Privacy Policy

British Medical Group (BMG) respects your privacy and is committed to protecting your personal data.

BMG is the parent company for Virologica Ltd. Each company under BMG is a separate legal entity. However, this policy covers all companies under the BMG heading.

This privacy policy tells you what to expect when Virologica Ltd collects personal information and is intended to inform you about your privacy rights and how the law protects you. It applies to information we collect about:

  • visitors to our websites.
  • healthcare sector clients, suppliers, contractors and other business associates.
  • patients and healthcare providers who use our technologies in a healthcare setting.
  • job applicants and our current and former employees.

1. General information

Virologica Ltd is incorporated and registered in England and Wales. The registered office and address of Virologica Ltd is The First Floor, 82-88 Bateman House, Hills Road, Cambridge, Cambridgeshire CB2 1LQ. This privacy policy is issued on behalf of the BMG Group so when we mention BMG, “we”, “us” or “our” in this privacy policy, we are referring to the relevant companies in the BMG Group responsible for processing your data. We will let you know which entity will be the controller for your personal data at the point that we collect it.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

DPO contact details

(These contact details should be used if you are contacting Virologica Ltd and are based in the United Kingdom or outside of the European Union (EU) and European Economic Area (EEA)):

  • Virologica Ltd
  • Email address: [email protected]
  • Postal address: The First Floor, 82-88 Bateman House, Hills Road, Cambridge, Cambridgeshire CB2 1LQ
  • Telephone number: +44 1223 656565

If we have processed or are processing your personal data, you may be entitled to exercise your rights under GDPR in respect of that personal data. You can exercise your rights in respect of your personal data using the details set out above.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

2. The data we collect about you

What personal data do we collect?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data including, but not limited to, first name, last name, username or similar identifier, marital status, title, date of birth, gender.
  • Contact Data including, but not limited to, address, email address, telephone numbers.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details about payments to and from you.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Profile Data includes your username and password, preferences, feedback.
  • Usage Data includes information about how you use our website and services.
  • Sensitive Data includes health information and personal information about your employment record and other sensitive details pertaining to your personal history and preferences.
  • Marketing and Communications includes, where we elect to communicate with you for marketing purposes in your capacity as a healthcare sector client, supplier, contractor or other business associate, information on your communication preferences. If we do send you marketing emails you will always be able to unsubscribe.

As a medical device and research company we do sometimes collect and process Sensitive Data about you. When we do this, we will always obtain your express consent.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel the contract you have with us, but we will notify you if this is the case at the time.

How is your personal data collected?

We use different methods to collect data from and about you including through:

a. Direct Interactions

You may give us your personal data when you are required to. This includes personal data you provide when you:

  • Become an employee or supplier, or apply for any position at Virologica Ltd as an employee or contractor.
  • Are a customer.

b. Visitors to our websites

When someone visits our websites, we use a third-party service, SQUARESPACE, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow SQUARESPACE to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

This website is not intended for children, and we do not knowingly collect data relating to children.

To find out about the privacy notice for BMG please go to www.bmg.eu

Use of cookies by BMG

As you interact with the BMG website (www.bmg.eu), we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this data by using cookies. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. BMG uses a session cookie during your visit to the website which is deleted when you close your browser.

To find out about use of cookies for our websites please go to www.squarespace.com

Security and performance

BMG uses a third party service to help maintain the security and performance of the www.bmg.eu, www.c-i.co.uk, www.protect.co.uk and www.virologica.co.uk websites. To deliver this service it processes the IP addresses of visitors to the website.

c. People who email us

We use Microsoft BitLocker to encrypt and protect email traffic in line with government recommended best practice. It has Microsoft Defender which blocks most malicious messages.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

d. People who contact us by phone

Where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

3. Processing Your Data

How your personal data is used

BMG will only use personal data when legally allowed. Typical reasons include:

  • Contractual necessity – to perform a contract with you.
  • Legitimate interests – for business purposes, provided your rights do not override these interests.
  • Legal/regulatory compliance – when required by law.

Purposes of processing

Purpose/Activity | Type of Data | Legal Basis
Allow patients and healthcare providers to use BMG technologies | Identity, Contact, Sensitive Health Info | Contract with healthcare provider, contract with you, public interest in health research, regulatory compliance
Manage relationships (notify changes, request feedback, business communications, provide services) | Identity, Contact, Profile, Marketing & Communications | Contract, legal obligation, legitimate interest
Administer and protect business/websites (maintenance, security, reporting) | Identity, Contact, Technical | Legitimate interest, legal obligation
Improve website, products/services, marketing, customer experience | Technical, Usage | Legitimate interest
Suggest products/services | Identity, Contact, Technical, Usage, Profile | Legitimate interest
Recruitment (job applications) | Identity, Contact, Sensitive Data | Legitimate interest, legal/regulatory requirements, contract

Use of data processors

  • Third-party providers carry out certain services.
  • They only act under BMG’s instructions.
  • Sub-processors must comply with GDPR and keep data secure.

Recruitment specifics

Data collection

CV, contact info, references, identity, qualifications, right-to-work, bank details, emergency contacts. Agencies may provide additional info if applicable.

Usage

Assess suitability for role, communicate about application, regulatory/legal purposes.

Retention

  • Successful applicants: employee file + 6 years after employment ends.
  • Unsuccessful applicants: data may be retained temporarily; assessment notes retained 6 months post-campaign.

Decisions

Made by hiring managers using all application info. Applicants can inquire about decisions through recruitment contacts.

Employees

BMG acts as data controller for employee-provided data unless otherwise stated.

4. Disclosure of your personal data

We may have to share your personal data with the parties set out below:

  • Internal Third Parties: other group companies within BMG.
  • External Third Parties:
    • Service providers who provide support services, IT, and system administration services.
    • Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
    • Data controllers where BMG is acting as a data processor.
    • Employee personal information may be shared with clients if required for legitimate business reasons.
    • HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.
  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties that provide elements of services for us. We may have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

In some circumstances we are legally obliged to share information, for example under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.

5. International Transfers

Personal data controlled or processed by BMG and collected in the UK may be disclosed/transferred outside of the UK subject to UK ‘adequacy regulations’ in relation to the country or territory where the receiver is located, or subject to ‘appropriate safeguards’ being put in place such as a legally binding and enforceable instrument, UK Binding Corporate Rules, Standard Contractual Clauses etc., and subject to the data subject having unambiguously consented to the disclosure/transfer.

Personal data controlled or processed by BMG and collected in the EU may be disclosed/transferred outside the European Economic Area (EEA) subject to EU ‘adequacy decision’ by the European Commission in relation to the country or territory where the receiver is located, or subject to ‘appropriate safeguards’ being put in place, and subjects having unambiguously consented to the disclosure/transfer.

Personal data controlled or processed by BMG and collected outside of the UK and the EU may be disclosed/transferred outside of the country in which they were collected subject to ‘transfer compliance mechanisms’, including the EU-US Privacy Shield framework and other country-specific data protection regulations, or subject to ‘appropriate safeguards’ being put in place, and subjects having unambiguously consented to the disclosure/transfer.

6. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

7. Data Retention

How long will we use your personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. A record of BMG’s processing activities involving personal data is maintained via a Data Processing Log / Record of Processing Activities (ROPA).

In some circumstances you can ask us to delete your data: see ‘Right to erasure’ below for further information.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) or pseudonymise your personal data (so that it can no longer be associated with you without the use of additional information) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

8. Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data.

  • Right of access to your personal data (commonly known as a “Data Subject Access Request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. If you make such a request, we will:
    • Give you a description of it
    • Tell you why we are holding it
    • Tell you who it could be disclosed to
    • Let you have a copy of the information in intelligible form
    • Protect data provided to you as a response to your Subject Access Request at a level appropriate to the sensitivity of the information
  • Right to rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Right to erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Note, however, that this right of erasure does not apply to personal data collected as part of the health and care research studies that we undertake. Also, we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Right to restriction of processing of your personal data where you are concerned about the accuracy of the data or how it is being used. If necessary, you can also stop us deleting your data. Together, these opportunities are known as your ‘right to restriction’. You may ask to limit the use of your data rather than delete it if the data is processed unlawfully but you do not want it deleted, or the data is no longer needed but data is needed for legal claims.
  • Right to object to processing of your personal data where we are relying on a Legitimate Interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Right to data portability of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent nor prevent us from continuing to process personal data collected in the course of a health research study. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact our DPO as set out in section 1.

No fee usually required – You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you – We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond – We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

9. Complaints or queries

BMG tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy policy was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of BMG’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the DPO as set out in section 1.

Disclosure of personal information – In many circumstances we will not disclose personal data without consent. However, when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies.

10. Effective Date

We keep our privacy notice under regular review. This privacy notice was last updated on 1st January 2024.