MD INTERNATIONAL LTD, 38 BERKELEY SQUARE, LONDON, W1J 5AE, (“Docly” or “we”) is a company established in England and Wales, and as such, we comply with applicable data protection legislation in the UK, comprising the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
We believe that personal privacy is important and we take your privacy extremely seriously.
Personal data that is processed
Personal data refers to data that can be traced back to you. We may process the following types of personal data that can be traced back to you, including:
Contact details (“Account information”) such as name, e-mail address and telephone number.
Users' behaviour including digital behaviour (for example, behaviour within the app, how you use the search functions) (“Digital behaviour”).
Technical data (for example, the unit's ID, IP address) (“Technical data”).
When you make use of our service, including your meeting with a doctor, you may end up sharing personal details about your previous and current physical and mental health. These details may include, though without being limited to, information that you are suffering from a disease, your medical history or your physiological or biomedical condition (“Health data”). Health data that relates specifically to you may also be provided by the doctor you come into contact with when you use our service. As a data processor, Docly only processes Health data on written instructions from Your Practice. We do not share Health data with third parties outside our service, except where such provision is in accordance with the law or where we are instructed to do so in accordance with our contract with Your Practice.
Purpose of the processing and legal basis
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform our contract with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Where we rely on legitimate interests for our processing, the relevant interest is identified above.
- Where we need to comply with a legal obligation.
- Otherwise, with your consent.
We may also use your personal data in the following situations, which are likely to be rare:
- Where we need to protect your vital interests (or someone else's interests).
- Where it is needed in the public interest.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
We will only use your personal data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will contact you and explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Special categories of particularly sensitive data require higher levels of protection. We need to have further justification for collecting, storing and using the following types of personal data.
- physical or mental health, including any medical condition or disability;
- genetic information and biometric data.
We may process special category information:
- relating to a health condition or disability in order to make reasonable adjustments in the provision of our services;
- where it is needed to protect your vital interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public; and
- to ensure meaningful equal opportunity monitoring and reporting. We make every effort to anonymise such information.
The purpose of data processing and the legal basis for processing of various personal data categories are as follows:
- We process Account information in order to be able to offer Docly's services (i.e. in order to be able to fulfil the agreement between us), also allowing us to contact you in order e.g. to follow up on your user experience. If you agree, we may also use Account information for our legitimate interests in conducting marketing activities, e.g. for distribution of newsletters.
- We process Digital Behaviour information for our legitimate interests in improving the Platform and the mobile app, understanding and analysing users' behaviour and in order to improve the user experience.
- We process Technical Data based on our legitimate interests in understanding users and for marketing purposes.
Personal data is kept for no longer than necessary in order to fulfil the purpose for which it was collected (including the purpose of fulfilling Docly's legal obligations). Personal data stored on the basis of your consent will be deleted if consent is withdrawn, unless we are required to retain the information to comply with applicable laws. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Where a minimum retention period is required by law (such as retaining records for HMRC purposes) we comply with that minimum period plus up to 12 months to allow time for us to anonymise or delete information in accordance with our internal data management processes.
Once personal data is no longer needed for the purpose it was collected we may anonymise the data and retain it for business development research into automised healthcare. Anonymised data can no longer be traced back to you, and we may use such data without further notice to you.
In order to enable improvements to our services and your online experience, our software automatically collects information from your computer (or mobile device), your web browser, including your public IP address and domain name, cookie information, hardware properties (e.g. the unit's ID), websites you have visited, videos and images you have viewed on our website, URLs of the websites' referral traffic and after navigating to our websites, date and time of your visit and your geographical location. The data is collected in order to help us develop a better understanding of behavioural patterns and trends within our services. In order to do so, we use web logs or apps that recognise your computer and gather information about its activity online. We also work together with certain third parties in order to collect and analyse parts of this information.
We use both sessions and permanent cookies on our websites. A cookie is small package of data, often including an anonymous, unique identifier, which is sent from a website to your web browser. If your web browser is set to accept cookies, the cookie is saved to your computer's hard drive. Your web browser will authorise access to cookies that the website has sent to your computer.
Our cookies provide information that makes it easier for you to use our website. Our cookies gather information about how you use our website during a session and over time, your computer's operating system and type of web browser, your geographical location, the website you visited before our website, and links you used to leave our website. On some pages, cookies allow our websites to remember information about our visitors' language choices and countries of origin. You can change the way we collect information by changing the setting for cookies in your web browser.
Sharing information with third parties and transferal to third countries
We may share your personal data with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may share your information with third parties for the purpose of providing the service to you including:
- Your Practice and any other medical practice from which you receive services via the Platform;
- Your insurance company.
We may disclose your personal data to third parties:
- in the context of a sale or negotiations for a sale of our business or assets, in which case we may disclose your personal data to the prospective buyer of such business or assets;
- for the purposes of fraud protection and credit risk reduction.
Where we share your information with third parties as data controllers they are responsible to you for their use of your personal data and compliance with data protection legislation.
If you object to our sharing or continuing to use your personal data with any specific third party please contact us at email@example.com.
The following activities are carried out by third-party service providers (“data processors”) on our behalf: IT support and maintenance; hosting our website (including analytics); marketing campaigns; carrying out surveys and obtaining feedback on our services; archiving and records management; confidential waste disposal.
All our data processors are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our data processors to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may share personal data with our data processors for the reasons given above. Some of these data processors may be established outside the European Economic Area (EEA). We ensure that the data processors we work with maintain an adequate security standard. In order to guarantee an adequate security standard, we only transfer information outside the EEA where adequate security measures are in place, such as adopting the EU standard clauses for the transfer of personal data, or (if data is transferred to the USA) by ensuring that the data processor is certified as Privacy Shield compliant.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are available upon request.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
You are entitled to withdraw your consent for the processing of personal data which is based on your consent. You are entitled to information if we process your personal data, if such personal data is transferred to a third country and, if relevant, who has received your personal data. You are entitled to have any incorrect information about you corrected. In certain circumstances, including when it is confirmed that we are processing personal data without legal grounds or if the processing is no longer necessary in order to fulfil the purpose, you will be entitled to have the data deleted (the right to be forgotten). If the accuracy of the personal data or the legal basis for data processing is questioned, you can request that data processing be restricted.
You are entitled to object to data processing that takes place on the basis of Docly's legitimate interests. In case of such an objection, Docly is obliged to show legal grounds for continued processing of the personal data. You can state at any time that your data may not be used for marketing purposes. You are entitled to receive any of the personal data you have provided, in a commonly used electronic format. You are entitled to transfer such data to another personal data processor. We are obliged to conduct our activities in accordance with the principles as set out above in order to ensure that the confidentiality of your personal data is protected and maintained.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
In order to update, correct or delete data we have about you, exercise your rights according to the above, or to get in touch with our personal data compliance officer, please contact us at firstname.lastname@example.org.
These general conditions are applicable as of and including December 4th 2018.