- Introduction
1.1. This is a notice to inform you of our policy covering all information that we record about you through our website or when you or your employer contracts with us. It sets out the conditions under which we may process any information that we collect from you, or that you provide to us. It covers information that could identify you (“Personal Data”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information.
We take seriously the protection of your privacy and confidentiality. We understand that all visitors to our website or who use our products and services are entitled to know that their Personal Data will not be used for any purpose unintended by them, and will not accidentally fall into the hands of a third party. We undertake to preserve the confidentiality of all information you provide to us, and ask you to reciprocate in respect of our confidential information. Our policy complies with EU data protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR”), with The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK Privacy Laws”) and with Statutory Instrument 336 of 2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (together, “Data Protection Laws”).
By using our website and/or our services and products, you consent to this Privacy Policy and the processing of your Personal Data as described below.
The law requires us to tell you about your rights and our obligations to you in regard to the processing and control of your Personal Data. We do this now, by requesting that you read the information provided at www.knowyourprivacyrights.org. Except as set out below, we do not share, or sell, or disclose to a third party, any information collected through our website.
The bases on which we process information about you
The law requires us to determine under which of six defined bases we process different categories of your Personal Data, and to notify you of the basis for each category. If a basis on which we process your Personal Data is no longer relevant then we shall immediately stop processing your data. If the basis changes then if required by law we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information.
Where we process your Personal Data on behalf of one of our medical partner professionals, they shall in the first instance be controlling the means of processing and the purposes for which the Personal Data is processed. In those circumstances it will be the medical professional who is the Data Controller primarily responsible for your Personal Data; we shall be a data processor acting upon the instructions of that medical professional, though in some circumstances where we take control of the information we may in addition be a joint Data Controller. In the first instance you should direct any queries regarding your Personal Data to that medical professional with whom you have a contract. You may be asked by the relevant medical professional who provides the Personal Data on your behalf to us to read their privacy policy, since they will be your Data Controller.
In addition, this Privacy Policy applies in respect of all applications for the supply of products and services and employment contracts with Myogenes where you or your employer has contracted directly with Myogenes; Myogenes is the Data Controller in respect of your Personal Data in these circumstances.
We do not collect any information from anyone under 18 years of age. Our website, products and services are all directed to people who are at least 18 years old or older.
- Information / Contractual Obligations
2.1. Data Controller/DPO
The Data Controller in respect of your Personal Data is:
Myogenes Limited
Kinetic Business Centre
Theobald St. Hertfordshire
WD6 4PJ
Our Data Protection Officer (“DPO”) can be contacted as follows:
gdpr@myogenes.co.uk
2.2 Information we process because we have a contract with you.
If you join us as a patient or otherwise agree to our terms and conditions, a contract is formed between you and us. In order to carry out our obligations under that contract we must process the information you give to us. Some of this information may be Personal Data, including your name, address, email, telephone number and doctor’s details. Additional special category data is mentioned below.
We may use it in order to:
- Verify your identity for security purposes
- Sell products to you
- Provide you with our services
- Provide you with suggestions and advice on products, services and how to obtain the most from using our website
- Other direct marketing
We process this information on the basis there is a contract between us, or that you have requested we use the information before we enter into a legal contract. We shall continue to process this information until the contract between us ends or is terminated by either party under the terms of the contract. Additionally, we may anonymise and aggregate this information in a general way and use it to provide class information, for example to monitor our performance with respect to a particular service we provide. If we use it for this purpose, you as an individual will not be personally identifiable and Data Protection Laws are not relevant.
2.3 When you apply to or do join the Myogenes team, Myogenes shall be Data Controller in respect of your Personal Data and this Privacy Policy shall apply. Where you provide your Personal Data to us as a prospective or current member of the Myogenes team, this enables us to fulfil our contractual obligations to you and/or is necessary for legitimate purposes. You will receive GDPR training and this Privacy Policy is an important part of that training.
2.4 When you contact or contract with Myogenes as a medical professional, with a few exceptions, we require Personal Data limited to the kinds of information that can be found on a business card: first name, last name, job title, employer name, work address, work email, and work phone number.
2.5 Special Category Data. With your express consent and to fulfil our contract with you, we may collect and process your genetic data or other special category data. Pursuant to Article 9 of the UK GDPR, we only process this Personal Data with your express consent. The UK GDPR defines genetic data in Article 4(13): “‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”. We may also collect other biometric data or data relating to your health. The UK GDPR defines health data in Article 4(15): “‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
The categories of Personal Data described in this clause are recognised by data protection laws as special category data. The presumption is that this type of Personal Data needs to be treated with greater care because collecting and using it is more likely to interfere with your fundamental rights or open you up to discrimination. Therefore all such Personal Data is only processed by us or our suppliers when you complete a patient requisition form and expressly consent to such processing.
- Information which we process with your consent
3.1. Through certain actions when otherwise there is no contractual relationship between us, such as when you browse our website or ask us to provide you more information about our Practice, you provide your consent to us to process information that may be Personal Data. Wherever possible, we aim to obtain your explicit consent to process this information, for example, by asking you to agree to our use of cookies, and via the disclaimer on our contact and referral forms. Sometimes you might give your consent implicitly, such as when you send us a message by e-mail to which you would reasonably expect us to reply. Please note that Personal Data supplied by you to us using our website Contact form or by email is not encrypted until processed in our system.
Except where you have consented to our use of your Personal Data for a specific purpose or have contracted with us, we do not use your information in any way that would identify you personally. If you have given us explicit permission to do so, we may from time to time pass your Personal Data (name and contact information) to selected associates whom we consider may provide services or products you would find useful.
3.2 We continually strive to improve our services and the website offerings based on the information and feedback we receive from you. Your information helps us to respond more effectively to your requests and support your needs. We continue to process your information on this basis until you withdraw your consent. Note: If at any time you would like to unsubscribe from receiving future communications, we include detailed unsubscribe instructions at the bottom of each communication. You may withdraw your consent at any time by instructing us at gdpr@myogenes.co.uk. However, if you do so, you may not be able to use our website or our services further.
- Information / Legal Obligation
4.1 We are subject to the law like everyone else. Sometimes, we must process your information in order to comply with a statutory obligation, as necessary to protect the security and integrity of the website and our services or in response to a request for cooperation from a law enforcement or other government agency. For example, we may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order. This information may include your Personal Data. Further, your Personal Data may be used: to permit applications for employment with us and related activities to such applications and contracts for service or services; to establish or exercise legal rights; to bring or defend legal claims; for responsible corporate governance or as otherwise required or permitted by applicable laws and/or regulations; in circumstances in which we believe disclosure is appropriate in connection with fraud prevention and prevention of other illegal, or unlawful activity or any other activity which is or may be contrary to our legal and regulatory compliance obligations.
- Information / Specific Uses
5.1 Personal Data submitted on this website will be used for the purposes specified in this Privacy Policy or in relevant parts of the website.
Information you give to us. We may use this information to:
Send you general and marketing communications;
Send you e-mail notifications;
To notify you about changes to our service;
To ensure that content from our site is presented in the most effective manner for you and for your computer;
Provide third parties with statistical information about users; this information will not be used to identify any individual user;
Deal with enquiries and complaints made by or about you relating to the website;
Information we collect about you. We will use this information:
To administer our site, for internal operations, including troubleshooting, data analysis, testing, research, statistical / review;
To improve our site to ensure that content is presented in the most effective manner for you and for your computer;
As part of our efforts to keep our site safe and secure;
To measure or understand the effectiveness of advertising we serve to you and others, and deliver relevant advertising to you;
To make suggestions and recommendations to you and other users of our site about services that may interest you or them.
Information we receive from other sources:
We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
We will not, without your express consent or when you are an existing patient or medical professional contact, provide your Personal Data to any third parties for the purpose of direct marketing.
6.1 You have various rights in respect of your Personal Data which can be summarised as follows:
6.1.1 The right to be informed. Where Myogenes intends to collect your Personal Data, where this is not for fulfilling a contractual obligation owed by Myogenes to you, you have a right to consent or object to such collection for the intended purposes. In respect of each intended purpose where your consent is required because it is not otherwise lawful you will be asked to tick a box to indicate your consent to each intended purpose for processing of your Personal Data.
6.1.2. The right of access. You may request to receive a copy of any Personal Data held by us, which personally identifies you. We may ask you to verify your identity and for more information about your request.
6.1.3. The right to rectification. We will correct or erase inaccuracies in the information we hold about you when we learn of the inaccuracy.
6.1.4. The right to erasure. Personal Data may be erased if we do not have a contractual or legitimate reason for retaining the information. The provision of your Personal Data is voluntary. You can request that we delete it at any time. If you wish us to remove Personal Data from our systems, you may contact us at gdpr@myogenes.com. This may limit the service we can provide to you.
6.1.5. The right to restrict processing.
6.1.6. The right to data portability.
6.1.7. The right to object.
6.1.8. Rights in relation to automated decision making and profiling. Myogenes does not carry out any automated decision making.
6.2 Verification of your Personal Data. When we receive any request to access, edit or delete Personal Data we shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.
6.3 Retention Period for Personal Data. We keep your special category Personal Data securely with appropriate technical and organisational measures for a period of 3 months from your last contact or order for our products or services or from last access by your medical professional, whichever is later. We retain non-special category Personal Data of patients, Personal Data of our suppliers and personnel resources for one year after the relevant contract is terminated. After this time it is anonymised and ceases to be Personal Data. We also retain data as necessary on our practice management software which complies with appropriate technical and organisational measures to maintain its security for as long as required by us:
To provide you with the services you have requested;
To comply with other law;
To support a claim or defence in court;
For legitimate purposes.
- Complaints regarding content on our website
7.1 If you have a reason to complain about how your Personal Data has been controlled and processed by us, please in the first instance contact us and we shall endeavour to resolve your queries promptly. If we feel that the complaint is justified or if we believe the law requires us to do so, we shall remove the content while we investigate. If we think your complaint is vexatious or without any basis, we shall not correspond with you about it.
7.2 When we receive a complaint, we record all the information you have given to us. We use that information to resolve your complaint. If your complaint reasonably requires us to contact some other person, we may decide to give to that other person some of the information contained in your complaint. We do this as infrequently as possible, but it is a matter for our sole discretion as to whether we do give information, and if we do, what that information is.
7.3 How you can complain
If you are not happy with our Privacy Policy or have any complaint then you should tell us by email. Our address is gdpr@myogenes.co.uk
If a dispute is not settled then we hope you will agree to attempt to resolve it by engaging in good faith with us in a process of mediation or arbitration.
If you are in any way dissatisfied about how we process your Personal Data, please contact us in the first instance, so that we can try and resolve the issue. However, you have a right to lodge a complaint with the Information Commissioner’s Office. This can be done at https://ico.org.uk/concerns/. Please copy any such communication to us so that we can work to resolve any outstanding issues promptly.
- Contacting Us
8.1 When you contact us, whether by telephone, through our website or by e-mail, we collect the Personal Data you have given to us securely in order to reply with the information you need. We record your request and our reply as well as the Personal Data associated with your message, such as your name and email address and other contact details so as to be able to track our communications with you to provide a high quality service. This data will be stored securely for a period of 3 months; we may also record this information within our patient management software.
- Cookies
9.1 This website uses Google Analytics to help analyse how users use the site. The tool uses “cookies,” which are text files placed on your computer, to collect standard Internet log information and visitor behaviour information in an anonymous form. The information generated by the cookie about your use of the website (including IP address) is transmitted to Google. This information is then used to evaluate visitors’ use of the website and to compile statistical reports on website activity.
We will never (and will not allow any third party to) use the statistical analytics tool to track or to collect any Personal Data of visitors to our site. Google will not associate your IP address with any other data held by Google. Neither we nor Google will link, or seek to link, an IP address with the identity of a computer user. We will not associate any data gathered from this site with any Personal Data from any source, unless you explicitly submit that information via a fill-in form on our website.
9.2 We may aggregate information in a general way and use it to provide class information; by using the website or emailing us, you consent to this anonymization of your information. We may collect and anonymise information about your visit to and use of the website, including sales data, traffic data and related site information, for example to monitor the performance of a particular page on our website. We may also collect anonymised information during the course of products and services which we provide. This information helps us to evaluate and improve our website and services and may also be used for investment analysis purposes. As Non-Personal Data does not personally identify you, we may use it for any purpose.
9.3 Please check our Cookies policy for further information about cookies.
- Personal identifiers from your browsing activity
10.1 Requests by your web browser to our servers for web pages and other content on our website are recorded. We record information such as your geographical location, your Internet service provider and your IP address. We also record information about the software you are using to browse our website, such as the type of computer or device and the screen resolution. This information is recorded by Google Analytics as well as via certain 3rd party plugins installed on our website. We use this information in aggregate to assess the popularity of the webpages on our website and how we perform in providing content to you. If combined with other information we know about you from previous visits, the data possibly could be used to identify you personally, even if you are not signed in to our website.
- Our use of re-marketing
11.1 Re-marketing involves placing a cookie on your computer when you browse our website in order to be able to serve to you an advert for our products or services when you visit some other website. We may use a third party to provide us with re-marketing services from time to time. If so, then if you have consented to our use of cookies, you may see advertisements for our products and services on other websites.
- Our use of Call Tracking
12.1 We may have call tracking installed on our website. This tracking will automatically record certain information about the visitor by using various types of technology including cookies, clear gifs or web beacons. This automatically collected information may include the phone number, IP address or other device address or ID, geographic location of the visitor, web browser and/or device type, the web pages or sites visited just before or just after visiting the site, the pages or other content the visitor views or interacts with, and the dates and times of the visit. Calls may also be recorded.
- Access to your Personal Data
13.1 At any time you may review or update Personal Data that we hold about you by contacting us. To obtain a copy of any information that is not provided on our website you may send us a request at gdpr@myogenes.com. After receiving the request, we will verify that you are who you claim to be and then we shall provide to you the information within 30 days. In usual circumstances, no fee is payable.
- Disclosure of Personal Data
14.1 Your information, whether public or private, will not be sold, exchanged, transferred, or given to any other company for any reason whatsoever, without your consent, other than for the express purpose of delivering the product or service requested.
14.2 We may disclose your Personal Data within the Myogenes group, your medical advisor (where applicable), other professional advisers, and to such other third parties as may reasonably be required in connection with the purposes referred to in this Privacy Policy, such as operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. The providers of any testing services contracted with you shall have direct access to your Personal Data and the service shall be provided to you by them on our behalf, under our control and at your instruction. We take responsibility for our third party suppliers who process your Personal Data on our behalf and require them to have in place appropriate technical and organisational measures to protect your Personal Data. We reserve the right to disclose any and all pertinent information to law enforcement or other governmental officials as we, in our sole discretion, believe necessary or appropriate.
14.3 The disclosures of your Personal Data described in this Privacy Policy may, if the medical professional contracted with you and/or testing service is outside of the European Economic Area (EEA), or you yourself are based outside the European Economic Area (EEA), involve the transfer, storage or processing of your Personal Data to such country, where the level of data protection is not as high as in the EEA. By providing us with your Personal Data in such circumstances you agree to such transfers of your Personal Data. We will take all steps reasonably necessary to ensure that your information is treated securely and in accordance with this Privacy Policy.
14.4 We may also disclose Personal Data in special cases when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating our deployment Terms of Service, or may be causing injury to or interference with any of our rights or property, other users, or anyone else. We may disclose or access account information when we believe in good faith that the law requires it and for administrative and other purposes that we deem necessary to maintain, service, and improve our products and services.
- Encryption of Personal Data sent between us
15.1 We use Secure Sockets Layer (SSL) certificates to verify our identity to your browser and to encrypt any data you give us. Whenever information is transferred between us, you can check that it is done using SSL by looking for a closed padlock symbol or other trust mark in your browser’s URL bar or toolbar.
- Transfers of personal data outside of UK/EEA
16.1 The Personal Data which we collect from you is stored in one or more databases hosted by third parties located in the United Kingdom. These third parties do not use or have access to your Personal Data for any purpose other than cloud storage and retrieval.
16.2 Where medical professionals contracted by you or our testing service suppliers are based outside of the UK/EEA, information we collect from you may be processed in that country for the purpose of providing to you the product or service that you have requested. Some of these countries have not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. Myogenes relies on derogations for specific situations as set forth in Article 49 of the GDPR and the testing service’s Privacy Shield (where applicable for USA). In particular, Myogenes collects and transfers to such countries your Personal Data only: with your consent; to perform a contract with you; or to fulfil a compelling legitimate interest of Myogenes in a manner that does not outweigh your rights and freedoms. We endeavour to apply suitable safeguards to protect the privacy and security of your Personal Data and to use it only consistent with your relationship with us and the practices described in this Privacy Policy. For transfers of Personal Data to countries without an adequacy determination by the EU (“Inadequate Protection Countries”), we shall with the relevant third party medical professional or testing service adopt and agree without modification or amendment the EU Standard Contractual Clauses (“Standard Clauses”) for transfers of Personal Data from EU/UK to USA and such other countries. To the extent of any conflict of such Standard Clauses and this Privacy Policy, the terms of the Standard Clauses shall prevail without limitation to such transfers from EU/UK to Inadequate Protection Countries. You consent to this approach where applicable.
- Compliance with Data Protection Law
17.1 Our Privacy Policy has been compiled so as to comply with the law of every country or legal jurisdiction in which we aim to do business. If you think it fails to satisfy the law of your jurisdiction, we should like to hear from you. However, ultimately it is your choice as to whether you wish to use our website, products and services or otherwise contract with us. Myogenes complies with the principles of EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Myogenes is not a registered US company and therefore cannot certify that it adheres to the Privacy Shield principles. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield principles, GDPR as implemented in the UK shall govern. To learn more about the Privacy Shield program please visit https://www.privacyshield.gov/.
17.2 To help protect the privacy of Personal Data processed by us, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We restrict access to your Personal Data to those Myogenes personnel who need to know that information to provide benefits or services to you. In addition, we train our personnel about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees’ privacy responsibilities.
- Review of this Privacy Policy
18.1 We reserve the right, in our sole discretion, to modify, alter or update our Privacy Policy at any time. Such modifications, alterations, and updates shall be effective immediately upon posting. Your continued use of this website following the posting of a modified, altered, or updated Privacy Policy will mean you accept those modifications, alterations or updates. We advise you to print a copy for your records. If you have any question regarding our Privacy Policy, please contact us.
Last Updated 16 August 2021