
Data privacy & security policy

Medivents Ltd values your privacy and always aims to demonstrate transparency and fairness in the collection and use of client/personal data. This policy is in compliance with the latest GDPR requirements.

1. What is GDPR?

The GDPR was adopted by the EU Parliament to:

  • Create consistency within all the member states of the EU as to the rules regarding data protection, implementation of the law, and how the rules are enforced.
  • Modernise the principles laid out in the 1995 Data Protection Directive (Directive 95/46/EC), which was written before the advent of social media, ‘smart’ mobile devices that now can access things like cameras and geo-location information, and the ubiquity of online services and communications.
  • Reinforce the rights of individuals to control and protect their personal data.
  • Strengthen the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.

2. Who does the GDPR apply to?

The GDPR applies to:

  • Organisations located within the EU;
  • Organisations located outside of the EU if they offer goods or services to (even for free), or monitor the behaviour of, EU residents; and
  • Organisations processing and holding personal data of EU residents, regardless of the Organisation’s location.

3. What is personal data under the GDPR?

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person (‘data subject’) who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria.

4. Data controller

A Data Controller is an organisation that determines the purposes, conditions, and means of the processing of personal data. A Data Processor is an organisation that processes personal data on behalf of a Controller. Third-party processors with which Medivents Ltd works include, but are not limited to, providers of: IT systems and website/email hosting, accounting systems, secure file storage systems, contracted business services, HR/payroll, event venues, transport/courier services.

Medivents and their Registration System Agency (Supplier) are both Data Protection registered under the Information Commissioner Regulations as first laid down in the Data Protection Act. Medivents’ supplier is ISO 9001 and ISO 27001 accredited and has been for a number of years. The regulating ISO organisation is CQS.

The Data Protection Officer (DPO) for Medivents Ltd is Karen Anthony, who can be contacted at karen@medivents.co.uk.

5. How we use personal data

Medivents Ltd uses your data for the following legitimate purposes:

  • To enable our business to respond to your enquiries and contacts about the quotation/provision of event services.
  • To enable provision of contracted event services according to your instruction, or the instruction of nominated contacts in your organisation.
  • To keep in touch with you during the planning and delivery stages of the services you have contracted us to provide.
  • To instruct third parties, where appropriate, who may be assisting us in the provision of the event services you have contracted.
  • We may contact you by email/letter to follow up about the service(s) you have received or to inform you of our other services that may be relevant to you.
  • You will be invited to opt-in to our mailing list and you can unsubscribe at any time. We never share our mailing list contact details with third parties.
  • To enable us to manage delegate attendance at the event they have registered for. As part of this process, delegates are required to confirm acceptance of their data being used for the purpose of managing their attendance at the meeting and subsequent event-related communication such as evaluation and certificates of attendance. We do not share delegate data with third parties.

6. How long do we keep personal data?

We will keep your personal data on our secure CRM system for a minimum of three years from the last time you have contracted services from us, unless you request removal according to your rights under the GDPR.

7. Security of event/client data

We operate a ‘safe file’ system in our offices and site locations and our staff are fully trained in data security. This applies to all client files and contacts whether securely stored in physical files or held on desktop/hand-held devices. Non-essential paperwork is routinely shredded and recycled.

Data in transit is encrypted from clients to the Medivents server. The server cannot be accessed without either being physically at the office or using a dial-in VPN (protected with MFA). The server is backed up using Altaro: an onsite copy is made to a NAS, then copied to an offsite data centre once a day.

Office 365 is backed up in real time for all mailboxes, Teams and OneDrive.

All Medivents staff are prohibited from saving work-related materials to individual devices or to the local drive on desktops. Laptops are also encrypted, so if one is stolen, no data, emails or files can be accessed or retrieved; this is to ensure that no data breaches occur.

CrowdStrike Falcon Pro provides Medivents’ endpoint protection and is installed on all laptops, desktops and servers.

8. Payment/financial security

When making credit card payments to Medivents Ltd, your details are destroyed after payment has been processed through our payment terminal. If providing us with other financially sensitive company details, for instance for credit references, that data is securely stored according to our ‘safe file’ system.

9. Your rights under the GDPR

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request a copy of your personal data which Medivents Ltd holds.
  • The right to request that Medivents Ltd corrects any personal data if it is found to be inaccurate or out of date.
  • The right to request your personal data is erased where it is no longer necessary for Medivents Ltd to retain such data.
  • The right to withdraw your consent to the processing of personal data at any time.
  • The right to request that the data controller provides the data subject with his/her personal data and, where possible, to transmit that data directly to another data controller (known as the right to data portability).
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing.
  • The right to object to the processing of personal data.
  • The right to lodge a complaint with the Information Commissioner’s Office.

10. Contact details

To exercise all relevant rights, or for queries or complaints, please in the first instance contact our Data Protection Officer: Karen Anthony, karen@medivents.co.uk

Or write to: Medivents Ltd., Spirella Building, Bridge Road, Letchworth, SG6 4ET, UK.

Last updated December 2023.