Data Privacy Statement

• Clients/Sponsor – Individuals and entities to which we supply medical communication and continuing medical education services as part of a contractual agreement
• Faculty members – Individuals and entities we work with for the delivery of medical communication and continuing medical education services and for whom we arrange attendance, travel and accommodation at events we are supporting globally on behalf of our clients
• Delegates – Individuals and entities we are supporting to attend events and for whom we arrange travel and accommodation globally on behalf of our clients
• Suppliers – Individuals and entities we engage with to supply services and assist with arrangements for the events
• Candidates – Prospective employees, or agencies on behalf of prospective employees, who have shared their details to apply for a position within the Obsidian Healthcare Group
• Employees – People employed by the Obsidian Healthcare Group to deliver our services, and support the company in doing so, using information required to contract, manage, reward and pay employees. This includes data classed as sensitive
• Visitors – Individuals viewing information about our company and services on our website, personal identifying information relating to this policy is maintained in website analytics and management systems to support development of our services and the use of our website as further described in this policy

For some information, we are the Controller – we decide the purpose and means of the data use and how it should be processed.

Such information includes but is not limited to: our own recruitment, employee information, our people’s arrangements for travel, pay roll, benefits, and health and performance monitoring of our employees.

Also see third party services section of this statement for information on where we have support and data are processed by others.

We may also be a Joint Controller for some information, for example, but not limited to, where we support and host a website for a client or sponsor this may be set up as a Joint Controller between us and the pharmaceutical company. For example, Obsidian Healthcare Group acting as a Controller through our service of managing the website operation and making arrangements to invite or register people on to the site, with the Pharmaceutical client company also being a Controller and using the information to select appropriate speakers or consultants from the website.

For other information, we are a Processor of the information – we process and use the information as instructed by the Controller, often a Pharmaceutical client or sponsor company. Such information includes, but is not limited to:

• Information on faculty databases and Speaker Knowledge websites administered on behalf of another organisation
• Payments on behalf of a client to faculty members for an event
• An application to run an event on behalf of a client company
• Our clients may give us access to information to aid the running of an event (eg for logistics or accommodation) that may have personal information or may require us gaining such information as part of this process

• Personal information we collect to run and manage events and provide services includes, but is not limited to: Name, Organisation, Email Addresses, Unique Country Identifiers, curriculum vitae (CV) and Biographies, Occupation, Roles, Skills and Experiences, Fax Number, Telephone Numbers, Social Media Identification, Dietary and Health Requirements, Gender
• We also collect personal information where we need to arrange further services as part of a contract or for employment, passport details, bank and health details required for employment, accommodation or travel arrangements. This may include information classified as sensitive or special category
• From your correspondence with us in planning for attendance at events on behalf of clients, congresses or in our own right, this may include location, travel arrangements, passport and visa details, and health information
• For employment, we also collect details such as gender, marital status, dependants, next of kin, emergency contact details, photographs, and health and sickness information, along with payments, tax, National Insurance number, salary, leave, start and end dates of employment, job title, work history, hours, records of compensation, performance, disciplinary and grievance information, location of workplace, closed-circuit television (CCTV) footage, information about your use of information and communication systems, benefits, pension, and other legally required information. These data include sensitive or special category data
• For recruitment, we collect rights to work documents, references, CVs, cover letters, emails and test scores as part of the application process
• We collect this information directly from the individuals as provided to us
• We also receive information from third parties for candidates for employment from agencies
• We gain information through social media connections for recruitment of employees in line with this policy and LinkedIn terms and conditions
• We also receive some delegate and faculty information directly from our Pharmaceutical industry clients
• For visitors to our website we collect data from cookies. Information collected automatically may include browser and device information, internet protocol (IP) address collected through cookies, web beacons and other technologies
• We may use third party web portals to collect and manage information as part of arranging events and supporting those registered with such portals
• We also collect information as part of feedback following our services including name, role, event attended and likes and dislikes about the event and any future learning you would like to see included
• For business purposes only, research using Google Alerts and Twitter Advanced Search may return publicly available information containing personal details
• For employees Clockify software for project hours and costs can include – email , name, hours spent on project, GPS location, Screenshot function, URL web tracking.

• Information is provided because you have completed registration forms, logistics forms, emails or forms in web portals and alike
• Candidates’ information from agencies for recruitment purposes
• We also collect information as part of post-event surveys and feedback to support future learning, research and event development following an event you have attended
• Information collected as part of details of transactions carried out with us in the delivery of services
• We are provided some information by clients or sponsors of the service or event, such as names and contact details including email and address information, to arrange further support to the individual to provide a service (Faculty) or attend an event (Delegate) or provide a service (Clients)

• You have given consent for us to process the data for one or more specific reasons, for example you have consented on a logistics form for us to book travel and accommodation on your behalf
• We need to process your data as you are party to a contract or to arrange a contract with you, for example collecting your bank details included in the contract to make payment to you for work you carried out
• To comply with a legal obligation, for example disclosing payments, travel and accommodation costs to a sponsoring company so that it can be placed on a disclosure payments website
• To protect your vital interests, for example providing your next of kin details if you were involved in an accident
• To carry out a task that has the purpose of the legitimate interests of the Controller or third party, for example providing your name and role to a design and print company to include on an agenda for a conference, or to provide services related to the business of the Group
• An individual data subject can obtain further information on the legitimate interests and balancing of interests of their data where legitimate interests is the lawful reason for processing the data on request to dataprivacy@obsidianhg.com

• To provide medical communications and independent/continuing medical education (IME/CME) services such as written information for clinical, disease awareness and educational usage and/or arrangement and delivery of events on a global, regional or local basis
• To manage and arrange logistics, travel and accommodation for faculty, delegates, clients and our own people at such events
• To present our services to clients, arrange accounts and set up contracts
• To manage applications, provide customer service and process payments for faculty, delegates and clients
• To provide clients with information about events, history, services and experience
• To apply for funding for grants for medical education from companies, where experience of services may include names and roles
• To provide and enable systems to pay, charge and reimburse: suppliers, clients, faculty and delegates for services and costs associated with managing logistics, events and services including the use of Clockify software
• To provide information required by laws related to transparency for payments and services delivered as required by local country laws, requirements, codes and rules
• Notify clients, faculty, delegates and suppliers about any changes to codes or legal requirements affecting the service or events
• To communicate with all classes of individual by: telephone, email, fax, post and other electronic means about services we are providing or future opportunities that may be of interest to them. We do not share information with third parties for the purposes of marketing
• For medical communications, we share information about individuals attending events and receiving services with our clients that are sponsoring/funding the event or service to facilitate the running of the event, also to provide evidence of compliance
• We share information with our clients (Controller) about the events – faculty and delegate, name, address, CV, email, payments and expenses, travel, accommodation, disclosure via shared drives, cloud storage and individual company portal systems for reporting and approval of events
• To provide users of our website and services with enhanced experiences in line with their interests and preferences
• To facilitate the use of technology for support and to enhance services at events, by way of question and answer (Q&A) apps and feedback by use of electronic surveys and other information and feedback collection systems
• To provide selected audio-visual and conference services we work with third party companies to deliver the best digital services and may need to share names and email addresses with them to facilitate these services
• To perform research and analyse the use of, or interest in, our products, services and content
• To support our business with tasks such as data analysis, audits, fraud monitoring and prevention, developing new products, improving or enhancing our services, identifying new trends and developments, research, determining effectiveness of our work and services and operating and expanding our business activities
• We may on occasion share personal data with other companies within Clanwilliam Group to deliver, support or enhance our services
• As we believe it to be necessary or appropriate under applicable law, including outside of the country of residence to comply with legal process, to respond to requests from the public or government authorities, including outside of the country of residence, or to comply with specific code(s) related to the industry requirements and disclosure
• To carry out Human Resources (HR) tasks, pay roll tasks, people management tasks, recruitment and selection of employees for the Obsidian Healthcare Group of companies, including the processing of sensitive health data
• Employee special categories of personal data, such as health or disability data, are processed for Health and Safety, to assess for adjustments, to decide fitness to work, and manage sickness absence, which we process to comply with legal obligations and legitimate interests
• In provision of third party benefits to employees and arrangements for various types of leave
• To carry out our obligations to enforce terms and conditions applicable to our services and those in our agreements including billing and collection purposes
• To protect our business and operations, rights, privacy, safety and property and to allow us to pursue available remedies or limit damages we may sustain
• To manage and audit our processes and procedures to ensure compliance, this includes cooperating with a Data Controller where we are a Processor of information, or a Supervisory Body, for example, where required by the Information Commissioner’s Office (ICO)
• To protect the safety and property of our employees and others including where we rent shared office space, including security pass and CCTV systems. To monitor our Information Technology (IT) and Communication systems to ensure compliance with our policies and to ensure network and infrastructure security
• To comply with our Health and Safety obligations
• To protect against and identify fraudulent transactions, including where reasonably necessary for fraud protection and credit risk reduction exchange of information
• In other ways which we describe when you provide the information to us
• To fulfil other purposes for which you provide personal data, or with your explicit consent
• We may contact individuals and companies via email, telephone or direct mail about services that may be of interest to them. Where required we will seek and obtain explicit authorisation before we do this. We do not share information with third parties so that they can contact you for advertising purposes. We include an option to opt out or unsubscribe to such emails, please follow the link in the email or contact us at dataprivacy@obsidianhg.com

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law.

In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we require and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

Where we process under the conditions for consent, we consider this a lawful reason for processing in accordance with the GDPR. We retain consent for 2 years unless instructed to the contrary by the individual or data Controller.

• Your rights include: rights to request from a Controller access to, rectification, erasure or restriction of processing of your personal data and a right to portability subject to certain conditions within the GDPR
• Where processing is based on consent, the existence of the right to withdraw consent at any time
• You have the right to lodge a complaint with a supervisory authority
• Where you are required to provide data of a contractual or statutory nature, failure to do so could result in us being unable to supply a service to you, make payments, or be unable to comply with a legal obligation resulting in civil or criminal liability
• If additional or further processing by the Controller is required, you will be informed prior to processing and will be provided with the required additional information on the processing

You have the right to object to the processing of your data where the Obsidian Healthcare Group is the Controller of the information – please contact dataprivacy@obsidianhg.com

• We disclose aggregate information about users and services and other information that does not identify individuals without any restriction
• We disclose personal information to our clients (Controller), so they can comply where required by code or legal act with regards to payments and sponsorship, such personal information as name, country unique identifier, address, occupation, work address, payments and expenses for disclosure and transparency where required to do so by country laws in the manner identified by the country
• We may disclose personal information described and identified within this policy to: companies sponsoring our services, companies supporting or managing events, and conferences where required for registration purposes
• We may disclose information to suppliers of logistical services for travel, visa and accommodation arrangements for the event and suppliers of materials required for the event or support such as printing, design, IT, websites and web hosting
• Disclosure for payment and bank services to provide payments and expenses for the services provided
• Disclosure to our internal employee resourcing to ensure the event or service is achieved
• We disclose information when we are a Processor as described in contracts and under instructions from the Controller, without ignoring our responsibilities under the GDPR
• If the processing is based on your consent we will disclose the information once you have specifically consented to the disclosure
• We may disclose information in the event of a merger, divestiture, restructure, reorganisation, dissolution, or other sale or transfer of all or part of the Obsidian Healthcare Group
• Personal data maybe disclosed in relation to legal proceedings or in response to a law enforcement access request

• Your rights include: rights to request from a Controller access to, rectification, erasure or restriction of processing of your personal data and a right to portability subject to certain conditions within the GDPR
• Where processing is based on consent, the existence of the right to withdraw consent at any time
• You have the right to lodge a complaint with a supervisory authority
• Where you are required to provide data of a contractual or statutory nature, failure to do so could result in us being unable to supply a service to you, make payments, or be unable to comply with a legal obligation resulting in civil or criminal liability
• If additional or further processing by the Controller is required, you will be informed prior to processing and will be provided with the required additional information on the processing

You have the right to object to the processing of your data where the Obsidian Healthcare Group is the Controller of the information – please contact dataprivacy@obsidianhg.com

We use other companies’ services for some situations where we are the Controller of the data and at the request of or on behalf of our clients or sponsors if we are the Processor.

• This Data Privacy Statement does not address, and we are not responsible for, the privacy, information or other practices of third parties such as Google, Microsoft, app developers, social media platforms or other providers of support to events or registration services
• We may share personal data details with third parties to: arrange or support logistics, travel, visa applications or accommodation
• Authorisation for attendance from professional bodies, registration for attendance with conference websites, companies sponsoring events, companies providing design and or print, copyright holders and companies providing IT or web hosting support to events or services
• We use third parties to provide support to our employment function including pay, HR functions and candidate online tests and training
• Our Office space at 25 Wilton Road, Victoria, London, SW1v 1LW, UK has support for facilities, security and CCTV from WeWork
  • Link to WeWork Privacy statement - https://www.wework.com/en-GB/legal/privacy
• Our office space at Wolfelands, High Street, Westerham, Kent, TN16 1RQ, UK has facilities, security and CCTV provided by Wolfelands Limited
• We may be required to share personal data with clients to facilitate approval, legal or code requirements and are required to use shared/cloud storage/web-based portals with the client or approver
• Where we use third parties to process personal data such as HR functions and internal communication functions, we have contracts which specify and instruct on what they can do with the information and how they should process it. They will hold personal data securely and retain it for a period we instruct in line with this statement
• Clockify for employees data privacy link https://clockify.me/privacy

Cookies help us to: Make our website work as you would expect, remember your settings during and between visits, improve the speed/security of the website, continuously improve our website for you.

We do not use cookies to: Collect any personally identifiable information (without your express permission), collect any sensitive information (without your express permission), pass data to marketing networks, or pass personally identifiable data to third parties. You can learn more about the cookies we use below.

For more information about cookies please visit www.allaboutcookies.org

Turning cookies off: You can usually switch cookies off by adjusting your browser settings to stop them accepting cookies. However, doing so will likely limit the functionality of a large proportion of the world's websites, including ours, as cookies are a standard part of most modern websites.

A session cookie lasts only for the amount of time you use our website, persistent cookies remain on your device until you reactive it when you revisit the site, or it expires, or it is deleted.

Web beacons are invisible files imbedded in web pages and emails to track online users, for example, counting the number of visits to a web page or how long you spend on a page.

Analytics: We use the information from cookies, web beacons and Google analytics to customise the experience of your visit to our web pages or media site to meet your interests, preferences and to improve our knowledge and research of visitor’s interactions with our web and media sites. If we wish to collect any personal information we will be clear at the time and identify what we intend to do with these data.

Obsidian Healthcare Group does not use automated decision making or automated profiling technology.

Our own website and those we support on behalf of clients are developed, hosted and supported by various third parties and the information regarding cookies and data analytics applies. We use a third-party service to help maintain security and performance of the websites. In delivering this it processes IP addresses of visitors to the sites.

We may use third parties including their apps and tools to gain information for surveys following an event or service. We use this information to review the service and learn for future services. We may pass on the non-personal analytics of the feedback on performance to the sponsors of the services.

We may on occasion require the use of a translation service. The third party that provides this does not keep or retain any personal details.

All emails sent to us, including attachments, may be monitored by us for security and compliance with our policies. Email monitoring and blocking software are used.

We use third party software and support for functions including payroll, internal communication and HR functions, the information may be stored in locations in the UK and wider EU (European Economic Area EEA) area.

Link to PeopleHR data privacy statement https://www.peoplehr.com/privacy.html

We use Clockify for billing of correct hours of employees to clients

Upon request, Obsidian Healthcare Group will provide information on whether we hold any of your personal information. You may send us an email at dataprivacy@obsidianhg.com to request access to (Right of access), correction of (Right to rectification), or deletion of (Right to be forgotten) personal information that you have provided to us in accordance with and specified in the GDPR. Please ensure your request clearly identifies what personal data information you would like us to change. We may for your protection verify your identity before implementing your request. We will respond to your request within one (1) month and if we cannot do so we will inform you of why this cannot be achieved. We may not be able to accommodate your request if we believe the change or deletion would violate a law or legal requirement or cause the information to be incorrect. Under the GDPR some of the rights are relative and where we cannot comply with a request we will inform you within the specified timescales of the reason for not complying with a request. Other rights, such as a right to object or restrict processing, and the right to data portability also apply to personal data we hold.

We retain information if it is necessary and relevant for our operations. In addition, we retain personal information to comply with applicable laws, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, enforce our Terms of Service, and other actions permitted by law. When your personal information is no longer needed for our business purposes, we dispose of it subject to applicable laws.

Specific examples Include:

• Candidates’ CVs, test scores and interview information to apply for a job with Obsidian Healthcare Group are kept for 12 months following application
• General employee information such as: qualifications, references, health questionnaires, next of kin details, contact details, signed policies and contracts are kept for the term of employment and then for an additional 6 months after leaving before being destroyed
• Other employee information such as: name, date of birth, proof of identity documents, information for wages and pay, the last two appraisal outcomes, CV, parental leave, personal injury, and statutory sick pay purposes for an additional 8 years, this is to ensure we meet legal requirements such as the Parental Leave Acts 1998–2006, Companies Acts 1997, National Minimum Wage Act 2000, Limitation Act 1980 (c.58), and statutory sick pay records
• Employees’ previous performance appraisals are kept until leaving, when the last two remain on file for 8 years before being destroyed
• Payments to clients, employees, suppliers and faculty for 7 years to meet our accountancy and transparency rules
• Project files for clients are kept for 10 years after working with a client for evidence or to provide support with such evidence in the event of code or legal challenges – or in line with the contractual requirement of the client or Controller
• We keep contact details (names and email contacts) for clients whilst we are contracted and actively working with you and then with project files for 5 years – or in line with the contractual requirement of the client or Controller
• We keep healthcare professionals and other persons we work with details (name and email) with the project files for 2 years after they are involved – or in line with the contractual requirement of the client or Controller
• Items that are certified by Pharmaceutical companies are kept for a minimum of 3 years for the UK under the Association of British Pharmaceutical Industries (ABPI) code
• Disclosure records for healthcare professional payments in the UK (ABPI code) are kept in the public domain for 3 years and company records for 5 years
• Tax records in line with Her Majesty’s Revenue and Customs (HMRC) guidance of 6 years beyond processing year end
• Pensions records for employees are kept until a pension is actively drawn
• We delete posts and tweets once they are no longer required for the purpose they were placed, this removes the personal data associated with the posts or tweet such as likes and comments

As defined in the UK children are persons under 13 years old. Under the GDPR they are defined as under 16 years old. Our service is not intended for children. We do not collect, keep or process personal information obtained from children. If you believe we may have any information obtained from or about a child under the age of 16, please contact our Data Privacy Officer using the contact information at the end of this Data Privacy Statement.

Obsidian Healthcare Group is headquartered at Wolfelands, High Street, Westerham, Kent, TN16 1RQ, UK and may store and transfer data outside the country of your residence, which may have different data protection rules than those of your country.

• Obsidian Healthcare Group transfers data for logistics such as events, travel, visas and accommodation for clients, employees, faculty and delegates and to suppliers to assist with this process
• Obsidian Healthcare Group may need to transfer information to meet legal requirements such a disclosure and transparency requirements under pharmaceutical codes such as the European Federation of Pharmaceutical Industries and Associations (EFPIA) and laws such as the Physician Payments Sunshine Act (part of the US Affordable Care Act) or to the police, regulatory bodies or for legal advice
• Information to arrange events with clients across all global locations for such events we are supporting. Data can include (but are not be limited to) name, address, date of birth, country travelling from, nationality, gender and passport or visa numbers
• Transfer can include within the UK and EU to countries identified as adequate and wider global countries with the use of legal mechanisms such as Standard Contractual Clauses
• We may transfer your data for any other purpose to which you explicitly consent having been informed of any associated risks, such as logistics and event support, or to carry out a contract in other countries as required by the event location

Internet and data privacy best practice are constantly developing. We update this Data Privacy Statement to reflect changes to our practice and we reserve the right to revise this policy and publish the changes on the privacy page of our website. We encourage you to review this privacy page periodically to ensure you are aware of what information we collect and how we process it. This policy was updated on 8 June 2022.