Privacy Notice
1. Introduction
This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle your personal data, keep it safe and how we use it.
This Privacy Notice is kept regularly under review and was last updated in September 2024.
2. Who are we?
Entity name: Bio Products Laboratory Limited (“BPL”).
Company registration number: 07343036.
Registered office address: Dagger Lane, Elstree, Hertfordshire, WD6 3BX, United Kingdom.
Registration reference with the Information Commissioner’s Office: Z2422564.
Email: info@bpl.co.uk
Website: www.bplgroup.com
3. What is our status under data protection law?
The data protection laws that apply to BPL include the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 2018.
The “UK GDPR” is the United Kingdom’s retained version of the European Union’s General Data Protection Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).
Data protection laws have created the concepts of a “data controller” and a “data processor”. BPL’s status under data protection law is as a data controller. This is because we make decisions around what personal data to collect, how it should be collected and why. We also assign the lawful basis (legal reason) and determine the retention period for all of the processing activities that we do.
4. Do we have a Data Protection Officer (“DPO”)?
We have thoroughly assessed whether BPL requires a DPO under data protection laws. Although we are not legally required to appoint a DPO, we are deeply committed to upholding the highest standards of data privacy and have voluntarily appointed one.
Our DPO plays a central role in our operations, ensuring our compliance with data protection laws and addressing any questions or concerns regarding personal data. If you have any questions or need any assistance, you can reach our DPO at info@bpl.co.uk.
5. Whose personal data do we collect?
We collect personal data from individuals in several categories to support our operations in the creation and distribution of our blood plasma products. These include:
- Website users: Individuals who browse our website and contact us through our website forms.
- Donors: Individuals who voluntarily donate blood plasma, from whom we collect personal and medical data necessary for donation eligibility and health monitoring. Please note that the majority of the donations that we receive are from other entities within the same corporate group as BPL and such personal data associated with the donations are pseudonymised.
- Customers and partners: Individuals working with healthcare providers, institutions and other entities that purchase or partner with us for our products. Healthcare providers will partner with us to assess and test the products that we have acquired before they can be sold.
- Suppliers and service providers: Individuals working with our third-party suppliers, contractors and service providers that support us in creating and distributing our products.
- Job applicants: Individuals who are interested in or are applying for vacancies within our company.
All personal data collected is handled in compliance with applicable data protection laws to ensure the privacy and security of the individuals involved.
6. When do we collect your personal data?
We may collect personal data in various circumstances to facilitate our interactions with you and enhance the products we provide. These circumstances include:
- When you visit our websites and fill out forms: This could involve subscribing to newsletters, requesting information, or participating in any interactive features on our websites.
- When you contact us for any reason: Whether you reach out to us with a query, lodge a complaint, provide feedback, or request additional information, we collect personal details necessary to respond and resolve your enquiries efficiently.
- When you attend meetings or events we organise: Whether it’s a business meeting, a seminar, or any event hosted by us, we may collect personal data related to your attendance and engagement. We may also take photographs at these meetings or events.
- When you participate in surveys we send: If you choose to complete a survey or questionnaire, we collect your responses to improve our organisation and better understand your needs.
- When you purchase our products: We gather personal data necessary to process orders, fulfil transactions and manage ongoing customer relationships during the course of business.
- When you authorise a third party to share your information with us: In cases where you have given another third-party permission to share your personal data with us, such as when a reference is provided during job applications, or a supplier shares relevant contact details.
- When you engage with us on social media: We may collect publicly available information from your interactions with our official social media pages, including likes, comments, and direct messages to better connect with you and address your needs.
- When you apply for a vacancy with us: During the recruitment process, we gather personal data, including your resume, qualifications, and employment history, to evaluate your suitability for a role. Subject to your consent, we also conduct background checks which include reviewing your references and, where applicable, conducting a criminal convictions check with the Disclosure and Barring Service.
By collecting this data, we aim to streamline operations and improve the quality of our interactions with you, while ensuring your privacy is protected in line with data protection laws.
7. What personal data do we collect?
The type of personal data we collect depends on the nature of our relationship with you and your interactions with us. We may collect both personal data (which identifies you as an individual) and anonymous data (which does not directly identify you).
The personal data that we collect is outlined below.
- Website users: If you browse our websites, we collect anonymised analytics data through Google Analytics. However, if you fill out and submit a contact form, we collect personal data such as your name, email address, phone number, and the message you provide to respond to your query.
- Newsletter subscribers: If you subscribe to one of our newsletters, we will collect your name and email address to send you updates and relevant information.
- Social media engagement: When you interact with us via social media platforms, we may collect your contact details and other information you share to respond to your comments, questions, or feedback.
- Donors: In the case of blood plasma donors, we may collect detailed personal and medical information, including your name, contact details, date of birth, gender, medical history, and any relevant health-related information required for donation eligibility and monitoring.
- Customers, partners and service providers: If you are a customer, partner, or service provider, and we are discussing or already in a contractual relationship, we may collect personal data during our interactions. This includes notes from meetings, conversations, and email exchanges. Additionally, if required by law, we may collect and store copies of documents, such as passports or driver’s licenses, to verify your identity.
- Job applicants: If you apply for a job with us, we will collect personal data such as your name, contact details, resume, and employment history to process your application and assess your suitability for the role. Once you are offered a vacancy, we will also collect identity documentation (such as your passport) and information to confirm your right to work in the United Kingdom.
The anonymous data that we collect is outlined below.
- Website analytics: When you visit our websites, we collect anonymous analytics data through services like Google Analytics to monitor performance and improve user experience. This data does not include personal identifiers like your internet protocol (“IP”) address.
- Server logs: Our servers automatically collect log files, which may include data like the type of device you are using, browser information, and other technical data. This data is collected for security and performance monitoring purposes and is not associated with individual users. It is automatically deleted on a regular basis.
8. What is our lawful basis (legal reason) for processing your personal data?
When we collect and process your personal data, we ensure that we have a lawful basis to do so in accordance with data protection laws. Below, we outline the key lawful bases that we rely on for the collection and use of personal data. In some situations, more than one lawful basis may apply to the same processing activity. However, please note that where we rely on consent as a lawful basis, it is the sole basis for processing.
- Consent: We collect and process your personal data when you have given explicit consent for us to do so. Consent is obtained in specific situations, such as when you agree to participate in a clinical trial or provide your plasma for research purposes. For example, this applies if you voluntarily sign up as a donor or if you consent to receive marketing communications from us about our products. You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Contract: We collect and process your personal data where it is necessary for the performance of a contract, or to take steps at your request before entering into a contract. For example, this applies when you apply for a position with us, and we collect your details during the recruitment process, or if you become a donor or service provider and we need to collect and process personal data to fulfil our contractual obligations, such as processing payments, managing logistics, or coordinating donations.
- Legal obligation: We collect and process your personal data when required to comply with legal and regulatory obligations. As an organisation involved in the production of products, we are subject to a variety of laws, including those governing health and safety, employment, tax, and data retention. For instance, we may be required by law to retain certain records related to donations or clinical trials for specified periods, or to collect and store certain identification documents for compliance with anti-fraud or anti-money laundering laws.
- Legitimate interests: We may process your personal data to pursue our legitimate business interests provided that such interests are not overridden by your interests, rights, or freedoms. Our legitimate interests include the management and development of our products, ensuring the safety and integrity of the donation process, maintaining and improving our website, and ensuring the security of our operations and IT infrastructure. In all cases, we ensure that our legitimate interests are balanced with your rights, and where necessary, we conduct assessments to verify that your personal data is protected. If we rely on legitimate interests, you have the right to object to such processing in certain circumstances.
9. How and why do we use your personal data?
We use your personal data for a variety of purposes, always ensuring that we have a valid lawful basis for doing so. The specific ways in which we use your personal data may vary depending on your relationship with us (e.g., donor, customer, employee or partner).
Below are the key reasons why and how we process your personal data:
- To respond to your queries: When you contact us—whether through our website, by email, phone, or social media—we collect and process the personal data you provide so we can respond effectively. We may keep a record of these interactions to assist with any future communications and to ensure consistency in how we address your questions or concerns.
- To develop, test and improve our products: We may use your personal data to enhance the quality, safety and efficiency of our products. This can include feedback from donors, partners, or customers to optimise collection processes, improve donor experience and develop new plasma-derived products. We also use anonymised or aggregated data for research and testing to ensure our systems and products meet rigorous health and safety standards.
- To fulfil our contractual obligations: If you enter into an agreement with us—whether as a donor, employee, customer, or service provider—we use your personal data to execute our contractual obligations. For example, if you are a donor, we use your medical information to assess eligibility, track donations, and ensure regulatory compliance. If you are a customer, we use your details to provide you with products as requested, manage billing, and handle any related communications.
- To comply with legal and regulatory obligations: As an organisation operating in the healthcare sector, we are subject to a range of legal and regulatory requirements. We may need to share your personal data with law enforcement agencies, government bodies or courts when required by law. For instance, if we receive a court order or request from regulatory authorities regarding your donation records or product safety, we are legally obliged to provide the requested data. This can also involve compliance with health and safety regulations, data retention laws, and industry-specific guidelines for plasma product manufacturing.
- To support medical research and development: As part of our mission to advance the creation of blood plasma products, we may use donor data, including medical and demographic information, to contribute to medical research. Any such use is conducted in compliance with applicable laws and ethical standards, ensuring that data is anonymised or pseudonymised where necessary to protect the privacy of individuals.
- To prevent fraud and safeguard our operations: We may use your personal data to protect you, our organisation, and others from fraud, identity theft, and other illegal activities. This includes updating and maintaining the accuracy and security of the information we hold about you. For instance, we may conduct identity verification checks for donors, employees, or customers and monitor for suspicious activity related to donations, transactions or access to sensitive data.
- To maintain and improve our IT systems: We may process your personal data to ensure the functionality and security of our IT systems. This helps us protect your information and maintain the integrity of our operations, particularly in the context of storing sensitive health data and ensuring the continuous availability of our products.
- To assess job applications: If you apply for a role within our organisation, we use your personal data to assess your qualifications, contact you throughout the recruitment process, and make hiring decisions. This includes reviewing your resume, references, and other application materials.
By processing your personal data in these ways, we aim to ensure the highest standards of safety, compliance and customer service while safeguarding the rights and privacy of all individuals involved in our operations.
10. How do we protect your personal data?
We treat all personal data that we process with the utmost care and take all appropriate steps to protect it.
We have put in place appropriate technical and organisational security measures (such as SSL encryption) to prevent your personal data from being accidentally lost, falsified, used or accessed in an unauthorised way, altered or disclosed.
In addition, we limit access to your personal data to those employees, contractors and other third parties who have a business need to know. We have put in place policies, plans and procedures to deal with any suspected or actual personal data breaches.
We regularly monitor our systems for possible vulnerabilities and attacks.
11. How long will we keep your personal data?
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected unless we need to keep it longer to comply with our legal obligations.
At the end of the appropriate retention period, your personal data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Please note that we may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
12. Who do we share your personal data with?
We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006 in England & Wales.
We may share your information with selected third parties who we use to provide services. For example:
- Companies who provide or support our business systems.
- Operational companies such as couriers.
- Marketing companies who provide and manage our electronic communication with you.
We may share your personal data with third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners will use your personal data in the same way as set out in this Privacy Notice.
In all cases, we ensure that third parties only receive the minimum information necessary and ensure that:
- Your personal data is only used for the exact purposes specified in our contract with them.
- Your privacy is always maintained.
- Your personal data is kept securely.
- Any data held by them will either be deleted or rendered anonymous when we stop using their services (with the exception of data which they are required to keep in order to comply with their data retention obligations).
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions, except for when such third parties are regulators and other governmental organisations.
13. Where will your personal data be processed?
We ensure that personal data is transferred safely and securely at all times. Whenever your personal data travels outside of the UK and/or the European Economic Area (“EEA”), we ensure that it’s protected by putting in place one of the following safeguards:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data as endorsed by the Information Commissioner’s Office (“ICO”) and identified and determined by the European Commission.
- We will only transfer your personal data where we have entered into specific contracts with an organisation outside of the UK and/or the EEA which states that they will ensure that your personal data has the same level of protection as if it were in the UK and/or the EEA.
If you want to find out the specific mechanism used when transferring your personal data out of the UK and/or the EEA, please contact us.
14. What are your rights over your personal data?
Under certain circumstances, you have specific rights in respect of the personal data that we process about you. Your rights include:
- Right of access to information and copies of the personal data that we hold about you.
- Right to rectify (i.e., correct) your personal data where it is inaccurate or incomplete.
- Right to delete your personal data, but only in specific circumstances, for example where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed. It may not therefore always be possible for us to delete all of the information we hold about you if you request this, for example, if we have an ongoing contractual relationship with you.
- Right to restrict processing in specific circumstances, for example while we are reviewing the accuracy or completeness of data or deciding on whether any request for erasure is valid.
- Right to object to processing in cases where processing is based upon our legitimate interests or where processing is for direct marketing purposes (including profiling).
- Right to data portability which means the right to receive, move, copy or transfer your personal data to another data controller. You have the right to this when we are processing your personal data based on consent or on a contract and the processing is carried out by automated means.
If you wish to exercise any of the rights set out above, please contact our DPO at info@bpl.co.uk. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
If we choose not to action your request, we will explain to you the reasons for our refusal.
We try to respond to all legitimate requests within 1 month. Occasionally it could take us longer than 1 month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
15. How can you stop us contacting you?
- Click the ‘unsubscribe’ link in any email communication that we send you.
- Reply to any direct email and request that you are not contacted.
- Email us at info@bpl.co.uk.
- Write to us at Bio Products Laboratory, Dagger Lane, Elstree, Hertfordshire, WD6 3BX.
Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated. You may also still receive communication from us if we are required to contact you for legal or contractual purposes.
16. Contacting the data protection supervisory authority
Data protection laws are constantly evolving, and we endeavour to maintain best practice. However, we recognise that we may not always get it right and if you are not satisfied with the way we handle your personal data, or you wish to discuss our processes then we would really like to hear from you and request that you contact us in the first instance.
If you still feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the ICO by contacting it here: www.ico.org.uk/concerns.
If you are based outside the UK, you have the right to lodge your complaint with the appropriate data protection supervisory authority in your country of residence.
17. Questions
Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to our DPO at info@bpl.co.uk.