PRIVACY AND DATA PROTECTION POLICY This notice is issued by: Manchester Imaging Ltd, Room E43, Sackville Street Building, Sackville Street, Manchester, M1 3BU, United Kingdom Company Registered in England and Wales, Registration No 09098192 Registered address: Manchester Imaging Limited C/O Slater Heelis Limited, 86 Deansgate, Manchester, M3 2ER, United Kingdom Registered with the Information Commissioners Office (ICO), No ZA318534 We will keep our privacy policy under regular review and publish any updates on our website. This privacy policy was last updated on 15th March 2021. DATA CONTROLLER AND DATA PROCESSOR The General Data Protection Regulation (GDPR) distinguishes between two types of organisation: a Data Controller, and a Data Processor. In most cases Manchester Imaging is a Data Controller. However, in relation to information on and derived from analysing images the company is a Data Processor. The GDPR defines responsibilities that Data Controllers and Data Processors must publish and adhere to in the management of personal information. Personal information is any information relating to an identified or identifiable individual. Any reference to an identifier such as a name, email address, or IP address, and any factor relating to a natural person such as their physical, physiological, or social identity, is personal information. Purely business data, such as a business name, office address, or generic email address, is not personal information. The GDPR applies whether personal information is stored and processed digitally or manually (e.g., on paper). Manchester Imaging Ltd collects and uses personal data in accordance with the General Data Protection Regulation (GDPR) and all other data protection legislation currently in force. We will: • collect your data only for lawful reasons and in ways that have been explained to you • process it fairly, lawfully, and only where we have a need to do so • ensure it is correct and up to date • keep your data for only as long as we need it • only use it in a way that you would reasonably expect or have consented to (as appropriate). WHAT INFORMATION DO WE COLLECT, HOW, AND WHY The information we collect includes: • Identity data including title, first name and last name. If you participate in Manchester Imaging events at which photographs are taken, we may have your photograph. • Professional and business data including your professional qualifications and affiliations, business title and role. • Contact data including billing address, delivery address, email address and telephone numbers. • Marketing and communications data including your preferences and consent (if given) to receiving communications from us, and your interest in Manchester Imaging products and services • Customer support data including your practice status, and information relating to your use of the software and any customer support needed. • Business correspondence, by post, email or other means, or written notes following a meeting, phone call, digital or other communication. • Technical data including information about the software, device, and IP address from which you access our website, which links you click and which videos you watch. For registered users we collect your username and a means of checking if your password is valid. Personal data may be collected through: • Direct interaction. We may meet you at an event, you may phone, email, or complete a form on a web site, you may communicate with us by other digital means, or you may correspond with us by post. • Automated technology. As you interact with our website, we may automatically collect technical data about the type of device used and your browsing actions. We collect this personal data by using cookies, server logs and other similar technologies. Why do we collect this information: We collect your information in order to manage your needs and ours in relation to Manchester Imaging products and services, including: • Selection of an appropriate product and contract • Training, support and maintenance • Provision and improvement of our products and services, including anonymisation of information and its subsequent analysis • Security, enforcement, and legal obligations, to ensure that our products and services, and your use of them, conform to contract terms and conditions, and other legal requirements such as tax and regulations. ON WHAT LAWFUL BASIS DO WE COLLECT AND PROCESS YOUR INFORMATION Collection and processing of your information will be according to a Lawful Basis: • Legal obligation. To comply with tax and other regulations, court orders or law enforcement demands. • Contract. Where we have a contract with you and need to process personal data to comply with our obligations under the contract, or where you have asked us to do something (e.g. provide a quote) and we need to process your personal data to do what you have asked. • Consent. Where you have consented to the use of your personal information. Consent requires a positive opt-in, and will always be for a clearly specified purpose. When you consent, you can change your mind at any time. • Legitimate interests. We have a legitimate interest in managing our business effectively and providing the products and services our customers expect, which may require the use of personal data. Where the lawful basis for our use of your personal information is legitimate interest, we will only use your data in ways you would reasonably expect and which have a minimal impact on your privacy. MARKETING If you are not a current customer then we will only contact you if we have your consent, or if we believe you would reasonably expect us to contact you to ask for such consent (for example if we have spoken to you at a recent event). We may send you material by post or email relating to Manchester Imaging’s products and services that we believe may be of interest to you. We will never pass on your details to any other company for their promotion or marketing purposes. You can withdraw your consent to marketing messages at any time. HOW LONG WILL WE KEEP YOUR DATA We will only keep your personal information for as long as necessary to meet the needs for which we collected it. In determining the appropriate length of time to keep your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. SECURITY We have in place appropriate security measures to prevent your personal data from being accidentally lost, destroyed, or disclosed or used in an unauthorised way. We limit access to your personal data to those employees who have a business need to know, or to third party Data Processors who have a need to know in order to process your data according to our instructions and to meet our business needs. Any such Data Processors are also required to comply with the GDPR. All of our critical business data, including personal information, is routinely backed up and archived. Should your information change, that change will not be made to the backup copies but will be incorporated should we need to restore live data from a backup copy. INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA Manchester Imaging does business both inside and outside the European Economic Area (EEA). Your personal information may be transferred outside the EEA where required to meet your needs and ours in relation to Manchester Imaging products and services. Such transfers will only occur in accordance with Article 49 of the GDPR, including where you have given explicit consent, where the transfer is necessary for the conclusion or performance of a contract, where the transfer is required for legal reasons, or where the information is already open to the public. DATA BREACH If your personal information is subject to unauthorised access or other such data breach we will document the breach and assess the likelihood and severity of the resulting risk to your rights and freedoms. If it is likely that there will be a significant risk then we will notify the ICO within 72 hours. If the breach is likely to result in a high risk we will also inform you without undue delay. YOUR RIGHTS The GPDR gives you 8 rights: • The right to be informed • The right of access • The right to rectification • The right to erasure • The right to restrict processing • The right to data portability • The right to object Rights in relation to automated decision making and profiling. For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner's Office at https://ico.org.uk/for-organisations/guide-to-the-general-data- protection-regulation-gdpr/individual-rights/ If you would like to exercise any of your rights, please contact Manchester Imaging at tony.travers@manchester-imaging.com. We will need sufficient information to allow us to formally identify you, and the specific nature of your request.