Privacy Notice

 This Notice applies to Personal Information related to physical persons within these categories:

• “Website Users”: healthcare professionals or other users visiting the pages of the Company’s website www.mindrayuk.com (the “Website”).
• Suppliers: any supplier, service provider, former supplier or contractor of the Company (each a “Supplier”).
• Clients: any client of the Company or potential client, reseller, dealer, distributor or representative of a healthcare organisation, either in the public or private sector, or other subjects contracting with the Company.

Specific sections of this Notice are dedicated to a single category of Data Subject where expressly indicated.

This Notice may need to be modified from time to time as necessary in the future to reflect changes in circumstances. We shall provide Data Subjects with a new version when any substantial updates are made. The Data Subjects can access the most recent version at any time by visiting the Company Website, or by contacting the Company at the address or contact details indicated in the Notice.

a) Cookies and browser data (Website Users)

When visiting and using the Website for information purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server, which are technically necessary for us to display our website to you and to guarantee stability and security.

We transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Mindray Group or to external service providers, contractors (e.g. hosting, content management system) in accordance with the purposes required (for displaying the website and setting up its content).

Legal basis: Art. 6 (1) b GDPR.

In addition to the aforementioned data, cookies and other similar storage technologies are stored on your computer when visiting and using our website. Please refer to our Cookies Policy available on www.mindrayuk.com for further information about cookies.

b) Administrative information (clients and suppliers)

Throughout a Client or Supplier relationship with the Company and for as long a period as is necessary following the termination of such relationship, the Company will generate, collect and keep records that may include, without limitation, all or some of the following categories of Personal Information for the purposes described below:

• Name, postal address, phone number, mobile phone number; personal email address;
  
• Date of birth;
• Passport Number or State ID Number;
• Immigration information, if applicable;
• Professional identification;
• Details of terms of employment or relationship; contractor agreement;
• Correspondence with the Company and other information provided by the Data Subject to the Company;

We collect administrative information of Suppliers and Clients to:

– select Suppliers and Clients;

– negotiate, enter into or execute a contract;

– fulfill obligations established by law, by regulations and by community legislation, including tax and/or accounting obligations;

– acquire information preliminary to the conclusion of contracts;

– fulfill, before the conclusion of the contract, specific requests from the Supplier or Client;

– perform obligations deriving from the contract concluded;

– provide a service or allow the supply of the same;

– answer questions and requests for information,

– exercise rights in court, in case of judicial proceedings, requests from courts and competent authorities or in relation to other legal obligations and if Company in good faith believes that the processing of Personal Data is necessary to fulfill obligations deriving from the legislation applicable and to protect and defend Company’s rights and property.

Legal basis: we process this information on the basis that it is necessary for the performance of the contract (Art. 6 (1) (b) GDPR), or that it is required by law (art. 6 (1) (c) GDPR), or that it is in the Company’s legitimate interests to do so to ensure its business is run efficiently (Art. 6 (1) (f) GDPR).

c) Financial information (clients and suppliers)

The Company may collect and keep records that may include, without limitation, bank account details or other account where Clients or Suppliers receive their payments.

We collect financial information to pay a Client or Supplier in accordance with the terms of their contract. We process this information on the basis that it is necessary to perform the contract (Art. 6 (1) (b) GDPR), or it is necessary to comply with the Company’s legal obligations under tax legislation (Art. 6 (1) (c) GDPR).

d) Personal information for inquiry and marketing purposes

The Company may collect the following information for contact purposes

• Name
• email address
• postal address
• phone number, mobile phone number
• personal data submitted during the conversation or message

When contacting or communicating with us, e.g. by email or via the contact form on our website, the data you provide will be stored and processed by us in order to answer your questions, requests or for the purpose of business related correspondence. We delete the data arising in this context once storage is no longer necessary, unless statutory retention obligations exist or periods of limitation must be observed.

We may transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Mindray Group, distributors or to external service providers, contract processors (e.g. cloud hosting, service providers) if necessary and in accordance with the purposes required (e.g. for establishing contacts, business related correspondence, customer care, etc.).

Legal basis: Art. 6 (1) b and (f) GDPR.

– Newsletter and marketing communications

With your explicit consent, when required, we may process Personal Information to send the Company’s Newsletter or other marketing communications. Consent may be provided by you in various ways, e.g. through the specific Website section, in writing to member of our staff during events, etc. Consent for the newsletter is optional and not necessary to receive other services from Mindray.

The newsletter contains news and further information on the Mindray products.

By subscribing to the newsletter or providing your consent for marketing purposes you may receive personalized information about the products, services or events of the Company by email or phone, according to the preferences selected.

The data may be forwarded to our cloud management system and customer platform, which other Group Companies and/or service providers may also access to support and implement the marketing communications.

The collected data are deleted after 12 months or in the lack of a new consent as requested. If you no longer wish to receive the newsletter, you can unsubscribe at any time. Click on the link contained in each newsletter, you will then be guided through the unsubscribe process, or send us your withdrawal by email.

Legal basis: Consent (Art. 6 (1) (a) GDPR) and art. 6 (1) (f) GDPR in case there is no consent requirement.

e) Sensitive personal data of data subjects for purposes of due diligence or client relationship management

During the Supplier’s selection process, the relationship with Clients, or the interaction with Website Users, the Company may receive Personal Information that contains Sensitive Personal Data, namely:

• Racial or ethnic origin, political opinions, religious or philosophical beliefs;
• Trade union membership;
• Genetic data, biometric data for uniquely identifying a natural person;
• Data concerning physical and mental health; and
• Data concerning a natural person’s sex life or sexual orientation.

Sensitive Personal Data are collected merely if received by the Data Subjects (Art. 6 (1) (a) GDPR, art. 9 (2) a, art. 9 (2) (b) GDPR).

We may also collect a limited amount of criminal convictions data where the law allows us to do so and to extent allowed. This will usually be where such processing is necessary to carry out our legal obligations or ethical due diligence and provided we do so in line with our data protection and retention policy.

How we collect personal information

We generate, collect and maintain Personal Information in connection with the Data Subject’s relationship, and as permitted or required by applicable law, for the legal bases identified above.

We obtain most Personal Information in the forms and applications that the Data Subject fills out in connection with his/her relationship with the Company.

We may obtain some Personal Information from third parties, including when we receive contact details for marketing purposes or where local law requires Data Subjects to provide his/her name to our service providers. In these cases, we inform Data Subjects of this Notice and use of the data at the time of first contact or no later than 1 month after receiving the personal data.

From time to time, we may need to disclose some Personal Information we process about Data Subjects to relevant third parties as listed below, in order to perform our obligations under a contractual relationship, in order to comply with our legal obligations or on the basis that it is in our legitimate interests to do so, in ensuring our business is run efficiently.

Any recipient or third party receiving the data by the Company, is a data processor duly authorised by us or an autonomous data controller, with the only exceptions provided by the Data Protection Laws.

• Tax authorities: We may transfer Personal Information if legally obliged to do so by the tax authorities;
  
• Group companies: We may transfer Personal Information to another entity within the Company’s Group or to one of our service providers for purposes connected with a Data Subject’s relationship with Company, and to the extent required for such purposes;
• Sale of the Company: Personal Information will be disclosed to buyers or prospective buyers of parts of the Company’s businesses and their advisors if and to the extent required in connection with such transaction;
• Government request: We will also disclose specified Personal Information to third parties in response to an administrative or judicial order, including subpoenas and search warrants, or similar information requests from government authorities;
• Litigation: We will disclose Personal Information if and to the extent required to establish or exercise our legal rights or to defend the rights, property, or safety of our organisation or others; or if and to the extent required in connection with litigation in response to a discovery request to the extent permitted by applicable Data Protection Laws. This information may be disclosed by the Company or by the service provider or the entity in the Mindray Group that holds the data in its servers;
• International transfer: If one or more of the following conditions are satisfied, we may transfer Personal Information to non-EU jurisdictions that may or may not have sufficient laws protecting the use of Personal Information;
             a) The non-EU jurisdiction is on the EU Commission’s adequacy decision list; or
             b) The Company has taken measures by way of appropriate safeguards for the Data Subject, which may consist of binding corporate rules approved the                     supervisory authority, standard data protection clauses adopted by the EU Commission or adopted by a supervisory authority and approved by the EU                       Commission, codes of conduct approved by a supervisory authority or the EU Commission, certification mechanism approved by supervisory authority, or                 contractual clauses authorised by a supervisory authority
  Please note that in the absence of an adequacy decision pursuant to Article 45(3) of the GDPR, or appropriate safeguards pursuant to Article 46 of the GDPR, the Company may still transfer Personal Information to non-EU jurisdictions only on one of the following conditions:
             a) The Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject               due to the absence of an adequacy decision and appropriate safeguards;
             b) The transfer is necessary for the performance of a contract between the Data Subject and the Company or the implementation of pre-contractual                             measures taken at the Data Subject’s request;
             c) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Company and another             natural or legal person;
             d) The transfer is necessary for important reasons of public interest;
             e) The transfer is necessary for the establishment, exercise or defence of legal claims;
             f) The transfer is necessary to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of                 giving consent;
             g) The transfer is made from a register which according to the European Union or Member State law is intended to provide information to the public and                   which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the                     conditions laid down by European Union or Member State law for consultation are fulfilled in the particular case.
  Personal Information may be transferred to and processed by, or on behalf of, entities in the Mindray’ Group that are based outside of the European Union. Each such entity has adopted, for the protection of our Data Subjects’ Personal Information, a notice and procedures that are consistent with the provisions of this Notice.

• National security: In exceptionally rare circumstances where nation, state, or company security is at issue, we may share Personal Information with appropriate government authorities as required or as permitted by the law.

From time to time we may transfer Personal Information to third parties outside of the European Union but only if the third party (whether controller or processor) has provided appropriate safeguards. The appropriate safeguards may be provided for by: (1) binding corporate rules or (2) the European Commission’s standard data protection clauses.

When the Company shares Personal Information with another entity, the Company requires this other entity to agree in writing:

• To use Personal Information solely for the purpose for which the information is being shared,
  
• Not to share this Personal Information with any third party outside of the Company,
• To use reasonable security measures to protect the Personal Information, and
• To comply with all applicable legal requirements.

The Company has appropriate technical and organisational measures in place to maintain physical, procedural, and technical security in its offices, information systems, and information storage facilities to protect Personal Information from loss, misuse, unauthorised access, erroneous disclosure, alteration, or destruction. We restrict access to Personal Information to those individuals who need access to that information to assist us in performing our duties and obligations.

The Company requires employees with access to Personal Information to keep it strictly confidential, to access it only on a need to know basis, and not to use it or to disclose it to third parties other than as permitted under this Notice, or as permitted or required by the applicable law. Failure to do so, such as unauthorised, inappropriate, or excessive disclosure of Personal Information about individuals, will be regarded as serious misconduct and will be dealt with in accordance with the Company’s disciplinary procedures.

Data Subjects acknowledge that transmission over the Internet is never completely secure or error-free. Because of this, we cannot and do not guarantee the security of Personal Information that the Data Subject provides to us when in transit through the Internet. Thus, when submitting Personal Information to the Company through an Internet connection, the Data Subject must weigh both the benefits and the risks before submission.

The Company is committed to collecting only Personal Information that is relevant for the purposes for which it is to be used as listed above. The Company is also committed to ensuring that Personal Information is not processed in a way that is incompatible with the purposes for which it has been collected or subsequently authorised by a Data Subject.

To the extent necessary for these purposes, the Company takes reasonable steps to ensure that all Personal Information is reliable, accurate, complete, and current.

According to Data Protection Laws and within its limits, the Data Subject has the following rights:

• to access and ask for a copy of the Personal Information about him/her that we hold (subject to certain restrictions);
  
• to ask for the amendment or correction of Personal Information that is demonstrated to be inaccurate or incomplete, to the extent permitted or required by applicable law;
• to obtain the erasure or deletion of his/her Personal Information;
• to object, to the collection and processing of his/her Personal Information;
• to withdraw consent to the processing of their Personal Information if the processing is based on consent;
• to file a complaint with his/her local data protection authority of his/her country regarding the processing of their Personal Information;
• to move, copy or transmit Personal Information from the Company’s database to another one; and
• to request the restriction of Personal Information processing;

If the Data Subject wishes to exercise any of the above rights the Data Subject should contact us as set forth in the section “How to Contact Us” below. We will process all requests within the time frames defined by applicable law (and if no such time frames are specified, within a reasonable time period).

We retain Personal Information and dispose of it in paper and electronic format, in a form that allows the identification of the Data Subjects, for a period of time not exceeding the achievement of the purposes for which they are processed or in accordance with Data Protection Laws and this Notice. Personal Information may also be stored in a cloud environment with a server located in a EU member state.

We will also retain certain Personal Information if necessary to prevent fraudulent activity, to protect ourselves against liability, permit us to pursue available remedies, or limit any damages that we may sustain, or if we believe in good faith that an order, law, regulation, rule or guideline requires such retention.

SHENZHEN MINDRAY BIO-MEDICAL ELECTRONICS CO. LTD. and Mindray UK Ltd are the joint controllers of the Personal Information, pursuant to art. 26 GDPR.

The address of SHENZHEN MINDRAY BIO-MEDICAL ELECTRONICS CO. LTD. is: Mindray Building, Keji 12th Road South, High-tech Industrial Park, Nanshan, Shenzhen 518057, P.R. China.

The address of Mindray UK Ltd is: Mindray House, Kingfisher Way, Hinchingbrooke Business Park, Huntingdon, Cambs, PE29 6FN.

To exercise any of the rights mentioned in section 11 and contact the Data Controller, please write at privacy.uk@mindray.com or at the address indicated above.