General Data Protection Regulation (GDPR) Policy
Last Updated: June 2025
1. Introduction
Biovara ("we", "us", "our") is committed to protecting the privacy and security of personal data. This policy outlines our obligations and practices in compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We process personal data relating to our employees, patients, healthcare professionals, suppliers, and other individuals.
2. Principles of Data Processing
We adhere to the following GDPR principles:
- Lawfulness, fairness, and transparency: We process personal data lawfully, fairly, and in a transparent manner.
- Purpose limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it further in a manner incompatible with those purposes.
- Data minimisation: We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.
- Storage limitation: We keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- Accountability: We are responsible for, and able to demonstrate compliance with, the GDPR.
3. Lawful Basis for Processing
We process personal data based on one or more of the following lawful bases:
- Consent: When the data subject has given freely given, specific, informed, and unambiguous consent to the processing of their personal data for one or more specified purposes.
- Contract: When processing is necessary for the performance of a contract with the data subject or to take steps at their request before entering into a contract.
- Legal obligation: When processing is necessary for compliance with a legal obligation to which we are subject.
- Vital interests: When processing is necessary to protect the vital interests of the data subject or another natural person.
- Public interest: When processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
- Legitimate interests: When processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
- Special categories of personal data (e.g., health data): We process such data only where a condition in Article 9 of the GDPR applies, namely where the data subject has given explicit consent; where the processing is necessary for the purposes of preventative or occupational medicine, the assessment of an employee's working capacity, medical diagnosis, or the provision or management of health or social care or treatment, on the basis of applicable law or a contract with a health professional; or where the processing is necessary for reasons of substantial public interest.
4. Data Subject Rights
Data subjects have the following rights:
- Right to access: The right to request access to their personal data.
- Right to rectification: The right to request correction of inaccurate personal data.
- Right to erasure ("right to be forgotten"): The right to request deletion of their personal data in certain circumstances.
- Right to restriction of processing: The right to request restriction of processing of their personal data in certain circumstances.
- Right to data portability: The right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
- Right to object: The right to object to the processing of their personal data in certain circumstances.
- Right not to be subject to automated decision-making, including profiling: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
- Right to withdraw consent: Where processing is based on consent, the right to withdraw consent at any time.
5. Data Security
We implement appropriate technical and organisational measures to ensure the security of personal data, including:
- Encryption and pseudonymisation of personal data where appropriate.
- Regular security assessments and audits.
- Access controls and authorisation procedures.
- Data backup and disaster recovery plans.
- Staff training on data protection and security.
6. Data Transfers
If we transfer personal data to a third country or international organisation outside the UK, we will ensure that appropriate safeguards are in place, such as:
- Adequacy regulations made under the UK Data Protection Act 2018 recognising that the destination country or organisation provides adequate protection.
- The UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner's Office, or the UK Addendum to the EU Standard Contractual Clauses.
- Binding corporate rules.
7. Data Retention
We retain personal data for no longer than is necessary for the purposes for which it is processed. Retention periods are determined based on legal, regulatory, and business requirements.
8. Data Protection Officer (DPO)
Biovara has appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with the GDPR.
The DPO's contact details are:
- Name: Guy Browning
- Email: info@biovara.co.uk
- Phone: 01865 602419
9. Data Breaches
In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, we will also inform the affected data subjects without undue delay. We document all personal data breaches, including those that do not require notification, as required by the GDPR.
10. Policy Review
This policy will be reviewed and updated regularly to ensure it remains compliant with the GDPR and other relevant data protection legislation.
11. Contact Information
If you have any questions or concerns about this policy or our data processing practices, please contact our DPO at:
Data Protection Officer
Biovara
69-73 Theobalds Road, London, WC1X 8TA
info@biovara.co.uk
01865 602419
12. Changes to this Policy
We may amend this policy at any time. Any changes will be posted on this page, and we encourage you to review it regularly.