Privacy Statement for Healthcare Professionals (HCPs) using the Direct-To-Patient Sample Service
This Privacy Statement provides information on how personal data is processed when you are a healthcare professional (HCP) completing this form on behalf of a patient receiving samples using the Fresenius Kabi Direct-To-Patient Sample Service. Information on your privacy rights and how to exercise these or raise any questions or concerns is provided below.
We may, from time to time, update this privacy notice when it is necessary to do so, the notice was last updated in October 2022, the previous version dated June 2020 can be found here - https://www.freseniuskabi.com/gb/documents/EN_Patient_Sample_Service_Privacy_Statement.pdf
Who are we?
The Fresubin Direct-To-Patient Sample Service is provided by Fresenius Kabi Limited who is the controller and responsible for the processing of the personal data that is provided via the Fresubin Direct-To-Patient Sample Service website www.samples.fresubin.com/uk.
Fresenius Kabi Limited has appointed a Data Protection Officer; if you have any questions about your data or how it is processed you can contact them using the information in the ‘How to Contact Us’ section below.
What personal data do we collect?
When you place a Direct-To-Patient Sample Service order as an HCP we will collect and process both the patient and HCP personal data that you provide us with as part of the order process.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect the following types of personal data when you place an order on our website:
• HCP first and last name
• HCP job title and location information
• HCP Email address
• Patient delivery address including postcode
• Patient first and surname
• HCP Address including post code
• Details of the product that the patient requires a sample of – this is classed as sensitive data
Why do we collect and use your data?
We need to collect and process the patient address and name to fulfil and deliver the patient’s sample service order.
We need to collect and process the HCP personal data for the following reasons:
• To track deliveries and communicate directly with the HCP any changes needed to enable the order to be processed
• To create, verify and fulfil your online HCP account
• To allow you to review the status of your orders and your order history
• To recommend products and services that may be of interest to you (providing you have provided us with your consent to receive marketing communications)
We may also use patient and HCP personal data on an anonymized basis for planning and managing the Direct-To-Patient Sample Service.
We will only process your personal data where the law allows us to. The main legal ground we rely on is the consent obtained by the HCP from the Patient to process their data to fulfil the sample service order. You have the right to withdraw this at any time. However, when consent is withdrawn, we can’t process personal data to fulfil the sample order. We may also rely on our legitimate interests to process data; when doing so, we ensure that they are not overridden by your data protection interests or fundamental rights and freedoms.
For any health-related data that we obtain, such as your Direct-To-Patient sample order product, we need to meet an additional condition for processing, which is the processing is necessary for the provision of healthcare and treatment.
There may also from time to time be circumstances where we process your data under other legal grounds for example:
• In relation to a dispute or legal claim
• To enable us to comply with a legal obligation
• If it is in the public interest, for instance to assist certain bodies to investigate deficiencies in the standards of care provided
• You have provided your explicit consent to specific processing activity
How we share your information
Fresenius Kabi will share the personal data that is provided to us within our group companies (for example if you are an HCP and have consented to receiving marketing information from us) and with our selected third-party service providers, to enable us to process and delivery your sample order.
These third parties include:
• Our Direct-To-Patient Sample Service Distribution provider who fulfills the requests for samples on behalf of Fresenius Kabi Limited
• Our Delivery Partners, who deliver the sample order to the patient directly
Our third-party application and hosting providers who ensure that our website and systems function correctly for your use and to ensure the sample service runs well. We only send your data to a third party when we have a legal agreement with them, to ensure that the personal data we send will only be used for the purposes that we provide it for (such as fulfilling the sample service order) and will be kept secure and confidential.
The Security of your data
We process your personal data in line with relevant data protection laws and use appropriate technical and organisational measures to protect the personal data that we collect and process about you, e.g. data separation and encryption. We also comply with the NHS Toolkit standard. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data.
How long do we store your data for?
Your personal data will only be used for the purposes stated above and will be retained by Fresenius Kabi for as long as we have an ongoing legitimate business need to do so, e.g. until the sample has been provided to the patient and there is no other reason to retain the data.
As long as an HCP actively uses the Fresubin Direct-To-Patient Sample Service their data should be stored. If they are inactive for a period of 24 months, the HCP data should be deleted.
Patient data (delivery address) and order history will be deleted after 6 months.
We cleanse the data every year to ensure the removal of inactive HCPs and patient data following the above time periods.
Transfers: No specific onward transfer of your data to third countries (countries outside the European Economic Area) is foreseen. If we do need to transfer your data outside of the EEA, we will put relevant safeguards in place, for example an International Data Transfer Agreement, or EU Standard Contractual Clauses.,
You have the right to ask us to do various things with your data, you have the right to request access, for rectification or erasures of your personal data. You also have the right to object to processing your personal data, to request the restriction of processing of your personal data or request data portability. You can also withdraw your consent to process your personal data. If you wish to exercise any of your personal data rights, or raise a complaint about how Fresenius Kabi has handled your data you can do so by contacting us using the contact details in our ‘how to contact us’ section below.
How to contact us:
You can enquire about or exercise these rights by sending an e-mail to data.protection-UK@fresenius-kabi.com or contacting our Data Protection Officer (email@example.com).
You may lodge a complaint with the Information Commissioners Office the UK data protection authority on their website (https://ico.org.uk/).