Data Protection & Privacy Policy
Data Protection and Privacy Policy - Caremax 24/7 Commitment
Caremax 24/7 UK Ltd is fully committed to safeguarding personal data and ensuring that all data processing activities comply with the latest legal frameworks, including the UK GDPR, Data Protection Act 2018, and PECR. Our organisation is dedicated to implementing best practices in data management, offering transparency, and maintaining strict compliance with our legal obligations.
​
Scope of Data Protection and Privacy Policy
This policy therefore provides a framework for ensuring that Caremax 24/7 UK Ltd meets its obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 18) and the Privacy and Electronic Communication Regulations 2003 (PECR).
The detailed way in which this policy operates day to day is set out fully within Clause 8 of our Terms and Conditions of Contract and our Service Charter. This includes all the operational activities undertaken and actions required under the six data protection principles, which are set out below. The company has also published a Privacy Notice, and a full copy can be obtained on request. It is profiled in Section 7 below.
In summary, this policy applies to all the processing of personal data carried out by the company including processing carried out by joint controllers, contractors, and processors.
The terms of this Policy may change from time to time. We shall publish any material changes to this Policy through appropriate notices, either on this Website or by contacting you using other communication channels.
The company is registered with the Information Commissioner as a Data Controller under reference Caremax 24/7 UK Ltd, ZB301505 and has paid the appropriate annual registration fee.
The company may sometimes act as a joint Data Controller with clients and/or stakeholders. It will only do so in full accordance with this policy.
The company will sometimes act as a Data Processor for other Data Controllers and/or as a Third-Party Processor. It will only do so in full accordance with this policy.
Any individual who contracts with the company is a Data Subject and their data will only be processed in full accordance with this policy.
The Secondary Data Subjects of Data Subjects will only have their data processed in full accordance with this policy.
The company complies with data protection legislation guided by the six data protection principles and using the definition of “Consent” set out in law for both the UK GDPR and PECR.
​
The Six Principles
In summary, based on the foregoing, the laws require that personal data is:
- processed fairly, lawfully and in a transparent manner.
- used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes.
- adequate, relevant, and limited to what is necessary.
- accurate and, where necessary, up to date.
- not kept for longer than necessary; and
- kept safe and secure.
The company is fully committed to these six principles. It has a procedure in place for individuals (Data Subjects) to make Subject Access Requests and will meet any such valid requests within the statutory time limits prescribed by law.
The company will use the six principles as a further benchmark when evaluating its performance under PECR, set out later below.
​
Breaches of Data
In the event of a data breach, the company fully understands and will meet its obligations as a Data Controller in reporting such breaches (if appropriate) to the Information Commissioner within the prescribed time limits. It will take all proportionate remedial action to swiftly inform those affected, and will fully review and resolve any failures in security measures that have caused the breach.
These requirements will also apply if the company is acting as a Joint Data Controller, and it will ensure that there is complete clarity and agreement, in a given joint situation, on where lead compliance responsibility for reporting breaches should be operationally applied.
When acting as a Data Processor or Third Party itself, the company will fully meet its responsibilities in swiftly reporting the facts of any breach to the Data Controller within the statutory time limits and in full accord with agreed service delivery standards. It will also fully co-operate with the Data Controller in taking remedial action to resolve any security or other lapses that gave rise to the breach itself.
The company will also expect that all its own contracted Data Processors and Third Parties fully meet these obligations.
​
Definition of Personal Data and Sensitive Data
The company understands and accepts that the UK GDPR definition of "personal data" includes any information relating to an identified or identifiable natural living person.
Pseudonymised personal data is covered by the legislation; however, anonymised data is not regulated by the UK GDPR, provided the anonymisation has not been done in a reversible way.
The company by the nature of its business processes data about a wide range of individuals.
Some personal data is more sensitive and is afforded more protection. This is information related to:
- Race or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric ID data.
- Health data.
- Sexual life and/or sexual orientation; and
- Criminal data (convictions and offences).
​
PECR and Privacy
The company is fully committed to and will fully comply with the Privacy and Electronic Communications Regulations (PECR).
The UK GDPR sits alongside PECR. PECR rules apply and use the UK GDPR standard of consent. The six principles of the UK GDPR will be used as a clear benchmark for privacy issues, as well as fully observing the points of divergence.
There are some points of divergence from GDPR with security, privacy, breaching, time limits and penalty issues. The company fully understands its responsibilities in these divergent areas and will fully comply with the required legal standards.
​​
How PECR applies to Caremax 24/7 Ltd
By the nature of its business, therefore, the company recognises that the following divergent activities governed by PECR will specifically apply to it:
- Marketing by electronic means, including marketing calls, texts, emails, and faxes.
- The use of cookies or similar technologies that track information about people accessing a website or other electronic service.
- Security of public electronic communications services.
- Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (e.g., caller ID and call return), and directory listings.
The company has a Privacy Policy Notice which will be published on its website and all appropriate in-house communications.
If you require a copy, please get in touch with our Data Protection Officer whose details appear below.
In summary, our Privacy Policy covers:
- Your contact details
- The type of personal information we collect
- How we get the personal information and why we have it
- The basis on which you gave us consent to process your data
- How we store your personal data
- Your right of access
- Your right to be forgotten
- Your right to erase and/or amend your data*
- Your right to restrict processing of your data
- Data Portability
- How to complain to us and the ICO
*It is the responsibility of Data Subjects to inform the company of any personal changes and/or errors they may have made in submitting data to us.
​
Data Protection and Privacy Officer
The Caremax 24/7 Ltd Data Protection Officer (DPO) is primarily responsible for advising on and assessing our compliance with the DPA, UK GDPR and PECR and making recommendations to improve compliance. This includes oversight of organisational issues such as record keeping and training. It also covers oversight of technical issues such as data security and the website. The company DPO is William Chadwick, and they can be contacted at info@caremax247.co.uk
Compliance with this policy will be monitored on an annual basis and/or earlier if required via the DPO and any other responsible officer of the company.
You can also complain to the ICO if you are unhappy with how we have used your data.
​
The ICO’s address:
Information Commissioner’s Office
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF.
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
​
See also our related Cookies Policy.
​
July 2024