Paramount GDPR Statement
Paramount Medical is committed to the protection of personal data and compliant with the General Data Protection Regulation (EU) 2016/679 (GDPR).
We will never sell or lease your data to a third party.
Collection of personal information and its use.
Through our interactions with you, whether in person, by phone, via our website, or by email, we may collect personal data including (but not limited to):
Name, email, telephone numbers, fax, and professional data including place of work, job title, hospital size, speciality, etc.
For the purpose of (but not limited to):
- Processing orders
- Fulfilling our duties as a supplier to you
- Informing you about product specific information
- Informing you about news of our company
- Informing you about availability of products
- Obtaining feedback on our products and services
- Conducting market research
- Communicating with you when necessary including marketing, newsletters, product launches, or responding to your questions.
- Providing support or training
- Contract Management
- Performing due diligence
- Complying with legal or regulatory obligations (for example, informing you of adverse incidents)
We contact you for the above on the legal grounds that we:
- Have collected your consent (all records of consent include the manner in which it was collected and the date it was collected)
- Need to collect and process your personal data to comply with regulatory obligations
- Are in or working towards a contract with you
We only collect data necessary to perform the above, and we only retain your information as long as needed to provide you, your company, hospital or department with the information above.
Your personal details are deleted when they are no longer necessary for communicating the above information.
If you would like to change your consent, or make a complaint or request to our GDPR team please click here.
Transfer of Information
We do not transfer any personal data to any other companies or individuals within or outside the European Union, except to cloud-based service providers that perform core processes such as post-market surveillance, order processing and invoicing (CRM and ERP systems).
From time to time we may be asked for references in which case we will always seek your permission prior to using you as a reference.
Your GDPR Rights:
You have the right to:
- Have access to your data: You can request the data we have and how we use it.
- Data rectification: If we hold inaccurate or incomplete personal data, please let us know and we will rectify it.
- Have your data deleted: you have the 'right to erasure' if you would like your personal data deleted from all of our systems.
- Request restricted processing: you can ask that we restrict use of your data to certain activities.
- Data portability: you can ask for your data to be transferred to another company.
- Object: you can object to your data being used for various uses including direct marketing.
- Withdraw your consent.
To exercise any of these rights, please click here. If you are not satisfied with our response, or believe we’re not processing your personal data in accordance with the law, you can lodge a complaint with the relevant authority:
For the UK regulator: www.ico.org.uk/concerns.
For a list within Europe: edpb.europa.eu/about-edpb/about-edpb/members_en.
Systems and Security
We take security seriously.
To protect personal data and fulfil our obligations under the GDPR, we have detailed systems and policies in place that are updated regularly, and staff are trained on them regularly. Staff, systems and processes are accountable to our data privacy officer, who oversees compliance, including granting user access to data.
Our physical locations are secured with mortice-locked doors, are alarmed and monitored remotely, and are covered by CCTV.
Computers, Software and Cloud Security
Only approved software or cloud services are used. All cloud-based services have robust security controls, including complex passwords and multi-factor authentication, in place to protect stored personal data, and include an audit trail of use.
Only Windows 10 or Mac computers are used, and email is handled only through Office 365, the industry standard for business email.
No personal data is kept on non-compliant systems.
All portable laptops and mobile phones have remote-delete features, allowing the device to be wiped if lost or stolen.
When software is added or updated, testing is performed to ensure functionality and compliance.
The internal network is protected by state-of-the-art Netgear devices with robust security that record details of access, attempted access and network threats. The networks have firewalls and antivirus protection which detect, alert on and neutralise threats.
All files containing personal data are encrypted and password-protected, limiting access to users with permission only. Keys and passwords are managed under a strong password policy.
As part of their induction (and periodically thereafter), staff are trained on GDPR and security policies, including their role in protecting personal data. Their employment is subject to abiding by these policies. When an employee leaves the company, all access and accounts are immediately withdrawn, prohibiting further access. Any company laptops or phones have all data deleted and are reset to factory settings. Staff may not store any data on removable drives such as USB sticks or similar.
Policies are in place to ensure staff follow best practice for email, internet safety, and other forms of data collection, communication, retention and deletion.
Data Retention and Deletion
As a company we are trying to go paperless; therefore all personal data that remains in paper form is either captured digitally (if we have permission) and/or securely shredded.
For regulatory purposes, in line with the MDR, we retain any information relating to business activities for 10 years. Personal data is deleted as soon as requested, or as soon as it is no longer legally obligatory to keep or no longer needed.
Testing and Monitoring
As part of our commitment to protecting personal data, Paramount periodically tests the effectiveness of the policies and systems in place to protect personal data. Testing covers vulnerability management and penetration testing, data loss, and cyber attacks.
For more information or if you would like to speak to our GDPR team please email [email protected]