This website, www.MedicalTravelCompared.co.uk (“the Website”) is owned and operated by Medical Travel Compared Ltd (“us”, “we”) a private limited company registered in Gibraltar (Company number 111831) whose registered address is: 1st Floor, Grand Ocean Plaza, Ocean Village, Gibraltar.
Medical Travel Compared is a trading name of Medical Travel Compared Ltd, which is authorised and regulated by the Financial Services Commission, reference number FSC1248B.
Our Responsibility To Protect Your Data
1. General Points
- 1.1 The Board of Directors and management of Medical Travel Compared Ltd are committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the “rights and freedoms” of individuals whose information Medical Travel Compared Ltd collects and processes in accordance with the General Data Protection Regulation (GDPR).
- 1.2 Compliance with the GDPR is described by this policy and takes into consideration our connected processes and procedures.
- 1.3 The GDPR and this policy apply to all Medical Travel Compared Ltd’s personal data processing functions, including those performed on clients’, employees’, suppliers’ and partners’ personal data, and any other personal data that Medical Travel Compared Ltd processes from any source.
- 1.4 Our Data Protection Officer is responsible for reviewing our processes, procedures, policies and guidelines on a half-yearly basis in the light of any changes to Medical Travel Compared Ltd’s activities (as determined by management review) and to any additional requirements identified by means of data protection impact assessments.
- 1.5 This policy applies to all staff, suppliers and partners of Medical Travel Compared Ltd, including outsourced suppliers and partners. Any breach of the GDPR will be dealt with under Medical Travel Compared Ltd’s disciplinary policy and, if a criminal offence has been committed, the matter will be reported as soon as possible to the appropriate authorities.
- 1.6 Partners and any third parties working with or for Medical Travel Compared Ltd, and who have or may have access to personal data, will be expected to have read, understood and to comply with this policy. No third party may access personal data held by Medical Travel Compared Ltd without having first entered into a Data Security and Confidentiality Agreement, which imposes on the third party obligations no less onerous than those to which Medical Travel Compared Ltd is committed, and which gives Medical Travel Compared Ltd the right to audit compliance with the agreement.
2. Responsibilities and roles under the General Data Protection Regulation
- 2.1 Medical Travel Compared Ltd is a Data Controller under the GDPR.
- 2.2 Top Management and all those in managerial or supervisory roles throughout Medical Travel Compared Ltd are responsible for developing and encouraging good information handling practices within Medical Travel Compared Ltd; responsibilities are set out in individual job descriptions.
- 2.3 Medical Travel Compared Ltd’s Data Protection Officer is Kate O'Sullivan CDPO, who can be contacted at email@example.com. As required by the GDPR, the Data Protection Officer is an advisor to Medical Travel Compared Ltd and is accountable to the Directors of Medical Travel Compared Ltd for the management of personal data and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:
- 2.3.1 development and implementation of the GDPR compliance measures required by this policy; and
- 2.3.2 security and risk management in relation to compliance with the policy.
- 2.4 Compliance with data protection legislation is the responsibility of all Employees/Staff of Medical Travel Compared Ltd who process personal data.
- 2.5 Medical Travel Compared Ltd’s Training Policy sets out specific training and awareness requirements in relation to specific roles and of staff generally.
- 2.6 All staff at Medical Travel Compared Ltd are responsible for ensuring that any personal data is accurate and up-to-date.
General Data Protection Regulation
3. Data protection principles
- 3.1 All processing of personal data must be conducted in accordance with the data protection principles as set out in Article 5 of the GDPR. Medical Travel Compared Ltd’s policies and procedures are designed to ensure compliance with the principles.
The GDPR states that:
- 3.2 Personal data must be processed lawfully, fairly and transparently
- 3.2.1 Lawful – Consent is reinforced by the contract for services put in place between Medical Travel Compared Ltd and the data subject: it is necessary for Medical Travel Compared Ltd to hold personal data in order to perform that contract, as set out in Article 6(1)(b) of the GDPR.
- 3.2.2 Fairly – Medical Travel Compared Ltd will make certain information available to data subjects as soon as practicable following a request from the data subject. This applies whether the personal data was obtained directly from data subjects or from other sources.
- 3.2.3 Transparently – Medical Travel Compared Ltd aims to provide all details about the personal data it holds and its reasons for processing in a transparent way. If you are unclear about any aspect of our work or our policies, please get in touch with our Data Protection Officer, who is named in 2.3 above.
- 3.3 Personal data must be adequate, relevant and limited to what is necessary for processing
- 3.3.1 Medical Travel Compared Ltd collects only as much personal data from individuals as is necessary for the processing purposes described above.
- 3.3.2 All data collection forms and methods have been reviewed by our Data Protection Officer and have been deemed to be fair methods of collection.
- 3.3.3 Our Data Protection Officer will ensure that, on a half-yearly basis all data collection methods are reviewed to ensure that collected data continues to be adequate, relevant and not excessive.
- 3.4 Personal data must be accurate and kept up to date with every effort to erase or rectify without delay
- 3.4.1 Medical Travel Compared Ltd, as Data Controller, will review and update data within our systems as necessary. No data is kept unless it is reasonable to assume that it is accurate.
- 3.4.2 Our Data Protection Officer is responsible for ensuring that all staff are trained in the importance of collecting accurate data and maintaining it.
- 3.4.3 It is the responsibility of Medical Travel Compared Ltd to ensure that any notification regarding a change of circumstances is recorded and acted upon.
- 3.4.4 Our Data Protection Officer is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
- 3.4.5 Medical Travel Compared Ltd, as Data Controller, is responsible for responding to requests for rectification from data subjects within one month of the request. This can be extended by a further two months for complex requests, in accordance with Article 12(3) of the GDPR. If Medical Travel Compared Ltd decides not to comply with the data subject’s request, our Data Protection Officer will respond to the data subject to explain the reasoning and inform the data subject of their right to complain to the supervisory authority and to seek a judicial remedy.
- 3.4.6 Medical Travel Compared Ltd, as Data Controller, is responsible for making appropriate arrangements so that, where third-party organisations may have been passed inaccurate or out-of-date personal data, they are informed that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned, and for passing any correction to the personal data to the third party where this is required.
- 3.5 Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.
- 3.5.1 Where personal data is retained beyond the processing date, it will be minimised and anonymised in order to protect the identity of the data subject in the event of a data breach.
- 3.5.2 Personal data will be retained in line with the Retention of Records Procedure and, once its retention date is passed, it will be securely destroyed as set out in this procedure.
- 3.5.3 Our Data Protection Officer will specifically approve any data retention that exceeds the retention periods defined in Retention of Records Procedure and will ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval will be made in writing.
- 3.6 Personal data must be processed in a manner that ensures the appropriate security
Our Data Protection Officer has carried out risk assessments that take into account all the circumstances of Medical Travel Compared Ltd’s controlling or processing operations.
In determining appropriateness, our Data Protection Officer has considered the extent of possible damage or loss that might be caused to individuals (e.g. staff or clients) if a security breach occurs, the effect of any security breach on Medical Travel Compared Ltd itself, and any likely reputational damage including the possible loss of client trust. Considerations have included:
- Password protection;
- Automatic locking of idle terminals;
- Removal of access rights for USB and other memory media;
- Virus checking software and firewalls;
- Role-based access rights including those assigned to temporary staff;
- Encryption of devices that leave the organisations premises such as laptops;
- Security of local and wide area networks;
- Privacy enhancing technologies such as pseudonymisation and anonymisation.
These controls have been selected on the basis of identified risks to personal data, and the potential for damage or distress to individuals whose data is being processed.
- 3.7 The controller must be able to demonstrate compliance with the GDPR’s other principles (accountability)
Medical Travel Compared Ltd demonstrates compliance with the data protection principles of the GDPR by implementing data protection policies, adhering to codes of conduct, implementing technical and organisational measures, as well as adopting techniques such as data protection by design, DPIAs, breach notification procedures and incident response plans.
Your Personal Data Rights
4. Data subjects’ rights
- 4.1 Data subjects have the following rights regarding data processing, and the data that is recorded about them:
- 4.1.1 To make subject access requests regarding the nature of information held and to whom it has been disclosed.
- 4.1.2 To prevent processing likely to cause damage or distress.
- 4.1.3 To prevent processing for purposes of direct marketing.
- 4.1.4 To be informed about the mechanics of any automated decision-making process that will significantly affect them.
- 4.1.5 To not have significant decisions that will affect them taken solely by automated processing.
- 4.1.6 To sue for compensation if they suffer damage by any contravention of the GDPR.
- 4.1.7 To have inaccurate data rectified, blocked, erased (including the right to be forgotten) or destroyed.
- 4.1.8 To request the supervisory authority to assess whether any provision of the GDPR has been contravened.
- 4.1.9 To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
- 4.1.10 To object to any automated profiling that is occurring without consent.
- 4.2 Medical Travel Compared Ltd ensures that data subjects may exercise these rights:
- 4.2.1 Data subjects may make data access requests as described in our Subject Access Request Procedure; this procedure also describes how Medical Travel Compared Ltd will ensure that its response to the data access request complies with the requirements of the GDPR.
- 4.2.2 Data subjects have the right to complain to Medical Travel Compared Ltd about the processing of their personal data or about the handling of a request they have made, and to appeal the way such a complaint has been handled, in line with our Complaints Procedure.
5. Consent
- 5.1 Medical Travel Compared Ltd understands ‘consent’ to mean a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.
- 5.2 Medical Travel Compared Ltd understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.
- 5.3 Medical Travel Compared Ltd collects special categories of personal data, as described in Article 9 of the GDPR. Medical Travel Compared Ltd collects data related to children and does not collect data regarding criminal convictions. None of these types of data are necessary for Medical Travel Compared Ltd to provide its services to data subjects.
Keeping Your Personal Data Secure
6. Security of data
- 6.1 All staff at Medical Travel Compared Ltd are responsible for ensuring that any personal data that Medical Travel Compared Ltd holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by Medical Travel Compared Ltd to receive that information and has entered into a confidentiality agreement.
- 6.2 Access to personal data is given on a ‘least privilege’ basis to ensure that only those who need to use it are given access. All personal data is kept secure by the following means:
- if computerised, it is password protected in line with best practice and, where stored on removable computer media, those media are encrypted in line with the Secure Disposal of Storage Media procedure; and
- if held in hard copy, it is stored in a lockable room with controlled access, in a locked drawer or filing cabinet.
- 6.3 Personal data may only be deleted or disposed of in line with the Retention of Records Procedure. Manual records that have reached their retention date are shredded and disposed of as ‘confidential waste’. Hard drives of redundant PCs will be removed and immediately destroyed before disposal.
- 6.4 Medical Travel Compared Ltd understands that processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data. Staff must be specifically authorised to process data off-site.
7. Disclosure of data
- 7.1 For the purposes of providing you with a quote and the ability to purchase policies, we may share your data with third parties including insurance providers and risk assessment bodies. To improve your experience on this site and keep you informed we may also share your data with customer support service providers, review bodies and marketing agencies who we have a relationship with.
- 7.2 Any requests received by Medical Travel Compared Ltd to provide data to a third party in accordance with Article 23 of the GDPR must be supported by appropriate paperwork and all such disclosures must be specifically authorised by our Data Protection Officer.
- 7.3 Medical Travel Compared Ltd has provided awareness and training that ensures that personal data is not disclosed to unauthorised third parties.
Retaining Your Data
8. Retention and disposal of data
- 8.1 Medical Travel Compared Ltd shall not keep personal data in a form that permits identification of data subjects for a longer period than is necessary in relation to the purpose(s) for which the data was originally collected.
- 8.2 Medical Travel Compared Ltd may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.
- 8.3 The retention period for each category of personal data is set out in Medical Travel Compared Ltd’s Retention of Records Procedure along with the criteria used to determine this period including any statutory obligations Medical Travel Compared Ltd has to retain the data.
- 8.4 Medical Travel Compared Ltd’s data retention and data disposal procedures will apply in all cases.
- 8.5 Personal data will be disposed of securely in accordance with the sixth principle of the GDPR – processed in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects.
9. Data Transfers
- 9.1 Medical Travel Compared Ltd do not transfer data to any third parties outside of the European Economic Area (EEA).
10. Information asset register/data inventory
- 10.1 Medical Travel Compared Ltd has established a data inventory and data flow process as part of its approach to addressing risks and opportunities throughout its GDPR compliance project. Medical Travel Compared Ltd’s data inventory and data flow document:
- the business processes that use personal data;
- the source of the personal data;
- the volume of data subjects;
- a description of each item of personal data;
- the processing activity;
- the categories of personal data processed;
- the purpose(s) for which each category of personal data is used;
- the recipients, and potential recipients, of the personal data;
- the role of Medical Travel Compared Ltd throughout the data flow;
- the key systems and repositories;
- any data transfers; and
- all retention and disposal requirements.
- 10.2 Medical Travel Compared Ltd assesses the level of risk to individuals associated with the processing of their personal data.
- 10.2.1 Data protection impact assessments (DPIAs) are carried out where appropriate in relation to the processing of personal data by Medical Travel Compared Ltd, and in relation to processing undertaken by any other organisations on behalf of Medical Travel Compared Ltd.
- 10.2.2 Medical Travel Compared Ltd shall manage any risks identified by the risk assessment in order to reduce the likelihood of a non-conformance with this policy.
- 10.2.3 Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms of natural persons, Medical Travel Compared Ltd shall, prior to the processing, carry out a DPIA of the impact of the envisaged processing operations on the protection of personal data. A single DPIA may address a set of similar processing operations that present similar high risks.
- 10.2.4 Where, as a result of a DPIA it is clear that Medical Travel Compared Ltd is about to commence processing of personal data that could cause damage and/or distress to the data subjects, the decision as to whether or not Medical Travel Compared Ltd may proceed will be escalated for review to our Data Protection Officer.
- 10.2.5 Our Data Protection Officer shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, escalate the matter to the supervisory authority.
- 10.2.6 On an ongoing basis, appropriate controls will be selected utilising best practice principles and applied to reduce the level of risk associated with processing individual data to an acceptable level, by reference to the requirements of the GDPR.
Protecting Children’s Data
11. Minors and Children’s Privacy
Medical Travel Compared Ltd regards the protection and privacy of young children as especially important. Our Service is not directed to children under the age of 16, and we do not knowingly collect Personal Data from children under the age of 16 without obtaining parental consent.
- 11.1 If you are under 16 years of age, then please do not use or access the Service at any time or in any manner. If we learn that Personal Data has been collected on the Service from persons under 16 years of age and without verifiable parental consent, then we will take the appropriate steps to delete this information.
- 11.2 If you are a parent or guardian and discover that your child under 16 years of age has obtained a Quote or Policy via our website, then you may alert our data protection officer firstname.lastname@example.org and request that we delete that child’s Personal Data from our systems.