Privacy Statement

Introduction

HexTransforma Healthcare is strongly committed to protecting personal data. This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights.
It applies to personal data provided to us, both by individuals themselves or by others. We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.
“HexTransforma” (and “we”, “us”, or “our”) refers to HexTransforma Healthcare Limited (the limited company registered in England under registration no. 11105434 and with its registration address at Garden House Offices, 11 Milnthorpe Road, Eastbourne East Sussex BN20 7NS) that: (1) is a contracting party for the purposes of providing or receiving services, (2) posted a position for which you are applying, or (3) you have a role or relationship with.
Personal data is any information relating to an identified or identifiable living person. When “you” or “your” are used in this statement, we are referring to the relevant individual who is the subject of the personal data.
HexTransforma processes personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.
When collecting and using personal data, our policy is to be transparent about why and how we process personal data. To find out more about our specific processing activities, please go to the relevant sections of this statement.

Our processing activity

  • Business Contacts
  • Personnel (Directors, Staff and contractors)
  • Corporate clients (and individuals associated with our corporate client)
  • Recruitment applicants
  • Patients & personal clients
  • Suppliers (including subcontractors and individuals associated with our suppliers and subcontractors)
  • Individuals who use our applications
  • Visitors to our offices
  • Individuals whose personal data we obtain in connection with the facilitation of medical services to our clients and patients
  • Visitors to our websites
  • Others who get in touch with us

Business Contacts

Collection of personal data
HexTransforma processes personal data about contacts (existing and potential HexTransforma clients and/or individuals associated with them) using a customer relationship management system (the “HexTransforma CRM”).
The collection of personal data about contacts and the addition of that personal data to the HexTransforma CRM is initiated by a HexTransforma user and will include name, employer name, contact title, phone, email and other business contact details. In addition, the HexTransforma CRM may collect data from HexTransforma email (sender name, recipient name, date and time) and calendar (organiser name, participant name, date and time of event) systems concerning interactions between HexTransforma users and contacts or third parties.

Use of personal data

Personal data relating to business contacts may be used for our legitimate interests and the legitimate interests of other HexTransforma member firms for the following purposes:

  • Administering, managing and developing our businesses and services
    We may process personal data in order to run our business, including:

    • managing our relationship with clients;
    • developing our businesses and services (such as identifying client needs and improvements in service delivery and learning more about a client, relationship opportunity we or other HexTransforma affiliate have an interest in);
    • analysing and evaluating the strength of interactions between us and a contact. The HexTransforma CRM uses an algorithm to help with this analysis and the ranking is primarily based on interaction frequency, duration, recency and response time;
    • performing analytics, including producing metrics for HexTransforma leadership, such as on trends, relationship maps, sales intelligence and progress against account business goals;
    • maintaining and using IT systems;
    • hosting or facilitating the hosting of events; and
    • administering and managing our website and systems and applications.

  • Providing information about us and our range of services
    Unless we are asked not to, we use client business contact details to provide information that we think will be of interest about us and our services. For example, industry updates and insights, other services that may be relevant and invites to events.

HexTransforma do not sell or otherwise release personal data contained in the HexTransforma CRM to third parties for the purpose of allowing them to market their products and services without consent from individuals to do so.

Data retention

Personal data will be retained on the HexTransforma CRM for as long as we have, or need to keep a record of, a relationship with a patient or business contact, which is for the duration of our relationship with a contact or their organisation.
Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

When and how we share personal data and locations of processing

The HexTransforma CRM is provided by Salesforce and is hosted in Salesforce’s European data centres.

Personnel (Directors, Staff and contractors)

We collect personal data concerning our own personnel (partners, staff and contractors) as part of the administration, management and promotion of our business activities.
Please refer to our privacy statement available on our intranet for information on why and how personal data is collected and processed in relation to your role with HexTransforma.

Corporate clients (and individuals associated with our corporate client)

Collection of personal data

Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients to only share personal data with us where it is strictly needed for those purposes.
Where we need to process personal data to provide healthcare related services, we ask our clients to provide the necessary information to the data subjects regarding its use. Our clients may use relevant sections of this privacy statement or refer data subjects to this privacy statement if they consider it appropriate to do so.
The categories of personal data processed by us in relation to the services we provide are generally:

  • Personal details (e.g. name, age/date of birth, gender, marital status, country of residence);
  • Contact details (e.g. email address, contact number, postal address);
  • Medical records (e.g. health records, scans, images and any other information pertinent to the treatment of a patient associated with the corporate scheme);

For certain services or activities, we may process special categories of personal data (such as in performing know your client checks and providing immigration status which involve us processing government identification documents that may contain biometric data or data revealing racial or ethnic origin).
Generally, we collect personal data from our clients or from third parties when providing services to the relevant client.

Use of personal data

We use personal data for the following purposes:

  • Providing medical and health-related services
    We provide a diverse range of medical and health-related services (click here for information on our services). Some of our services require us to collect and process personal data in order to ensure that our Healthcare provider partners have all the relevant information to make the appropriate patient treatment decisions. For example, details of a patient’s health record, to ensure that the patient is indeed suitable for the treatment that they have applied for.
    Legal grounds: Legitimate interests, legal obligation, public interest or consent
    This processing of personal data by us is necessary for the purposes of the legitimate interests pursued by us in providing medical and health-related services and our client in receiving medical and health-related services as part of running their organisation and, in some cases, we have a legal obligation to provide the services in a certain way. Where we process special categories of personal data, we rely on a relevant public interest condition or consent.
  • Administering, managing and developing our businesses and services
    We may process personal data in order to run our business, including:

    • managing our relationship with clients and prospective clients;
    • developing our businesses and services (such as identifying patient needs and improvements in service delivery);
    • maintaining and using IT systems;
    • hosting or facilitating the hosting of events; and
    • administering and managing our website and systems and applications.

    Legal grounds: Legitimate interests
    This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.
  • Security, quality and risk management activities
    We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We monitor the services provided to clients for quality purposes, which may involve processing personal data stored on the relevant client file. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to client engagements. We collect and hold personal data as part of our client engagement and acceptance procedures. As part of those procedures we carry out searches using publicly available sources (such as internet searches and sanctions lists) to identify politically exposed persons and heightened risk individuals and organisations and check that there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions (including in respect of company directors), conduct or other reputational issues).
    Legal grounds: Legitimate interests
    This processing is necessary for the purposes of the legitimate interests pursued by us to ensure network and information security, manage risks to our business and check the quality of our services.

  • Providing our clients, patients and prospective clients and patients with information about us and our range of services
    Unless we are asked not to, we use client and prospective client business contact details to provide information that we think will be of interest about us and our services. For example, industry updates and insights, other services that may be relevant and invites to events.
    Legal grounds: Legitimate interests
    This processing is necessary for the purposes of the legitimate interests pursued by us to promote our business and services.
  • Complying with any requirement of law, regulation or a professional body of which we are a member
    As with any provider of medical and health-related services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
    Legal grounds: Legal obligation or legitimate interests
    This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations and, where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to meet our regulatory or professional obligations.

We are continually looking for ways to help our clients and improve our business and services. Where agreed with our clients, we may use information that we receive in the course of providing medical and health-related services for other lawful purposes, including analysis to better understand a particular issue, industry or sector, provide insights back to our clients, to improve our business, service delivery and offerings and to develop new HexTransforma technologies and offerings. To the extent that the information we receive in the course of providing medical and health-related services contains personal data, we will de-identify the data prior to using the information for these purposes.
Legal grounds: Legitimate interests
We have a legitimate interest in de-identifying data to help our clients, to improve our business, service delivery and offerings and to develop new HexTransforma technologies and offerings, including by performing benchmarking and analysis.

Data retention

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 8 years.
Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

When and how we share personal data and locations of processing

Further details about the processors (such as IT service providers) used by HexTransforma and locations of processing are provided here. We may use other organisations to help us deliver our services as agreed with our client on an engagement-specific basis.

Recruitment Applicants

Introduction

This section of our privacy statement describes why and how we collect and use personal data in connection with our recruitment activities.
If your application is successful, we carry out pre-employment screening checks as part of our onboarding process. Depending on the role you have applied for, these checks may include criminal records checks.

Collection of personal data

We will collect personal data in connection with our recruitment activities as described below.
Most of the personal data we collect as part of our recruitment process is provided by you such as:

  • Contact details (name, email, telephone number);
  • Areas of interest;
  • Username and password to apply for a role;
  • CV, experience, education, academic and professional qualifications;
  • Information provided as part of interviews and assessments;
  • Social mobility data as part of our contextual recruitment practices;
  • Diversity and equal opportunities data;
  • Pre-employment screening information if your application is successful;
  • Information about your and your immediate family’s financial relationships if your application is successful; and
  • Bank account details if your application is successful.

We create personal data in connection with our recruitment activities such as:

  • Interview and assessment results and feedback; and
  • Offer details.

We obtain personal data from third party sources such as:

  • References from your named referees;
  • Information from your referrer (where applicable);
  • Results of Disclosure and Barring Service checks (depending on the role applied for);
  • Verification of information provided during the recruitment process by contacting relevant third parties (for example, previous employers, education and qualification providers) or using publicly available sources (for example, to verify your experience, education and qualifications); and
  • Information from social media sites that you are a member of about your engagement with our recruitment campaigns.

For details of the cookies we use on our websites, please click here.

Use of personal data

We process personal data for our legitimate interests to attract and secure the best talent to work with us as follows:

  • To attract talent and market opportunities at HexTransforma including by arranging, hosting and participating in events, marketing and advertising opportunities and using recruiters to help find talent for us.
  • To identify and source talent including by searching our existing talent pool and publicly available sources (such as social media and job websites of which you are a member).
  • To process and manage applications for roles at HexTransforma, evaluate you for open positions that match your interests and experience throughout the HexTransforma network, manage your candidate profile, send you email notifications and other announcements, request additional information or otherwise contact you about your candidacy.
  • To screen and select talent by evaluating your suitability for employment with HexTransforma, including through interviews and assessments and conducting background checks.
  • To hire and onboard talent by making an offer to successful applicants and carrying out pre-employment screening checks.
  • To conduct statistical analyses and create reports including for example regarding usage of our careers websites, demographic analysis of candidates, reports on HexTransforma recruitment activities, and analysis of candidate sourcing channels.
  • To administer and manage our careers websites and communicate with you about careers at HexTransforma.
  • Any other purposes stated when you provide the information to HexTransforma.

We carry out criminal records checks for the following purposes:

  • To comply with our legal obligation to ensure an individual is eligible to work in the UK and to report relevant information to the Home Office as part of HexTransforma sponsored visa applications.
  • For our legitimate interest or that of a third party to carry out pre-employment screening including a full background and criminal records check, depending on the role: (i) to establish whether an applicant has committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct; or (ii) to comply with government and public sector clearance requirements.

We collect and use information about race and ethnicity, religious and philosophical beliefs and health data for the following purposes:

  • For our legitimate interest and reasons of substantial public interest.
  • To comply with our legal obligation to make reasonable adjustments (for example, as a result of the outcome of a pre-employment medical assessment).
  • If your application is successful and where you provide consent, to provide information on relevant HexTransforma support and networks.

When and how we share personal data and locations of processing

In addition to the general information about when and how we share personal data and locations of processing provided here, personal data processed by us in connection with our recruitment activities may be transferred to:

  • Other HexTransforma member firms
    Your personal data will be provided to the HexTransforma firm that has posted the position for which you are applying and other HexTransforma member firm(s) where the role you are being considered for involves working with other HexTransforma member firm(s) and to assist with their recruitment and employment activities (for example, if they are recruiting for a role that matches your interests and experience).
    For details of our member firm locations, please click here.
  • Third party organisations that provide applications/functionality, data processing or IT services to us
    We use the products and services of third party organisations as part of the recruitment processes. The products and services we use differ depending on the role you apply for.
  • Employment agencies or recruiters acting on behalf of a candidate
  • Government and regulatory agencies as required by, and in accordance with, applicable law or regulation
    We are required to keep records of our recruitment processes where we sponsor a worker from outside the EU. The Home Office has authority to obtain disclosure of this personal data to check that we are complying with applicable law and regulation. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.

Data retention

We retain personal data processed in connection with our recruitment activities as follows:

  • If your application is successful we will retain relevant personal data as part of your employee record and your talent pool account (if you choose to join our talent pool).
  • If your application is unsuccessful, we will retain and use the information you provided to HexTransforma as part of your application for a reasonable period of time to deal with any matter which may arise in connection with your application, for purposes of contacting you regarding other employment opportunities and for our legitimate business purposes (for example, to make sure we do not contact an individual about a role they have already applied for) and for as long as you are a member of our talent pool (if you choose to join our talent pool).
  • Where we sponsor a worker from outside the EU we keep personal data about the other applicants for the role until we are audited by the Home Office to check we are complying with applicable law and regulation.

Patients & personal clients

Collection of personal data

Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients only to share personal data where it is strictly needed for those purposes.
Where we need to process personal data to provide our services, we ask our clients to provide the necessary information to other data subjects concerned, such as family members, regarding its use.
Given the diversity of the services we provide to personal clients and patients (click here for information on our services), we process many categories of personal data, including as appropriate for the services we are providing:

  • Contact details;
  • Medical records;
  • Family information;

For certain services or activities, and when permitted by law (e.g. under a public interest condition) or with an individual’s consent, we may also collect special categories of personal data. Examples of special categories include race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records.
Generally, we collect personal data from our clients or from a third party acting on the instructions of the relevant client.

Use of personal data

We use personal data for the following purposes:

  • Providing medical and health-related services
    We provide a diverse range of medical and health-related services (click here for information on our services). Some of our services require us to process personal data in order to provide advice and deliverables. For example, we need to use personal data to provide information to our clinicians in relation to the treatment being requested by the patient.
    Legal grounds: Performance of a contract, legitimate interests, legal obligation, public interest or consent
    This processing is necessary for the performance of the products and services purchased by the client on our website (contract) to which our personal client or patient (the data subject) is a party and, where we process personal data about other individuals (such as family members) in order to provide our services, this processing is necessary for the purposes of the legitimate interests pursued by us in providing medical and health-related services and our client in receiving medical and health-related services. In some cases, we have a legal obligation to provide the services in a certain way and where we process special categories of personal data, we rely on a relevant public interest condition or consent.

  • Administering, managing and developing our businesses and services
    We may process personal data in order to run our business, including:

    • managing our relationship with clients and prospective clients;
    • developing our businesses and services (such as identifying client needs and improvements in service delivery);
    • maintaining and using IT systems;
    • hosting or facilitating the hosting of events; and
    • administering and managing our website and systems and applications.

    Legal grounds: Legitimate interests
    This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.
  • Security, quality and risk management activities
    We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We monitor the services provided to clients for quality purposes, which may involve processing personal data stored on the relevant client file. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to client engagements. We collect and hold personal data as part of our client engagement and acceptance procedures. As part of our client and engagement acceptance, we carry out searches using publicly available sources (such as internet searches and sanctions lists) to identify politically exposed persons and heightened risk individuals and organisations and check that there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions (including in respect of company directors), conduct or other reputational issues).
    Legal grounds: Legitimate interests
    This processing is necessary for the purposes of the legitimate interests pursued by us to ensure network and information security, manage risks to our business and check the quality of our services.
  • Providing our clients and prospective clients with information about us and our range of services
    With consent or otherwise in accordance with applicable law, we use client and prospective client contact details to provide information that we think will be of interest about us and our services. For example, industry updates and insights, other services that may be relevant and invites to events.
    Legal grounds: Legitimate interests
    This processing is necessary for the purposes of the legitimate interests pursued by us to promote our business and services.
  • Complying with any requirement of law, regulation or a professional body of which we are a member
    As with any provider of medical and health-related services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
    Legal grounds: Legal obligation or legitimate interests
    This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations and, where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to meet our regulatory or professional obligations.

We are continually looking for ways to help our clients and improve our business and services. Where agreed with our clients, we may use information that we receive in the course of providing medical and health-related services for other lawful purposes, including analysis to better understand a particular issue, industry or sector, provide insights back to our clients, to improve our business, service delivery and offerings and to develop new HexTransforma technologies and offerings. To the extent that the information that we receive in the course of providing professional services contains personal data, we will de-identify the data prior to using the information for these purposes.
Legal grounds: Legitimate interests
We have a legitimate interest in de-identifying data to help our clients, to improve our business, service delivery and offerings and to develop new HexTransforma technologies and offerings, including by performing benchmarking and analysis.

Data retention

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 8 years.
Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

When and how we share personal data and locations of processing

Further details about the processors (such as IT service providers) used by HexTransforma and locations of processing are provided here. We may use other organisations to help us deliver our services as agreed with our client on an engagement-specific basis.

Suppliers (including subcontractors and individuals associated with our suppliers and subcontractors)

Collection of personal data

We collect and process personal data about our suppliers (including subcontractors and individuals associated with our suppliers and subcontractors) in order to manage the relationship, contract, to receive services from our suppliers and, where relevant, to provide Medical and Health-related services to our clients. The personal data is generally business card data and will include name, employer name, phone, email and other business contact details and the communications with us.

Use of personal data

We use personal data for the following purposes:

  • Receiving services
    We process personal data in relation to our suppliers and their staff as necessary to receive the services. For example, where a supplier is providing us with facilities management or other outsourced services, we will process personal data about those individuals that are providing services to us.
    Legal grounds: Legitimate interests
    This processing of personal data by us is necessary for the purposes of the legitimate interests pursued by us in receiving services.
  • Providing Medical and Health-related services to clients
    Where a supplier is helping us to deliver Medical and Health-related services to our clients, we process personal data about the individuals involved in providing the services in order to administer and manage our relationship with the supplier and the relevant individuals and to provide such services to our clients (for example, where our supplier is providing people to work with us as part of a HexTransforma team providing Medical and Health-related services to our clients).
    Legal grounds: Legitimate interests
    This processing of personal data by us is necessary for the purposes of the legitimate interests pursued by us in providing Medical and Health-related services and our client in receiving Medical and Health-related services as part of running their organisation.
  • Administering, managing and developing our businesses and services
    We may process personal data in order to run our business, including:

    • managing our relationship with suppliers;
    • developing our businesses and services (such as identifying client needs and improvements in service delivery);
    • maintaining and using IT systems;
    • hosting or facilitating the hosting of events; and
    • administering and managing our website and systems and applications.

    Legal grounds: Legitimate interests
    This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.

  • Security, quality and risk management activities
    We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to our suppliers. We collect and hold personal data as part of our supplier contracting procedures. We monitor the services provided for quality purposes, which may involve processing personal data.
    Legal grounds: Legitimate interests
    This processing is necessary for the purposes of the legitimate interests pursued by us to ensure network and information security, manage risks to our business and check the quality of the services.
  • Providing information about us and our range of services
    Unless we are asked not to, we use business contact details to provide information that we think will be of interest about us and our services. For example, industry updates and insights, other services that may be relevant and invites to events.
    Legal grounds: Legitimate interests
    This processing is necessary for the purposes of the legitimate interests pursued by us to promote our business and services.
  • Complying with any requirement of law, regulation or a professional body of which we are a member
    As with any provider of Medical and Health-related services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
    Legal grounds: Legal obligation or legitimate interests
    This processing is necessary for us to comply with a legal obligation; for example, when conducting supplier due diligence checks and, where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to meet our regulatory or professional obligations.

      Data retention

      We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). Personal data will be retained about our contacts at our suppliers for as long as it is necessary for the purposes set out above (e.g. for as long as we have, or need to keep a record of, a relationship with a contact, which is for the duration of our relationship with a contact or their organisation) and then deleted in line with our deletion and retention policies.
      Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

      When and how we share personal data and locations of processing

      Further details about the processors (such as IT service providers) used by HexTransforma and locations of processing are provided here. We may use other organisations to help us deliver our services as agreed with our client on an engagement-specific basis.

      Individuals who use our applications

      We provide external users access to various applications managed by us. Such applications will contain their own privacy statements explaining why and how personal data is collected and processed by those applications. We encourage individuals using our applications to refer to the privacy statements available on those applications.

      Visitors to our offices

      We have security measures in place at our offices, including CCTV and building access controls.

      CCTV

      There are signs in our office showing that CCTV is in operation. The images captured are securely stored and only accessed on a need-to-know basis (e.g. to look into an incident). We use the CCTV images for the legitimate purposes of promoting security and safety of our personnel and members of the public, preventing and detecting crime and establishing, exercising and defending legal claims. We may disclose CCTV images to law enforcement bodies as requested and permitted by data protection law.
      CCTV recordings are typically automatically overwritten after a short period of time (between 21 and 60 days after being recorded) unless an issue is identified that requires investigation (such as a theft).

      Visitor records

      We require visitors to our offices to sign in at reception and keep a record of visitors for a short period of time. Our visitor records are securely stored and only accessible on a need-to-know basis (e.g. to look into an incident).

      Guest WIFI

      We monitor traffic on our guest WIFI networks using industry standard intrusion detection systems. This allows us to see limited information about a user’s network behaviour, which will include at least the source and destination addresses the user is connecting from and to. We cannot inspect any encrypted web pages and therefore do not have access to any information (personal or otherwise) that the user might share via these web pages.

      Individuals whose personal data we obtain in connection with providing medical and health-related services to our clients

      Collection of personal data

      Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients only to share personal data with us where it is strictly needed for those purposes.
      Where we need to process personal data to provide our services, we ask our clients to provide the necessary information to the data subjects concerned regarding its use.
      We collect and use contact details for our clients in order to manage and maintain our relationship with those individuals. Please see the Business contacts section of this privacy statement for more information about our processing of this type of data.
      Given the diversity of the services we provide to clients (click here for information on our services), we process many categories of personal data, including:

      • Personal details (e.g. name, age/date of birth, gender, marital status, country of residence);
      • Contact details (e.g. email address, contact number, postal address);
      • Financial details (e.g. salary, payroll details and other financial-related details such as income, investments and other financial interests, benefits, tax status); and
      • Job details (e.g. role, grade, experience, performance information and other information about management and employees).
      For certain services or activities, we may process special categories of personal data (such as in performing know your client checks and providing immigration status, which involve us processing government identification documents that may contain biometric data or data revealing racial or ethnic origin or as part of an audit of an organisation in the health sector).
      Generally, we collect personal data from our clients or from a third party acting on the instructions of the relevant client. For some of our services, for example, when undertaking a due diligence review of an acquisition target on behalf of a client, we may obtain personal data from that target’s management and employees or from a third party acting on the instructions of the target.

      Use of personal data

      We use personal data for the following purposes:

    • Providing Medical and Health-related services
      We provide a diverse range of medical and health-related services (click here for information on our services). Some of our services require us to process personal data in order to provide advice and deliverables. For example, we will review payroll data as part of an audit and we often need to use personal data to provide global mobility and pensions services.
      Legal grounds: Legitimate interests, legal obligation, public interest or consent
      This processing of personal data by us is necessary for the purposes of the legitimate interests pursued by us in providing Medical and Health-related services and our client in receiving medical and health-related services as part of running their organisation and, in some cases, we have a legal obligation to provide the services in a certain way. Where we process special categories of personal data, we rely on a relevant public interest condition or consent.
    • Administering, managing and developing our businesses and services
      We may process personal data in order to run our business, including:

      • managing our relationship with clients;
      • developing our businesses and services (such as identifying client needs and improvements in service delivery);
      • maintaining and using IT systems;
      • hosting or facilitating the hosting of events; and
      • administering and managing our website and systems and applications.
      Legal grounds: Legitimate interests
      This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.
    • Security, quality and risk management activities
      We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We monitor the services provided to clients for quality purposes, which may involve processing personal data stored on the relevant client file. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to client engagements. We collect and hold personal data as part of our client engagement and acceptance procedures. As part of our client and engagement acceptance, we carry out searches using publicly available sources (such as internet searches and sanctions lists) to identify politically exposed persons and heightened risk individuals and organisations and check that there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions (including in respect of company directors), conduct or other reputational issues).
      Legal grounds: Legitimate interests
      This processing is necessary for the purposes of the legitimate interests pursued by us to ensure network and information security, manage risks to our business and check the quality of our services.
    • Complying with any requirement of law, regulation or a professional body of which we are a member
      As with any provider of Medical and Health-related services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
      Legal grounds: Legal obligation or legitimate interests
      This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations and, where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to meet our regulatory or professional obligations.
    • We are continually looking for ways to help our clients and improve our business and services. Where agreed with our clients, we may use information that we receive in the course of providing Medical and Health-related services for other lawful purposes, including analysis to better understand a particular issue, industry or sector, provide insights back to our clients, to improve our business, service delivery and offerings and to develop new HexTransforma technologies and offerings. To the extent that the information that we receive in the course of providing Medical and Health-related services contains personal data, we will remove the personal data prior to using the information for these purposes.
      Legal grounds: Legitimate interests
      We have a legitimate interest in de-identifying data to help our clients, to improve our business, service delivery and offerings and to develop new HexTransforma technologies and offerings, including by performing benchmarking and analysis.

      Data retention

      We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
      In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 8 years.
      Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

      When and how we share personal data and locations of processing

      Further details about the processors (such as IT service providers) used by HexTransforma and locations of processing are provided here. We may use other organisations to help us deliver our services as agreed with our client on an engagement-specific basis.

      Visitors to our website

      Collection of personal data
      Visitors to our websites are generally in control of the personal data shared with us. We may capture limited personal data automatically via the use of cookies and analytics tools on our website. Please see the section on Cookies below for more information.
      We receive personal data, such as name, title, company address, email address, and telephone and fax numbers from website visitors; for example, when an individual registers for updates from us.
      Visitors are also able to send an email to us through the website. Their messages will contain the user’s screen name and email address, as well as any additional information the user may wish to include in the message.
      We ask that you do not provide special categories of personal data (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) to us when using our website.

      Use of personal data

      When you provide personal data to us, we may use it for any of the purposes described in this privacy statement or as stated at the point of collection (or as obvious from the context of collection), including:

    • where you submit your contact details, unless we are asked not to, we may contact you with information about HexTransforma’s business, services and events, and other information which may be of interest to you. Should visitors subsequently choose to unsubscribe from mailing lists or any registrations, we will provide instructions on the appropriate webpage, in our communication to the individual, or the individual may contact us by email to data.protection@hextransforma.com;
    • to administer and manage our website, including to confirm and authenticate your identity and prevent unauthorised access to restricted areas of the site or premium content;
    • to communicate with you in order to distribute requested materials or ask for further information;
    • to personalise and enrich your browsing experience by displaying content that is more likely to be relevant and of interest to you;
    • to sort and analyse user data (such as determining how many users from the same organisation have subscribed to or are using our websites);
    • to determine the company, organisation, institution, or agency that you work for or with which you are otherwise associated;
    • to develop our businesses and services, including aggregating data for website analytics and improvements;
    • aggregating data to conduct benchmarking and data analysis including, for example, regarding usage of our websites;
    • to conduct quality and risk management reviews;
    • to understand how people use the features and functions of our websites in order to improve the user experience;
    • to monitor and enforce compliance with our terms, including acceptable use policies; and
    • any other purposes for which you provided the information to HexTransforma (such as to subscribe you to the updates you request).

    Our websites do not collect or compile personally identifying information for sale to non-HexTransforma parties for their marketing purposes. If there is an instance where your personal data may be shared with a party that is not a HexTransforma member firm, you will be asked for your consent beforehand.

    Cookies

    We use small text files called ‘cookies’ which are placed on your hard drive to assist in personalising and enriching your browsing experience by displaying content that is more likely to be relevant and of interest to you. The use of cookies is now standard operating procedure for most websites. However, if you are uncomfortable with the use of cookies, most browsers now permit users to opt out of receiving them. You need to accept cookies in order to register on our website. You may find other functionality in the website impaired if you disable cookies. After termination of the visit to our site, you can always delete the cookie from your system if you wish.
    You can find out more details regarding our use of cookies on our Cookies page.

    Our website may link to third party sites not controlled by HexTransforma and which do not operate under HexTransforma’s privacy practices. When you link to third party sites, HexTransforma’s privacy practices no longer apply. We encourage you to review each third party site’s privacy policy before disclosing any personally identifiable information.

    Data retention

    Personal data collected via our websites will be retained by us for as long as it is necessary (e.g. for as long as we have a relationship with the relevant individual).

    Others who get in touch with us

    We collect personal data when an individual gets in touch with us with a question, complaint, comment or feedback (such as name, contact details and contents of the communication). In these cases, the individual is in control of the personal data shared with us and we will only use the data for the purpose of responding to the communication.