MediSupplies Ltd are committed to processing personal data transparently, responsibly, and in compliance with GDPR - the latest legislation surrounding data protection.
- We will use details collected during the order process to fulfil your order, create a web account and for direct marketing in the future.
- Our lawful basis for processing is based on direct marketing being a legitimate interest.
- We will ensure that there is minimal risk of harm or distress from our direct marketing by taking steps to put data subjects in an equivalent position to consent, and by making unsubscribing/managing preferences simple and accessible. Marketing will be related to previous purchases with us or be relevant in a general B2B context, if applicable, to the best of our reasonable knowledge.
- We will also use personal data for profiling and analysis purposes. We use a limited amount of automated software to make decisions for the purposes of direct marketing.
- We are committed to only using the minimum amount of personal data necessary. We have concluded that the data we collect is the minimum amount we require to fulfil orders and conduct direct marketing.
- We have implemented robust security protocols for the storage of all personal data and have various IT security accreditations.
- We will not sell personal data to any companies outside of MediSupplies Ltd or its parent group Poole Bay Holdings Ltd.
- We will conduct necessary due diligence with any third-parties involved in the processing of personal data and only use established, reputable and compliant partners to the best of our reasonable knowledge.
- We will ensure that a data subject’s fundamental rights and freedoms are respected at all times.
- We may also use data for the purposes of ongoing fraud prevention.
- We may also contact you to inform you of any open baskets we are holding open for you.
1) MediSupplies Ltd & Your Data
Thank you for choosing to purchase from MediSupplies Ltd. We value the trust of our customers and strive to respect your privacy when handling data relating to the use of our websites and transactions performed on our websites.
This policy describes how we collect personal data about you, the type of data we collect, how this data is used and how you, a valued customer, can control the use of your data by MediSupplies Ltd.
2) What Data Do We Collect?
In order to process orders and ensure the best possible levels of service, we collect certain personal and company information when you make a transaction. This includes:
- Your Title
- Your Name
- Your Company’s Name
- Your Delivery Address
- Your Payment Address
- Your Payment Details (please note we do not retain this information as all transactions are done via a secure connection with an established payment provider)
- Your Email Address
- Your Telephone Number
- Browsing & Shopping Activities
3) How We Use Your Data
We will primarily use your data to:
- Keep you updated on the status of your order
- Fulfil delivery of your order
- Contact you if there is a query regarding your order
- Contact you in relation to product and / or website reviews
- Verify your identity or perform security and credit checks in relation to larger orders or orders placed via Purchase Order
- Assist with any customer queries
- Create a web account to give you better control and management of your data, whilst providing additional fraud prevention benefits
- Enable functionality of Apps relating to MediSupplies Ltd businesses
- Enable functionality of Reward Schemes
- Contact you to inform you of any open baskets we are holding open for you (this is where you may have inputted details but failed to complete your order).
In addition, your data including Payment Address and Payment Details will be shared with relevant and reputable third-party banking providers including PayPal, Amazon Payments, Apple Pay and SagePay in order to verify and authorise your payment so your order can be processed. All third-parties used to process payments are under strict obligation to ensure your personal information is kept private.
Details shared are only used by both parties in order to confirm the customer is who they claim to be for fraud prevention. For credit card payments, we will never store card details and only store a ‘token’ which is recognised by SagePay and is a representation of the data stored by them. This token allows us to confirm with SagePay that the card is valid and able to be used in the purchase. For PayPal payments, we do not send any personal data before the order is complete. When PayPal is selected as the payment option, we send a session ID to PayPal and once successfully logged in to their system, the customer authorises PayPal to share their details with us from PayPal. At this point those details are used to complete the order with us. We may then send final address details to PayPal when they confirm the order has been received for continued Fraud Prevention. The same is true of Amazon Payments and Apple Pay, where the customer logs in to these third-party providers and confirms with them that their details may be shared with us in order to complete the transaction. We then may share details of the order back to these providers for continued Fraud Prevention.
Cookies are small text files that are placed on your computer by websites that you visit. Cookies are a kind of short term memory for the web. They are stored in your browser and enable a site to 'remember' little bits of information between pages or visits. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
Other cookies that are in use on this website assist us with learning which parts of our websites need additional improvements for the betterment of our users. They also gather website testing results so we can ascertain statistical significance that changes to the site are beneficial to our users.
Information stored in the cookies that are issued by the site is not personally identifiable by us. The value stored in the cookies is an anonymous identifier, which is not linked to any other personal information you may give us during your visit.
We share cookie data with advertising and analytical providers such as Google, Bing and Facebook for the purposes of conducting online analysis and making improvements to our websites. The information stored in the cookies also assists us to market to you with more relevant online advertising.
If you do not wish to receive these cookies you can easily and safely disable them in your browser, though doing so may affect the functionality of our website to the detriment of your browsing experience.
4) Direct Marketing
a) Legitimate Interests
We operate on an opt-out basis as we rely on ‘legitimate interests’ as a lawful basis for processing personal data.
We will process your personal data for the purposes of direct marketing of similar products and services from within MediSupplies Ltd in the future, unless you take the opportunity to opt out of direct marketing upon completion of your first order with us, or unsubscribe at any point.
We do however acknowledge that we deal with some private individuals, and that individual employees of companies who input personal data whilst dealing with us have the right to be informed and the right to object to direct marketing. We have therefore put in place a number of controls to put our customers in an equivalent position of control to consent, and to minimise the potential for harm or distress that any unwanted direct marketing could cause. We have concluded these steps to be reasonable and effective in balancing our interest of direct marketing with customers’ rights and expectations under GDPR.
More information on our legitimate interests assessment and justification for the above is available on request.
- In order to improve our direct marketing efforts, we use carefully vetted third-parties to profile our data (further information is available on request). This helps us to ensure that the data we hold is accurate and up to date. It also helps us to classify private individuals and businesses more accurately, which in turn helps us make marketing decisions that are more appropriate to the customer, thus minimising the potential for harm or distress.
- The selected partners we work with in order to profile our data have been subject to due diligence checks, hold various accreditations and are also subject to a strict data sharing agreement that prevents the data being illegally sold on to other companies for the purposes of marketing.
- We also use automated software to make decisions based on buying history with us and send direct marketing material using personal data. For example, we may send an automated email 1 year after your first purchase with us. In order to minimise the risk of any potential harm or distress, these communications are marketing emails that can be unsubscribed from under the same unsubscribe link as all other marketing emails.
Further information on profiling is available on request.
c) What You May Receive
The privacy of your personal data is of the highest importance to us. We will not share or sell your personal details to any company outside of MediSupplies Ltd or our parent group for the purposes of sending direct marketing, only to profile data in the interests of accuracy as explained above.
Unless you have requested not to receive promotional material from MediSupplies Ltd, have unsubscribed, or chosen to opt out at the point of purchase, we may use your personal information to provide you with other relevant offers and details of promotions relating to your transaction history. We may contact you in a number of ways using the personal data supplied when placing an order which includes:
We may also contact you to inform you of any open baskets we are holding open for you (this is where you may have inputted details such as email address but failed to complete your order). We do this for customer convenience as typically this occurs because of a technical fault. By keeping baskets open, customers can return to their purchase seamlessly without having to manually select products all over again. These can be unsubscribed from using a normal unsubscribe link; this will also unsubscribe you from all marketing emails from that website.
You may also receive postal marketing from other businesses within our parent group. You can unsubscribe from this by emailing our customer services team at firstname.lastname@example.org with “NO MAIL” as the email subject.
d) ‘Ship To’ Records
- We understand that many organisations may purchase from a central office and have their order delivered to a different address, such as an individual branch or office. We term a different address entered within the ‘delivery address’ section of an order as a ‘ship to’ record.
- We will use both billing and delivery address details for the purposes of direct marketing under legitimate interests as in these cases, we are unable to distinguish who has driven the purchasing decision; those who ordered the goods, or those who received them.
- If you choose to opt out of marketing at the point of ordering, you will be opting out the details obtained within the billing address. If you wish to also opt out any details used for the delivery of goods, you can contact us using any of the methods listed below.
- If you have received direct marketing from us because your details have been used for the delivery of an order, you can unsubscribe or manage your preferences as normal.
- We may contact ‘ship to’ records via email, post or telephone.
e) Prospect Data
- We will occasionally buy or rent prospect business data lists from accredited data brokers to market our products to. A prospect is defined as someone who has not purchased from us before. We have a number of controls in place to reduce any harm or distress that may arise from marketing to a prospect list.
- When selecting data lists and brokers, we will have exercised due diligence with regards to checking that data subjects have had their data processed lawfully and that either they have given consent or there is a valid legitimate interest in place. Data brokers will need to demonstrate to us that any data we buy or rent from them is accurate, up to date and valid for the purposes of direct marketing.
- We will select data based on the profile of other customers who purchase and use our products so that any direct marketing we send is of interest and within the scope of consent or a legitimate interest. We only select business to business data in an effort to minimise any impact on private individuals wherever possible.
- In the interests of transparency, all prospect emails will include details of where we have obtained the data from and what data we hold. In the interests of fairness, emails sent to prospect data will include a clear unsubscribe link to avoid any future electronic direct marketing communications.
- In the interests of responsibility, we will pass all complaints from any prospects receiving direct marketing as part of a prospect list to the data broker who provided us with the data. Should a significant enough volume of complaints arise, we will discuss the viability of ongoing use of that list with the broker.
- We may contact prospect records via email, post or telephone.
- The personal data we may store and process as part of a prospect list may include name, company name, job title, company address, email address and phone number.
5) Data Retention & Security
When someone places an order with us, or requests a quotation or catalogue, their details will be inputted to our ERP system and be stored on secure servers.
All customer personal data is stored on secure servers employing extensive security measures to ensure it remains fully protected at all times. All servers used for data storage are also physically secured and provided by reputable companies that meet the highest standards of security.
We do not store any payment card information on any of our own servers.
General Retention Periods
MediSupplies Ltd will retain customer data for as long as is reasonable and necessary. For the purposes of direct marketing, ongoing customer profiling, suppression management and fraud prevention this may be a permanent basis.
However, we do acknowledge that private individuals purchase from us and under GDPR we have an obligation to ensure that data is kept up to date and accurate. We take this seriously and therefore have a number of controls in place to ensure that data can be amended easily, and that we take steps to ensure out of date data is not used for direct marketing.
More information on retention periods and the steps we have taken to keep data up to date is available on request.
During The Retention Period
MediSupplies Ltd may use retained customer data for the purposes of ongoing direct marketing as well as enhancing the user experience and customer service. The data we collect and use:
- Company’s Name
- Delivery Address
- Payment Address
- Email Address
- Telephone Number
- Browsing & Shopping Activities
We will store the details securely and back them up daily to secure cloud based servers provided by reputable data storage specialists.
We may use data for the purposes of preventing fraud in the future.
We may use data to enhance commercial analysis, customer profiling and improve targeting of future direct marketing.
Customers may unsubscribe from any marketing communication at any time. Their data will still be stored on the system and on secure servers. They will be flagged as not to be marketed to, but their data may still be used for fraud prevention, analysis and generic profiling purposes.
‘Gone away’ or out of date data will be kept on our system but will be suppressed from future marketing efforts.
Expiration Of The Retention Period
There is currently no expiration of the retention period – all data is held in perpetuity as has been deemed reasonable and necessary – further information is available on request.
MediSupplies Ltd will not collect more personal data than the bare minimum for the purposes of direct marketing. Nor will we retain irrelevant information. We have concluded that the data we collect during the order process is the minimum amount we require in order to conduct direct marketing.
6) Managing Your Personal Data And How It Is Processed
As a valued customer and in line with GDPR, you have full control over your data and how it is used by MediSupplies Ltd. We offer a number of ways our customers can manage their personal data in order to ensure that our interest of direct marketing does not override fundamental rights and freedoms or fall outside of a data subject’s expectations.
Your right to object and your right to restrict processing:
Respecting your rights is important to us. We have no desire to send marketing material that is intrusive or not of interest.
To remove your data from email marketing:
Follow the “unsubscribe” link contained within all communications from MediSupplies Ltd
Email our customer services team at email@example.com with “NO ESHOTS” as the email subject
Log in to the ‘My Account’ section on this website to manage your marketing preferences. An account is created for you at the point of order for your convenience. This account is created using only the data which we require to fulfil your order and does not require additional information other than an email address to exist.
Click the ‘manage my preferences’ link contained within all communications from MediSupplies Ltd
To remove your data from Postal marketing:
Email our customer services team at firstname.lastname@example.org with “NO MAIL” as the email subject
To remove your data from Telephone marketing:
Email our customer services team at email@example.com with “NO PHONE” as the email subject
To remove your data from All marketing activity:
Email our customer services team at firstname.lastname@example.org with “REMOVE” as the email subject.
Updating Your Details – Your Right To Rectification
Should any of the information you have provided to us change, or require amending, please let us know the correct details by sending an email stating "Change Details" as the email subject, to email@example.com.
By sending a letter to MediSupplies Ltd, Unit B, Sharp Road, Poole, Dorset BH12 4BG.
By phoning our customer services team on 0800 160 1621 and stating the details you would like to rectify
Log in to the ‘My Account’ section on this website to manage your personal details. An account is created for you at the point of order for your convenience. This account is created using only the data which we require to fulfil your order and does not require additional information other than an email address to exist.
Subject Access Requests – Your Right To Access
We respect an individual’s right to access any personal data that we hold on them. As such we have an internal process in place in order to handle subject access requests expediently and in accordance with GDPR requirements.
MediSupplies Ltd will:
- Provide a copy of the information free of charge. However, we will charge a reasonable fee based on administrative costs when a request is manifestly unfounded, excessive, or repetitive.
- Provide a response within one month of receipt.
- Take reasonable steps to verify the identity of the person making the request.
- Provide the information in a commonly used electronic format.
- Where possible, we will provide the information in a secure self-service system, such as a private link to the information hosted on a secure server.
Deletion Of Personal Data – Your Right To Erasure
We respect an individual’s right to delete any personal data that we hold on them.
We recommend that a global suppression may be of more benefit to a data subject as opposed to a deletion. This is where we still store a minimal amount of an individual’s personal data on our system, but mark it as not to be processed for any purpose. This is because it may be that we market to someone that has previously been deleted as part of a prospect list, which would obviously cause undue distress; however, there would be no way for us to avoid it as we will have no record of the deleted details to suppress against.
Keeping the minimal amount of personal data we need in order to ensure that we do not contact an individual again may therefore be a preferable option. In this case we will explain to the data subject and offer a clear choice.
Third-Parties We May Share Your Data With To Fulfil An Order:
- Direct or ‘Drop-Ship’ Suppliers: Some products we sell may be shipped directly from a supplier to the customer. Where this is the case we will need to pass on invoice and delivery names and addresses in order to fulfil the order. We will have processes and documentation in place with our drop-ship suppliers which will demonstrate our due diligence in checking that they will handle and dispose of any personal data in accordance with GDPR. We will also have strict agreements in place with regards to the processing of personal data.
- Credit reference agencies: When we offer instant credit, we reserve the right to use personal details inputted during the order process in the interests of fraud prevention and to ascertain credit worthiness. These will always be reputable companies and be subject to strict agreements in place with regards to personal data (further details are available on request). Credit referencing typically only involves company information and is not personally identifiable, as we only extend credit options to established UK businesses.
- Payment gateways: Your data including a Session ID, Payment Address and Payment Details will be shared with relevant and reputable third-party banking providers including PayPal, Amazon Payments, Apple Pay and SagePay in order to verify and authorise your payment so your order can be processed. All third-parties used to process payments are under strict obligation to ensure your personal information is kept private. Where possible, only the minimum amount of data is shared in order to verify the customer’s identity for fraud prevention. In many cases, the customer gives the third-party approval to share details with us in order to complete the order. Once this is complete, it is only at this point we confirm personal details with them for continued fraud prevention.
- Couriers: We despatch orders via a number of established couriers; this involves passing name and address details used for delivery in order to fulfil the order.
- Mailing Houses: When mailing catalogues, we provide the company responsible for sending the mailing a list of names and addresses for the catalogue circulation. These files are always password protected and the mailing houses themselves are under strict obligation to only use data for the purposes of fulfilling a catalogue mailing on our behalf. Further details are available on request.
7) Data Breaches
MediSupplies Ltd have a breach reporting procedure in place and in the unlikely event of a breach, will act as per requirements under GDPR.
Sale Of Business
9) Group Company Ownership
MediSupplies Ltd is a subsidiary of Poole Bay Holdings Ltd. Any data that is obtained through your relationship with MediSupplies Ltd is used only for ongoing order management or marketing with MediSupplies Ltd and will not be used by the parent company Poole Bay Holdings or any of its other subsidiaries.