Privacy policy

GAMA Website Privacy Notice ('notice')

v.2.0 effective September 23rd 2020

www.gamahealthcare.com

Our Website. Your Privacy.

Welcome to GAMA Healthcare’s Website Privacy Notice.

We know you value your privacy. And when you make an enquiry, give us feedback, apply for a job or visit our website to learn more about us, you shouldn’t have to worry that we’re learning more than we need to about you, or using your personal data in ways that make you uncomfortable. 

About GAMA Healthcare Ltd.

GAMA Healthcare Ltd. is part of the GAMA Corporation Ltd. (UK) group of companies. We are registered as a data controller (registration no. ZA308362) with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. This Notice is issued on behalf of our UK-based entities: GAMA Healthcare Ltd., Carell Ltd., and Aga Nanotech Ltd. (UK), and Fellows Research Centre Ltd. (UK), so when we refer to ‘GAMA’ we refer to this group of companies. 

About This Notice

This notice describes how and why we collect the personal data of: 

  • Website visitors

  • Candidates, Freelancers, Agency Workers, Consultants

  • Product users

  • Distribution Partners

  • Business customers or prospects

It describes our privacy commitment and explains how we comply with data protection law. You should read it along with any other notices we’ve provided in specific contexts, for example at a conference. 

We’ll alert you to important changes to our privacy notice by posting them here or contacting you directly where appropriate. For more information please contact privacy@gamahealthcare.com.

Our Privacy Commitment

We’re committed to protecting the privacy and security of your personal data, only processing what’s necessary, and ensuring we strike the right balance between our business objectives and your privacy. We want to ensure you understand your rights and our responsibilities. We process your personal data: 

  • Lawfully: Only if we can justify it on one of the GDPR’s Lawful Bases (see Lawful Bases table below).

  • Fairly and transparently: we strike the right balance between our interests and yours and we tell you what we do with your personal data.

  • For a specific purpose: we won’t use your personal data for another incompatible purpose unless the law permits or requires us to.

  • Using the least amount reasonably necessary.

  • Ensuring it is accurate, complete and up-to-date.

  • For a limited time: Only for as long as reasonably necessary, and then we either destroy it or de-identify it so it can’t be linked back to you.

  • Securely: managing our people and designing our processes and technology to ensure end-to-end confidentiality, integrity and availability.

  • With your rights in mind: We make it easy for you to exercise your rights (see table below).

  • Within the UK/EEA: we don’t transfer your personal data outside the EEA except as permitted under Data Protection Law. We use appropriate safeguards to ensure consistent protection by third parties who support our work. Find out more in the Your Data At-a-Glance table below.

Privacy FAQs

Who can I contact with questions or complaints or to exercise my rights?

You can contact our Privacy Manager to ask questions, express concerns or exercise your rights via e…

What information do you have about me? Why do you need it? What do you do with it?

The information we process about you will depend on our relationship and how we interact. For exampl…

How do you get all of this information? Don’t you need my consent for all of this?

We get most information directly from you, for example when you fill out a form, or indirectly, for …

Do you share my information outside of GAMA?

Sometimes we need to share your information outside GAMA, for example with vendors who support us. W…

What about Third-Party Content?

Find out more about third parties we use to support our website by clicking on the ‘Manage cookie pr…

Do you use Automated decision-making (‘ADM’)?

ADM involves a computer making a decision without human involvement that could have significant lega…

Do you collect sensitive information, like my health data? Aren’t there restrictions on this?

‘Special Data’ like health-related information or information revealing your religion, ethnicity or …

How do you strike the right balance when you rely on Legitimate Interests?

We conduct Legitimate Interests Assessments (LIA’s) whenever we rely on Legitimate Interests and, wh…

What happens if you can’t get this personal data?

If we can’t process this personal data, or if it’s inaccurate, it will be difficult to optimise your…

Is my personal data secure?

We’ve implemented measures to prevent your personal data from accidental loss, unauthorised use, acc…

Lawful Bases Table

Lawful basis | What this means
Consent | You have given us permission, which you can withdraw at any time. We need your Explicit Consent to process sensitive data like health-related data (Special Data) or to transfer your Personal Data outside the EEA where we don’t have another basis for doing so, or for any Automated Decision Making (‘ADM’) that has significant legal or other effects unless an exception applies.
Legitimate interests | To help fulfil a legitimate business objective (see the ‘We use this data to...’ column of the Your Data At-a-Glance table) after confirming we’ve only used what’s reasonably necessary and proportionate to meet that objective and struck the right balance between our interests and yours (LIA).
Contractual necessity | To enter into or fulfil our contract, including to generate a quote.
Legal obligation | To comply with the law (e.g. tax reporting).
Vital interests | In rare instances where one of the others don’t apply but we need your personal data to protect your vital interests or those of another person. Highly unlikely.

Additional Conditions for Special Data and criminal records data

Below are the additional conditions we may rely on to process your Special Data along with examples:

Special Data Conditions | Examples
To fulfil legal obligations and exercise specific rights in connection with workplace health and safety and employment laws or monitoring of products for safety issues. | Use information about possible COVID status or exposure; to provide adjustments for candidates; to record Adverse Reactions to a product.
To meet workplace diversity / equal opportunities requirements | Use statistics about e.g. race, ethnicity, gender reflected in our workplace to monitor and achieve workplace diversity, equal opportunity / pay under equal opportunities laws.
To establish, exercise or defend legal claims | To defend ourselves against a wrongful dismissal, personal injury or discrimination claim.
To protect your vital interests or those of another person | Get the help of medical professionals, your emergency contact or bystanders in a life-threatening emergency (e.g. a severe allergic reaction, heart attack).
Where you have made the information manifestly public | E.g. you are the public face of an advocacy group promoting LGBT rights (sexual orientation) or a religious community association (religion) or you publicly self-identify as such.

Your Data Rights

You have various rights with respect to your personal data:

Right | What this means
Access | Receive a copy of the personal data we hold about you and confirm we’re lawfully processing it by making a Data Subject Access Request (DSAR). It’s free of charge unless your request is clearly unfounded or excessive.
Rectification | Ask us to update, complete or correct your personal data at any time if you detect an inaccuracy. In fact, we encourage you to do so.
Portability | Get any personal data you’ve given us in electronic form on the basis of Consent (or Contractual Necessity) in a common machine-readable format. We can also transfer it to a third party if you ask.
Erasure | Ask us to delete or remove personal data where there is no good reason or Lawful Basis for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to Objection. We are allowed to refuse in certain circumstances. Find out more, here.
Objection | Object to any processing we do based on Legitimate Interests. You also have the right to object where we are processing your personal data in certain circumstances.
Automated processing | Not to be subject to ADM that has significant legal or other effects.
Restriction | Suspend the processing of some of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
Withdrawal of consent | Withdraw consent at any time and we will stop processing it unless we have another legitimate basis for doing so in law. Where we rely on your consent we also explain how you can easily withdraw it.

We will need to confirm your identity and your right to access the information or exercise any of your other rights. This is to prevent personal data being disclosed to anyone who has no right to receive it. You can find out more about your rights by visiting the Information Commissioner’s Office website.

Your Data At-a-Glance (Website Visitors)

We want to learn what brings you to our website, what products, services and information interest you, how you engage with our content, what worked… and what didn’t. But we also want to respect your privacy and your choices. Right now, we’re focused on the bigger picture, not the individual website visitor’s activity. So we only collect what we need to help us get a general understanding of how our visitors engage with our website and we make it easy for you to manage your preferences using Metomic, our privacy platform.

We don’t process a lot of personal data about our website visitors. As we continue to develop our site and begin to use different tools to measure engagement, we may find we need more personal data or prefer a more personalised approach, but we’ll let you know and make sure you’re okay with this. Note that our services are not intended for children and we do not knowingly collect data relating to children. Find detail about our website data collection and manage your preferences using our Metomic Cookie Widget.

When you... | We use this data to... | We get it from... | We rely on (Lawful Basis) | We share it with... | It's stored in... | We keep it for this amount of time...
Set your cookie preferences | Cookies & other technologies to remember your preferences and collect proof of consent. | The selections you make (opt-in or out). | Legal obligation | Metomic | UK | See our cookie widget
Visit our site from Australia | IP Address (to detect you are in Australia) to direct you to the correct site where information approved for Australian audiences is found. | Your router | Legal obligation | IP Stack | We don't store it. | We don't store it.

Get full details in our Metomic Cookie Widget. Click on the ‘Manage cookie preferences’ link in the webpage footer.

Categories of Personal Data (Website Visitors):

Category of Data | Details
IP address | Internet Protocol address.
Browser Data | Browser types and version.
OS | Operating System and platform.
Device ID | Device ID, MAC address.
Location | Location – we generalise location to country-level or region.
Time Zone | Time zone setting.
Cookies & other technologies | We use a cookie widget on our website powered by Metomic which details the cookies we use and allows website visitors to manage their preferences. Manage your preferences and find out more at any time by clicking on the ‘Manage cookie preferences’ link in the webpage footer.
Web analytics | Standard internet log information and visitor behaviour patterns obtained using Google Analytics and Hotjar. We get aggregated statistics of: pages visited; time on page; interactions / clicks and related information; traffic and exits; the page that referred you to our site. We also use Hotjar to get anonymised session recordings, heat maps, and other information.

Your Data At-a-Glance (Candidates, Freelancers & Agency Workers & Interns) - under revision

We process personal data to support our talent management activities, from advertising positions and seeking out potential candidates, to screening your application, to creating a shortlist, to convening you for an interview, reviewing your fit, making an offer, negotiating the contract and welcoming you to GAMA. Over the course of these activities we also aim to satisfy any special needs you may require.

When you... | We use this data to... | We get it from... | We rely on (Lawful Basis) | We share it with... | We keep it for this amount of time...
See one of our job adverts or are contacted by a recruiter | Application; Social Media; photo; internet search: see privacy notices of the recruiters you engage with. Impressions Work Product Statistics (number applied, length of campaign, etc.): to measure campaign effectiveness. | MaxAd; LinkedIn. MaxAd advertises jobs on the major job boards, job aggregator sites & social media. It also proactively searches its own CV database & major job boards, specialist sites & social media (incl. Total Jobs, Job Site, CV Library, Monster, Reed, Indeed, LinkedIn) to find potential matches. MaxAd can see all the Impressions with the job ad but generates anonymised statistics & metrics to share with GAMA to ensure campaign success. | Legitimate Interests | MaxAd | 6 months from the end of the recruitment phase.
Apply for a position | Application; Social Media; photo; internet search: to get an overall sense of you as a candidate. | MaxAd; LinkedIn. You have either given your Personal Data to MaxAd directly by uploading your CV or MaxAd received it indirectly from the above sources. Or you apply through GAMA’s website using our processor Natural HR’s widget. MaxAd uses Vacancy Filler as its processor for uploading CVs. For other data, GAMA only gets access to what MaxAd shares with us. See ‘Vetting’, below. | Contractual Necessity | MaxAd. We give MaxAd access to GAMA’s Job Board accounts to do its search, post our job ad; deal with applications & monitor campaign success. Vacancy Filler (to upload CVs). HR staff can access all applications. Hiring managers can only access those for their own vacancies when HR staff share it through Natural HR or the Recruitment Site, or via PDF. | 6 months from the end of the recruitment phase.
Reviewing your Application | Application; Social Media; photo; internet search; references: to get an overall sense of you as a candidate | MaxAd; LinkedIn; You. GAMA HR staff may access your profile in our Job Board accounts searching name, industry, employer, etc. Your privacy settings determine what we see, but it’s generally only your profile. Note that LinkedIn profiles usually include your photo. Natural HR: stores personnel data but also has a widget for candidates to securely upload their applications when they apply directly through our website. | Contractual Necessity | MaxAd (who will vet job ad responses). Natural HR (the processor that operates our HR database). | 6 months
Are being vetted for a position | Name; Contact; Application; Social Media; Photo; Correspondence: to advance your application. | MaxAd: MaxAd reviews potential matches to find the applications that are the best fit & triages them based on requirements for the role. MaxAd contacts promising potential matches to ask more detailed questions as part of the vetting process. Creates a shortened list to give to GAMA for review. GAMA creates a Natural HR candidate profile (if not already created) to administer the recruitment process & documentation. | Contractual Necessity | MaxAd shares with GAMA. Natural HR for administering applications & process. | 6 months
Attend an interview | Name; Contact; Application; Work Product (MaxAd & GAMA – interview notes); Reasonable Adjustments: to ask you questions, get a sense of ‘fit’ and get additional information. | GAMA reviews the applications internally to create an Interview List - from MaxAd, Recruitment Manager & Hiring Manager. Directly from you (for Reasonable Adjustments + correspondence + answers to interview questions). Second interview with Managing Director. | Contractual Necessity. Legal Obligation (employment law) + Art. 9(2)(b), GDPR + Sch. I, Pt. 1(1), DPA 2018 for Special Data | Natural HR for administering applications & process & capturing notes. | 6 months
Undergo an assessment | Name; Contact; test date; test result; Interview (Assessor): to confirm you have the skills, knowledge or qualities for the role. | We send you a link from the assessment provider (Skills Arena) via email & you do the test directly with them. We assess your grammar & numerical reasoning. Candidates for more senior roles also do a psychometric test (Hogan Assessment) administered by Syzygy + interview with assessor. | Contractual Necessity. | Natural HR for administering applications & process & capturing notes | 6 months
Undergo reference & background checks | Referee Contact; Application; Referee Correspondence. | You. | Contractual Necessity. | Natural HR for administering applications & process & capturing notes | 6 months
Receive an offer | Name; Contact; Application; DBS Check results (clear or not); Offer Letter with Compensation, Benefits, etc; Correspondence: to make you a conditional offer and answer questions, negotiate some aspects of the offer. | A conditional offer will be made for a role that requires a successful DBS check (e.g. Sales). We offer you the job & negotiate the details. We ask you to fulfil any additional pre-conditions & verify your information. | Contractual Necessity. Legal Obligation (DBS) | Natural HR for administering applications & process & capturing notes | 6 months. DBS check: report result & code are logged and original (if we receive it) is disposed of promptly.
Don’t receive an offer | Application | We inform you that you have not been selected. We retain your Application long enough to defend against legal action. | Legal Obligation. Contractual Necessity. Legitimate Interests for job bank | Natural HR (processor) | 3 months for all (in case of complaint). Job bank: up to 12 months in case a new position arises, though you can object.
Undergo Right to Work due diligence | Right to Work: to confirm you are legally entitled to work with us. | You. References. Background check services. | Legal Obligation | Natural HR; Background Check services | Up to 3 months if no pass. For duration of employment + retention period if successful.
Make it official | Employment details. Declarations / Acknowledgments | You (signature). HR. | Contractual Necessity | Natural HR | For duration of employment + retention period.

Categories of Personal Data (Candidates, Freelancers & Agency Workers & Interns):

Category of Data | Details
Acknowledgments | Signed acknowledgments of key documents (e.g. this notice, the Data Privacy Charter, the Health and Safety Policy). These are usually tracked through our HR platform – Natural HR.
Agency Contract | Name and Contact. Agency name. Key terms (rate, hours of work, payment details).
Application | Work history, cover letter, LinkedIn profile, profile on recruitment sites, test results, interview notes, references, samples of work (if provided) and other information relevant to your application.
Bank | Bank account and transaction details.
CCTV | CCTV footage both inside the premises and at the entrances / exits and immediate surroundings, where applicable.
Claims / Expenses | Claims for business and travel expenses with supporting documents.
Company ID | ID badge, employee ID number, photograph.
Company Name | Freelancer or consultant’s company name.
Compensation | Your rate (hourly, daily, deliverable).
Consultancy Contract | Project proposal, scope of work, deliverables, rate, start / end dates (duration), Name and Contact of individual(s) who will do the work, company name, consultant’s title, etc.
Contact | Postal address, email address and telephone numbers, next-of-kin name.
Correspondence | Emails, letters, text messages.
COVID-Related | COVID-related data, e.g. temperature checks, symptom questionnaires, reports of possible exposure, contact tracing info (if on premises).
Departure | Reason for departure (e.g. term ended; contract / project cancelled etc.). Conditions of departure (if any), e.g. non-disclosure agreement.
Emergency contact | Next-of-kin or other individuals you would like us to contact in the event of an emergency if you provide them. It is your responsibility to inform them of the purpose for the information and bring this notice to their attention.
Entry/Exit | Key fob records of entry/exit to the premises. People: for employees entering and exiting using. Parking: for entry/exit to the parking for parking pass holders.
Feedback | Feedback anyone shares with GAMA that may relate to you or your role, or feedback that you share.
Health & Safety | Health-related Special Data, e.g. self-assessment and any adjustments requested, accident logs for Health and Safety (kept in the Accident Book and Treatment Record where it occurred), Health and Safety Committee decisions relating to you specifically or an incident involving you (e.g. injury).
Invoices | Invoices, day / hourly / project rates, VAT number, billing information, Bank Data, remittances for freelancer in Company Name or own name (as applicable), or in Agency name for Agency Workers.
Name | First name, last name.
Performance | Metrics / KPIs attributable to you, your team or your project (e.g. sales numbers, website content clicks / downloads, complaints resolved), company distinctions or awards attributable to you or your team.
Photo(s) | Image(s) of an Individual or group of Individuals.
Reasonable Adjustments | Special Data about e.g. religious or philosophical beliefs, race / ethnicity, sexual orientation information or Health-Related Special Data (e.g. disabilities, allergies) if you provide it when making a request for a reasonable adjustment under the Equality Act 2010. Our Lawful Basis is Legal Obligation (Art. 6(1)(c), GDPR) and the condition we rely on to process Special Data is the employer’s obligation in employment law (Art. 9(2)(b), DPA 2018, Sch. I, Part 1(1), DPA 2018).
Social Media | Profiles, posts, handles, likes, articles, other activity; your personal blogs or website if: we’re connected to you on LinkedIn or other social media channels; or you share your social media URL / handle or web address(es); or it’s been brought to our attention (e.g. in the context of a workplace bullying complaint). You can generally control what and how you share and with whom in your social media settings.
Technical / IT | Details of your corporate IT and network access and usage – Internet protocol (IP) address, browser activity, username and credentials (login data), access logs, remote login details, device ID for mobile devices, corporate mobile device usage data, software application usage (e.g. documents you have created, edited, uploaded to Dropbox plus metadata from document uploads, edits: time and date, document type, title, last modified date and created by details), e-signatures.
Training Records | Training logs: proof of attendance (e.g. e-learning modules for privacy, security, H&S), completion / non-completion and pass/fail details or grades for mandatory training (e.g. GDPR training).
Voice recordings | For example, in a training video if you provide voice over.
Work Product | GAMA work product generated by or attributable to you: Internal and external communications with other employees, customers, prospects; documents, content or work product you create or edit that is or can reasonably be associated with you in relation to your tasks (diaries, address books, other documents of any description, external storage, files, mobile phones or computers) of any kind relating to the Company’s business. Contributions to or Impressions of Company Social Media, website, or other communications or media activity attributable to you (e.g. creating, sharing or liking a post from our Twitter account using your own Social Media profile).

Your Data At-a-Glance (Product Users, Business Customers or Prospects and Distribution Partners)

We mostly sell our products and services to businesses or organisations who either use the products themselves (e.g. hospitals and surgeries) or to other resellers who then sell to other organisations or directly to product users. We have Distribution Partners across Europe and in other parts of the world. They may engage in their own research (lead generation) to identify potential customers. We instruct them to collect only the personal data required to fulfil these objectives and to ensure any processing is consistent with Data Protection Law. We also engage in lead generation activities to identify Prospects who may become Business Customers.

We are legally required to monitor and report any issues with our products (e.g. adverse reactions), so even where we do not have a direct relationship with a Product User, a Product User may contact us with a complaint or concern and we will need to capture that personal data for regulatory compliance purposes.

If you are a Distribution Partner, Business Customer or Prospect, we also collect a small amount of personal data about you as required to generate leads and manage our relationship.

When you... | We use this data to... | We get it from... | We rely on (Lawful Basis) | We share it with...
Enquire about a product or service | Contact; Correspondence. | You. | Contractual Necessity | Our processors: it’s logged in our systems. We use the Office 365 suite and an enterprise version of Dropbox to maintain records, and SAP to manage our supplies.
Make a complaint or register a concern | Adverse Reactions; Complaints / Concerns; Contact; Correspondence: content of your complaint. | You; Distribution Partners | Legal Obligation | Our processors: as above. Regulator: in a form that doesn’t identify you.
Make a purchase through Amazon | Contact; Name; Purchase details: to fulfil your order | Amazon dashboard | Contractual Necessity | Amazon; our Amazon agent.
Leave a review or publicly comment on our products | Reviews; Name; Contact (if provided) | Amazon; our social media sites | Legitimate Interests | Our processors: as above.
Place an order for your company or organisation or to resell | Purchase Details | You. | Contractual Necessity | Our processors: as above.
Contact us or respond to us when we contact you as a prospective Distribution Partner or Business Customer | Contact; Correspondence; Social Media; conference participant list | You (your business card or Correspondence); Conference Organisers; Social Media searches (e.g. LinkedIn) | Legitimate Interests | Office 365 (Outlook; Teams)
Submit your sales numbers | Performance | You; GAMA Sales Director(s); regional sales data. | Legitimate Interests | Office 365; SAP.
End or suspend our relationship | Correspondence; Complaints / Concerns; Reviews | You | Contractual Necessity (re termination); Legitimate Interests (e.g. Reviews) | Office 365 (Outlook; Teams); DropBox.

Categories of Personal Data (Product Users, Business Customers & Distribution Partners):

Category of Data | Details
Adverse Reactions | Details of any adverse reactions reported in relation to one of our products. We suppress the name and contact information for reporting purposes.
Bank Details | Details of any bank account where payment is to be made.
Company / Organisation Name | If you are a Distribution Partner operating through an incorporated entity or partnership or a Business Customer (e.g. purchasing on behalf of your hospital, surgery, commercial entity).
Complaints / Concerns | Details of your complaint or concern and how it was resolved.
Contact | Postal address, billing address, email address and telephone numbers. For Business Customers and Distribution Partners, this will generally be your professional (company) contact details.
COVID-related | COVID-related data, e.g. temperature checks, symptom questionnaires, reports of possible exposure, contact tracing information (if on premises).
Correspondence | Emails, letters, text messages.
Distribution Partner Agreement | Contract terms including key details such as Contact, Compensation/Payment, Bank Details.
Invoices | Invoices, day / hourly / project rates, VAT number, billing information, Bank Data, remittances in Company Name or own name (as applicable).
Name | First name, last name.
Performance | Metrics / KPIs attributable to you, your team or your project (e.g. sales).
Purchase details | Quantity and type of item ordered. Notes regarding your account (for Business Customers, Distribution Partners).
Reviews | Any reviews you leave on Amazon or social media or similar sites or that you provide directly to us (e.g. by calling customer service if you are a Product User or speaking with your Sales representative if you are a Business Customer or Distribution Partner).
