Privacy Policy – Consumer, Patient or Carer

Nutricia Limited with its address at Newmarket Avenue, Whitehorse Business Park, Trowbridge, Wiltshire BA14 0X, England knows that you care how your personal data is used and we recognize the importance of protecting your privacy. 

This Privacy Policy explains how Nutricia Limited (“Nutricia”, “we”, “our”, “us”) acting as Data Controller collects and manages your personal data. It contains information on the data we collect, how we use it, why we need it and how it can benefit you. This is our Privacy Policy for Consumers, Patients or Carers. If you are a healthcare professional, please click here to see the privacy notice relevant to you.
 
Contact us at Newmarket Avenue, Whitehorse Business Park, Trowbridge, Wiltshire BA14 0X, England or click here if you have any queries and comments, or if you want to make a request regarding any of your data subject rights.

This Privacy Policy was last updated on 30 October 2020.

Nutricia is committed to protecting your right to privacy. We aim to protect any personal data we hold, to manage your personal data in a responsible way and to be transparent in our practices. Your trust is important to us. We have, for the purposes of complying with our legal obligations to you, committed ourselves to the following basic principles:

• You have no obligation to provide any personal data requested by us except as required to perform any contract we have with you. However, if you choose not to provide any personal data requested by us, we may not be able to provide you with some services or products;
• We only collect and process your data for the purposes set out in this Privacy Policy or for specific purposes that we share with you and/or that you have consented to;
• We aim to collect, process and use as little personal data as possible;
• When we do collect your personal data, we aim to keep it as accurate and up to date as possible;
• If the personal data we collect is no longer needed for any purposes and we are not required by law to retain it, we will do what we can to delete, destroy or permanently de-identify it at the earliest opportunity; and
• Your personal data will not be shared, sold, rented or disclosed other than as described in this Privacy Policy.

By personal data, we refer to any information about a person from which that person can be identified. This does not include data for which the identity has been deleted (anonymous data).

The personal data we collect varies depending upon the purpose of the collection, how you interact with us (for example online, offline or over the phone) and the product or service we are providing you.

Nutricia collects and uses some or all of the following categories of personal data for the purposes described below:

• Personal contact data, such as your name, email address, address, telephone number and topic of interest. This is collected as a requirement to join our CRM programmes, send you items in the post or enable our Careline to reach you if you have a query;
• Account login details, such as your user ID, e-mail, username and password are collected. This information is required to create and give you access to your personal user account for CRM programmes;
• Communications with us, which may include details of our meetings and conversations via email, chat, care lines and/or customer service lines and/or sales representatives;
• Demographic information, such as your age and gender and lifestyle information. Lifestyle information such as topics of interest related to healthcare conditions. Topics of interest may include your preference for some of the products we offer, and your interests related to those products;
• Browser history, such as pages accessed, date of access, location when accessed, and IP address;
• Information about people other than you, such as personal data about your carer (if you are a patient and you have a carer), or about a patient in your care (if you are a carer). This data will only be collected with the express permission of the other person;
• We have no intention of collecting personal data directly from minors, although parents or guardians may voluntarily provide us with information relating to their child. If you are a guardian or parent of a child (a person under the age of 18) we may gather personal details about you, your child, your and their address or your child’s date of birth.

Health Data: We will only process information about you that relates to your health if you have given your explicit consent for us to do so and if the processing is necessary for the purposes set out in the privacy policy. If you provide this type of information to us, we will use it to provide you with information relating to your treatment and care. We may create notes and reports about your health which assist our staff in providing the care and treatment to you or the patient in your care.

We collect your personal data directly from you via the following sources, this collection includes when:

• you communicate with us via email, chat or telephone (including our Careline and/or customer service lines), or through our account or Nutricia Homeward nursing team
• you interact with us on our Nutricia websites and apps, including when you register for an account with Nutricia, or send or post queries or comments;
• you place an order for promotional items with us;
• your healthcare professional places an order, or requests samples or services from us on your behalf; you fill in one of our registration forms (online or offline), such as registering for an account with us or an event;
• you participate in research activity, promotional activity or competitions; or
• you sign up for our marketing communications or other promotional materials.

We may also collect personal data about you indirectly when:

a) you share content on social media pages, websites or applications related to our products or in response to our promotional material on social media;

b) we read or collect personal data about you by reading information collected by third party websites (for instance, we may place an ad on a third party website, and when you click on that ad, we may receive information about you and other website visitors in order to measure the reach and success of that ad).

c) we may collect data about when you open a Nutricia email or click on a link in one. This allows us to see how well our communications with you are performing.

d) we may also receive your personal data from a patient (if you are a carer) or from a carer (if you are a patient), or your healthcare professional (if you have instructed him or her to provide this to us or he or she provides us with information).

There may also be times when information is collected from your relatives or next of kin, for example if you are unable to communicate.

Health Data: We will only process information about you that relates to your health, your genetic data, or your biometric data if you have given your explicit consent for us to do so. If you have explicitly agreed, we may collect information about your health from a healthcare professional about you.

We collect your personal data so we can perform any contract we have with you; provide you with the best online experience and to provide you with a high quality of customer service. We collect hold, use and disclose your personal data for the following purposes:

a. Customer service

We use your personal data:

• To process your orders educational material (condition booklets)
• To process and answer your inquiries or to contact you in order to answer your questions and/or requests
• To share and match your (anonymised) data to external research companies for analysis purposes
• For training and quality control purposes and to verify your identity when contacting us by telephone, electronic means or otherwise

The legal basis for processing your data for this purpose is:

• performance of a contract
• legal obligations
• legitimate interests – to improve the customer service experience; to improve and develop new products and services; to identify and prevent fraud; to monitor, detect and protect our organisation, systems, network, and staff.

b. Communications, personalisation and marketing

We use your personal data:

• To create an account with Nutricia CRM programmes
• To enable the Nutricia accounts or Homeward Nursing team to contact you
• To communicate information to you and to manage your registration (and attendance) at an event, competition or promotion organised by us or a third party and/or to manage your subscription to our newsletters or other direct marketing communications
• To share your details with Nutricia Homeward team.  Full details of Nutricia Homeward Privacy policy can be found here
• To send emails or postal communications about our products or services
• To send educational information about conditions or products relevant to your area of interest, field or expertise
• To send information about events that may be of interest to you (virtual or face to face events)
• To analyse your preferences, anticipate your needs and to personalise your experience on our websites and platforms to show you content and advertising tailored to your interests as well as product recommendations

The legal basis for processing your data for this purpose is:

• consent (where required) 
• performance of a contract
• legitimate interests - to improve and develop new products and services; to identify which products and services may interest you and to communicate these to you; to define types of audiences to develop and improve our products, services and campaigns

c. Development and enhancement of our products, services, communication methods and the functionality of our websites:

We use your personal data:

• To request feedback on Nutricia products and services to provide us with insights and when you respond to such requests
• To request your participation in surveys and/or market research to provide us with insights and when you respond to such requests
• To measure the effectiveness of our advertising and promotional materials
• To improve the quality of your online experience
• To monitor and conduct analytics on our website or apps, pages and links clicked, patterns of navigation, time at a page, devices used, and/or where you are coming from

The legal basis for processing your data for this purpose is:

• consent (where required) 
• legitimate interests – to understand and assess the interests, wants, and changing needs of customers, in order to improve our website, our current products and services, and/or developing new products and services, this also may include visits from Nutricia Representatives; to identify which products and services may interest you and to communicate these to you; to define types of audiences to develop and improve our products and services and campaigns; to monitor, detect and protect our organisation, systems, and network

Health Data: We will only process personal data about your health where it is necessary:

• for the provision of information on our goods and services to you, or to those in your care, where you have expressly requested it from us (for example if we are responding to a question from you regarding product tolerance and allergies);
• related to a contract with a healthcare professional; or
• to a healthcare professional with a duty of care to you in an emergency situation or where you have asked us to do so.

We may also need your personal data to comply with legal obligations to you or in the context of a contractual relationship that we have with you.

When we collect and use your personal data on the legal basis of our legitimate interests, we believe the risk to your data protection rights in connection with personal data is not excessive or overly intrusive. We have also put in place protections for your rights by ensuring proper retention periods and security controls.

When we collect and use your personal data for new purposes, we will inform you before or at the time of collection.

Where legally required to do we will ask for your consent to process the personal data. You have the right to withdraw your consent at any time by informing us of your decision. If you wish to withdraw your consent, please contact us via this link.  

Your rights

Where we process your personal data, you are entitled to a number of rights and can exercise these rights at any point. We have provided an overview of these rights below together with what this entails for you. Should you want to exercise your rights, please contact us via this link.

Some of these rights only apply in certain circumstances and so are not guaranteed or absolute rights. Please contact our Data Protection Officer if you have any questions about your rights.

The right to access your personal data and correction

You have the right to access, correct or update your personal data at any time. We understand the importance of this and should you want to exercise your rights, please contact us via this link.

The right to data portability

Your personal data is portable. This means it can be moved, copied or transmitted electronically. However, this right only applies where:

a) The processing is based on your consent;

b) The processing takes place for the performance of a contract;

c) The processing takes place by automated means

If you wish to exercise your right to data portability, please contact us via this link.

The right to deletion of your personal data 

You have the right to request that we delete your data if: 

a) your personal data is no longer necessary in relation to the purposes for which we collected it; or

b) you withdraw the consent that you had previously given us to process your personal data, and there is no other legal ground to process that personal data; or

c) you object to us processing your personal data for direct marketing purposes; or

d) you object to us processing your personal data for Nutricia’s legitimate interests (such as improving overall user experience on websites); 

e) the personal data is not being processed lawfully; or

f) your personal data needs to be deleted to comply with the law.

If you wish to delete the personal data we hold about you, please contact us via this link. Alternatively, you can contact the Resource Centre during office hours Monday to Friday 9am – 5pm by calling 03457623653. We will respond to your request in accordance with our legal requirements.

If the personal data we collect is no longer needed for any purposes and we are not required by law to retain it, we will delete, destroy or permanently anonymise. This is discussed in further detail below. [Hyperlink to PERSONAL DATA RETENTION PERIOD section]

The right to restriction of processing

You have the right to restrict the processing of your personal data if;

a) you do not believe the personal data we have about you is accurate; or

b) the personal data is not being processed lawfully, but instead of deleting the personal data, you would prefer us to restrict processing instead; or

c) we no longer need your personal data for the purposes we collected it, but you require the data in order to establish, exercise or defend legal claims; or 

d) you have objected to the processing of your personal data and are awaiting verification on whether your interests related to that objection outweigh the legitimate 
grounds for processing your data.

If you wish to restrict our processing of your personal data, please contact us via this link and we will respond to your request in accordance with our legal requirements.

The right to object

You have the right to object to the processing of your personal data at any time. Please contact us via this link.

 The right to withdraw consent

Where legally required to do we will ask for your consent to process the personal data. When we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time. However, such withdrawal does not affect the lawfulness of the processing that took place prior to this withdrawal. If you wish to withdraw your consent, please contact us via this link. 

The right to lodge a complaint with a supervisory authority

While we would be grateful if you lodged any complaints with us, you have the right to lodge a complaint directly with the Information Commissioner’s Office about how we process personal data. 

For more information about your privacy and data protection rights, or if you are not able to resolve a problem directly with us and wish to make a complaint, please contact the Information Commissioner’s Office at:

Mailing Address: Wycliffe House Water Lane, Wilmslow Cheshire SK9 5AF

Phone Numbers: +44 303 123 1113

Email Address: casework@ico.org.uk

You can also contact our Data Protection Officer directly at DPO.UKIE@danone.com.

We understand that the security of your personal data is important. We make our best efforts to protect your personal data from misuse, interference, loss, unauthorized access, modification or disclosure. We have implemented a number of security measures to help protect your personal data. For example, we implement access controls, use firewalls and secure servers, and we encrypt personal data. 

When we share your personal data with affiliates of Nutricia Limited and other organizations described below, we make sure we only do so with organizations that safeguard and protect your personal data and comply with applicable privacy laws in the same or similar way that we do. 
Your personal data will not be shared, sold, rented or disclosed other than as described in this Privacy Policy. We may, however, share your data when required by law and/or government authorities. 

If we decide to reorganise or to sell our business or our company, directly or indirectly through a sale, merger, or acquisition, we may share your personal data with actual or prospective purchasers of the business, or of our company. We will require that any such purchasers treat your Personal Data consistently with this Privacy Policy.

Personal data may be processed outside the European Economic Area (EEA). When processed outside the EEA, Nutricia will make sure that this cross-border data processing is protected by adequate safeguards. 

The safeguards that we use to protect cross-border data processing comprise of:

a) Model Contractual Clauses approved by European Commission. These standardized contractual clauses provide sufficient safeguards to meet the adequacy and security requirements of the European General Data Protection Regulation; or

b) Certifications which demonstrate that third parties outside of the EEA process personal data in a way that is consistent with the European General Data Protection Regulation. These certifications are approved either by the European Commission, a competent supervisory authority or a competent national accreditation body in terms of General Data Protection Regulation.

For some services and products we may process your personal data using automated means. Essentially this means that decisions are taken automatically without human intervention. An example of this would be deciding which type of campaign emails you receive from us.

We may also process your personal data to predict your behaviour on our website and show content or products that may be of interest to you. We will also use your data to send tailored communications via email and direct mail, if you have opted in to receive them. 

When we send or display personalised communications, content, we may use some techniques qualified as “profiling” (i.e. any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s personal preferences, interests, professional experience, economic situation, behaviour, location, reliability, or movements). This means that we may collect personal data about you in the different scenarios mentioned above. We centralise this data and analyse it to evaluate and predict your personal preferences and/or interests, to help us understand engagement and to create relevant content that may be of interest to you. Based on our analysis, we send or display communications and/or content tailored to your interests. You have the right to object to the use of your data for “profiling” in certain circumstances.

We confirm that you will not be subject to a decision based solely on automated decision-making, including profiling which produces legal effects or which will significantly affect you. If we intend to make use of such methods, we will of course inform you and we will give you an opportunity to object to these processes in advance. You are also free to contact us for further information on such processing or to change your mind in relation to this type of processing. Please contact us via this link to exercise your rights..

We will only retain your personal data for the minimum time necessary to achieve the purposes for which we collected it as set out in this privacy policy, including to comply with any legal or accounting requirements. Your personal data will also be retained for the duration of your contractual relationship with us, including where we maintain an ongoing relationship with you (e.g where you have consented to marketing communications and have not unsubscribed from our mailing lists).

We have an automatic process to anonymise inactive profiles after a duration of 3 years since the last contact with Nutricia. After a further 7 years, this data will be deleted.  For our ecommerce and sampling services, all consumer transactional data is retained for 5 years before being deleted. Patient data is stored in CommerceTools for 90 days before being fully deleted. Heath records are retained for 10 years after date of last entry in accordance with legal and NHS requirements.

To determine the appropriate retention period for personal data, we take into account the quantity, nature and sensitivity of personal data, the potential risk of harm resulting from the unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and the possibility of attaining those purposes by other means, as well as the applicable legal requirements.

After the established deadlines, the data is either deleted or retained after being anonymized, especially for statistical purposes. It may be retained in case of pre-litigation and litigation. It should be noted that deletion or anonymization are irreversible operations, and that Nutricia is no longer able, thereafter, to restore this data.

We may also collect personal data about you through the use of cookies and other technologies. This may occur when you visit our sites or third-party sites, view our online content, or use our/third-party mobile applications and may include the following information:

a) Information about your device browser and operating system;

b) The IP address , device ID and Mac ID of the device you are using;

c) Web pages of ours that you view;

d) Adverts you view;

e) Links that you click while interactive with our services, and emails you open.

f) Time and date of activity

Please see our cookie policy for more information on this link.

Although the General Data Protection Regulation (“GDPR”) applies in the same way to all EU Member States, sometimes local privacy laws may contain stricter rules or information that is relevant on a local level. We will hold and process your personal data in accordance with the UK Data Protection Act 2018 and the EU GDPR.

This notice was last updated on 30 October 2020.  We reserve the right to change this notice at any time (for example, to comply with changes in laws or regulations, our practices, procedures and organisational structures, requirements imposed or recommended by supervisory authorities or otherwise).  Changes to this notice shall be applicable on the effective date of implementation.  Please refer to our website for the latest version of this notice.  We will also communicate any changes to you, where we are legally required to do so.

If you have any questions, comments or complaints regarding this Privacy Policy or the processing of your personal data, please contact us via this link or write to us at: 

Data Protection Officer, Nutricia Limited, Newmarket Avenue, Whitehorse Business Park, Trowbridge, Wiltshire BA14 0X, England

You can also contact our Data Protection Officer directly via email at:  DPO.UKIE@danone.com.