Website: Privacy Information Notice
On 25th May 2018 the European Union’s General Data Protection Regulation (GDPR) EU/2016/679 came into effect and replaced all existing UK and EU data protection law. The GDPR is enforced in the UK by the Information Commissioner’s Office (ICO). It will continue in force after the UK leaves the EU.
The GDPR is concerned with the collection, processing and security of Personal Data and it gives individuals rights to know what data is held, how it is held, why it is held and to request that it be amended, transferred or destroyed or that the processing of it be restricted.
Personal Data is any information about you which used alone, or combined with other information, would enable someone to identify you.
Microarray recognises its obligation to comply with GDPR and will ensure that Personal Data:-
• is processed fairly, lawfully and in a transparent manner
• is processed for specified purposes only
• is relevant to what it is needed for
• is accurate and kept up to date and is not kept longer than is needed
• is processed in accordance with the rights of individuals
• is kept securely.
Microarray is registered with the ICO as the Data Controller under reference number ZA314698.
Why we need to process your Personal Data
Microarray has to have a reason or reasons for processing your Personal Data – in GDPR this is called a Lawful Basis. Microarray has identified its Lawful Bases as follows:-
You have provided us with clear given consent for us to process your personal data for a specific purpose.
We need your Personal Data to enable us to carry out the work that we have agreed to do for you.
Legitimate Interest Basis
There will be occasions on which we need Personal Data from someone with whom we do not have a contractual agreement in which case we will be using that Personal Data on the basis that such processing is necessary for our legitimate interests or the legitimate interests of the business partner or customer.
Legal Obligation Basis
We also need Personal Data to fulfil our statutory and regulatory requirements.
Special Category Data
The GDPR also lists special types of Personal Data that require special treatment – these are called Special Category Data, and include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health and data concerning sex life or sexual orientation.
In accordance with the GDPR, on the rare occasions that Microarray has to process Special Category Data, as well as satisfying one of the above, Microarray will notify you of its need to process this data type and will ensure that this data is only processed if you have given explicit consent.
If you choose not to provide Personal Data when requested to do so, including, on rare occasions, that which is defined as Special Category Data, we will have to consider whether we can work together.
How we process your Personal Data
Microarray will only process Personal Data, in accordance with applicable law, for the following purposes:
• Access to/consultation of a contacts database containing personal data;
• Sending promotional emails. *
• Storing IP addresses or MAC addresses.
• Video recording (CCTV).
• Administration purposes.
• Ethics and compliance.
• Supplier screening.
• IT administration.
• Responding to your queries, requests and other communications.
• Providing you with technical advice and associated services.
• Enabling us to fulfil our obligations to our business partner or customers (if you are not our business partner or customer).
• Developing and improving our business, products and services.
Your Personal Data is held in electronic form and hard copy.
*Microarray undertakes very little marketing and rarely contacts individuals to advertise services. If and when it does, it does so in ways that are proportionate and have minimal privacy impact.
Our website – www.microarray.co.uk – uses one cookie, functioning as an analytical tool (this allows us to recognise and count the number of visitors to our site and to determine whether they’re humans and not spam bots). A cookie is a small text file that is downloaded onto a computer or smartphone when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences. Cookies are not enabled on our website unless you give express consent (a banner appears on the web page) and therefore unless you consent, the cookies will remain disabled. You therefore have control over whether they are to function or not. Further information is available on our legal information page (see below).
The types of Personal Data that we process
Microarray processes some or all of the following for business partners or customers and for others in respect of whom such Personal Data is required to enable us to carry out the required work for business partners or customers:
• Business partners’ or customers’ data, such as:
• Job title
• Email address
• Contact Number
• Mobile Number
• Name of Department
• Work location
• Work Address
• Contract Details
• Planned days of leave
• Supervisor ID/Name
• Contractual Details
• Bank Details
If required to enable us to carry out our contractual or legal obligations or for our or your legitimate interests, we will also collect information relating to Special Category Data, having received your prior consent to do so.
Who we pass data to?
In order to satisfy our contractual or legal obligations or for our or your legitimate interests, we may from time to time pass Personal Data to third parties or other bodies to whom we are obliged by law to pass Personal Data (subject always to any overriding rights of business partners or customers confidentiality).
If we pass your Personal Data to another legal business or organisation for the purposes of a sale, merger or any other reason, we will ask for your specific consent to do so.
Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the data is used in a manner consistent with this notice and that the security and confidentiality of the data is maintained.
Who gives us Personal Data
Business partners or customers may give us the Personal Data of other individuals to enable us to carry out work for the business partners or customers. We will hold such Personal Data securely but will only contact that individual to give them the information contained in this Privacy Information Notice if we have requested the information directly from them ourselves i.e. we will ask them for their specific consent to do so.
International transfers of your Personal Data
We do not transfer your Personal Data to any country outside the EU, unless it is necessary to enable us to fulfil our contractual obligations with you, and in such event, we would ask for your specific consent to transfer such information.
How long do we keep your Personal Data?
We will keep your Personal Data for the length of your contract/agreement or time working with us plus an additional 6 years after the end date. Data will only be retained as long as it is needed for business purposes. Once it no longer has any business purpose or value it will be securely disposed of.
We destroy data as described within the Microarray Data Retention and Disposal Policy (2018) and therefore once the retention period has expired, the Personal Data will be destroyed or deleted on the next such occasion.
How do we keep your Personal Data safe?
We take all reasonable precautions to prevent the loss, misuse or alteration of the Personal Data that you give us. Personal Data is held securely in an electronic format (if possible, and where appropriate, with pseudonymisation and encryption), only on fully updated company computer systems, with secure servers. Access to this information will be limited to specified employees.
Please note that for ease of use and compatibility, communications will not be sent in an encrypted form unless you require it and provide the information to enable us to communicate with you in that way. E-mail, unless encrypted, is not a fully secure means of communication; please bear this in mind when providing Personal Data by e-mail.
Your rights (including your right to object to our processing your Personal Data).
The GDPR gives you a number of rights and Microarray will comply so far as it is able, with any requests that you make in this respect.
Right of access (sometimes also called a subject access request)
• You have the right to obtain a copy of your Personal Data – this can help you understand how and why we are using your Personal Data and check that we are doing so lawfully.
• You have the right to obtain confirmation from us that we are processing your Personal Data.
Right of rectification
• You have the right to have Personal Data rectified if it is misleading or incorrect.
Right to erasure (sometimes called the right to be forgotten).
You have the right to have your Personal Data erased if:-
• It is no longer needed for the purpose for which we originally collected or processed it.
• There is no overriding legitimate interest to continue this processing.
• We have processed the Personal Data unlawfully.
• We have to comply with a legal obligation.
Right to restrict processing
• You have the right to restrict the way that we use your Personal Data.
• This is usually for a limited period e.g. if you have asked us to investigate the accuracy of the Personal Data that we hold, you may also request that we cease processing it.
• During this time, we will not process the Personal Data but will simply store it.
Right to data portability
• If we have a contractual relationship with you, or carry out processing by automated means, you have the right to request that we transfer your Personal Data to you or to another data controller in a structured, commonly used and machine-readable format.
• This enables you to use and re-use your Personal Data across a number of different IT environments in a safe and secure way.
Right to object
You have the right to request us to stop processing your Personal Data if:-
• it is used for direct marketing
• the lawful basis is legitimate interests i.e. you are not the business partner or customer but a third party – if there are legitimate grounds to continue processing the Personal Data which override your interests, the request will be refused.
If you wish to make a request in respect of any of these rights, you may contact us by post, e-mail or by telephone. We may then contact you to confirm the nature of the request and we may possibly ask you for ID to ensure that we do not disclose Personal Data to the wrong person. We will then comply with your request within one month of receiving it or of receiving further details or ID if required. We will provide the information in whatever form you require but please note that we cannot give you remote access to our server. We will not charge a fee unless the request is manifestly unfounded or excessive or if you have previously requested and received the same information. We will not provide information about your Personal Data if the request comes from a third party unless that third party provides evidence of its authority to make such a request on your behalf.
If you wish to lodge a complaint with a supervisory authority
If you have a complaint, we would very much hope that you would first raise it with us, as we would welcome the opportunity to sort it out. However, if we cannot do so or if you wish to raise the matter direct with the ICO, the contact details are set out below.
Keeping you informed
This Notice is held on the Microarray website and at the start of every new matter you will be directed to our website. At the same time you will be offered the chance to receive it in hard copy. Microarray reviews the content of this Notice and its associated policies regularly and if we have an ongoing matter with you, we will notify you of any updates.
For queries about the content of this Privacy Information Notice or for further information or to make a request, please contact our Data Protection Officer Stuart Collyer:
Colworth Science Park,
If you wish to contact the ICO, the details are as follows:
0303 123 1113
Information Commissioner’s Office,
(updated March 2019)