v.2.0 effective September 23rd 2020
We know you value your privacy. And when you make an enquiry, give us feedback, apply for a job or visit our website to learn more about us, you shouldn’t have to worry that we’re learning more than we need to about you, or using your personal data in ways that make you uncomfortable.
GAMA Healthcare Ltd. is part of the GAMA Corporation Ltd. (UK) group of companies. We are registered as a data controller (registration no. ZA308362) with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. This Notice is issued on behalf of our UK-based entities: GAMA Healthcare Ltd., Carell Ltd., and Aga Nanotech Ltd. (UK), and Fellows Research Centre Ltd. (UK), so when we refer to ‘GAMA’ we refer to this group of companies.
This notice describes how and why we collect the personal data of:
Candidates, Freelancers, Agency Workers, Consultants
Business customers or prospects
It describes our privacy commitment and explains how we comply with data protection law. You should read it along with any other notices we’ve provided in specific contexts, for example at a conference.
We’ll alert you to important changes to our privacy notice by posting them here or contacting you directly where appropriate. For more information please contact email@example.com.
We’re committed to protecting the privacy and security of your personal data, only processing what’s necessary, and ensuring we strike the right balance between our business objectives and your privacy. We want to ensure you understand your rights and our responsibilities. We process your personal data:
Lawfully: Only if we can justify it on one of the GDPR’s Lawful Bases (see Lawful Bases table below).
Fairly and transparently: we strike the right balance between our interests and yours and we tell you what we do with your personal data.
For a specific purpose: we won’t use your personal data for another incompatible purpose unless the law permits or requires us to.
Using the least amount reasonably necessary.
Ensuring it is accurate, complete and up-to-date.
For a limited time: Only for as long as reasonably necessary, and then we either destroy it or de-identify it so it can’t be linked back to you.
Securely: managing our people and designing our processes and technology to ensure end-to-end confidentiality, integrity and availability.
With your rights in mind: We make it easy for you to exercise your rights (see table below).
Within the UK/EEA: we don’t transfer your personal data outside the EEA except as permitted under Data Protection Law. We use appropriate safeguards to ensure consistent protection by third parties who support our work. Find out more in the Your Data At-a-Glance table below.
You can contact our Privacy Manager to ask questions, express concerns or exercise your rights via e…Read More
The information we process about you will depend on our relationship and how we interact. For exampl…Read More
We get most information directly from you, for example when you fill out a form, or indirectly, for …Read More
Sometimes we need to share your information outside GAMA, for example with vendors who support us. W…Read More
Find out more about third parties we use to support our website by clicking on the ‘Manage cookie pr…Read More
We’ve embedded an Amazon tracking pixel on our website so we can retarget visitors who may be intere…Read More
ADM involves a computer making a decision without human involvement that could have significant lega…Read More
‘Special Data’ like health-related information or information revealing your religion, ethnicity or …Read More
We conduct Legitimate Interests Assessments (LIA’s) whenever we rely on Legitimate Interests and, wh…Read More
If we can’t process this personal data, or if it’s inaccurate, it will be difficult to optimise your…Read More
We’ve implemented measures to prevent your personal data from accidental loss, unauthorised use, acc…Read More
|Lawful basis||What this means|
|Consent||You have given us permission, which you can withdraw at any time. We need your Explicit Consent to process sensitive data like health-related data (Special Data) or to transfer your Personal Data outside the EEA where we don’t have another basis for doing so, or for any Automated Decision Making (‘ADM’) that has significant legal or other effects unless an exception applies.|
|Legitimate interests||To help fulfil a legitimate business objective (see the ‘We use this data to...’ column of the Your Data At-a-Glance table) after confirming we’ve only used what’s reasonably necessary and proportionate to meet that objective and struck the right balance between our interests and yours (LIA).|
|Contractual necessity||To enter into or fulfil our contract, including to generate a quote.|
|Legal obligation||To comply with the law (e.g. tax reporting).|
|Vital interests||In rare instances where one of the others don’t apply but we need your personal data to protect your vital interests or those of another person. Highly unlikely.|
Below are the additional conditions we may rely on to process your Special Data along with examples:
|Special Data Conditions||Examples|
|To fulfil legal obligations and exercise specific rights in connection with workplace health and safety and employment laws or monitoring of products for safety issues.||Use information about possible COVID status or exposure; to provide adjustments for candidates; to record Adverse Reactions to a product.|
|To meet workplace diversity / equal opportunities requirements||Use statistics about e.g. race, ethnicity, gender reflected in our workplace to monitor and achieve workplace diversity, equal opportunity / pay under equal opportunities laws.|
|To establish, exercise or defend legal claims||To defend ourselves against a wrongful dismissal, personal injury or discrimination claim.|
|To protect your vital interests or those of another person||Get the help of medical professionals, your emergency contact or bystanders in a life-threatening emergency (e.g. a severe allergic reaction, heart attack).|
|Where you have made the information manifestly public||E.g. you are the public face of an advocacy group promoting LGBT rights (sexual orientation) or a religious community association (religion) or you publicly self-identify as such.|
You have various rights with respect to your personal data:
|Right||What this means|
|Access||Receive a copy of the personal data we hold about you and confirm we’re lawfully processing it by making a Data Subject Access Request (DSAR). It’s free of charge unless your request is clearly unfounded or excessive.|
|Rectification||Ask us to update, complete or correct your personal data at any time if you detect an inaccuracy. In fact, we encourage you to do so.|
|Portability||Get any personal data you’ve given us in electronic form on the basis of Consent (or Contractual Necessity) in a common machine-readable format. We can also transfer it to a third party if you ask.|
|Erasure||Ask us to delete or remove personal data where there is no good reason or Lawful Basis for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to Objection. We are allowed to refuse in certain circumstances. Find out more, here.|
|Objection||Object to any processing we do based on Legitimate Interests. You also have the right to object where we are processing your personal data in certain circumstances.|
|Automated processing||Not to be subject to ADM that has significant legal or other affects.|
|Restriction||Suspend the processing of some of your personal data, for example if you want us to establish its accuracy or the reason for processing it.|
|Withdrawal of consent||Withdraw consent at any time and we will stop processing it unless we have another legitimate basis for doing so in law. Where we rely on your consent we also explain how you can easily withdraw it.|
We will need to confirm your identity and your right to access the information or exercise any of your other rights. This is to prevent personal data being disclosed to anyone who has no right to receive it. You can find out more about your rights by visiting the Information Commissioner’s Office website.
We want to learn what brings you to our website, what products, services and information interest you, how you engage with our content, what worked… and what didn’t. But we also want to respect your privacy and your choices. Right now, we’re focused on the bigger picture, not the individual website visitor’s activity. So we only collect what we need to help us get a general understanding of how our visitors engage with our website and we make it easy for you to manage your preferences using Metomic, our privacy platform.
We don’t process a lot of personal data about our website visitors. As we continue to develop our site and begin to use different tools to measure engagement, we may find we need more personal data or prefer a more personalised approach, but we’ll let you know and make sure you’re okay with this. Note that our services are not intended for children and we do not knowingly collect data relating to children. Find detail about our website data collection and manage your preferences using our Metomic Cookie Widget.
|When you...||We use this data to...||We get it from...||We rely on (Lawful Basis)||We share it with...||It's stored in...||We keep it for this amount of time...|
|Set your cookie preferences||Cookies & other technologies to remember your preferences and collect proof of consent.||The selections you make (opt-in or out).||Legal obligation||Metomic||UK||See our cookie widget|
|Visit our site from Australia||IP Address (to detect you are in Australia) to direct you to the correct site where information approved for Australian audiences is found.||Your router||Legal obligation||IP Stack||We don't store it.||We don't store it.|
Get full details in our Metomic Cookie Widget. Click on the ‘Manage cookie preferences’ link in the webpage footer.
Categories of Personal Data (Website Visitors):
|Category of Data||Details|
|IP address||Internet Protocol address.|
|Browser Data||Browser types and version.|
|OS||Operating System and platform.|
|Device ID||Device ID, MAC address.|
|Location||Location – we generalise location to country-level or region.|
|Time Zone||Time zone setting.|
|Cookies & other technologies||We use a cookie widget on our website powered by Metomic which details the cookies we use and allows website visitors to manage their preferences. Manage your preferences and find out more at any time by clicking on the ‘Manage cookie preferences’ link in the webpage footer.|
|Web analytics||Standard internet log information and visitor behaviour patterns obtained using Google Analytics and Hotjar. We get aggregated statistics of |
We process personal data to support our talent management activities, from advertising positions and seeking out potential candidates, to screening your application, to creating a shortlist, to convening you for an interview, reviewing your fit, making an offer, negotiating the contract and welcoming you to GAMA. Over the course of these activities we also aim to satisfy any special needs you may require.
|When you...||We use this data to...||We get it from...||We rely on (Lawful Basis)||We share it with...||We keep it for this amount of time...|
|See one of our job adverts or are contacted by a recruiter||Application; Social Media; photo; internet search: see privacy notices of the recruiters you engage with. Impressions Work Product Statistics (number applied, length of campaign, etc.): to measure campaign effectiveness.||MaxAd; LinkedIn. |
MaxAd advertises jobs on the major job boards, job aggregator sites & social media.
It also proactively searches its own CV database & major job boards, specialist sites & social media (incl. Total Jobs, Job Site, CV Library, Monster, Reed, Indeed, LinkedIn) to find potential matches.
MaxAd can see all the Impressions with the job ad but generates anonymised statistics & metrics to share with GAMA to ensure campaign success.
|Legitimate Interests||MaxAd||6 months from the end of the recruitment phase.|
|Apply for a position||Application; Social Media; photo; internet search: to get an overall sense of you as a candidate.||MaxAd; LinkedIn. |
You have either given your Personal Data to MaxAd directly by uploading your CV or MaxAd received it indirectly from the above sources. Or you apply through GAMA’s website using our processor Natural HR’s widget.
MaxAd uses Vacancy Filler as its processor for uploading CVs.
For other data, GAMA only gets access to what MaxAd shares with us. See ‘Vetting’, below.
|Contractual Necessity||MaxAd. We give MaxAd access to GAMA’s Job Board accounts to do its search, post our job ad; deal with applications & monitor campaign success. |
Vacancy Filler (to upload CVs)
HR staff can access all applications. Hiring managers can only access those for their own vacancies when HR staff share it through Natural HR or the Recruitment Site, or via PDF.
|6 months from the end of the recruitment phase.|
|Reviewing your Application||Application; Social Media; photo; internet search; references: to get an overall sense of your as a candidate||MaxAd; LinkedIn; You. |
GAMA HR staff may access your profile in our Job Board accounts searching name, industry, employer, etc. Your privacy settings determine what we see, but it’s generally only your profile. Note that LinkedIn profiles usually include your photo.
Natural HR: stores personnel data but also has a widget for candidates to securely upload their applications when they apply directly through our website.
|Contractual Necessity||MaxAd (who will vet job ad responses). |
Natural HR (the processor that operates our HR database).
|Are being vetted for a position||Name; Contact; Application; Social Media; Photo; Correspondence: to advance your application.||MaxAd: MaxAd reviews potential matches to find the applications that are the best fit & triages them based on requirements for the role. |
MaxAd contacts promising potential matches to ask more detailed questions as part of the vetting process. Creates a shortened list to give to GAMA for review.
GAMA creates a Natural HR candidate profile (if not already created) to administer the recruitment process & documentation.
|Contractual Necessity||MaxAd shares with GAMA. |
Natural HR for administering applications & process.
|Attend an interview||Name; Contact; Application; Work Product (MaxAd & GAMA – interview notes); Reasonable Adjustments: to ask you questions, get a sense of ‘fit’ and get additional information.||GAMA reviews the applications internally to create an Interview List - from MaxAd, Recruitment Manager & Hiring Manager. |
Directly from you (for Reasonable Adjustments + correspondence + answers to interview questions).
Second interview with Managing Director.
|Contractual Necessity. Legal Obligation (employment law) + Art. 9(2)(b), GDPR + Sch. I, Pt. 1(1), DPA 2018 for Special Data||Natural HR for administering applications & process & capturing notes.||6 months|
|Undergo an assessment||Name; Contact; test date; test result; Interview (Assessor): to confirm you have the skills, knowledge or qualities for the role.||We send you a link from the assessment provider (Skills Arena) via email & you do the test directly with them. We assess your grammar & numerical reasoning. Candidates for more senior roles also do a psychometric test (Hogan Assessment) administered by Syzygy + interview with assessor.||Contractual Necessity.||Natural HR for administering applications & process & capturing notes||6 months|
|Undergo reference & background checks||Referee Contact; Application; Referee Correspondence.||You.||Contractual Necessity.||Natural HR for administering applications & process & capturing notes||6 months|
|Receive an offer||Name; Contact; Application; DBS Check results (clear or not); Offer Letter with Compensation, Benefits, etc; Correspondence: to make you a conditional offer and answer questions, negotiate some aspects of the offer.||A conditional offer will be made for a role that requires a successful DBS check (e.g. Sales). |
We offer you the job & negotiate the details. We ask you to fulfil any additional pre-conditions & verify your information.
|Contractual Necessity. Legal Obligation (DBS)||Natural HR for administering applications & process & capturing notes||6 months. DBS check: report result & code are logged and original (if we receive it) is disposed of promptly.|
|Don’t receive an offer||Application||We inform you that you have not been selected. We retain your Application long enough to defend against legal action.||Legal Obligation. Contractual Necessity. Legitimate Interests for job bank||Natural HR (processor)||3 months for all (in case of complaint).|
Job bank: up to 12 months in case a new position arises, though you can object.
|Undergo Right to Work due diligence||Right to Work: to confirm you are legally entitled to work with us.||You. References. Background check services.||Legal Obligation||Natural HR; Background Check services||Up to 3 months if no pass. |
For duration of employment + retention period if successful.
|Make it official||Employment details. Declarations / Acknowledgments||You (signature). HR.||Contractual Necessity||Natural HR||For duration of employment + retention period.|
Categories of Personal Data (Candidates, Freelancers & Agency Workers & Interns):
|Category of Data||Details|
|Acknowledgments||Signed acknowledgments of key documents (e.g. this notice, the Data Privacy Charter, the Health and Safety Policy). These are usually tracked through our HR platform – Natural HR.|
|Agency Contract||Name and Contact. Agency name. Key terms (rate, hours of work, payment details).|
|Application||Work history, cover letter, LinkedIn profile, profile on recruitment sites, test results, interview notes, references, samples of work (if provided) and other information relevant to your application.|
|Bank||Bank account and transaction details.|
|CCTV||CCTV footage both inside the premises and at the entrances / exits and immediate surroundings, where applicable.|
|Claims / Expenses||Claims for business and travel expenses with supporting documents|
|Company ID||ID badge, employee ID number, photograph.|
|Company Name||Freelancer or consultant’s company name.|
|Compensation||Your rate (hourly, daily, deliverable).|
|Consultancy Contract||Project proposal, scope of work, deliverables, rate, start / end dates (duration), Name and Contact of individual(s) who will do the work, company name, consultant’s title, etc.|
|Contact||Postal address, email address and telephone numbers, next-of-kin name.|
|Correspondence||Emails, letters, text messages.|
|COVID-Related||COVID-related data, e.g. temperature checks, symptom questionnaires, reports of possible exposure, contact tracing info (if on premises).|
|Departure||Reason for departure (e.g. term ended; contract / project cancelled etc.). Conditions of departure (if any), e.g. non-disclosure agreement.|
|Emergency contact||Next-of-kin or other individuals you would like us to contact in the event of an emergency if you provide them. It is your responsibility to inform them of the purpose for the information and bring this notice to their attention.|
|Entry/Exit||Key fob records of entry/exit to the premises. People: for employees entering and exiting using. Parking: for entry/exist to the parking for parking pass holders|
|Feedback||Feedback anyone shares with GAMA that may relate to you or your role, or feedback that you share.|
|Health & Safety||Health-related Special Data, e.g. self-assessment and any adjustments requested, accident logs for Health and Safety (kept in the Accident Book and Treatment Record where it occurred), Health and Safety Committee decisions relating to you specifically or an incident involving you (e.g. injury).|
|Invoices||Invoices, day / hourly / project rates, VAT number, billing information, Bank Data, remittances for freelancer in Company Name or own name (as applicable), or in Agency name for Agency Workers.|
|Name||First name, last name|
|Performance||Metrics / KPIs attributable to you, your team or your project (e.g. sales numbers, website content clicks / downloads, complaints resolved), company distinctions or awards attributable to you or your team.|
|Photo(s)||Image(s) of an Individual or group of Individuals.|
|Reasonable Adjustments||Special Data about e.g. religious or philosophical beliefs, race / ethnicity, sexual orientation information or Health-Related Special Data (e.g. disabilities, allergies) if you provide it when making a request for a reasonable adjustment under the Equality Act 2010. Our Lawful Basis is Legal Obligation (Art. 691)(c), GDPR) and the condition we rely on to process Special Data is the employer’s obligation in employment law (Art. 9(2)(b), DPA 2018, Sch. I, Part 1(1), DPA 2018).|
|Social Media||Profiles, posts, handles, likes, articles, other activity; your personal blogs or website if: |
|Technical / IT||Details of your corporate IT and network access and usage – Internet protocol (IP) address, browser activity, username and credentials (login data), access logs, remote login details, device ID for mobile devices, corporate mobile device usage data, software application usage (e.g. documents you have created, edited, uploaded to Dropbox plus metadata from document uploads, edits: time and date, document type, title, last modified date and created by details), e-signatures.|
|Training Records||Training logs: proof of attendance (e.g. e-learning modules for privacy, security, H&S), completion / non-completion and pass/fail details or grades for mandatory training (e.g. GDPR training).|
|Voice recordings||For example, in a training video if you provide voice over.|
|Work Product||__GAMA work product generated by or attributable to you__: Internal and external communications with other employees, customers, prospects; documents, content or work product you create or edit that is or can reasonably be associated with you in relation to your tasks (diaries, address books, other documents of any description, external storage, files, mobile phones or computers) of any kind relating to the Company’s business. Contributions to or Impressions of Company Social Media, website, or other communications or media activity attributable to you (e.g. creating, sharing or liking a post from our Twitter account using your own Social Media profile).|
We mostly sell our products and services to businesses or organisations who either use the products themselves (e.g. hospitals and surgeries) or to other resellers who then sell to other organisations or directly to product users. We have Distribution Partners across Europe and in other parts of the world. They may engage in their own research (lead generation) to identify potential customers. We instruct them to collect only the personal data required to fulfil these objectives and to ensure any processing is consistent with Data Protection Law. We also engage in lead generation activities to identify Prospects who may become Business Customers.
We are legally required to monitor and report any issues with our products (e.g. adverse reactions), so even where we do not have a direct relationship with a Product User, a Product User may contact us with a complaint or concern and we will need to capture that personal data for regulatory compliance purposes.
If you are a Distribution Partner, Business Customer or Prospect, we also collect a small amount of personal data about you as required to generate leads and manage our relationship.
|When you...||We use this data to...||We get it from...||We rely on (Lawful Basis)||We share it with...|
|Enquire about a product or service||Contact; Correspondence.||You.||Contractual Necessity||Our processors: it’s logged in our systems. We use the Office 365 suite and an enterprise version of Dropbox to maintain records, and SAP to manage our supplies.|
|Make a complaint or register a concern||Adverse Reactions; Complaints / Concerns; Contact; Correspondence: content of your complaint.||You; Distribution Partners||Legal Obligation||Our processors: as above. Regulator: in a form that doesn’t identify you.|
|Make a purchase through Amazon||Contact; Name; Purchase details: to fulfil your order||Amazon dashboard||Contractual Necessity||Amazon; our Amazon agent.|
|Leave a review or publicly comment on our products||Reviews; Name; Contact (if provided)||Amazon; our social media sites||Legitimate Interests||Our processors: as above.|
|Place an order for your company or organisation or to resell||Purchase Details||You.||Contractual Necessity||Our processors: as above.|
|Contact us or respond to us when we contact you as a prospective Distribution Partner or Business Customer||Contact; Correspondence; Social Media; conference participant list||You (your business card or Correspondence); Conference Organisers; Social Media searches (e.g. LinkedIn)||Legitimate Interests||Office 365 (Outlook; Teams)|
|Submit your sales numbers||Performance||You; GAMA Sales Director(s); regional sales data.||Legitimate Interests||Office 365; SAP.|
|End or suspend our relationship||Correspondence; Complaints / Concerns; Reviews||You||Contractual Necessity (re termination); Legitimate Interests (e.g. Reviews)||Office 365 (Outlook; Teams); DropBox.|
Categories of Personal Data (Product Users, Business Customers & Distribution Partners):
|Category of Data||Details|
|Adverse Reactions||Details of any adverse reactions reported in relation to one of our products. We suppress the name and contact information for reporting purposes.|
|Bank Details||Details of any bank account where payment is to be made.|
|Company / Organisation Name||If you are a Distribution Partner operating through an incorporated entity or partnership or a Business Customer (e.g. purchasing on behalf of your hospital, surgery, commercial entity).|
|Complaints / Concerns||Details of your complaint or concern and how it was resolved.|
|Contact||Postal address, billing address, email address and telephone numbers. For Business Customers and Distribution Partners, this will generally be your professional (company) contact details.|
|COVID-related||COVID-related data, e.g. temperature checks, symptom questionnaires, reports of possible exposure, contact tracing information (if on premises).|
|Correspondence||Emails, letters, text messages.|
|Distribution Partner Agreement||Contract terms including key details such as Contact, Compensation/Payment, Bank Details.|
|Invoices||Invoices, day / hourly / project rates, VAT number, billing information, Bank Data, remittances in Company Name or own name (as applicable).|
|Name||First name, last name.|
|Performance||Metrics / KPIs attributable to you, your team or your project (e.g. sales).|
|Purchase details||Quantity and type of item ordered. Notes regarding your account (for Business Customers, Distribution Partners).|
|Reviews||Any reviews you leave on Amazon or social media or similar sites or that you provide directly to us (e.g. by calling customer service if you are a Product User or speaking with your Sales representative if you are a Business Customer or Distribution Partner).|