Privacy Notice

This privacy notice applies to our entire business practices, and our website, which is accessible from https://nonacus.com/privacy-notice/. We are not responsible for the content or the privacy notices of any websites to which we may provide external links.

This privacy notice is provided in a layered format so you can click through to the specific areas as set out below. Please also use the definitions contained in our Glossary (see end of this document) to understand the meaning of some of the terms used in it.

It is important that you read this privacy notice together with any other information we may provide on specific occasions when we are processing Personal Data about you (e.g. research), so that you are fully aware of how and why we are using your Personal Data. This privacy notice supplements other notices and privacy policies provided to you on such specific occasions and is not intended to override them.

Whilst we are legally required to comply with applicable Data Protection Laws and Local Privacy Laws, we would also like you to have confidence in dealing with us. Compliance with Data Protection Laws helps us to maintain a positive reputation in relation to how we handle Personal Data.

We are required to comply with the following principles found in applicable Data Protection Laws:

• Lawfulness, fairness and transparency – Personal Data must be processed lawfully, fairly and in a transparent manner.
• Purpose Limitation – Personal Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data minimisation – Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
• Accuracy – Personal Data must be accurate and, where necessary, kept up to date. Inaccurate Personal Data should be corrected or deleted.
• Retention – Personal Data should be kept in an identifiable format for no longer than is necessary.
• Integrity and confidentiality – Personal Data should be kept secure.
• Accountability – Under EU/UK GDPR, we must not only comply with the above six general principles, but we must be able to demonstrate that we comply by documenting and keeping records of all decisions.

We take our accountability obligations seriously. Accountability means that we are able to show how we comply with data protection law as it applies to us as an organisation. We do this, among other ways, by our written policies and procedures, building data protection compliance into our systems and business rules (‘privacy by design and default’), conducting due diligence on our suppliers and effective contract management, as well as internally monitoring our data protection compliance and taking appropriate action as required.

All our representatives, which includes our employees, contractors, agents, suppliers and affiliates, are required to comply with our data protection policies and procedures which inform this privacy notice when they process Personal Data on our behalf.

We collect and process Personal Data for the following specific purposes:

• Provision of products and/or services under our standard terms of business
• Subscription to our marketing activities
• Subscription to our Newsletter
• Customer feedback surveys
• Use of our websites and cookies
• Research
• Job applicants

Each of these processing activities is further detailed below:

 

a) Provision of products and/or services under our standard terms of business

For the provision of our services to businesses, we distinguish between the processing of ‘Customer Personal Data’ and ‘Customer Patient Data’ as further explained below.

Customer Personal Data

If you are a business customer receiving one of our services under our Standard Terms of Business, we will collect from you the following Personal Data (‘Customer Personal Data’):

• contact details of your Key Staff (e.g. procurement staff) such as their name, title, email address, postal address and phone number;
• your billing and delivery information; and
• some financial information (credit card/bank details).

We will process Customer Personal Data as an independent Controller to register you as a customer, contact and communicate with you, provide you with information around our services and to process payment for our services.

If you are a business customer, in order for us to provide the sample analytics services to you, we also need some of your Key Staff (typically the referring clinicians) to register with our cloud-based Healthcare Customer Relationship Management system (HCRM). We call your key personnel with access to our HCRM ‘Authorised Users’.

In respect of these Authorised Users, we will collect and process the following information (together also referred to as ‘Customer Personal Data’):

• Web-based portal (Healthcare Customer Relationship Management system (HCRM) account login details (‘Authorised Users’);
• ‘Authorised Users’ email address;
• ‘Authorised Users’ Internet Protocol (IP) address (of the calling computer)
• ‘Authorised Users’ service use logs, metadata regarding operations and timestamps.

We will process this information as an independent Controller to allow your Authorised Users to log onto the HCRM to view/download the results of the sample analysis you asked us to perform.

If you are an individual who has come to us directly on your own behalf we will collect the Customer Personal Data we need to provide you with the relevant product or service from to you personally. This will include (but may not be limited to):

• contact details such as name, title, email address, postal address and phone number;
• your billing and delivery information; and
• some financial information (credit card/bank details)

Legal basis for processing of Customer Personal Data

The aforementioned information will be processed under the legal bases of:

• 'performance of a contract’ (Art 6(1) b EU/UK GDPR);
• ‘legal obligation’ (Art 6 (1) c EU/UK GDPR); or
• ‘legitimate interests’ (Art 6 (1) f EU/UK GDPR).

With regards to our ‘legitimate interests’ referred to above, these would include, but are not limited to:

• The furtherance of our business operations and services;
• The furtherance of our marketing functions and initiatives;
• The pursuit or defence of any claims, rights or litigation or detection of a crime;
• Our accounting or auditing functions and reporting duties;
• The furtherance of our commercial development, strategy, planning or growth, including any business sales or transactions;
• The protection of our intellectual property rights, confidential information, security or product development;
• Monitoring and ensuring compliance with our policies, processes and procedures such as data protection & confidentiality, information security and fraud prevention and detection; and
• Staff training.

Customer Patient Data

If you are a business customer we will also collect Customer Patient Data about your patients whose samples you have asked us to analyse for you. For this to happen, your ‘Authorised Users’ upload Customer Patient Data of your patients to our HCRM. We will collect information such as your patients’ name, date of birth, gender, as well as other clinical attributes (the latter is called ‘Data Concerning Health’ under EU/UK GDPR).

When we run our data analysis on the samples you provided, we will process ‘Genetic Data’.

Under EU/UK GDPR, Genetic Data as well as Data Concerning Health of a living individual is called ‘Special Category Data’ and requires the fulfilment of at least one of the conditions in Art 9 (2) EU/UK GDPR (see below ‘legal basis’).

On the basis that your Authorised Users upload the patient information to our HCRM and we subsequently analyse your patients’ samples on your request, we are a ‘Processor’ of Personal Data and Special Category Data for you as a ‘Controller’.

If you are an individual who has come to us directly on your own behalf we will collect Customer Patient Data directly from you.

Legal basis for processing of Customer Patient Data

To the extent that any Customer Patient Data falls within the definition of Special Category Data (Art 9 EU/UK GDPR), we will process such data under the following conditions:

• ‘purposes of medical diagnosis and the provision of health care’ (Art 9(2) h EU/UK GDPR)

If you are a customer outside the EU and UK, it is most likely that the legal basis of ‘consent’ applies to our processing activities of your Customer Patient Data. You are solely responsible for ensuring that the uploading of any ‘Customer Patient Data’ to our HCRM in the cloud, and our processing of such data on your behalf, complies with Local Privacy Laws.

You agree to indemnify and hold us harmless from any and all claims, losses, damages, costs and expenses incurred and suffered by us as a result of our breach of Local Privacy Laws.

We currently process all the above information in cloud hosted servers in the UK/EU.

 

b) Provision of GALEAS Software Services (defined below in the Glossary)

If you are a business customer of our GALEAS Software Services, we may collect all of the Personal Data mentioned under a) Provision of products and/or services under our standard terms of business, plus the following additional information (together referred to in this section as ‘Customer Personal Data’):

• Website account login details (‘Authorised Users’);
• ‘Authorised Users’ email address;
• ‘Authorised Users’ Internet Protocol (IP) address (of the calling computer)
• ‘Authorised Users’ service use logs, metadata regarding operations and timestamps.

We will process this information to allow you to log onto the Nonacus portal for results and other communications, as well as to provide the GALEAS Software Services to you.

We will also collect limited information about your patients whose data has been sequenced by you and which you upload to our cloud for interpretation by our GALEAS Software Services (Input Files). We will collect information such as (pseudo-)identifiers which you have allocated to each patient for the purposes of differentiating the reports (Output File) by the GALEAS software. To ensure privacy of your Customer Patient Data and separate the Input File from the Output File, your (pseudo-) identifiers are converted into ‘Globally Unique Identifiers’ (GUIDS), generated by our cloud provider, thus removing any meaningful human readable information from the file names.

We will not attempt to (re-)identify the patients whose DNA you have sequenced.

On the basis that the information you upload to our cloud (Input Data) includes Genetic Data, we will be processing ‘Special Category Data’. We will process such information as a Processor for and on behalf of you as a Controller.

Legal basis

Any ‘Customer Personal Data’ will be processed under the legal bases of:

• 'performance of a contract’ (Art 6(1) b EU/UK GDPR);
• ‘contractual obligation’ (Art 6 (1) c EU/UK GDPR); or
• ‘legitimate interests’ (Art 6 (1) f EU/UK GDPR) (for a list of our ‘legitimate interests’ please refer to the section above).

To the extent that any ‘Customer Patient Data’ falls within the definition of ‘Special Category Data’ (Art 9 EU/UK GDPR), we will process such data as a Processor on behalf of you as a Controller under the following conditions:

• ‘purposes of medical diagnosis and the provision of health care (Art 9(2) h EU/UK GDPR)

If you are a customer outside the EU and UK, it most likely that the legal basis of ‘consent’ applies to our processing activities of your Customer Patient Data. You are solely responsible for ensuring that the uploading of any ‘Customer Patient Data’ to our servers in the cloud, and our processing of such data on your behalf, complies with Local Privacy Laws.

Specifically, you agree not to upload any ‘Customer Patient Data’ in combination with any ‘Direct Identifiers’, unless:

• the Customer Patient Data relates to patients in either the European Union or the UK;
  or
• this has been expressly agreed with Nonacus in writing;
• Nonacus has confirmed completion of its compliance checks; and
• any supplementary agreements required under Local Privacy Laws (e.g. standard contractual clauses) are in place.

You further agree to indemnify and hold us harmless from any and all claims, losses, damages, costs and expenses incurred and suffered by us as a result of our breach of Local Privacy Laws.

We currently process all of the above information on servers in the cloud (Amazon and AWS) hosted in the UK. For more information about our security measures, please refer to our ‘GALEAS Cloud Infrastructure White Paper’. If you require the hosting of this data in a different jurisdiction, please contact us to discuss and obtain a quote.

We store the information in ‘hot’ and ‘cold’ storage in accordance with our Terms of Use available on our website.

 

c) Marketing activities

Description and scope of data processing

In addition to the above, we may also receive information about you from other sources (including publicly available databases) and combine this data with information we already have about you. The gathering of such information will assist us in improving your experience, as well as identifying new product development opportunities. We will not obtain any information about you from a third party if we do not believe that the third party is acting lawfully.

Third party marketing

We will obtain your specific ‘opt-in’ consent before we share your Personal Data with any third party for marketing purposes.

Legal basis

We will process your Personal Data as an independent Controller under the following legal bases:

• ‘consent’ (Art 6(1) a EU/UK GDPR); or
• ‘legitimate interests’ (Art 6 (1) f EU/UK GDPR) (for a list of our ‘legitimate interests’ please refer to the section above).

 

d) Newsletter

Description and scope of data processing

You can subscribe to our newsletter by contacting us via: Contact us | Nonacus. The data from the input mask is transmitted to us when registering for our newsletter. The following data is collected as part of the registration process:

• Your email address
• Your Internet Protocol (IP) address (of the calling computer)
• Date/time of registration

Legal basis for data processing

The above data is processed on the basis of your ‘consent’ (Art 6(1) a EU/UK GDPR).

The data will only be stored as long as necessary to fulfil the purpose of delivering the newsletter to you. You have the right to revoke your consent, object to storing or request the deletion of your data at any time, by sending an email to: DPO@nonacus.com. For more information regarding your data subject rights, please refer to section 10 below.

 

e)Customer feedback surveys

Description and scope of data processing

We may invite you to participate in a customer feedback survey for which we will collect minimal Personal Data about you. We will only ask for such Personal Data as is necessary to fulfil the purposes of the survey.

Legal basis

The above data is processed on the basis of your ‘consent’ (Art 6(1) a) EU/UK GDPR).

We will only store the information for as long as necessary and in accordance with our retention policy. We may retain anonymised/aggregated information about you (i.e. information which is no longer attributable to you) for a longer time period where there is value in doing so.

 

f) Our website and cookies

As you interact with our website, Personal Data may be collected depending on your interactions with us. We distinguish between the data collected automatically and the data you provide to us.

We will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, server logs and other similar technologies. Please see our Cookie Policy - Nonacus for further details.

We also collect information from publicly available websites (e.g. social media sites).

We will use the aforementioned information to analyse how visitors are using our website, to show customers marketing and advertisements which are relevant to them, and to understand how successful our marketing and advertising is, including on other third-party websites.

Legal basis

We process this information as an independent Controller on the following legal bases:

• 'performance of a contract’ (Art 6(1) b EU/UK GDPR);
• ‘contractual obligation’ (Art 6 (1) c EU/UK GDPR); or
• ‘legitimate interests’ (Art 6 (1) f EU/UK GDPR).

As with most websites, we gather statistical data and other analytical information (for example, demographic information, usage data etc.) collected on an aggregated basis of all visitors to our website. We may also aggregate some information in order to drive services improvements to our products and services. Such aggregated data is not considered Personal Data under Data Protection Law as it does not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Notice.

 

g) Research

Description and scope of data processing

If we work in a collaborative relationship with you, we may collect Personal Data about key personnel involved in the research, such as basic demographic information (e.g. name, job title, function, email address, telephone number). We may also collect Personal Data about patients involved in the research, where these patients have been consented to a specific research protocol. In this case, the patient information sheet (PIS) and consent form will specify which Personal Data is being collected, for what purpose and how it is being processed.

In the great majority of cases, we are involved in research with universities or other academic institutes who share (effectively) anonymised records about patients with us. We will always notify our collaborating partner organisations if we feel that we are being asked to process Personal Data without a legal basis.

Legal basis for data processing

To the extent that we process Personal Data for research purposes, we will do so either as an independent Controller or a Processor under the following legal bases/conditions:

• 'performance of a contract’ (Art 6(1) b EU/UK GDPR); or ‘consent’ (Art 6(1) a EU/UK GDPR); and
• Condition: ‘research’ (Art 9 (2) j EU/UK GDPR) or ‘consent’ (Art 9(2) a EU/UK GDPR).

 

h) Job applicants

When you apply for a job with us, we will collect (with your consent) basic demographic information (e.g. full name, email address, phone number, residence address, birth date, nationality, professional and academic background, etc.). The information we collect will be limited to what is necessary for the role you have applied for. Special Category Data (such as race or ethnic origin) will not be necessary for the job application process. If, however, you provide such information to us, we will treat such information in strict confidence and will process this data in accordance with applicable Data Protection Laws.

Personal Data shall be kept for two (2) years from the time they are collected or from the last contact sent by the applicant, subject to any retention obligations or limitation periods.

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the applicable legal requirements, the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your personal data and whether we can achieve those purposes through other means. In some cases, by law, we have to keep basic information about our customers (including contact, identity, and transaction data) for six years after they cease being customers for tax purposes.

We have a data retention policy and retention schedule in place, and we ensure data is destroyed confidentially when we are required to do so.

In some circumstances you can ask us to delete your data: See below for further information under section 9 (‘Your Rights’).

In some circumstances we may anonymise your Personal Data (so that it can no longer be attributed to you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

If you have any queries about our retention periods you can contact us on dpo@nonacus.com.

We may disclose your Personal Data to approved laboratories, service providers, technical providers and professional advisors based in the EU as well as Non-EU Countries dependant on customer location with the following third parties:

• Service providers acting as (Sub-)Processors based in the UK, Ireland and Europe who provide IT system support and system administration services;
• Technical providers who are other entities that interact with us in connection with the services we provide;
• Professional advisers acting as Processors, (sole or joint) Controllers including lawyers, bankers, auditors and insurers based in the UK and EU who provide consultancy, banking, legal, insurance and accounting services;
• Regulators and other authorities acting as Processors, (sole or joint) Controllers based in the UK and EU who require reporting of processing activities in certain circumstances.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We conduct due diligence on all our third parties to ensure relevant security and privacy standards are met, and we ensure we hold our third parties to account via robust contractual arrangements. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

International Data Transfers

All our data is hosted in the UK/EU on secure servers. Should we engage a Processor outside of the UK/EU, we will conduct a transfer impact assessment and put ‘standard contractual clauses’ in place, unless we can rely on an adequacy finding in relation to the country where the data will be transferred to.

Customers who are located outside the EU and UK must notify us of any specific requirements under their Local Privacy Laws before engaging us.

We will use strict procedures and security features to try to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way.

We use encryption (at rest and in transit) to AES 256 standard, access controls and other features to ensure the security of your data.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

We limit access to your Personal Data to those employees, contractors, agents and other third parties on a ‘need-to-know’ basis and who are under a duty of confidentiality. We will only process your Personal Data for the purposes for which it was collected, and where we use third party processors, they are only permitted to process your data on our instructions.

For more information regarding the security of our cloud platform used for GALEAS Software Services, please refer to our ‘GALEAS Cloud Infrastructure White Paper’.

Communication, engagement and actions taken through external social media platforms are subject to the terms and conditions as well as the privacy policies held by each social media platform respectively.

If you are a user of a social media platform, you are advised to use the platform wisely and communicate/engage with it with due care and caution in regard to your own privacy and Personal Data. You should familiarise yourself with the respective privacy settings of the social media platform provider which can be adjusted to suit your preferences. For more information, please visit the ICO website.

This website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. If you intend to use such social sharing buttons, please note that you do so at your own discretion and risk, and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.

Consent and withdrawal of consent

By consenting to our processing of your Personal Data in line with this privacy notice, where this is the appropriate and identified lawful basis for processing, you are giving us permission to process your Personal Data specifically for the purposes identified in the consent form.

You may withdraw consent at any time by providing an unambiguous indication of your wishes by which you signify withdrawal of your consent to the processing of Personal Data relating to you. If you have any queries relating to withdrawing your consent, please contact our Data Protection Officer (DPO) using the contact details set out below.

Withdrawal of consent will be without effect to the lawfulness of processing based on consent before its withdrawal.

Please note that if you withdraw your consent to ‘necessary/essential’ cookies, you may not be able to use our website.

Email Newsletters

We may send a newsletter out to our subscribers. You can opt-out of receiving our email newsletter and/or marketing at any time through an automated system. This process is detailed at the footer of each email campaign. If an automated un-subscription system is unavailable, clear instructions on how to un-subscribe will by detailed instead.

Your other rights

Under certain circumstances, and dependent on the legal basis under which your Personal Data is processed, you have the legal right to:

• Request information about whether we hold Personal Data about you, and, if so, what that Personal Data is and why we are holding/using it.
• Request access to your Personal Data (commonly known as a “Data Subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
• Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
• Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
• Object to automated decision-making including profiling, that is not to be subject of any automated decision-making by us using your Personal Data or profiling of you.
• Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request transfer of your Personal Data in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.

How do you exercise your rights?

We have appointed a Data Protection Officer to monitor compliance with our data protection obligations and with this policy and our related policies. If you have any questions about this policy or about our data protection compliance, please contact the Data Protection Officer.

If you wish to exercise your rights, please contact our Data Protection Officer who will respond to the request within one calendar month.

Our Data Protection Officer can be contacted as follows:

Email: dpo@nonacus.com

Post: 5 Ridgeway, Quinton Business Park, Birmingham B32 1AF

Your Right to Lodge a Complaint

You as the ‘data subject’ have the right to complain at any time to a supervisory authority in relation to any issues related to our processing of your Personal Data. We would like to hear from you first if you have a complaint about how we use your data so that we may rectify the issue.

As our organisation is located in the United Kingdom, we are regulated for data protection purposes by the Information Commissioner’s Office.

You can contact the Information Commissioner’s Office:
Website: http://www.ico.org.uk/
Phone: (+44) 0303 123 1113
Address: Head Office - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK

Updates

Our practices as described in this Privacy Policy may be changed, but any changes will be posted, and changes will only apply to activities and information on a going forward, not retroactive basis.

You are encouraged to review this Privacy Notice periodically to make sure that you understand how any personal information you provide will be used.

We may also email you in certain circumstances to let you know if and when we update this Privacy Notice to ensure you are informed.