are the points of data collection, the data we collect and why we collect this data.
3.1 Personal information that you give to us
We collect the following information if you choose to give it to us, for example when you contact us following a purchase of one of our products from a third-party store or via a contact form on one of our websites:
- your name, address, e-mail address, telephone number or other contact details, when you register for an account with us or make a purchase via our website;
- the opinions and other information you provide when responding to customer surveys and/ or questionnaires;
- where you purchase a Diomed Group product via our website, very limited payment information (e.g. payment method) is collected by our website. Please note, we do not have access to Cardholder Data, this is processed by fully PCI Compliant Third Party Suppliers (see Section 5.2);
- any information you include in correspondence with us or in forms you submit to us when using our website, apps or social media pages;
- any information you provide to us via telephone, email, letter or fax;
- any additional sensitive personal data that you choose to share with us, for example when contacting us in relation to usage of a Diomed Group product we manufacture or sell via our website;
- in respect of qualified healthcare professionals only, any information you include in correspondence you send to us in forms or if you return a Reply Paid Card to us;
- in respect of qualified healthcare professionals, when you access the ‘Healthcare Professionals Resources’ area of our websites, we will collect confirmation from you as to your qualification as a healthcare professional working in the UK
3.2 Information that we collect about you
When you visit one of our websites or use our apps, we automatically collect:
- the internet protocol (IP) address of your device and details regarding the type of device and browser software you use to access the website;
- details of your use of our websites and apps, namely traffic data, weblogs and statistical data, including where and when you clicked on certain parts of our website, including which of our products you have viewed, and details of the webpage from which you visited it;
- where relevant, your unique login information and purchase history (where you have created an account with us)
When you visit our social media pages, we collect:
- the information you post on those pages;
- information regarding your interactions with the content we post; and
- statistical information regarding all our followers’ activities (but from which we cannot identify you as we only have access to this information in aggregated form)
When you agree to take part in a research study, we collect:
- the minimum information identifying you needed for the purposes of the research project;
- information about your health, for example in a questionnaire or obtained as part of your clinical care while in the study. In other cases, the information may be copied from your health records. You will be given more precise information about this when you agree to take part in a study
We may process your personal information for a number of reasons. We will always ensure we have a valid legal ground to process your personal information. We use your personal information in the following ways:
4.1 Where you have provided CONSENT
Where you have provided your consent, we may process your personal information in ways such as the following:
- to contact you via email or telephone (as you have indicated) with marketing information about our products and services (see Section 4.6 ‘Marketing’ for further details);
- to publish your information in line with ABPI Codes of Practice
- to respond to your enquiries
You may withdraw your consent for us to use your information at any time. Please see Section 10 ‘Your rights in relation to your personal information’ for further details.
4.2 Where necessary to comply with our LEGAL OBLIGATIONS
We will use your personal information to comply with our legal obligations:
- to meet legal, regulatory, pharmacovigilance and compliance requirements, and in particular to respond to government authority requests for information;
- to handle and resolve any complaints we receive relating to the services we provide;
- to keep a record of your preferences relating to how we process your personal information
4.3 Where necessary for us to pursue a LEGITIMATE INTEREST
We use and process your personal information where it is necessary for us to pursue our legitimate interests as a business for the following purposes:
To promote our business, brands and products and measure the reach and effectiveness of our campaigns:
- for analysis and insight conducted to inform our marketing strategies, and to enhance and improve your website visitor experience;
- to tailor and personalise our marketing communications based on your attributes;
- to send you advertising which we believe will be appropriate and of interest to you based on the information we hold about you;
- to reply to correspondence you send to us and fulfil the requests you make to us;
- to respond to changing market conditions and the needs of our visitors to our website;
- to analyse, evaluate and improve our services so that your visit and use of our website, apps, social media pages are more useful and enjoyable (we will generally use data amalgamated from many people so that it does not identify you personally);
- for product development purposes
To operate the administrative and technical aspects of our business efficiently and effectively:
- to administer our website, apps and our social media pages and for internal operations, including troubleshooting, testing, statistical purposes;
- for the prevention of fraud and other criminal activities;
- to verify the accuracy of data that we hold about you and create a better understanding of you as an account holder or website visitor;
- for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access;
- to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request);
- for the purposes of corporate restructure or reorganisation or sale of our business or assets;
- for efficiency, accuracy or other improvements of our databases and systems, for example, by combining systems or consolidating records we hold about you;
- to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings;
- to inform you of updates to our terms and conditions and policies; and
- for other general administration including managing your queries, complaints, or claims, and to send service messages to you
For research studies:
As a healthcare company we have a legitimate interest in performing health and care research in accordance with the UK Policy Framework for Health and Social Care Research:
- to improve individual care;
- to understand more about disease;
- to improve diagnosis;
- to develop new treatments; and
- to improve patient safety
4.4 Where necessary for us to carry out PRE-CONTRACT STEPS you have requested or for the performance of our CONTRACT
We will use your personal information where this is necessary for us to perform our contract with you or to carry out any pre-contract steps you’ve asked us to take so that you can enter into that contract, for the following purposes:
- to process any of your orders for our products via our websites;
- to process any returns forms relating to products purchased via our websites;
- to aid in the processing of your payments or refunds by a PCI-compliant third-party payment processor
4.5 Where processing is in your VITAL INTERESTS
We will use your personal information where this is in your vital interests for the following purposes:
- to notify you of any product recall or product safety issues;
- to monitor the safety or quality of our products where you have raised a product safety or quality concern;
- where you have raised a concern regarding one of our products either by letter, email, fax, telephone, through our websites, through our social media pages or by any other means and we need further information, we will contact you as appropriate via telephone, email, letter or by sending you a safety/quality questionnaire for your response to send us by email or post
We process your personal information for direct marketing purposes on the basis that it is necessary for us to pursue our legitimate interests as a business (see above in this section for further details).
We try to tailor and personalise any marketing communications that we send to you, for example, by notifying you of products, services, offers or promotions that apply to your interests and/or location. If you do not wish to receive marketing communications from us, you can unsubscribe at any time by using the unsubscribe link inside the email or by sending an email to email@example.com or using your email settings (to unsubscribe from marketing emails).
If you unsubscribe from receiving marketing communications from us, we keep your email address on our suppression list for a defined period to ensure that we comply with your wishes. The periods for which we retain your personal information are shown in Section 6.
We do not intend to collect data from minors under the age of 16 other than in accordance with our legal obligations or for research purposes or where it is in the child’s vital interests as detailed above, for example, where a concern has been raised regarding the safety of one of our products. We recognise that children’s use of the internet, email and social media raise special concerns regarding privacy and security of information. We remind and encourage all parents to help us protect the privacy of their children by ensuring that children never send or submit personal information to us without parental permission.
When there is a legitimate interest in including children in research studies, this will be explained when agreeing to take part in the study.
We never sell your personal information to third parties. We only disclose your personal information outside our business to third parties in a limited number of circumstances. Where we share personal information, we will put in place a contract that requires recipients to protect your personal information, unless we are legally required to share that information. Any third party contractors or agents that work for us will be obliged to follow our instructions.
5.1 Group companies
We may share your personal information with other companies in our group in order to facilitate processing of orders and to process your information.
5.2 Third parties - Suppliers
We contract with third party service providers, agents and subcontractors (Suppliers) to supply products and services on our behalf, including the operation and maintenance of our websites. When we use suppliers, we ensure we only disclose to them personal information that is necessary for them to provide their services and only where we have a contract in place that requires them to keep your information safe and secure.
Our Suppliers can be categorised as follows:
| Recipient / relationship to us | Industry sector (& sub-sector) | Location |
| --- | --- | --- |
| Banks, payment processors and financial services providers | Finance (banking & payment processing) | EEA |
| Delivery and mailing services providers | Logistics (delivery service) | EEA |
| Facilities and technology service providers including scanning and data destruction providers | IT (data management) | EEA |
| Social media platforms | Media (social media) | EEA & USA |
| Legal, security, tax, accountancy and other professional advisers and consultants | Professional services (legal & accounting) | EEA |
| Advertising and agencies | Media (advertising & PR) | EEA |
| Market and customer research providers | Media (market research) | EEA |
| Website and data analytics platform providers | IT (data analytics) | EEA |
| Website and app developers | IT (software development) | EEA |
| Fulfilment and distribution | Logistics (delivery service) | EEA & India |
| Ecommerce website provider | IT (ecommerce services) | EEA & USA |
| Payment processing providers | IT (payment processing) | EEA & USA |
| Research partners | CROs, investigators, statisticians, universities | EEA |
| Sales and marketing partners | Sales and marketing | EEA |
5.3 Other third parties
We may disclose your personal information to other third parties as follows:
- any third party who is restructuring, selling or acquiring some or all of our business or assets or otherwise in the event of a merger, re-organisation or similar event; and
- if we are under a duty to disclose or share your information in order to comply with any legal or regulatory obligation or request, including by the police, courts, tribunals or regulators, including to monitor or report the effect of our products or for any other required reason
5.4 Transfer of your personal information outside of the EEA
Some of the information you provide to us may be transferred to countries outside the European Economic Area (EEA). These countries may not have similar data protection laws to the UK. The non-EEA countries to which we transfer your personal data are listed in the table above. For example, if you use our services whilst you are outside the EEA, your information will be transferred outside the EEA in order to provide you with those services.
Where we transfer your information outside of the EEA in this way, we take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected in the ways required by data protection law as outlined in this policy. These steps include imposing contractual obligations on the recipient of your personal information or ensuring that the recipients are subscribed to ‘international frameworks’ such as EU/US Privacy Shield that aim to ensure adequate protection. Please contact us using the details at the end of this policy for more information about the protections that we put in place.
We will not hold your personal information in an identifiable format for any longer than is required for the purposes for which we collected it. We retain your personal information for the following periods:
| Type of personal information | When do we receive your personal information? | How long do we keep your personal information after we receive it? |
| --- | --- | --- |
| Name, email address, telephone number, postal address, date of birth, names and ages of your friends and family, your marketing preferences | When you place an order for one of our products via one of our relevant websites | 5 years from the date of order |
| Social media handles | When you follow our social media account or page | Until you stop following our social media account or page |
| Location and frequency of your orders for products placed | When you sign up for our apps or register with us for an account | 5 years from the date you sign up if you are an inactive app user, indefinitely if you are an active app user |
| Information included in any correspondence to us via email, telephone, letter, our websites through our contact us form, via our apps or social media pages | When we receive the correspondence | Indefinitely if necessary to establish or defend legal claims. Please note, depending on the nature of the possible concern raised, for example, where there appears to have been a complaint made on behalf of a child, the personal information will be retained for longer. |
| Details of your orders | When our systems record your order | 25 years |
| Where you are a healthcare professional, confirmation and information relating to and confirming your status and registration in the UK | When we receive a submitted form via our website, or where you return a Reply Pay Card, or otherwise provide the information to us | 5 years |
| Health and care information about you | When you take part in research studies | Information about you will be kept indefinitely. |
The only exceptions to the periods mentioned above are where:
- you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law (see Section 10 ‘Your rights in relation to your personal information’ for more information);
- you exercise your right to require us to retain your personal information for a period longer than our stated retention period (see Section 10 ‘Your rights in relation to your personal information’ for more information);
- we bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible;
- we archive the information, in which case we will delete it in accordance with our deletion cycle; or
- in limited cases, existing or future law or a court or regulator requires us to keep your personal information for a longer or shorter period
We take the security of your personal information seriously and use a variety of measures based on good industry practice to keep it secure. We and our business partners and service providers have implemented technical, administrative and physical procedures designed to protect personal information from access by unauthorised persons and unlawful processing, accidental loss, destruction and damage.
When we have provided (or you have chosen) a password or pin allowing you access to certain parts of our websites or our apps, you are responsible for safeguarding it and keeping it confidential and you promise not to allow it to be used by third parties. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do everything reasonably possible to protect your personal information, we cannot guarantee the security of any personal information during its transmission to us online. You accept the inherent security implications of using the internet and will not hold us responsible for any breach of security unless we are at fault.
Where you provide us with any personal data through the private messaging function on these social media platforms, we will collect and process that data in accordance with this policy.
Under data protection law, you have a number of rights in relation to your personal information. Please note, in relation to certain rights, we may ask you for information to verify your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received this information or, where no such information is required, after we have received full details of your request.
You have the following rights:
- to be informed about the processing of your personal information (this is what this policy sets out to do);
- to have your personal information corrected if it is inaccurate and to have incomplete personal information completed;
- The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us using any of the details outlined in Section 11.
- to object to processing of your personal information;
- Where we rely on our legitimate interests as the legal basis for processing your personal information for particular purposes, you may object to us using your personal information for these purposes by emailing or writing to us at the address outlined in Section 11. Except for the purposes for which we are sure we can continue to process your personal information, we will temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.
- You may object to us using your personal information for direct marketing purposes and we will automatically comply with your request. You can unsubscribe to email marketing communications using the unsubscribe link found in the email. You can also object by contacting us using the details outlined in Section 11.
- to withdraw your consent to processing your personal information;
- Where we rely on your consent as the legal basis for processing your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this policy. If you would like to withdraw your consent to receiving any direct marketing to which you previously opted-in, you can also do so by following the unsubscribe link in any marketing communication email. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.
- to restrict processing of your personal information;
You may ask us to restrict the processing of your personal information in the following situations:
- where you believe it is unlawful for us to do so,
- you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings.
- to have your personal information erased;
- In certain circumstances, you may ask for your personal information to be removed from our systems by emailing or writing to us at the address at the end of this policy. Unless there is a legitimate reason that the law allows or requires us to use your personal information for longer, we will make reasonable efforts to comply with your request. It is important to be aware that if you were to request deletion of your data before we have completed our contractual obligations to you (e.g. delivered products that you have ordered), we may be unable to fulfil your original request. It is also important to be aware that there may be some instances, for example if we have a legal obligation or some other legitimate reason, where we are unable to delete your data.
- to request access to your personal information and information about how we process it;
- You have the right to ask for a copy of the information that we hold about you by emailing firstname.lastname@example.org or using the details outlined in Section 11 of this policy. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
- to electronically move, copy or transfer your personal information in a standard, machine-readable form; and
- You may ask us to provide you with a copy of the information that we hold about you in a structured data file. We will provide this to you electronically in a structured, commonly used and machine-readable form, such as a CSV file. You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
- rights relating to automated decision making, including profiling;
- You may also contest a decision made about you based purely on automated processing by contacting us using the details at the end of this policy.
To exercise these rights, please contact us using the details at the end of this policy.
It is important for you to be aware that if you are taking part in research, or information about you is used for research, your rights to access, change or move information about you are limited. This is because researchers need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from a study, we will keep the information about you that has already been obtained.
You have the right to lodge a complaint with a data protection regulator in Europe, in particular in a country you work or live or where your legal rights have been infringed. The contact details for the Information Commissioner’s Office (ICO), the data protection regulator in the UK, are available on the ICO website, where your personal information has or is being used in a way that you believe does not comply with data, however, we encourage you to contact us before making any complaint and we will seek to resolve any issues or concerns you may have.
If you have any questions or concerns regarding the data we hold about you, the way in which you believe that data is being used or this policy or to exercise any of your rights in relation to your personal information, please contact us by emailing email@example.com.
For anything else, including general enquiries, please contact us by post addressing your correspondence to the relevant Diomed Group company from the list below at:
Preston Road, Gosmore
Diomed Group Companies:
Diomed Developments Ltd
Dermal Laboratories Ltd
Diomed Direct Ltd
Diomed Pharmaceuticals Ltd
Aeropak (Chemical Products) Ltd