This Privacy Notice (“Notice”) defines the manner in which SHENZHEN MINDRAY BIO-MEDICAL ELECTRONICS CO., LTD., based in Shenzhen, China and its affiliate Mindray (UK) Ltd a company organised under the laws of England and having its registered office at Mindray House, Kingfisher Way, Hinchingbrooke Business Park, Huntingdon, Cambs, PE29 6FN (“Company” or “we/us”) process Personal Information (as defined below) that pertains to Suppliers, Clients and Websites Users, as respectively defined below (collectively, the “Data Subjects” or “you/your”).
This Notice does not apply to Employees (i.e. employees, temporary workers, secondees, agents or former employees of the Company or candidates whom the Company may potentially employ or contract with).
This Notice applies to all categories of personal data of Data Subjects received and generated by the Company whether in electronic, paper or oral recorded format (“Personal Information”).
We collect and process your personal data in accordance with all applicable data protection laws and regulations, including, without limitation, the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (“GDPR“), the Data Protection Act, as well as the laws, orders and guidelines issued by the competent data protection authorities, as applicable (the “Data Protection Laws“).
a. We will not collect Personal Information without the Data Subjects’ knowledge or without a legal basis to do so. This Notice sets forth the purposes for which we collect and use Personal Information, how to contact us with any enquiries or complaints, the types of third parties to which we disclose the information, Data Subjects’ rights in respect of their Personal Information and the choices and means available for limiting its use and disclosure.
b. We will not disclose Personal Information to third parties except as provided in this Notice.
c. We may transfer Personal Information outside of the European Union, to other jurisdictions that may or may not have equivalent laws protecting Personal Information; if we transfer Personal Information outside of the European Union, we will take appropriate measures to abide by the originating company’s local laws and to protect the Personal Information we transfer.
d. We have appropriate technical and organisational measures in place to protect the security of Personal Information we hold from loss, misuse and unauthorised access, disclosure, divulgence, alteration and destruction.
e. We will allow Data Subjects to exercise their rights in accordance with Data Protection Laws and within its limits including, without limitation the rights to access, correct or remove Personal Information upon request.
f. We will regularly review how we are meeting these privacy promises, and we will provide an independent specific way to resolve complaints about our privacy practices.
This Notice applies to Personal Information related to physical persons within these categories:
Specific sections of this Notice are dedicated to a single category of Data Subject where expressly indicated.
This Notice may need to be modified from time to time as necessary in the future to reflect changes in circumstances. We shall provide Data Subjects with a new version when any substantial updates are made. The Data Subjects can access the most recent version at any time by visiting the Company Website, or by contacting the Company at the address or contact details indicated in the Notice.
When visiting and using the Website for information purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server, which are technically necessary for us to display our website to you and to guarantee stability and security.
We transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Mindray Group or to external service providers, contractors (e.g. hosting, content management system) in accordance with the purposes required (for displaying the website and setting up its content).
Legal basis: Art. 6 (1) b GDPR.
In addition to the aforementioned data, cookies and other similar storage technologies are stored on your computer when visiting and using our website. Please refer to our Cookies Policy available on www.mindrayuk.com for further information about cookies.
Throughout a Client or Supplier relationship with the Company and for as long a period as is necessary following the termination of such relationship, the Company will generate, collect and keep records that may include, without limitation, all or some of the following categories of Personal Information for the purposes described below:
We collect administrative information of Suppliers and Clients to:
– select Suppliers and Clients;
– negotiate, enter into or execute a contract;
– fulfill obligations established by law, by regulations and by community legislation, including tax and/or accounting obligations;
– acquire information preliminary to the conclusion of contracts;
– fulfill, before the conclusion of the contract, specific requests from the Supplier or Client;
– perform obligations deriving from the contract concluded;
– provide a service or allow the supply of the same;
– answer questions and requests for information,
– exercise rights in court, in case of judicial proceedings, requests from courts and competent authorities or in relation to other legal obligations and if Company in good faith believes that the processing of Personal Data is necessary to fulfill obligations deriving from the legislation applicable and to protect and defend Company’s rights and property.
Legal basis: we process this information on the basis that it is necessary for the performance of the contract (Art. 6 (1) (b) GDPR), or that it is required by law (art. 6 (1) (c) GDPR), or that it is in the Company’s legitimate interests to do so to ensure its business is run efficiently (Art. 6 (1) (f) GDPR).
The Company may collect and keep records that may include, without limitation, bank account details or other account where Clients or Suppliers receive their payments.
We collect financial information to pay a Client or Supplier in accordance with the terms of their contract. We process this information on the basis that it is necessary to perform the contract (Art. 6 (1) (b) GDPR), or it is necessary to comply with the Company’s legal obligations under tax legislation (Art. 6 (1) (c) GDPR).
The Company may collect the following information for contact purposes
When contacting or communicating with us, e.g. by email or via the contact form on our website, the data you provide will be stored and processed by us in order to answer your questions, requests or for the purpose of business related correspondence. We delete the data arising in this context once storage is no longer necessary, unless statutory retention obligations exist or periods of limitation must be observed.
We may transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Mindray Group, distributors or to external service providers, contract processors (e.g. cloud hosting, service providers) if necessary and in accordance with the purposes required (e.g. for establishing contacts, business related correspondence, customer care, etc.).
Legal basis: Art. 6 (1) b and (f) GDPR.
– Newsletter and marketing communications
With your explicit consent, when required, we may process Personal Information to send the Company’s Newsletter or other marketing communications. Consent may be provided by you in various ways, e.g. through the specific Website section, in writing to member of our staff during events, etc. Consent for the newsletter is optional and not necessary to receive other services from Mindray.
The newsletter contains news and further information on the Mindray products.
By subscribing to the newsletter or providing your consent for marketing purposes you may receive personalized information about the products, services or events of the Company by email or phone, according to the preferences selected.
The data may be forwarded to our cloud management system and customer platform, which other Group Companies and/or service providers may also access to support and implement the marketing communications.
The collected data are deleted after 12 months or in the lack of a new consent as requested. If you no longer wish to receive the newsletter, you can unsubscribe at any time. Click on the link contained in each newsletter, you will then be guided through the unsubscribe process, or send us your withdrawal by email.
Legal basis: Consent (Art. 6 (1) (a) GDPR) and art. 6 (1) (f) GDPR in case there is no consent requirement.
During the Supplier’s selection process, the relationship with Clients, or the interaction with Website Users, the Company may receive Personal Information that contains Sensitive Personal Data, namely:
Sensitive Personal Data are collected merely if received by the Data Subjects (Art. 6 (1) (a) GDPR, art. 9 (2) a, art. 9 (2) (b) GDPR).
We may also collect a limited amount of criminal convictions data where the law allows us to do so and to extent allowed. This will usually be where such processing is necessary to carry out our legal obligations or ethical due diligence and provided we do so in line with our data protection and retention policy.
We generate, collect and maintain Personal Information in connection with the Data Subject’s relationship, and as permitted or required by applicable law, for the legal bases identified above.
We obtain most Personal Information in the forms and applications that the Data Subject fills out in connection with his/her relationship with the Company.
We may obtain some Personal Information from third parties, including when we receive contact details for marketing purposes or where local law requires Data Subjects to provide his/her name to our service providers. In these cases, we inform Data Subjects of this Notice and use of the data at the time of first contact or no later than 1 month after receiving the personal data.
From time to time, we may need to disclose some Personal Information we process about Data Subjects to relevant third parties as listed below, in order to perform our obligations under a contractual relationship, in order to comply with our legal obligations or on the basis that it is in our legitimate interests to do so, in ensuring our business is run efficiently.
Any recipient or third party receiving the data by the Company, is a data processor duly authorised by us or an autonomous data controller, with the only exceptions provided by the Data Protection Laws.
a) The non-EU jurisdiction is on the EU Commission’s adequacy decision list; or
b) The Company has taken measures by way of appropriate safeguards for the Data Subject, which may consist of binding corporate rules approved the supervisory authority, standard data protection clauses adopted by the EU Commission or adopted by a supervisory authority and approved by the EU Commission, codes of conduct approved by a supervisory authority or the EU Commission, certification mechanism approved by supervisory authority, or contractual clauses authorised by a supervisory authority
Please note that in the absence of an adequacy decision pursuant to Article 45(3) of the GDPR, or appropriate safeguards pursuant to Article 46 of the GDPR, the Company may still transfer Personal Information to non-EU jurisdictions only on one of the following conditions:
a) The Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards;
b) The transfer is necessary for the performance of a contract between the Data Subject and the Company or the implementation of pre-contractual measures taken at the Data Subject’s request;
c) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Company and another natural or legal person;
d) The transfer is necessary for important reasons of public interest;
e) The transfer is necessary for the establishment, exercise or defence of legal claims;
f) The transfer is necessary to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent;
g) The transfer is made from a register which according to the European Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by European Union or Member State law for consultation are fulfilled in the particular case.
Personal Information may be transferred to and processed by, or on behalf of, entities in the Mindray’ Group that are based outside of the European Union. Each such entity has adopted, for the protection of our Data Subjects’ Personal Information, a notice and procedures that are consistent with the provisions of this Notice.
From time to time we may transfer Personal Information to third parties outside of the European Union but only if the third party (whether controller or processor) has provided appropriate safeguards. The appropriate safeguards may be provided for by: (1) binding corporate rules or (2) the European Commission’s standard data protection clauses.
When the Company shares Personal Information with another entity, the Company requires this other entity to agree in writing:
The Company has appropriate technical and organisational measures in place to maintain physical, procedural, and technical security in its offices, information systems, and information storage facilities to protect Personal Information from loss, misuse, unauthorised access, erroneous disclosure, alteration, or destruction. We restrict access to Personal Information to those individuals who need access to that information to assist us in performing our duties and obligations.
The Company requires employees with access to Personal Information to keep it strictly confidential, to access it only on a need to know basis, and not to use it or to disclose it to third parties other than as permitted under this Notice, or as permitted or required by the applicable law. Failure to do so, such as unauthorised, inappropriate, or excessive disclosure of Personal Information about individuals, will be regarded as serious misconduct and will be dealt with in accordance with the Company’s disciplinary procedures.
Data Subjects acknowledge that transmission over the Internet is never completely secure or error-free. Because of this, we cannot and do not guarantee the security of Personal Information that the Data Subject provides to us when in transit through the Internet. Thus, when submitting Personal Information to the Company through an Internet connection, the Data Subject must weigh both the benefits and the risks before submission.
The Company is committed to collecting only Personal Information that is relevant for the purposes for which it is to be used as listed above. The Company is also committed to ensuring that Personal Information is not processed in a way that is incompatible with the purposes for which it has been collected or subsequently authorised by a Data Subject.
To the extent necessary for these purposes, the Company takes reasonable steps to ensure that all Personal Information is reliable, accurate, complete, and current.
According to Data Protection Laws and within its limits, the Data Subject has the following rights:
If the Data Subject wishes to exercise any of the above rights the Data Subject should contact us as set forth in the section “How to Contact Us” below. We will process all requests within the time frames defined by applicable law (and if no such time frames are specified, within a reasonable time period).
We retain Personal Information and dispose of it in paper and electronic format, in a form that allows the identification of the Data Subjects, for a period of time not exceeding the achievement of the purposes for which they are processed or in accordance with Data Protection Laws and this Notice. Personal Information may also be stored in a cloud environment with a server located in a EU member state.
We will also retain certain Personal Information if necessary to prevent fraudulent activity, to protect ourselves against liability, permit us to pursue available remedies, or limit any damages that we may sustain, or if we believe in good faith that an order, law, regulation, rule or guideline requires such retention.
SHENZHEN MINDRAY BIO-MEDICAL ELECTRONICS CO. LTD. and Mindray UK Ltd are the joint controllers of the Personal Information, pursuant to art. 26 GDPR.
The address of SHENZHEN MINDRAY BIO-MEDICAL ELECTRONICS CO. LTD. is: Mindray Building, Keji 12th Road South, High-tech Industrial Park, Nanshan, Shenzhen 518057, P.R. China.
The address of Mindray UK Ltd is: Mindray House, Kingfisher Way, Hinchingbrooke Business Park, Huntingdon, Cambs, PE29 6FN.
To exercise any of the rights mentioned in section 11 and contact the Data Controller, please write at firstname.lastname@example.org or at the address indicated above.