It is the policy of GenderGP to meet all the requirements of the “Personal Data (Privacy) Ordinance” and endeavour to ensure our compliance with the European Union 2016/679 General Data Protection Regulation (“GDPR”) to the extent it applies. We put in place appropriate systems and ensure compliance by our staff with the standards of security and confidentiality prescribed by law.
GenderGP is concerned to ensure that all personal data submitted through GenderGP are handled in strict adherence to the relevant provisions of the Personal Data (Privacy) Ordinance (PD(P)O). https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html
This Statement explains our privacy practice.
If you are not happy for your information to be used in the ways described here, you should stop using GenderGP and cancel any appointments you have.
If you have any questions about the use of your data please visit our Help Centre and get in touch.
This privacy notice tells you what to expect us to do with your personal information when you contact us or use one of our services. It applies to everyone who uses GenderGP.
Personal information is any information that can be linked to you or another living person. We have used links to help you get to the information you are interested in. In some places we have provided links to other websites, for example the Information Commissioner’s website. We are not responsible for the accuracy of any other websites.
GenderGP is responsible for keeping the personal information we use safe and making decisions about how it can be used. You may contact GenderGP at any time using our Help Centre or by submitting a letter to Harland International Limited which has its headquarters at its registered office, Rm 22B, 22/F Kiu Yin Commercial Building, 361-361 Lockhart Road, Wanchai, Hong Kong.
You can contact our Data Protection Officer via our Help Centre or by writing to the Data Protection Officer, at the address above for any queries about your personal information.
What does GenderGP use my personal information for?
We use your personal information to provide you with GenderGP services.
For example we may use your personal information to:
- send you a text message requesting that you validate your GenderGP account and/or to reset your username and password if required
- administer our site, for example to allow you to log in and log out of your account
- notify you about changes to this privacy notice or our services
- ensure that content from our Website or apps is presented in the most effective manner for you
- allow you to use our interactive features
- respond to any queries you raise with us and to provide customer support
- ask for feedback from you, if you have agreed to this
- help maintain the quality of and improve GenderGP services
For example we may use your personal information to:
- create anonymous information that we can use to help develop our services or provide to other organisations with an interest in our services, like regulators
- anticipate demand for our services
- monitor the performance of our Website and applications
- quality assure the services provided by GenderGP Practitioners and members of GenderGP staff
If you have agreed, we may also use your personal information to let you know more about our services and offers, or those of third parties and to understand the effectiveness of our advertising. This may include using your medical information, so we can offer services that are relevant to you. For example, we may ask you some questions relating to your general health, or you may choose to share your data from wearable devices, monitors or other apps with us. If you are paying for GenderGP services and we hold your medical data, you may also choose to allow us to use this to personalise recommendations from GenderGP and selected third parties. You can control how we use your personal information by letting us know your preferences.
We may sometimes need to use your personal information to:
- co-operate with regulators
- comply with a legal obligation, like a court order requiring us to release information
- deal with disputes and legal claims, for example if you make a legal claim against one of our Practitioners
- deal appropriately with any risk to public health
Under data protection laws, each purpose for which we use your personal information must comply with one of the conditions for processing. You can find out more about the conditions we rely on below.
When we are using personal information we must meet one of the conditions set out in Article 6 of the General Data Protection Regulation (GDPR).
Under the GDPR there is some personal information that is so sensitive that it gets extra protection. This special data is any personal information about someone’s:
- health (including mental health);
- sex life;
- sexual orientation;
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership.
It also includes genetic data and biometric data if that information is used to identify an individual.
When we are using special data we must also meet one of the conditions set out in Article 9.
We have set out in the table below which conditions we are relying on when we use your personal information.
We have set out below the conditions that we are relying on in order to use your data.
|Purpose||Article 6 condition||Article 9 condition|
|co-operate with regulators||Article 6(1)(e) – public task; Article 6(1)(c) – compliance with a legal obligation||Article 9(2)(g) – substantial public interest|
|comply with a legal obligation, like a court order requiring us to release information||Article 6(1)(c) – compliance with a legal obligation||Article 9(2)(f) – establishment, exercise or defence of legal claims; Article 9(2)(g) – substantial public interest|
|deal with disputes and legal claims, for example if you make a legal claim against one of our Practitioners||Article 6(1)(f) – legitimate interests (we have a legitimate interest in being able to deal with disputes and legal claims)||Article 9(2)(f) – establishment, exercise or defence of legal claims|
|deal appropriately with any risk to public health||Article 6(1)(e) – public task; Article 6(1)(c) – compliance with a legal obligation||Article 9(2)(h) – healthcare and social care purposes; Article 9(2)(i) – public health|
|provide you with GenderGP services||Article 6(1)(b) – performance of a contract||Article 9(2)(h) – healthcare and social care purposes|
|help maintain the quality of and improve GenderGP services||Article 6(1)(f) – legitimate interests (we have a legitimate interest in maintaining and improving the quality of GenderGP services)||Article 9(2)(h) – healthcare and social care purposes|
|obtain payment from you for our services||Article 6(1)(b) – performance of a contract||No special data used|
|let you know more about our services and offers||Article 6(1)(a) – consent||Article 9(2)(a) – consent|
|let you know more about the products and services of third parties that may be relevant to you||Article 6(1)(a) – consent||Article 9(2)(a) – consent|
There are extra rules that apply to information about criminal allegations and convictions. We do not use this type of information very often, for example you might tell us about a drug-related conviction or time in prison. Our use complies with Article 10 of the GDPR because it meets the condition set out in the Data Protection Act 2018, Schedule 1, Part 1, paragraph 2 (health or social care purposes).
How does GenderGP get my personal information?
Most of the personal information we use is provided to us directly by you so that you can access our services. For example, you provide us with your contact details. Please let us know if there are any changes to your personal details while you are registered with us.
This includes personal data you provide when you:
- search for one of our apps or our website
- download one of our apps
- create a GenderGP account on-line;
- purchase services through our Website or one of our apps;
- log in to GenderGP and use the Services;
- report a problem with a GenderGP app or website;
- request marketing to be sent to you;
- enter a competition, promotion or survey; or
- give us some feedback.
We also gather technical information about your visit, like what device you are using to access GenderGP services. More detail about what we collect is set out in the section below (What personal information about me does GenderGP use?).
We collect information about your location if you are using a computer, tablet or mobile phone that has GPS enabled.
We use information about your location to advise you where your nearest pharmacy is.
You can stop us using your location information at any time by turning off the GPS setting in your device.
If you pay for GenderGP services you will provide us with information about your health.
GenderGP Practitioners store the medical record of your appointment (including any diagnosis or treatment prescribed by the GenderGP Practitioner) on our systems.
What personal information about me does GenderGP use?
We use the following personal information:
- Your contact details and account details
  - This includes the information that you provide us with when you register and other profile information
  - This includes:
    - Your name
    - Your title
    - Your address
    - Your email address
    - Your mobile telephone number
    - Your username
    - Your password
    - Answers to security questions to check your identity
    - Any personal description provided by you
    - Any photograph provided by you
    - Any personal interests provided by you
    - Your communication preferences
    - Any feedback or survey responses provided by you
- Biographical information
  - This is information like your date of birth, nationality, gender, marital status and dependants
- Information about your health and social circumstances
  - This includes:
    - Recordings of your online appointments
    - Notes and reports relevant to your health, including any information you have told us about your health.
    - Details of your treatment and care, including any diagnosis, medical advice, comments and care plan from your GenderGP GP and other staff who have cared for you.
    - Results of investigations, such as laboratory tests and x-rays.
    - Relevant information from health and social care professionals, relatives or those who care for you.
    - Information about your ethnicity, sexual orientation, sex life, religious beliefs or opinion or genetic data where this is relevant to your care or is information that you have provided to us as part of your care.
Information about your next of kin and carers – This includes their contact details, relevant medical history if required and emergency contact information.
Communications with or about you – This includes referrals and prescriptions
Information about your use of the GenderGP app or the Website – This includes:
- Whether you are using a computer, mobile phone or tablet to access our services.
- Your mobile operating system, the type of mobile internet browsers you use and data about the way you use our app and/or website
- Information that identifies the computer, mobile phone or tablet that you use to access our service.
  - This includes your I.P. address, any unique device identifiers placed by us or our service providers, the unique identifier assigned by GenderGP to your computer, mobile phone or tablet
- Information about your visit.
  - This includes full uniform resource locators (URL); clickstream to, through and from the GenderGP app and Website (including date and time); services you viewed or searched for; page response times; download errors; length of visits to certain pages; page interaction information (such as scrolling, clicks and mouse-overs); methods used to browse away from the page
- Consultation length, how often you visit and any phone number used to call our customer services
- Information stored on your mobile phone, tablet or computer that you choose to share with your GenderGP GP during your on-line appointment
If you are using a computer, tablet or mobile phone that has GPS enabled, your location. You can stop us using your location information at any time by turning off the GPS setting in your device.
If you provide us with feedback, we will use information from the feedback and survey responses you give us. This may include demographic information, such as where you live and your income, if you choose to provide it. It may also include your opinions about our services.
We anonymise this information before we use it to improve our services.
Payment and financial information – This includes your purchases and orders, the charges you have incurred, payments you have made, your payment card details, any credit reference checks and any information from debt collection agencies.
Your marketing preferences.
Who does GenderGP share my personal information with?
To provide you with GenderGP services we need to share your personal information with GenderGP Practitioners and our healthcare team.
GenderGP Practitioners work in partnership with GenderGP as self-employed contractors.
GenderGP Practitioners are responsible for maintaining the privacy of your personal information. All GenderGP Practitioners have to demonstrate they have completed training in personal information handling before they can start consulting with GenderGP clients.
We employ a clinical team, who are part of GenderGP. They may need to access your personal information so that we can provide you with services, for example if you have a query or concern about your consultation or treatment, or if the information is needed to assist the Practitioners with quality assurance. Only those employees of GenderGP who need access to information in order to do their jobs are allowed access.
We also need to share information with partner organisations that help administer GenderGP accounts.
- Our IT suppliers, including suppliers of data storage services
- Contractors who provide our telephone services
- Suppliers of web hosting services
- Organisations that we use to obtain feedback from patients who have agreed to do this
We have vetted these organisations to ensure that they will deal with your personal information responsibly.
We do not allow these partner organisations to use your personal information for their own purposes. We only permit them to use your personal information in accordance with our instructions.
We may also share information with our partner organisations who provide data analysis services, to help improve our services. This does not include information about your health.
Sometimes we need to share information with regulators.
With your agreement, information can be shared with relatives, partners or friends who act as a carer for you. We will only share information once the person you have asked us to share the information with has provided us with proof of their identity.
We may share information with anyone you have given as an emergency contact, for example your next of kin. You can find out more by contacting GenderGP at any time via our Help Centre or by submitting a letter to Harland International Limited which has its headquarters at its registered office, Rm 22B, 22/F Kiu Yin Commercial Building, 361-361 Lockhart Road, Wanchai, Hong Kong.
We may also share information with anyone else that you authorise us to, however, GenderGP Practitioners will not discuss individual cases with employers, insurers or other third parties.
There are some other rare occasions where we may share your data with other organisations.
We may share information with the police, fire and rescue services if:
- There is an immediate risk of harm to you or other people
- There is a legal requirement to do so e.g. where a road traffic offence has been committed or the police have obtained a court order requiring us to provide information
We may share information with bodies with public health responsibilities to control infectious diseases such as meningitis, tuberculosis (TB) or measles and manage public health incidents.
We may share information with our professional advisors, including lawyers and accountants, if this is necessary to take and receive professional advice (including legal advice), or to bring or defend a legal claim or threatened claim.
We may share information with our insurers and the insurers of other organisations where this is necessary to investigate insurance cover and to handle a claim or threatened claim.
We may share information with individuals or organisations if we are legally required to, for example if this is specified in a warrant or court order.
We may share information where we, or substantially all of our assets, are merged with or acquired by a third party, in which case this information may form part of the transferred or merged assets.
We may share your personal information with other organisations that help provide medical or social care.
These organisations include:
- Your own doctor, for example so that they have a record of your on-line appointment. If you would like to know more about what your GP practice does with the information we share with them you should look at your GP practice’s patient privacy notice. This is normally available on your GP practice’s website.
- Organisations that help deliver medical services outside of hospital
- Private sector organisations that deliver healthcare such as private hospitals, dentists, opticians and pharmacists
- Out-of-hours providers e.g. organisations providing out of hours medical services
- Voluntary sector organisations that deliver healthcare such as charities
- Local councils if social workers are part of your care team, education services, children’s services, housing or benefit offices
- Organisations that provide diagnostic tests
- Organisations that provide ambulance or patient transport services
- Other organisations involved in the delivery of medical care, social care or the protection of public health.
If you have agreed to receive information about our services and offers, we may share your information with marketing organisations.
For example, we may share your contact information with companies that we use to send marketing emails. Although we will not share information about your health with these organisations, it may be possible for them to infer this information due to the content of the marketing email. For example, if we are sending you information about how we can help you manage your diabetes, our partners will be able to infer that you have this condition.
If you have agreed to receive information about the products and services of third parties that may be relevant to you, we won’t share information about you with those third parties. Instead we will let you know information about them so that you can use their products or services if you wish.
If you ask us to, we will share the record of your on-line consultation with your doctor. We will not share your information with any other providers of medical care.
Our IT suppliers will also include our IT service provider, who ensures your medical records are stored securely.
Where is my data stored?
Most of the time your personal information stays within the European Union.
Sometimes your personal information may be transferred to our partners in the United States, Hong Kong and Singapore. Our partners have signed up to the Privacy Shield. This ensures that your personal information and your privacy rights are protected.
The European Commission (part of the European Union) has ruled that the EU-US Privacy Shield provides adequate protection to allow personal information to be transferred to the United States.
If you would like more information about partners we may use who store data outside of the EU please contact us.
How long does GenderGP keep my personal information for?
Clinical information will be stored on GenderGP systems. This information will be deleted in accordance with the Records Management Code of Practice for Health and Social Care.
Account information for individuals (including people who have completed the on-line registration process) who have not used our consultation services will be deleted after two years, unless we are required to retain such information for any legal or regulatory reason.
Account information about individuals (for example your name, log in details, summary details of the GenderGP services you have used, any complaints you have made about our service) who have accessed our services will be kept until two years after they last accessed the services or communicated with us, whichever is later.
If you have let us know that you are happy to receive marketing information, we keep the information we need for marketing for a maximum of 2 years from when you last accessed the GenderGP Website or app.
How does GenderGP keep my information secure?
At GenderGP we take security and the secure storage of personal data seriously. We encrypt and store all personal data on secure servers using the latest technologies which are protected by several layers of security.
We do not store any of your personal health data on your mobile device or within your web browser storage permanently. We may collect some personal data and store it temporarily on your mobile device or within your web browser storage (e.g. your post-code during the sign-up process) but this data is not kept on your device after the process for which it is being used has ended.
When using the GenderGP app or website, all your personal data is transmitted through the internet using Secure Sockets Layer (SSL) technology. SSL is an industry standard technology designed to prevent any third party from capturing and viewing your personal data while in transit.
You are required to go through a two-step identity verification process to create your account. Access to your account is protected with a password that you create. You are responsible for keeping this password confidential. We strongly recommend that you do not disclose your password to anyone else and GenderGP will never ask you for your password in any unsolicited communication (including unsolicited correspondence such as letters, phone calls, emails or text messages). You will only ever be able to reset your password using a two-step identity verification process.
For more information on how we keep your data secure, please contact us via our Help Centre.
What rights do I have over my personal information?
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which mean you may not always receive all the information we have about you.
To access a copy of your electronic medical records or other information that GenderGP holds about you, please contact us via our Help Centre.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
We will not usually amend medical records. This is because it is important that we have a copy of the information available to Practitioners at the time they are treating you. Instead we usually add a note to your record to highlight the information you consider to be incorrect.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances.
Again, we will not normally delete information from medical records. This is because it is important that we have a copy of the information available to doctors at the time they are treating you.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to processing if we are able to process your information because the process forms part of public tasks or is in our legitimate interests.
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract, and the processing is automated. You can read more about this right here.
Your right to withdraw consent
You can control whether or not your personal information is used for marketing and inform us of your preferences. All accounts are set up so that the user does not agree to the use of their personal information for marketing unless they opt in.
You have the right to withdraw your agreement to the use of your personal information for marketing at any time. You can do this by contacting us. Doing this means that we cannot use your personal information in the future unless you opt in again.
You are not required to pay any charge for exercising your rights.
Please contact us via our Help Centre if you wish to make a request.
We may ask you to provide us with identification so that we can be sure that we are dealing with the right person. This is a security measure. We may also contact you to ask you to put your request into writing and/or for further information in relation to your request to speed up our response.
We try to respond to requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In these cases, we will notify you and keep you up to date about when we expect to be able to respond.
If you have any questions, want to exercise your rights or need further information about what we do with personal information, our Data Protection Officer can be contacted via our Help Centre.
You have the right to make a complaint at any time if you are not happy with the way that we have dealt with your personal data or a request from you to exercise your privacy rights.
We would appreciate the chance to deal with your concerns in the first instance so please contact us via our Help Centre.
Updating this notice
We may update this notice from time to time. If we plan to update the policy we will let you know through the GenderGP website. When you log on to your account we will also let you know if the notice has been updated since you last accessed GenderGP services. You should stop using our Website and apps if you do not agree to any changes.
This notice was most recently updated on 25 August 2019.
A cookie is a small text file that may be placed on your computer or Device when you visit the Website or Portal. When you next visit the Website or Portal the cookie allows us to distinguish you from other users.
There are two categories of cookies: (a) ‘persistent cookies’ that remain on your computer or Device until deleted manually or automatically; and (b) ‘session cookies’ which remain on your computer or Device until you close your browser, when they are automatically deleted.
The cookies GenderGP uses:
- Essential cookies are required for the operation of the Website or Portal and without them the Website or Portal can’t operate properly.
- Performance cookies allow us to see and count the number of visitors to the Website or Portal and what they do during their visit. We use the information from these cookies to improve the Website or Portal’s performance. The data from these cookies doesn’t allow us to identify you.
- Experience cookies allow the Website or Portal to remember your choices, which means we can personalise your experience of the Website or Portal. Data collection by experience cookies is used by our analytics systems (including third party systems) to monitor and enhance the Website or Portal’s user-friendliness.
- Marketing cookies track and record your visits to the Website or Portal, including but not limited to the actual pages you visit and the links you have clicked or followed. We use this data to make the content of the Website or Portal more relevant to/for you based on what we know about you. We do share information about your activity on the Website or Portal that is stored by these cookies with our agents, agencies and other third party ad networks and this information can be used to advertise products to you on other sites. Any data we share is anonymous and cannot be used to identify you.
GenderGP (hereinafter referred to as ‘GGP’, ‘We’, ‘Us’ or ‘Our’) have created this privacy statement (‘Statement’) in order to demonstrate Our firm commitment to the privacy of the details that You provide to Us when using the GGP Site.
We are committed to protecting and respecting Your privacy and Your Personal Data. For the purpose of the Data Protection Act 1998 (and the GDPR as from the 25th May 2018), Katie Tiplady-Startin is the Data Controller (ICO registration number: ZA227187).
For all matters relating to privacy and data protection, please contact Katie Tiplady-Startin, Data Protection Manager by visiting our Help Centre.
In this Statement, references to ‘You’, ‘Your’ and ‘GGP User/ Customer’ are references to visitors who use the GGP Site. When You use the GGP Site to access the GGP Services, You are consenting to the practices set forth in this Statement.
We aim to be as clear as possible in this Statement in respect of Your Personal Data. This Statement applies to Your Personal Data that We collect about You when You use the GGP Site, how and when it is used, how We protect it and who has access to it (the ‘Terms’).
Unless otherwise stated, any defined terms in here shall have the meaning set out in the Service Standards.
YOUR ACCEPTANCE OF THIS PRIVACY STATEMENT
This Statement governs Your use of the GGP Services, including any dispute concerning privacy. By using the GGP Services, You accept this Statement in full. You should read the Statement carefully and ensure that You understand its effect before proceeding to use the GGP Site to access the GGP Services. We reserve the right to make reasonable changes to any of the Terms herein at any time. Any changes We may make will be posted on this page and, where appropriate, notified to You by email, or, when You next log in, the new Terms may be displayed on-screen and You may be required to read and accept them to continue.
Personal Data and Special Category Personal Data are defined in accordance with the Data Protection Legislation. In this Privacy Statement, Personal Data shall include the meaning of Special Category Personal Data.
WHAT PERSONAL DATA IS COLLECTED & HOW?
PERSONAL DATA SUBMITTED VOLUNTARILY BY YOU TO US:
In order for Us to provide You with the GGP Services, We collect various types of Personal Data. We are committed to ensuring that the information We collect and use is appropriate, relevant and proportionate for the stated purpose. Some types of Personal Data may be voluntarily provided by You which is to be shared with Us and GGP Service Providers as applicable in respect of yourself (or in respect of one or more other individuals where lawful authority is granted to You by those other individuals) which shall include as follows:
|What Personal Data is processed?||Where is it collected from/via?||What is the ‘purpose’ of processing||What is the lawful basis for processing?||Retention: For how long is it held?|
|Personal contact details||Website contact form||In order to be able to respond and contact the enquirer||Article 6(1)(b) GDPR||No end date due to medical nature|
|Medical history||To assess suitability for treatment||No end date due to medical nature|
|Blood test results||Email/Post||To assess suitability for treatment and ongoing safety of treatment||No end date due to medical nature|
|Contact details of other interested parties||To keep all involved specialists up to date||Article 6(1)(b) and 9(1)h GDPR||No end date due to medical nature|
Some of the information collected in the table above is essential for Us to provide You with the GGP Services but it is Your choice whether You provide all the information We request. Not providing information may affect Our ability to provide all the GGP Services to You.
We will retain your Personal Data only for as long as is necessary to provide the GGP Services which You request and in accordance with the retention periods set out in column 4 of the table at Clause 2.1. We shall then delete it unless you ask Us not to, or We have a legitimate reason to retain it. We need to retain sufficient information about You in compliance with legal or statutory requirements, for example, in the event of a legal or insurance claim in the future so that We can identify You.
We may from time to time offer a range of additional services.
We may need to collect additional information about You as part of this. This may include but is not limited to promotions, prize draws, competitions and surveys. Additional notices about the information that We collect and how We will use it will be provided to You at the point that You are invited to avail of these additional services.
Where We state that We rely on consent under Article 6(1)(a) to process Your Personal Data for a particular purpose as per column 3 of the table at Clause 2.1, You have the right to withdraw Your consent at any time. This will not affect the lawfulness of processing carried out by Us which was based on consent before its withdrawal.
PERSONAL DATA AUTOMATICALLY COLLECTED BY US:
• Your visits to the GGP Site and the GGP Content that You download;
• Your IP address;
• Your geographical location;
• Your browser type and version;
• Your operating system;
• Your referral source;
• Your length of visit;
• Your page views and Site navigation and exit;
GGP agrees and warrants that it will adhere to all Data Protection Legislation and will take appropriate technical and organisational security measures against the unauthorised or unlawful processing of Your Personal Data and against accidental loss or destruction of, or damage to Your Personal Data.
GGP shall process Personal Data listed in the table at Clause 2.1 only to the extent, and in such a manner, as is necessary for the sole purpose of fulfilling the GGP Services (including making improvements to the GGP Services). For the avoidance of doubt, GGP is the exclusive owner (or lawful licensee) of the GGP Site as well as the GGP Content.
FINANCIAL PERSONAL DATA
Each monetary transaction made via GGP Site shall be processed by a third-party payment processing partner who is a GGP Service Provider – Chargedesk, Stripe, and/or PayPal. You will be required to provide Chargedesk, Stripe, or PayPal with Your Personal Data including financial data in order to use the payment processing services.
To make and complete a financial purchase or to receive a payment via the GGP Site, the policies of those named in the relevant section shall apply.
You are subject to the terms and conditions of those named in the relevant section.
HOW IS YOUR DATA USED?
GGP will process, i.e. collect, store and use, the Personal Data You provide in a manner that is compatible with the Data Protection Legislation.
We will endeavor to keep Your Personal Data accurate and up-to-date and not keep it for longer than is necessary. Our aim is not to be intrusive and We undertake not to ask irrelevant or unnecessary questions. Moreover, the information You provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.
You acknowledge that Your Personal Data may be used by GGP to contact You when necessary in connection with Your use of the GGP Site to access the GGP Services as follows:
|What type of Non-Marketing Communication?||Method of presentation/sending?||Legal Basis for processing?|
|Administration related – to set up and continue to provide ongoing support services||We do not need Your explicit consent for this as the “processing is necessary for the performance of a contract” under Article 6(1)(b) GDPR.|
|Blood test requests and results – required as part of the ongoing service provision.||We do not need Your explicit consent for this as the “processing is necessary for the performance of a contract” under Article 6(1)(b) GDPR.|
|Appointment arrangement – should you require an appointment we will need to arrange this||We do not need Your explicit consent for this as the “processing is necessary for the performance of a contract” under Article 6(1)(b) GDPR.|
From time to time and with Your permission, GGP may contact You and send you Marketing Communications that We believe may be of interest to You which shall be of the type (and via the method(s)) referred to in the table. By looking at Your participation profile as well as any additional information which You have agreed can be shared with Us, We can identify news, offers and services that are most likely to be most relevant and will meet Your needs. When We send You a Marketing Communication, We may monitor whether You have opened the communication and clicked on any included links. This will enable Us to track and analyse Your level of engagement/ interest in the communication We are sending to You and will provide Us with further insight on what type of communications are of most interest to You.
|What Type of Marketing Communication?||Method of presentation/sending?||Legal Basis for processing?||How can you opt out of continuing to receive direct marketing communications?|
|Email newsletter||We will only send You these where You have provided Us with specific consent for this specific purpose as permitted under Article 6(1)(a) GDPR
where You have purchased from Us and have not opted out of, or objected to, receiving Marketing Communications under Article 6(1)(f) GDPR.
|In the email footer and manage send preferences in Mailchimp|
If You agree to receiving any of the above Marketing Communications but later change Your mind, You can opt out at any point, by using the ‘unsubscribe’ link at the end of any Electronic Mail communication received by You.
LEGITIMATE INTERESTS TO PROCESS YOUR PERSONAL DATA:
We process Personal Data about You where We have a legitimate interest to do so. In some cases, this may require Us to collect additional information from You or from other sources. Where We do rely on legitimate interests under Article 6(1)(f) GDPR to process Your Personal Data, You have the right to object to any of the processing We undertake. If You wish to object please complete Our Objections Form. Please bear in mind that if You object, this may affect our ability to provide to You the benefits of the GGP Services.
We may from time to time use publicly available demographic information to determine who We target for specific events or marketing campaigns so as to avoid contacting individuals unnecessarily.
WHO HAS ACCESS TO YOUR DATA?
To minimise the risk of unauthorised access to Your Personal Data, We use some of Your Personal Data to authenticate Your identity when You use the GGP Site to access the Services.
We have a legitimate interest in sharing Your Personal Data with Our GGP Service Providers who We engage to provide some of Our business and daily operational functions on Our behalf to ensure the GGP Services. Consequently, We need to disclose Your Personal Data to them for the sole purpose of fulfilling the GGP Services only (including making improvements to the GGP Services) and not for the purposes of those GGP Service Providers sending Marketing Communications to You. We limit the Personal Data that We share to the minimum required to provide the service and the GGP Service Provider will only be able to use Personal Data for the specific purposes for which it was shared. We do not need Your express consent for this as We rely on legitimate interests under Article 6(1)(f) GDPR in addition to the fact that the “processing is necessary for the performance of a contract” under Article 6(1)(b) GDPR
Disclosure of Your Personal Data in Compliance with Laws or by way of a Legal/Statutory Obligation
You should be aware that We may release Your Personal Data when We believe it is necessary to comply with laws or regulations, to assist law enforcement, to enforce the terms under which You transact or communicate with GGP or to protect the rights, property or safety of GGP, a GGP User/ Customer or other third parties. We may need to process Personal Data about You to comply with a legal or statutory obligation including but not limited to:
- accounting, auditing, compliance and administration practices; and,
- the maintenance of amendments to consents and to create suppression lists to ensure GGP Users/ Customers who object to processing are excluded from the relevant processing activity in the future.
Transfer of Your Personal Data
From time to time, We may transfer Your Personal Data to a related company, agent or contractor (also known as GGP Service Providers) in order to improve Our GGP Services or to assist our security, credit risk or fraud protection activities and as permitted by Data Protection Legislation from time to time.
Some or all of Your Personal Data is transferred and stored within the European Economic Area (the “EEA”) (The EEA consists of all EU member states, plus Norway, Iceland, Liechtenstein) in compliance with the Data Protection Legislation. Should We need to transfer Your Personal Data outside of the UK or EEA in the future, it will be in compliance with the GDPR requirements for external transfer and all details will be added to Our Privacy Statement.
Transfer of Personal Data in the Event of the Sale of GenderGP or its Assets
In the event that GGP is sold or transfers some of its assets to another party, Your Personal Data could be one of the transferred assets. If Your Personal Data is transferred, its use will remain subject to this Privacy Statement. Your Personal Data will be passed on to a successor in the event of a liquidation or administration.
Other Websites and their Privacy Policies and Cookie Policies
The GGP Site may contain links to other websites or applications. GGP is not responsible for the privacy practices or the content of such websites or applications or for the privacy policies, cookie policies and practices of other third parties, so You should be careful to read and understand those policies independently.
HOW DO WE PROTECT YOUR PERSONAL DATA & FOR HOW LONG?
We aim to ensure Our GGP Services are fully inclusive and accessible to everyone. To make this possible We need to collect (and may provide to prospective GGP Service Providers) information on Your usage of the GGP Services which will help us review the accessibility of, and Your usage of, the GGP Services. This information is very important to Us as it also enhances Our understanding of the GGP User needs and helps Us to aid the technical administration of the GGP Site to better understand how the GGP Site is functioning and to draw conclusions upon demographic information. Such information is provided in anonymised and aggregate form and does not include any individually identifiable data.
How long We keep Your Personal Data collected through the GGP Site depends on the context in which You provide it and the purpose for which We use it. We will only retain it for as long as is necessary for such purposes. GGP uses its discretion to decide retention periods in consultation with the advice provided by any organisation of which We are a member or by which We are regulated or governed, as referred to at the top of this Privacy Statement. Our retention periods are set out in the table at Clause 2.1.
We may record calls, both inbound and outbound, as it helps Us to understand the contents of the conversations better especially when they involve work requests/ instructions from You. These recordings may also be used for training and quality control to ensure that We continuously monitor and improve Our service standards. Sometimes, We need to listen to a call over and over again to save Us contacting You again for the same info! If We record calls, they are recorded and stored using the services of a Third Party Service Provider called justcall.io. Sometimes We will download a recording to a computer file. All recordings are deleted from Our computers as soon as We determine that We no longer need them. This may be immediately following the call. Our legal basis for processing Personal Data in this way is supported by Article 6(1)(b) GDPR or where contract does not apply, We rely on Our legitimate interests under Article 6(1)(f) GDPR.
YOUR RIGHTS UNDER DATA PROTECTION LEGISLATION
|What is your right under the GDPR?||How do we honour your right?|
|The right to be informed||
We must provide ‘fair processing information’, typically through a privacy statement such as this describing how and why We collect and use Your Personal Data.
Read more guidance from the ICO on what information we should supply to You and when You should be informed (which shall differ depending on whether or not We obtained the Personal Data directly from You or a third party).
|The right of access||
We try to be as open and transparent as We can be in terms of giving You access to the information that We hold on You. You are entitled to be able to check the lawfulness of any processing of Your Personal Data. You can find out if We hold (and process) any other Personal Data by making a ‘Data Subject Access Request’ (DSAR). To make a DSAR to access Your Personal Data that We may hold, You need to put the request in writing addressing it to the postal address provided or You can send it electronically to the email address below. We will action Your request without delay and at the latest within one (1) month of Your request subject to any extensions granted. Alternatively, if You agree, We will try to deal with Your request informally, for example, by providing You with the specific information You need over the telephone.
If We do hold information about You, We will:
Read more guidance from the ICO.
|The right of rectification||
You are entitled to have Your Personal Data rectified if it is inaccurate or incomplete. If We have disclosed this to third parties, We will inform You. We have one month initially to rectify it subject to a possible extension.
Where We decide not to rectify, We shall provide an explanation as to why We are not making changes and inform You of Your further rights.
Read more guidance from the ICO.
|The right of erasure||
You have a legal and personal “right of erasure”, the extension of which is also known as the “right to be forgotten”. Upon Your request, We will close Your Account and remove Your Personal Data as soon as reasonably possible from all of Our records unless a lawful reason exists for Us to retain some or all of it.
Read more guidance from the ICO.
|The right to restrict processing||
You have a right to ‘block’ or ‘suppress’ the processing of Your Personal Data under certain circumstances but We are still entitled to store just enough of Your Personal Data to ensure that the restriction is respected in future.
Read more guidance from the ICO.
|The right to object||
Read more guidance from the ICO.
|The right to data portability||
You are entitled to obtain (in a commonly used and machine readable form) and reuse Your Personal Data that You have provided to Us (via consent or contract performance) and which We process by automated means for Your own purposes across different services and free of charge. We must respond to a request without undue delay, and within one month whether or not We decide to action Your request. Where We decide not to, We shall inform You of Your further rights.
Read more guidance from the ICO.
|Rights related to automated decision making and profiling||
Subject to any exceptions, We should not take a potentially damaging decision concerning You as a result of using automated processing operations without human intervention. We must ensure that You have the opportunity to:
Read more guidance from the ICO.
COMPLAINTS OR QUERIES
If You have a complaint about the way in which GGP has processed Your Personal Data or a general request for information about Our Privacy Statement or a Data Subject Access Request, please contact the person named in the introduction in writing or by email.
GGP tries to meet the highest standards when collecting and using Personal Data. For this reason, We take any complaints We receive about this very seriously. We encourage You to bring it to Our attention. We are happy to provide any additional information or explanation needed in respect of Our processing activities upon request. If You are still not happy with the way in which Your Personal Data is being processed by Us, please contact the UK’s supervisory authority to whom You can lodge a complaint – www.ico.org.uk.
DEFINITIONS & INTERPRETATIONS
Article 6(1)(a) GDPR: You have given Your consent to the processing of Your Personal Data for the specific purpose(s).
Article 6(1)(b) GDPR: the “processing is necessary for the performance of a contract”.
Article 6(1)(c) GDPR: processing is necessary for compliance with a legal obligation to which We as a Data Controller are subject.
Article 6(1)(d) GDPR: processing is necessary in order to protect the vital interests of You or another natural person.
Article 6(1)(e) GDPR: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Us as a Data Controller.
Article 6(1)(f) GDPR: processing is necessary for the purposes of the legitimate interests pursued by Us as a Data Controller or by a third party and such interests are not overridden by Your interests or fundamental rights and freedoms of the data subject which require protection of Personal Data.
Data Subject Access Request or ‘DSAR’: refers to the right of access as further described in the table at Clause 7.
Electronic Mail: includes email, text, video, voicemail, picture and answerphone messages (including push notifications).
Intellectual Property Rights: patents, rights to inventions, copyright and neighbouring and related rights, trademarks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
Marketing Communication(s): refers to any communication whether by an Electronic Mail method or otherwise that We send to You (either directly or via a GGP Service Provider) which may include but are not necessarily limited to relevant newsletters and magazines, information about opportunities, products, services and events and relevant information.
Non-Marketing Communication(s): refers to any communication which is functional/ administrative only and is not a Marketing Communication.
Partner Organisation: refers to a third party (as distinct from GGP Service Provider) with whom We may share Your Personal Data from time to time subject to Your consent who may then contact You directly with Marketing Communications or Non-Marketing Communications subject to Your permission.
GGP Content: the content including all Intellectual Property Rights therein residing on the GGP Site (which may or may not include Personal Data).
GGP Services: refers to the GGP Services We may provide to You.
GGP Service Providers: refers to the external third party data processors (as distinct from Partner Organisations) with whom We work from time to time as a necessary part of providing the GGP Services and with whom We therefore need to share Your Personal Data from time to time which shall include professional and legal advisors GGP [insert Company Abbreviation] Site.
Special Category Data: is defined under Article 9 of the GDPR as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
CHANGES TO THIS STATEMENT
We keep Our Statement under regular review. This Statement was last updated on 15th May 2018
Third Party Data Processors
We use Google Cloud to store your personal information in compliance with data protection regulations. You can read about how they protect your information here.
We use 10to8 to facilitate appointment bookings. Their legal policy can be found here.