Medway Medical (GDPR) Privacy Policy
What personal data we collect
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.
The GDPR’s definition of personal data is now also much broader than under the DPA. Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. It adds that:

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

We collect the minimum amount of personal data required to provide the services you have asked us to deliver.
When you take any of our services Medway Medical collects your personal and business information:
This might include some or all the following:

  • Company register name and registered number, address and telephone numbers
  • Billing details
  • Email addresses of any people that we need to communicate with to fulfil our service obligations
  • When you participate in the On-Boarding and validation process
  • When you require a contract amendment
  • When we provide you with your outputs
  • If you visit our website we collect the browser type, cookies, IP address and operating system.

How we use your data
We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • To support you: This may include assisting with the resolution of technical report issues or other issues relating to the reports, instructions or services, whether by email, phone or post.
  • Providing you with information you’ve requested from us or information we are required to send to you
  • Operational communications, like changes to our websites and services, security updates, or assistance with our processes systems and services
  • Billing and appointment booking
  • Marketing communications (about Medway Medical or another product or service we think you might be interested in) in accordance with your marketing preferences, any email in this regard will have an OPT OUT link
  • asking you for feedback or to take part in any research we are conducting
  • To comply with any of our legal or regulatory obligations

Medway Medical aims to update you about news, products & services which are of interest and relevant to you as an individual or business with regards to Medway Medical services.
Medway Medical may send you emails and / or postal marketing on the basis of legitimate interest, which may contain relevant tips, new services, for your industry or sector.
You have the right to opt out of receiving postal or email marketing communications at any time, by:

  1. Using the OPT out link in the body of the email sent
  2. Contacting Medway Medical via the contact email

If you opt out of email marketing, we will still need to send you service communications by email from time to time, such as information about changes to our service, contract conditions, contract amendments and services related reporting.

Legal basis for Medway Medical processing personal data
It is important that you understand how and why we use the personal data that we collect about you.
The lawful basis upon which we may rely on to process your personal data are:
Consent, you have given your express consent, through signing the contract for Medway Medical services or have required us to deliver service obligations that are not under contract conditions, for us to process your personal data for a specific purpose.
Contract, the processing is necessary for us to perform our contractual or service obligations with you whether under contract or not, or because you have asked us to take specific steps before entering into a contract with you.
Legal Obligation, the processing is necessary for us to comply with legal or regulatory obligation.
Legitimate Interests, The pursuit of our legitimate interests (as set out below)
Our legitimate interests
The normal legal basis for processing customer data, is that it is necessary for the legitimate interests of Medway Medical, including:

  • to contract you as a new customer

Data Type:

  • identity & contact

Lawful basis for processing:

  • to perform our contract (or obligations) with/to you


  • to process and deliver your contracted services, manage payments

Data Type:

  • identity, contact, financial, transaction and marketing & communications

Lawful basis for processing:

  • to deliver our contracted or services obligations with you;
  • as necessary for our legitimate interest in recovering debts due to us.


  • to manage our partnership with you, notifying you about any amendments to our Terms or Privacy Notice, request to take part in reviews or surveys

Data Type:

  • identity, contact, profile & marketing & communications

Lawful basis for processing

  • to perform our contract with you
  • as necessary to comply with a legal obligation
  • as necessary for our legitimate interests in keeping our records updated and analysing how customers view our delivery of services.


  • to administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data where applicable)

Data Type:

  • identity, contact & technical

Lawful basis for processing:

  • as necessary for our legitimate interests in running Medway Medical, provision of and administration of Medical Reporting Services.
  • as necessary to comply with any legal obligations


  • to use data analytics to improve our website, contracted services, marketing, client relationships and experiences

Data Type:

  • technical & usage

Lawful basis for processing:

  • as necessary for our legitimate interests to define types of customers for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy


  • to make suggestions and recommendations to you about the contracted services or other services that could be of interest to you

Data Type:

  • identity, contact, technical, usage & profile

Lawful basis for processing:

  • as necessary for our legitimate interests to develop our services and grow our/your business

Sharing data with third parties
Service and system providers and third parties
We will only share your data with legal or regulatory bodies and systems providers such as our accountants or financial accounting application provider, Medway Medical will never sell your personal data to any other third party.
Who are service and system providers and third parties?
service or systems providers: acting as processors based in the United Kingdom who provide IT, hosting and system administration services and other internal systems.
professional advisors: acting as processors or joint controllers including solicitors, barristers, bankers, auditors and insurers based in the United Kingdom who provide consultancy, banking, legal, insurance and accounting services.
HM Revenue & Customs, Medco, regulators and other authorities: acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
third parties: third parties that in the future we might decide to sell the company to or merge with whether in full or part. Where this occurs the new owners/partner may use your personal data as is outlined here.
We will also share your personal data with third parties in the following circumstances:

  • where you have specifically consented to us sharing your data with a particular third party;
  • where we are required or permitted to do so by law or to protect or enforce our rights or the rights of any third party.

We do not transfer or store your personal data outside the European Economic Area (EEA). If we do carry out any further transfers of your data outside the EEA, we will inform you and we will ensure that the recipient provides an adequate level of protection of your personal data.

Links to other websites
Our website may contain links to other websites of interest. If you follow a link to any of these websites, please note that they have their own privacy policies and that we don’t accept any responsibility or liability for these policies. Please check these websites’ privacy policies before you submit any personal information to them.

How long do we keep your data?
We will keep all your personal data for as long as your contract or service agreement is active. You can cancel your contract within the conditions set out in our Terms and Conditions. If you do this, you can request anonymization of all your data after you have cancelled your services. We will retain and use your information to comply with our legal obligations and to enforce our agreements where necessary.

Medway Medical uses first party cookies (small text files that are stored locally on a user’s computer) on our website.
We use cookies to access information to:

  • identify visitors’ preferences,
  • perform traffic analysis,
  • identify unique visitors,
  • assess usage patterns,
  • analyse trends
  • deliver our services
  • diagnose problems with our servers,

Cookies placed on the user’s computer do not include Personally Identifiable Information such as name, email addresses, phone number, mailing information, we will never link cookies to such Personally Identifiable Information our databases.
Internet Protocol (IP) addresses are considered personal information and are not individually targeted or disclosed.
Medway Medical cannot take responsibility for failure by you or your browser to accurately implement or communicate your browser preferences or settings.
For more information on amending your cookie settings, please refer to your browser instructions. Where you choose not to opt out of Medway Medical cookies, consent will be presumed as having been granted.

How we protect your data
Medway Medical is committed to keeping your personal data safe and secure.
We take reasonable and appropriate measures to protect personal information from loss, misuse, and unauthorised access, disclosure, alteration, and destruction. We rely on various physical and software-based security systems to safeguard the physical and technical security of your information, and we have documented and enforced organisational controls to limit access to, and to protect your information.
If you feel like the security of your account has been compromised, you must inform us immediately, so we can take protective measures to safeguard your information. You can do this by contacting us by phone on 01254 316 580 or email
Our security measures also include:

  • Security controls, such as IP address, MAC address, user profiles and user names and password which protect the entire Medway Medical IT infrastructure from external attack and unauthorised access;
  • Internal policies, employee training which sets out our data security approach.

Your rights:
The following describe your legal rights in relation to your personal data:
Access your Data: under the new regulation you have the right to ask for access to your personal data and be provided with a copy
Correction: if your data is not complete or accurate you can ask us to amend it as required
Erasure: you can ask us to delete or remove your personal data where:

  • you completed the process of exercising your right to object;
  • local laws or regulation require us to erase your personal data;
  • there is no good purpose for us process it;
  • we don’t have a legitimate reason for processing your information

Object: you can object to the processing of your personal data where:

  • where we are relying on our legitimate interest (or those of a third party) as the basis for processing your personal data, if you feel it impacts on your fundamental rights and freedoms;
  • where we use your personal data for direct marketing purposes.

Restrict Processing: you have the right to ask us to us to restrict the processing of your personal data where:

  • you have need of the data, but we no longer require it. This might be your need to have the data to fulfil some legal requirement;
  • our use is not lawful, but you instruct us not to erase it;
  • you have objected to our use of your personal data, but we need to validate our legitimate use;
  • There is need to ensure the accuracy of your personal data;

Request a Transfer: transfer your personal data which you provided your consent for us to process such personal data or which we need to process to perform our obligations to you, to you or a third party.
Withdraw Your Consent: withdraw your consent at any time in circumstances that required your consent.

You have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, is available at

Contact Information
If you have any questions about how Medway Medical uses your personal data that are not answered here, or if you want to exercise your rights regarding your personal data, please contact us by any of the following means:

  • Phone us on: 01254 316 580:
  • E-mail us at:;
  • Write to us at: Medway Medical Limited, Technology Centre, Bridge Street, Church, BB5 4HU.

Some terms used in GDPR:
Aggregated Data: information such as statistical or demographic data which may be derived from personal data, but which cannot by itself identify a data subject
Controller: an entity that determines the purposes and means of processing personal data
Data Subject: an individual living person identified by personal data which has been defined above
Personal Data: as described above this is information identifying a data subject from that data alone or with other data we may hold but it does not include anonymised or aggregated data
Processor: a body that is responsible for processing personal data on behalf of a controller.
Special Categories of Personal Data: information about race, ethnicity political opinions, religious or philosophical beliefs, trade union membership, health, genetic, biometric data, sex life, sexual orientation.
This privacy policy statement comes into effect on 25th day of May 2018.