Privacy Policy
- Introduction
- Definitions
- Data Protection Legislation
- The information we collect
- Cookies, Analytics and Tracking Technologies
- How we use your information
- Who we might share your information with
- How long we keep your information for
- How we keep you updated on our products and services
- Giving your reviews and sharing your thoughts
- Third Party websites and links
- Children’s privacy
- Your rights over your information
- Security
- International Transfers
- What happens if our business changes hands?
- Contact Us
- Changes to Our Privacy Notice
Introduction
BAP Pharma Group Limited (inclusive of BAP Pharma Holdings Limited, BAP Pharma Limited, BAP Pharma GmbH, and BAP US, Inc., and referred to as “BAP Pharma”, “the Company”, “We, “Our” or “Us”) are committed to protecting the privacy and security of your Personal Data.
This BAP Pharma Privacy Notice applies to you if you are:
- A service user of this website (https://bappharma.com/);
- A Healthcare Professional (HCP), Key Opinion Leader (KOL) or Industry Contact (IC) to whom BAP Pharma wishes to market their products and Services;
- An employee, contractor or other associated party associated with BAP Pharma’s Clients, or prospective Clients;
- An employee, contractor or other associated party contracted by BAP Pharma’s Service Providers; or,
- Any other individual with whom BAP Pharma may conduct commercial operations.
We have developed this Privacy Notice to inform you of the data we collect, what we do with your information, what we do to keep it secure as well as the rights and choices you have over your Personal Data. It is important that you read this notice so that you are aware of how and why we are using such information.
Definitions
For the purposes of this BAP Pharma Privacy Notice:
Company (inclusive of BAP Pharma Holdings Limited, BAP Pharma Limited, BAP Pharma GmbH, and BAP US, Inc., and referred to as either “BAP Pharma”, “the Company”, “We”, “Us” or “Our” in this Agreement) refers to BAP Pharma Limited, Medina House, Globe Business Park, Fieldhouse Lane, Marlow, SL7 1TB, UK.
Clients means any natural or legal person who engages the Company to perform services, including processing Personal Data, through a contractual agreement. It refers to third-party companies or individuals which employ the Company to facilitate the Service, to provide the Service on behalf of the Client, to perform services related to the Service or to assist the Client in analysing how the Service is used. For the purposes of both UK and EU GDPR, Clients are considered Data Controllers of the Personal Data wherever they determine the purposes and means of processing.
Cookies are small files that are placed on Your computer, mobile device, or any other device by a website, containing the details of Your browsing history on that website among its many uses.
Data Controller, for the purposes of both UK and EU GDPR, refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data. For the purposes of both UK and EU GDPR, the Company is the Data Controller.
Data Processor, for the purposes of both UK and EU GDPR, refers to the Company’s Service Providers.
Data Protection Legislation, as defined in the Data Protection Legislation section below.
Device means any device that can access the Service such as a computer, a mobile phone, or a digital tablet.
Personal Data is any information that relates to an identified or identifiable individual. For the purposes of both UK and EU GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
Service refers to the Services that BAP Pharma provide to their Clients and/or the Services that BAP Pharma’s Service Providers provide to BAP Pharma. Where you are a service user of the BAP Pharma Website, the Service refers to the BAP Pharma Website unless otherwise stated.
Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company and/or Client to facilitate the Service, to provide the Service on behalf of the Company and/or Client, to perform services related to the Service, or to assist the Company and/or Client in analysing how the Service is used. For the purposes of both UK and EU GDPR, Service Providers are considered Data Processors.
Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Website refers to the BAP Pharma website, accessible from https://bappharma.com/
You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under both UK and EU GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.
Data Protection Legislation
Throughout this document we refer to Data Protection Legislation.
Where data is processed by a controller or processor established in the European Union (EU) or comprises the data of people in the European Union, it is subject to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘EU GDPR’) and the e-Privacy Directive (Directive 2002/58/EC), as well as any local data protection implementation laws. This includes any replacement legislation coming into effect from time to time.
In the United Kingdom (UK), Data Protection Legislation means the United Kingdom General Data Protection Regulation (‘UK GDPR’), the Data Protection Act 2018 (‘DPA 2018’), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) and any legislation implemented in connection with the aforementioned legislation.
BAP Pharma is the Data Controller (‘controller’) for the Personal Data we process, unless otherwise stated.
We have appointed a Data Protection Officer (DPO) to help us monitor internal compliance, inform, and advise on data protection obligations, and act as a point of contact for data subjects and supervisory authorities. For further details on how you can contact our DPO, please see the Contact Us section below.
The information we collect
We only collect Personal Data that we know we will genuinely use and in accordance with the Data Protection Legislation. The type of Personal Data that we will collect on you will depend on whether you are a user of this website; a Healthcare Professional, Key Opinion Leader, or Industry Contact; an employee, contractor, or associated party of BAP Pharma’s Clients, or BAP Pharma’s Service Providers; or any other individual with whom BAP Pharma may conduct commercial operations:
Website User†
- Your name
- Your contact information (email address)
- Your Contact Us form responses
- Your Usage Data (e.g., your IP address)
- Cookies and Tracking Technologies
Healthcare Professional (HCP), Key Opinion Leader (KOL), or Industry Contact
- Your name
- Your contact information (telephone number, email address, or mailing address)
- Your employment details
- Your opinions (e.g., opinions about BAP Pharma’s products and Services)
- Where relevant, your marketing and communications preferences
- Where relevant, your financial information (e.g., bank information)
Employees, Contractors, or Associated Party of BAP Pharma’s Clients or BAP Pharma’s Service Providers
- Your name
- Your contact information (telephone number, email address, or mailing address)
- Your employment details
- Your opinions (e.g., opinions about BAP Pharma’s products and Services)
- Where relevant, your marketing and communications preferences
- Where relevant, your financial information (e.g., bank information)
Any other individual with whom BAP Pharma conducts commercial operations
- Your name
- Your contact information (telephone number, email address, or mailing address)
- Your employment details
- Any information relevant to your relationship to BAP Pharma’s Services
† You are under no statutory or contractual requirement or obligation to provide us with your Personal Data; however, we require at least the information above in order for us to deal with you as a Service User in an efficient and effective manner.
Please note that in limited circumstances BAP Pharma act as a Data Processor for the purposes of delivering our Services to our Clients, such as by processing the Personal Data of clinical trial participants. In these circumstances, BAP Pharma will act as the Data Processor and our Clients will act as the Data Controller. For more information relating to the processing of your Personal Data for these purposes, please see the relevant transparency information provided to you by our Client.
Cookies, Analytics and Tracking Technologies
We use Cookies and similar tracking technologies to track the activity on Our Website and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyse Our Service.
You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service.
Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser. We use both session and persistent Cookies for the purposes set out below:
Strictly Necessary Service Cookies
Type: Session Cookies
Administered by: Us
Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.
Strictly Necessary Cookie Notice Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies identify if users have accepted the use of cookies on the Website.
Functionality Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.
Analytical / Performance Cookies
Type: Persistent Cookies
Administered by: Third Parties
Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new pages, features, or functionality of the Website to see how our users react to them.
Below is a list of the cookies that we use. We have tried to ensure this is complete and up to date, but if you think that we have missed a cookie or there is any discrepancy, please let us know.
Cookie Name | Cookie Type | Cookie Purpose |
hasConsent | Strictly Necessary Cookie Notice Cookies | To determine if visitor has accepted or rejected the analytical / performance cookies. |
_ga, _gid, _gat_gtag_[code] | Analytical / performance | To allow Google Analytics to identify unique users across browsing sessions. |
__qca __ssid _fbp _ga _gcl_ vimeo_cart vuid | Analytical / performance | Vimeo playback tracking. |
We and the third parties we work with use cookies and similar tracking technologies to collect information about your use of the Services, such as your IP address, browser type, browser version, pages viewed, time spent on pages, links clicked and conversion information. This information may be used by us and others to, among other things, analyse and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on the Services and other websites, provide customer support, troubleshoot issues with and improve the operation of our Website and Services, and better understand your online activity.
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.
You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visits activity. For more information on how Google collects and processes data click here. To opt out of tracking by Google Analytics, click here.
For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en
How we use your information
We will only process your Personal Data when the law allows us to do so.
Where we have collected your Personal Data, we will have provided you with our lawful basis for processing your Personal Data at the point the information was initially collected from you.
Where we received your Personal Data from a third party, we, or a third party operating on our behalf, will have contacted You to provide You with the lawful basis and other transparency information.
We will not store, process, or transfer your data unless we have an appropriate lawful reason to do so.
Under Data Protection Legislation, the lawful bases we rely on for processing your information are:
- GDPR Article 6(1)(a) – your Consent; *
- GDPR Article 6(1)(b) – We have a Contractual Obligation;
- GDPR Article 6(1)(c) – We have a Legal Obligation;
- GDPR, Article 6(1)(d) – In order to protect the Vital Interests of You or a third party;
- GDPR, Article 6(1)(e) – We have a Public Interest; or,
- GDPR, Article 6(1)(f) – We, or a third party, have a legitimate interest.
* Where the lawful basis for processing is Consent, you are able to withdraw your consent at any time. You can do this by contacting our DPO using the contact details provided in the Contact Us section below.
Where BAP Pharma is the Data Controller, we may use your information for the following purposes:
Processing Activity | Lawful Basis |
Where you are an employee of BAP Pharma’s Clients or Service Providers, to collect information from you or your employer and make available our Services to your employer | Legitimate Interest in managing BAP Pharma’s affairs |
Where you are an employee of BAP Pharma’s Clients or Service Providers, to collect information from you or your employer and take payment from you or your employer, make a payment to you or your employer, give you or your employer a refund, or request a refund | Contractual Obligation |
Where you are an employee of BAP Pharma’s Clients or Service Providers, to collect information from you or your employer and liaise with you or your employer about your contact details and/or the nature and performance of your work, as required | Legitimate Interest in managing BAP Pharma’s affairs |
To collect information from you and monitor, provide, and maintain our Service | Legitimate Interest in providing BAP Pharma’s Services to you |
To contact you following your enquiry where you have provided your contact information and to reply to any questions, suggestions, issues, or complaints, including any Data Subject Requests, about which you have contacted us | Legitimate Interest in providing BAP Pharma’s Services to you |
To collect your Usage Data in order to power our security measures and services so you can safely access our website and other Services | Legitimate Interest in providing a secure Website |
To contact you, where you have provided your contact information, about news and information relating to our Services through service messages | Legitimate Interest in contacting you about our Services |
Business-to-Business (B2B) direct marketing to you about our products and Services, where you have provided your contact information to Us or a third party and where you are classified as a ‘corporate subscriber’ under UK PECR and/or the e-Privacy Directive | Legitimate Interest in marketing our Services to you |
Business-to-Business (B2B) direct marketing to you about our similar products and Services, where you have previously provided your contact information to Us in the context of a sale and where the ‘soft opt-in’ applies under UK PECR and/or the e-Privacy Directive | Legitimate Interest in marketing our Services to you |
Business-to-Business (B2B) direct marketing to you about our products and Services, where you are a sole trader, partnership, or otherwise classified as an ‘individual subscriber’ under UK PECR and/or the e-Privacy Directive and/or the ‘soft opt-in’ does not apply under UK PECR and/or the e-Privacy Directive | Your Consent |
To retain any accounting information generated during the course of our interaction for statutory accountancy retention periods | Legal Obligation |
To respond to and defend against legal claims, where you or a third party has provided us with information which may give rise to legal claims | Legal Obligation |
To act in your vital interest, or in the vital interest of a third party | Vital Interest |
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
In certain circumstances, BAP Pharma may act as a Data Processor for the purposes of delivering our Services to our Clients. In these circumstances, BAP Pharma will act as the Data Processor and our Clients will act as the Data Controller. For more information relating to the processing of your Personal Data for these purposes, please see the relevant transparency information provided to you by our Client.
How long we keep your information for
We retain a record of your Personal Data in order to provide you with a high quality and consistent service. We will always retain your Personal Data in accordance with the Data Protection Legislation and never retain your information for longer than is necessary. BAP Pharma follows a Retention Schedule which outlines how long BAP Pharma will retain your Personal Data. BAP Pharma considers the retention period to begin from the point at which BAP Pharma last contacted you or otherwise reviewed your record to determine whether it was still active, unless otherwise required by law. As such, unless otherwise required by law, your data will be retained for the period specified in the summarised table below and then securely deleted in accordance with our internal policies and procedures.
Purpose | Retention Period |
Processing data in relation to You as a service user of this website (https://bappharma.com/) | 1 year following your last interaction with our Website |
Processing data in relation to marketing our Services to You as a Healthcare Professional, Key Opinion Leader, or Industry Contact | 6 years following our last contact with You |
Processing data in relation to You as an employee, contractor or other associated party contracted by BAP Pharma’s Clients or Service Providers | 6 years following the termination of your employment or our last contact with You |
Processing data in relation to You as any other individual with whom BAP Pharma may conduct commercial operations | 6 years following our last contact with You |
How we keep you updated on our products and services
We make every effort to ensure that we only send such communications to those acting in a business capacity and do not intentionally send such materials to consumers via personal communicational channels (e.g., personal email addresses). If you believe we have contacted you via a personal email address in error, please contact our DPO using the contact details provided in the Contact Us section below.
Please note that we do not require your Consent to send ‘service messages’ which act solely to update you about any news or changes to the Services we currently provide to you.
Where we directly market our products and services to you, we will only do so where you have either previously provided your Consent for that purpose, or where we have a Legitimate Interest in doing so and you have not opted out of receiving these communications.
All direct marketing email communications will have an option to ‘unsubscribe’ at the bottom of each email. If you wish to amend your marketing preferences, you can do so by following the unsubscribe link in the email and updating your preferences accordingly. When you do so, you communicate to us that you withdraw your consent, or otherwise opt out of receiving direct marketing communications going forward. Alternatively, you can contact our DPO using the contact details provided in the Contact Us section below.
Giving your reviews and sharing your thoughts
When using our website and other third party Services, you may be able to share information through social networks like Facebook and Twitter. For example, when you ‘like’, ‘share’ or review our Services. When doing this, your Personal Data may be visible to the providers of those social networks and/or their other users. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts so that you are comfortable with how your information is used and shared on them.
Third Party websites and links
Our Website may contain links to other sites operated by third parties. The Company does not control such other sites and is not responsible for their content, their privacy notices, or their use of Personal Data. The Company’s inclusion of such links does not imply any endorsement of the content on such sites or of their owners or operators except as disclosed through the Services. Any information submitted by you directly to these third parties is subject to that third party’s privacy notice.
We expressly disclaim any and all liability for the actions of third parties, including but without limitation to actions relating to the use and/or disclosure of Personal Data by third parties.
Children’s privacy
We do not seek or knowingly collect any Personal Data about children under 13 years of age. If we become aware that we have unknowingly collected Personal Data from a child under the age of 13, we will make commercially reasonable efforts to delete such information from our systems.
If you are the parent or guardian of a minor child who has provided us with Personal Data, you may Contact Us using the information below to request that it be deleted.
Your rights over your information
The right to be informed about our collection and use of personal data;
You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
Right to Access Your Personal Data
You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes termed ‘Data Subject Access Request’. If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed.
We would ask for proof of identity and sufficient information about your interactions with us that we can locate your Personal Data.
If you would like to exercise this right, please Contact Us as set out below.
Right to Rectify Your Personal Data
If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it.
If you would like to exercise this right, please Contact Us as set out below.
Right to Erasure
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where we have a legal obligation to retain your Personal Data.
If you would like to exercise this right, please Contact Us as set out below.
Right to Restrict Processing
You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain circumstances.
If you would like to exercise this right, please Contact Us as set out below.
Right to Portability
The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them you the right to request that a controller transmits this data directly to another controller.
If you would like to exercise this right, please Contact Us as set out below.
Right to Object
You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation.
If you would like to exercise this right, please Contact Us as set out below.
Rights Related to Automated Decision-Making
You have the right to object to our processing where a decision is made about you solely based upon automated processed and which has significant or legal effects. BAP Pharma does not intend to conduct any automated decision-making for your Personal Data.
If you would like to exercise this right, please Contact Us as set out below.
For more information about your privacy rights
In the UK, the Information Commissioner’s Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website, which you can access here: https://ico.org.uk/for-the-public.
You can make a complaint to the ICO, or any other supervisory authority, at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.
Depending on your jurisdiction, it is possible that a different regulator or supervisory authority may govern the processing of Personal Data. Your government’s website should be able to point you in the right direction of the relevant regulatory body. If you are located in the European Economic Area, you can find information about your country’s regulatory body here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
If you have any questions about which supervisory authority applies in your jurisdiction, please Contact Us as set out below.
Security
Data security is of great importance to BAP Pharma. We have put in place appropriate technical and organisational measures to prevent your Personal Data from being accidently lost, used, or accessed in an unauthorised way, altered, or disclosed.
We take security measures to protect your information including:
- Limiting access to our buildings and resources to only those that we have determined are entitled to be there (by use of passes, keys, and other related technologies);
- Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law;
- Implementing access controls to our information technology; and,
- Deploying appropriate procedures and technical security measures (including encryption, anonymisation, and archiving techniques) to safeguard your information across all of our systems.
International Transfers
Your Personal Data is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to Devices located outside of Your state, province, country, or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction. In particular, when BAP Pharma shares your Personal Data with affiliate BAP Pharma legal entities, your Personal Data would be stored and processed within third countries. Where this occurs, BAP Pharma will ensure that:
- the security and confidentiality of your Personal Data is secure at all times;
- any Data Controller receiving your Personal Data has entered into an agreement with BAP Pharma which contains standard data protection clauses as required by UK GDPR and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer; and,
- any Data Processor receiving your Personal Data has entered into an agreement with BAP Pharma which contains the required Data Processor clauses as well as standard data protection clauses as required by UK GDPR and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer.
Where you are based in the UK or EU and we are required to transfer your Personal Data out of the UK or EU to countries not deemed by the ICO or European Commission (as relevant) to provide an adequate level of Personal Data protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contracts containing standard data protection clauses approved by the ICO or European Commission (as relevant) providing adequate protection of Personal Data. Where we rely upon standard data protection clauses, we have conducted a transfer impact assessment into the risks associated with any international transfer of your Personal Data. You can obtain a copy of the standard data protection clauses documentation by contacting our DPO identified in the Contact Us section below.
What happens if our business changes hands?
We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any Personal Data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.
Contact Us
If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this Privacy Notice or the way your Personal Data is processed, please contact our Data Protection Officer (DPO) by one of the following means:
By email: [email protected]
By telephone: +4402037971289
By post: The DPO Centre Ltd., 50 Liverpool Street, London, UK, EC2M 7PY
Changes to Our Privacy Notice
Thank you for taking the time to read our Privacy Notice.
We may change this Privacy Notice from time to time (for example, if the law changes). We recommend that you check this Privacy Notice regularly to keep up to date.
This Notice was last updated on 2024-05-07