Our Contact Details
Tympa Health Technologies Ltd
Landmark
33 Cavendish Square
London W1G 0PW
ICO Registration No. ZA677793
This privacy notice was last updated on 22nd May 2023.
This Privacy Notice describes how Tympa Health Technologies Ltd (TympaHealth, we, or us) collects, uses and discloses information associated with an identifiable individual (referred to as ‘Personal Data’, you) and what choices you have with respect to the information.
When we refer to ‘TympaHealth’, we mean the TympaHealth entity that acts as the controller or processor of your information, as explained in more detail in the “Identifying the Data Controller and Processor” section.
CLIENTS/CUSTOMERS
We process a limited amount of personal data relating to the employees of our clients/customers and partners which is separate from the data that we process as a data processor.
What data do you collect?
We collect data about you to fulfill our obligations to you, including business communications with you, and the provision of services to users, these include:
- Data that identifies you, basic details such as name
- Contact data like address, telephone number, and email address
Do you share my data?
In rare cases, if a TympaHealth ENT specialist identifies a health issue that has not been picked up as part of the treatment provided to the patient by you, the images and video will be combined with identifiable patient data by TympaHealth to allow the ENT specialist to contact you the customer organisation and advise on treatment.
We do not share your company details with any other third party.
How do you use my data?
We use your data to fulfill our contractual obligations, to ensure that you are able to use the services that we provide.
We use your data to enable patients to locate your business via our clinic lookup feature.
How long do you keep my data?
We keep your personal data for the duration of the contract to provide services, and 6 years after the end of the contract.
What is the legal basis for processing my data?
Data protection law requires organisations to have a legal basis for processing data.
You have a signed contract with us, and we use your data to fulfill that contract
- UK GDPR Article 6 1(b) – Contract
We collect and use data like names and contact details so that we can liaise with you.
- UK GDPR Article 6 1(f) – Legitimate interests
We may share your details with ENT specialists to enable you to provide the best care for your patients.
- UK GDPR Article 6 1(e) – Public interest
- UK GDPR Article 9 2(h) – Preventative or occupational medicine
PATIENTS
What data do you collect?
Tympa Health is a data processor for several NHS organisations and health organisations and processes the following data:
- Data that identifies you, basic details such as name, gender, date of birth
- Contact data like address, telephone number, and email address
- NHS or health number
- Medical history
- Images/videos/audiograms relating to your hearing/ears
Do you share my data?
We will share your personal data with the NHS organisations and health organisations that have commissioned our services to provide your healthcare.
Pseudonymised images and video (meaning that it is not possible for the specialist to identify the patient) are shared with our ear, nose, and throat specialists (ENTs) in order to improve the product and the quality of care provided to patients.
How do you use my data?
The personal data we collect on their behalf is used for the following purposes:
- To book and manage your appointments
- To provide your healthcare
How long do you keep my data?
We keep your identifiable data until the end of our clients/customers contract, at which point all identifiable data is returned to the client/customer or deleted if requested by the client/customer (if there is no legal requirement for the customer to keep the data) or if requested, transferred securely to another provider within the timescales stated within the contract.
Research and Development
Your anonymous images, videos and audiograms will be retained by Tympahealth indefinitely for product development and research purposes.
What is the legal basis for processing my data?
Data protection law requires organisations to have a legal basis for processing personal data. We process your data for the provision of your direct care and related administrative purposes.
- UK GDPR Article 6 1(e) – Public interest
- UK GDPR Article 9 2(h) – Preventative or occupational medicine
Volunteers and Patient Involvement
What data do you collect?
To enable you to volunteer, we collect the following data about you:
- Data that identifies you, basic details such as name
- Contact data like address, telephone number, and email address
- Medical data like allergies
Do you share my data?
We only share your data with customers/clients involved and do not share your contact details with third parties.
How do you use my data?
We use your data to fulfil our obligations to you, including communications with you and to arrange meetings and appointments.
How long do you keep my data?
We keep your contact data for 8 years.
What is the legal basis for processing my data?
Data protection law requires organisations to have a legal basis for processing personal data. We process your data for the provision of your direct care and related administrative purposes.
- UK GDPR Article 6 1(e) – Public interest
- UK GDPR Article 9 2(h) – Preventative or occupational medicine
MARKETING AND COMMUNICATIONS
What data do you collect?
We collect data from you, this may include:
- Name
- Job title
- Telephone number
- Email address
- Institutions or companies that you may be associated with
- Images/videos
We collect data from you directly in the course of introductions. We also collect selected data from publicly available sources like LinkedIn when you have expressed an interest in our services and products. We also collect images and videos to improve our public relations and help promote our services and products.
Do you share my data?
We do not share your data with third parties.
How do you use my data?
We use your personal data to provide you with the opportunity to benefit from our services and solutions we offer.
You have a right to object to processing at any time by emailing:
How long do you keep my data?
Where we are processing your data to provide services to you, we will keep your information for as long as is needed to provide those services.
Where we are processing your information for marketing purposes, we will continue to do so until such a time as you inform us that you wish to be removed from our marketing database.
What is the legal basis for processing my data?
Data protection law requires organisations to have a legal basis for processing data.
We collect and use data like names and contact details so that we can liaise with you
- UK GDPR Article 6 1(f) – Legitimate interests
We collect and use images and videos of you so that we can promote our product and services
- UK GDPR Article 6 1(a) – Consent
EMPLOYEES
What data do you collect?
We collect data about you to fulfill our obligations to you as an employer, including ensuring that you are paid for your work and are protected in the workplace.
We do this because you have entered into a contract of employment with us. We collect data from you, as well as creating data once you have been successful in a job application, this includes:
- Data that identifies you, basic details such as name, gender, date of birth
- Contact data like address, telephone number, and email address
- Financial data including bank and pension details, and national insurance number
- Computer records, including email and messaging history relating to your work
- Qualifications and employment history
- Data relating to leave, including annual leave, maternity, paternity, adoption, and shared parental leave
- Medical and health data, including sick leave, allergies, or occupational health requirements
- References and employee feedback
- Images and photographs
We may also collect personal data about you from other people and organisations, such as:
- We request confidential references from referees that you have given to us, which contain data about you
- We receive data from HMRC such as tax codes
Do you share my data?
We share your personal data under specific and unique circumstances. When we do share data, we use as little as possible, and on a need to know basis.
- If you require emergency medical treatment, we will share your personal data with health professionals to ensure you receive appropriate treatment
- We share your data with HMRC to ensure that you are taxed correctly
- Tympa Health Technologies Ltd shares data with companies who process the data on our behalf for purposes of paying expenses, pension contributions, salary payments
How do you use my data?
We use your personal data to fulfill our obligations to you as an employer, to ensure you are paid for your work, and that you are protected in the workplace.
This includes:
- Using financial data to make sure you are paid and taxed correctly
- Using your data to manage your performance in fulfilling your contract with us
- Understanding how we can support you if you have a disability or impairment
- Ensuring that you are employed in a suitable environment
- Assessing if you may present any risk to other individuals
- Understanding the diversity of our workforce and complying with equality and diversity legislation
- Ensuring that you receive adequate training for your role
- Investigating incidents
How long do you keep my data?
We keep your personal data during your employment, and we also retain the data when you leave Tympa Health Technologies Ltd. for an appropriate time. Employee data is kept for at least 6 years after you stop working for us.
If you apply for a job with us and are unfortunately unsuccessful, we will erase your data within 12 months of the close of the recruitment process.
We keep your data to defend ourselves against any potential legal claims. We may keep anonymised data for longer than 6 years. Anonymised data cannot identify you and helps us better understand the colleagues that we have employed.
What is the legal basis for processing my data?
Data protection law requires organisations to have a legal basis for processing personal data.
You have a signed a contract of employment with us and we use the data to fulfill that contract
- UK GDPR Article 6 1(b) – Contract
- UK GDPR Article 9 2(b) – Employment
We can share your data with healthcare professionals in emergency situations where your life is at risk
- UK GDPR Article 6 1(d) – Vital Interests
- UK GDPR Article 9 2(h) – Preventive or occupational medicine
We can use healthcare data for occupational medical care, and to assess your working capacity
- UK GDPR Article 6 1(e) – Public task
- UK GDPR Article 9 2(h) – Preventive or occupational medicine
IDENTIFYING THE DATA CONTROLLER AND PROCESSOR
Data protection law in certain jurisdictions differentiates between the ‘controller’ and ‘processor’ of information.
A data controller determines how and why of the processing of personal data.
A data processor engages in personal data processing on behalf of the controller.
In general, the Client/Customer organisation is the controller of Patient Data and TympaHealth is the processor of Patient Data.
In general, TympaHealth is the controller of Customer Data and Employee Data.
YOUR RIGHTS
Under data protection law, individuals (data subjects) have a number of rights which are detailed below. Some of these only apply in specific circumstances and are qualified in several respects by exemptions in data protection legislation. We will advise you in our response to your request if we are relying on any such exemptions.
Right to be informed
You have the right to be informed about the collection and use of your personal data. This Privacy Notice is one of the company’s key methods for providing you with this information.
Right to access personal data
You have a right to request a copy of the personal data that we hold about you. You should include adequate data to identify yourself and such other relevant data that will reasonably assist us in fulfilling your request. Your request will normally be responded to within one calendar month. (If we process your personal data on behalf of a Data Controller, you will need to request your information from them)
Right to rectification (correction)
You can request us to rectify and correct any personal data that we are processing about you which is incorrect. We provide customers/clients with account settings and tools to access the data associated with your account.
Right of erasure (right to be forgotten)
You can request us to erase your personal data under certain circumstances, it is not a guaranteed or absolute right.
Right to restrict processing
You have the right in certain circumstances to request that we suspend our processing of any or all your personal data. Where we suspend our processing of your personal data, we will still be permitted to store your personal data, but any other processing of this data will require your consent, subject to certain exemptions.
Right to data portability
This right allows you to obtain your personal data in an electronic format, where the lawful basis for processing your information is consent or for the performance of a contract and, or where the data was necessary for us to provide you with our services or employment. You can request that the data be given in a format which enables you to transfer that personal data to another organisation. You may have the right to have your personal data transferred by us directly to the other organisation if this is technically feasible.
Right to object to processing of personal data
You have the right to object to our use of your personal data which is used where we feel that we have legitimate interest. However, we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so, or we need to process your personal data in connection with any legal claims.
Right to withdraw consent
Where we have relied upon your consent to process your personal data, you have the right to withdraw that consent. To opt out of marketing, you can use the unsubscribe link found in the email marketing communication you receive from us. For other marketing preferences you can contact us, providing details of services or marketing that you wish to opt-out.
GETTING IN TOUCH
Should you wish to exercise any of your rights, or you have any queries about the how your data is used, including a complaint, then please contact our Data Protection Officer
Email: [email protected]
Postal address: Tympa Health Technologies Ltd, Landmark, 33 Cavendish Square, London, W1G 0PW
If we do not resolve your concerns to your satisfaction, you have the right to make a complaint to the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
