This policy is for your information. It outlines what information will be collected from customers of Inuvi and the visitors to our website, why it is required and how the information will be used under the General Data Protection Regulations (GDPR). GDPR imposes strict guidelines to secure a data subject’s right to privacy with regard to their personal information. The new rules of GDPR have introduced additional changes to create the UK Data Protection Act 2018.

The GDPR’s data protection principles are similar to those under the Data Protection Act, except there are 6 instead of 8. Under the principles, organisations must be able to demonstrate that any personal data they handle is:

• Processed lawfully, fairly and transparently
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary
• Accurate and, where necessary, kept up to date
• Kept for no longer than is necessary where data subjects are identifiable
• Processed securely and protected against accidental loss, destruction or damage

Who this policy applies to

Customers of Inuvi from whom we collect medical evidence in the form of answers to a medical questionnaire, examinations and laboratory tests, as well as visitors to our website.

Definitions under GDPR

Data Subject – means an individual who is the subject of personal data.

Data Controller – A person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is, or is to be, processed.

Data Processor – In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Personal Data – Any information relating to any person that can be used to identify them either directly or indirectly, such as their name, identification number, address, web browsing data or other factors specific to physical, psychological, genetic, mental, economic, cultural or social identity of that person.

Sensitive Personal Data – Information on racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation, and genetic or biometric data.

Lawful grounds for processing

Inuvi may process personal data lawfully for a number of reasons, including in order to:

• Carry out a task as instructed by the data controller, as necessary for the performance of a contract
• Respond, with your consent, to a message you have sent us through the website
• Comply with a legal obligation
• Carry out a task in the public interest, or in exercising official authority vested in Inuvi
• Protect the legitimate interests of Inuvi or a third party, except where this is overridden by your own interests or rights, Name and Address of the Controller and Processor

Data Controller for Medical Evidence Collection

The data controller is the organisation that you engaged with to provide a service to you. It may be an insurance company providing life insurance, but equally could be any organisation that requires medical information about you in order to provide you with a service. The contact details of the controller will vary depending on the organisation you are using to provide you with the service. From herein, the data controller will be referred to as your service provider.

Data Processor for Medical Evidence Collection and Controller for the Website

In terms of the collection of medical evidence from you, the data processor is:

Inuvi
Unit 10 Millars Brook Business Park
Molly Millars Lane
Wokingham
RG41 2AD
Phone: +44 118 467 0555
Website: www.inuvi.co.uk
E-mail: [email protected]

The website is owned and operated by Inuvi and we are therefore the designated data controller for it. You can contact Inuvi via post, a contact form on our website, by telephone or email.

Data Protection Officer

The data protection officer can be contacted at:

Inuvi
Unit 10 Millars Brook Business Park
Molly Millars Lane
Wokingham
RG41 2AD

Phone: +44 118 467 0555
E-Mail: [email protected]

You may at any time contact our data protection officer directly with all questions and suggestions regarding this policy and data protection in general at Inuvi.

Medical Evidence Collection – How your information will be used

As a Data Processor, Inuvi keeps and processes information about you if we are instructed by your service provider to conduct a medical examination and/or perform laboratory tests on samples taken from you if, for example, you have applied for either life insurance or a health assessment service. The information that we hold and process will be shared with your service provider who is the Data Controller. You should review your service providers’ own privacy policy for a description of how they use this information.

If you choose not to provide the information that is asked of you during your medical examination then we may in some circumstances be unable to comply with our obligations to the data controller. Your service provider will inform you of the implications of that decision.

The sort of information we hold may include, but not be limited to; your name, postal address, E-Mail address, telephone contact numbers, GP details, the answers to medical questions, the results of medical examinations and laboratory tests, and correspondence including emails and phone call recordings with you or where you are discussed.

Personal and Sensitive Data

Personal data is any information relating to any person who can be identified either directly or indirectly, such as their name, or an identification number, a location, online data or through factors specific to physical, psychological, genetic, mental, economic, cultural or social identity of that person.

Under GDPR, it is legitimate to process sensitive personal data where necessary. For example – if you have applied for a life insurance policy and consented to your medical information being used for the purposes of an underwriting decision. What counts as sensitive personal data remains broadly the same as that under the Data Protection Act. In terms of your relationship with Inuvi, we will collect sensitive personal information relating to your health only as directed by your service provider.

Sharing and transferring personal data

Inuvi will only disclose information about you to third parties if we are legally obliged to do so. Where we need to comply with our contractual duties to the service provider, sub-processors will be used. For example, a laboratory when a lab test is required, or a nurse or doctor to undertake the medical examination. Otherwise, we do not pass any of your information to a third party.

If there is a requirement in the future to process your data for a purpose other than for which it was collected, your consent will be required. You will be provided with notice, the information on that purpose and any other relevant information.

Record keeping and Data retention periods

We will maintain clear and accessible records of all data processing activities.

Data will only be kept for as long as is required through our contractual obligations to the service provider. If you request for your personal data to be erased through your service provider, we will comply with their requests when certain circumstances are met. You should review the service provider’s privacy policy for information on their data retention policies.

Phone Call Recording

Inuvi may record telephone calls with you to:

• Establish facts and check for mistakes relating to you and the medical examination to be completed with you
• Provide evidence of communication with you for your service provider
• Assist in quality monitoring and training of staff
• Investigate and resolve a complaint

We may be asked to share a call recording with your service provider in order for them to respond to a request or a complaint. You may request that your call isn’t recorded. In this situation, you’ll normally be advised to contact us either in writing or by email.

Data relating to phone call recordings are stored securely for 3 months, at which point they are securely destroyed.

Inuvi Website – How your information will be used

The use of the pages on the Inuvi website is possible without any indication of personal data other than the public IP address that you are browsing from; however, if you want to send Inuvi a message, processing of personal data will become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we will obtain consent from you.

Inuvi has implemented numerous technical and organisational measures to ensure the most complete protection of personal data processed through this website. However, you are free to transfer personal data to us via alternative means, e.g. by telephone.

Inuvi acts as both the data controller and processor in respect to the data received through our website. No information is passed on to third parties or sub-processors unless additional consent is collected first, for example, during a job application that results in the offer of employment from Inuvi.

Cookies

The Inuvi website uses cookies. Cookies are text files that are stored in a computer system via an Internet browser.

Many Internet sites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited Internet sites and servers to differentiate the individual browser of the visitor from other Internet browsers that contain other cookies. A specific Internet browser can be recognised and identified using the unique cookie ID.

The most common reason cookies are being used would be for tracking, e.g. Google analytics which measures web traffic and browsing from different sources, however this is not currently installed on the site. The technology used as the basis of the Inuvi website creates cookies, but the cookie itself is not used for any purpose whatsoever.

You may, at any time, prevent the creation of cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If you deactivate the setting of cookies in your web browser, all functions of our website will continue to be usable.

Collection of General Data and Information

The website of Inuvi collects a series of general data and information, when a data subject or an automated system calls up the website. This general data and information is stored in the log files of the server. Collected data may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the date and time of access to the website, (4) an Internet protocol address (IP address), (5) the Internet service provider of the accessing system and (6) any other similar data and information that may be used in the event of attacks on our information technology systems.

When using this general data and information, Inuvi does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website as well as its advertisement, (3) ensure the long-term viability of our information technology systems and the technology of our website, and (4) provide the law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, Inuvi analyses these anonymously collected data and information, on one hand, statistically and besides with the aim of increasing the data protection and data security of our enterprise and, ultimately, to ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

The General Data and Information collected (as outlined above) is stored for a period of one year.

Quick Contact and Sending an E-Mail (e.g. Contact Us and Work with Us sections)

It is possible to send a message using a built-in form on the website (as well as through a standard E-Mail application) with the provisions of personal data. The personal data transmitted to us is determined by the information you entered but at a minimum will include your full name and email address. The personal data is collected and stored exclusively for internal use and specifically for responding to the message and its contents.

By using the contact form, your external IP address and the date / time of when the message was sent is also stored. The storage of this data is a security measure that takes place as a way to prevent the misuse of our services and, if necessary, to make it possible to investigate committed offenses. This data is not passed on to third parties, unless there is a statutory obligation to pass on the data to serve the aim of a criminal prosecution.

We use the data collected when a message is sent to us for responding to the message and its contents. You are free to request a change of the personal data specified within the form at any time, or to have the data completely deleted from our systems.

The information collected as part of our correspondence with the data subject is only stored for as long as it is required to complete the correspondence and satisfy the query.

Your Rights

Under the General Data Protection Regulation (GDPR) you have a number of rights with regards to your personal data. In summary, these are:

• Right to be informed about the processing of your personal data
• Right to rectification if your personal data is inaccurate or incomplete (requests to amend data will normally have to be processed within 1 month)
• Right of access to your personal data and supplementary information, and the right to confirmation that your personal data is being processed
• Right to be forgotten by having your personal data deleted or removed on request where there is no compelling reason for an organisation to continue to process it again (Inuvi has to respond without undue delay or and within 1 month of the request)
• Right to restrict processing of your personal data, for example, if you consider that processing is unlawful or the data is inaccurate
• Right to data portability of your own personal data for your own purposes (you will be allowed to obtain and reuse your data)
• Right to object to the processing of your personal data for direct marketing, scientific or historical research, or statistical purposes

Where Inuvi are acting as a Data Processor providing medical evidence collection services, the above rights should be requested through your service provider. Inuvi will support the service provider in implementing the requests.

Where Inuvi is acting as a Data Controller for data provided through the website, you have the right to request from us access to and rectification of your data as well as for it to be erased and to restrict processing of your data in certain circumstances.

Inuvi will take reasonable steps to create an accurate record of any personal data submitted to us and created by us. Should any factual data held be noted to be incorrect, and Inuvi are notified of this, we will take appropriate steps to rectify this information without undue delay.

If you have provided consent for the processing of your data you have the right to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent has been withdrawn.

You have the right to access all information held about you and/or to request partial or total erasure of your data in accordance with the General Data Protection Regulations. Where Inuvi are holding data related to provision of medical evidence, this data may also be requested through your service provider as outlined above. You can make a request in writing to [email protected] or via the postal address in the processors section above. We may require valid forms of identification in order to action your request.

You also have the right to lodge a complaint with the information Commissioners Office (ICO) if you feel that we have not complied with GDPR requirements regarding your personal data.

Consent

Under GDPR, the current methods of requesting consent to collect and process your data have been reviewed. In certain situations, consent is not required (for example, if there is a legal obligation or we are performing a contract). However, for most other scenarios, data will not be collected or processed without your consent. We always ask for your consent when processing personal data that we have received through our website.

Data security breaches

As outlined above, Inuvi takes management of your personal data seriously and takes all reasonable steps to appropriately secure your data. In the event that a data security breach occurs, it is the responsibility of the Data Controller to notify you without undue delay if there is likely to be a high risk to your rights and freedoms.

For website collection issues, the responsibility would lie with Inuvi. Information will be provided regarding the nature of the breach and action being taken. Concurrently to this, Inuvi will notify relevant parties such as the ICO and/or law enforcement agencies to ensure appropriate action is taken, unless the personal data breach is unlikely to result in a risk to your rights and freedoms.

For medical evidence collection issues, this responsibility would lie with your service provider.

Review

This policy may be updated as required to ensure its compliance with data protection legislation and to exercise best practice. We recommend regular review of this policy to ensure you are happy and in agreement with our policy and associated practices.