1.1. Your personal data will be processed in accordance with your consent.
1.2. This privacy notice sets out the manner in which and purposes for which your personal data will be processed and this information is provided to ensure that you are able to provide a freely given, specific, informed and unambiguous indication of consent to processing of your personal data.
1.3. Where your consent is sought this shall satisfy the following requirements:
1.3.1. Consent shall be freely given, specific, informed and unambiguous and shall be demonstrated by a clear affirmative action that confirms your agreement to the processing of your personal data.
1.3.2. Consent shall be time-stamped and recorded and linked to the information available to you at the time your consent was provided.
1.4. Where children’s personal data are processed, additional requirements will apply depending on the nature and extent of the personal data processed. Parental or legal guardian supervision and consent will be required.
Consent Mechanism: Healthcare professional
Consent Type: Explicit
Adult Age: 16
2.1. This privacy notice sets out the full name(s), address and contact details of the natural or legal person, public authority, agency or other body that is responsible for determining the purposes and means of processing your personal data (the ‘controller’) when you provide your personal data.
2.2. This privacy notice sets out the name and contact details of the relevant supervisory authority responsible for ensuring the privacy of your personal data and overseeing the data processing activities of the controller.
2.3. This privacy notice sets out the details of the officer or representative within the controller’s organisation that is responsible for data protection and privacy.
2.4. This privacy notice sets out the country or countries in which your personal data will be processed.
Legal Name: Activinsights Limited
Address: Unit 11, Harvard Industrial Estate, Kimbolton, PE28 0NJ, UK
Contact Name: J. Langford
Telephone: + 44 1480 862 082
Supervising Authority Name: Information Commissioner’s Office
Supervising Authority Website: https://ico.org.uk/
Processing Countries: GB
3. Purposes and types of personal data
1.1. This privacy notice sets out the specific categories of personal data that will be collected and processed.
1.2. This privacy notice will identify whether any of the following special categories of personal data are processed (‘special categories of data’):
1.2.1. racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data that uniquely identifies you; biometric data that uniquely identifies you; data concerning your health; data concerning your sex life or sexual orientation; and
1.2.2. data relating to criminal convictions or offences or related security measures. Processing of such data will be carried out only when such processing is authorised by law.
1.3. Where the controller collects location data, this is stated in this privacy notice and such use will be subject to your consent unless the data is used in an anonymised form.
1.4. This privacy notice sets out, for each category of your personal data that will be processed and the purposes for which such personal data will be processed.
1.5. If the controller processes your personal data for purposes which have not been subject to your consent, it shall be the controller’s obligation to ensure that any such processing is only carried out strictly under applicable laws which permit such processing. Save as set out in this section, your personal data will not be used for any other purposes unless you have provided additional consent for such processing.
1.6. The existence of any automated decision-making including profiling based on your personal data is set out in this privacy notice. This privacy notice provides details of, the logic involved and the significance and consequences of any such processing for you.
Service Purpose #1
Category: 2 – Contracted Service
The purpose of the service is to provide information to you and your healthcare professional about your lifestyle as recorded by our wearables. We may use your data to maintain our records; promote our goods & services and support health & medical research.
Data Type 1
Category: 1 – Biographical
Your healthcare professional will store the information required to deliver the services to you (e.g. your name). There is no requirement for most of these details to leave the clinic. Only non-identifying data such as your year of birth and gender may be used by Activinsights outside the clinic.
Data Type 2
Category: 3 – Biometric
We may use information about your height and weight in our analysis to create reports for you.
Data Type 3
Category: 15 – Behavioral
The GENEActiv is designed to collect only basic behavioural information and associated metrics. It records movement data and environmental light and temperature data.
Automated Decisions?: false
4.1. Your personal data may be processed by other organisations who will process such personal data on behalf of the controller and in accordance with the controller’s instructions.
4.2. The controller will share your personal data with other organisations solely for the purposes of processing such information in connection with the purposes for which they were collected.
4.3. Your personal data will not be shared with other organisations for a new purpose without your consent unless such sharing is expressly required or permitted by any statutory, legal or parliamentary obligation placed upon the party making the disclosure to the third party.
5. Access and Control
5.1. The controller will ensure that your personal data is processed in accordance with your rights as set out in this section. This privacy notice sets out the details of how to contact the controller to exercise these rights.
5.2. You shall have the right to obtain from the controller information on your personal data that is being processed and access to such personal data (‘right of access’).
5.3. If the controller is made aware of any inaccuracies in your personal data or of any incomplete personal data, whether by you or any other means, the controller shall seek to correct such inaccuracies or complete such personal data without undue delay following any notice from you (‘right to rectification’).
5.4. You shall have the right to obtain the erasure of your personal data where one of the following grounds applies (‘right to be forgotten’):
5.4.1. processing is no longer necessary in relation to the purposes for which they were collected;
5.4.2. where you have provided consent on which the processing is based and you subsequently withdraw that consent;
5.4.3. you object to the processing under applicable data protection laws;
5.4.4. the personal data have been unlawfully processed; and
5.4.5. the erasure of the personal data are required for compliance with a law to which the controller is subject.
5.5. You shall have the right to restrict certain processing: (a) where the accuracy of the personal data is being contested; (b) where processing is unlawful and you do not want the personal data erased but want it restricted instead; (c) where you want to preserve the personal data for legal claims but want all other processing to cease; or (d) where the basis for the processing is being contested and you want processing to be restricted during the period in which the basis for the wider processing is being verified. Where any particular personal data are to be restricted, they will then only be processed in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims (‘right to restriction of processing’).
5.6. Where your personal data are being processed for a task carried out in the public interest or in the exercise of an official authority vested in the controller or for the purposes of a legitimate interest pursued by the controller, you shall have the right to object to the grounds for such processing. In such circumstances the controller shall cease to process the personal data, unless the controller can demonstrate compelling legitimate grounds to continue processing which override your own personal interests, rights or freedoms or for the establishment, exercise or defence of legal claims. You shall also have the right to object to any direct marketing (‘right to object’).
5.7. You shall have the right to receive your personal data in structured, standard machine readable format and the right to transmit such personal data to another controller (‘right of portability’).
5.8. The relevant controller shall communicate the notification of exercise of any of the above access and control rights to other recipients of the personal data.
6. Period of storage
6.1. Your personal data will be processed for so long as is required for the purposes for which your personal data were originally collected.
6.2. The period for which your personal data will be stored or, if that is not possible, the criteria used to determine that period you are set out in this privacy notice.
6.3. Your personal data may be kept for longer periods in connection with archiving in the public interest, scientific or historic research purposes, but if this exception applies this will be disclosed to you.
Retention Policy: Review
Retention Period: 10 years
7.1. The controller shall implement appropriate technical and organisational measures, such as pseudonymisation and data minimisation, in order to secure your personal data and protect your rights in respect of your personal data.
7.2. The controller will seek to minimise the extent to which your personal data are processed in a form in which you can be identified from it. This shall include applying the following techniques to your personal data:
7.2.1. Anonymisation: this will ensure that you can no longer be identified from the data; or
7.2.2. Pseudonymisation: this will ensure that your personal data are processed in such a manner that the personal data can no longer be attributed to you without the use of additional information and such additional information is kept separately.
7.3. This privacy notice summarises the security processes adopted by the controller.
Publication Date: 20 Dec 2021 08:02:00