Data Processing Policy

This notice describes how we at Stericycle, trading as My Surgery Website in the UK, process information about visitors to our customers websites.  We provide tools and services to allow our customers to create, edit and publish their own website.  Below is our own Privacy Notice. However, you should also contact the owner and administrator of the website (usually a GP practice or similar) for the details of their own privacy policy.

This Privacy Notice ("Notice") describes how Stericycle Inc. and its affiliates (collectively referred to as "Stericycle", "we", "us" or "our") collects, uses and shares personal data collected in the context of our websites, business contacts, suppliers, current and prospective customers who use Stericycle services or products or users affected by our services (together referred to as "you" or "your"). This Notice also explains your ability to edit, update, correct, or delete your personal data and the security procedures that we have implemented to protect personal data.

In this Notice, you can find out more about:

• We collect personal data, the types of personal data we collect and the purposes for which personal data is collected
• Direct Marketing and how you can manage your marketing preferences
• How we share information within Stericycle and with our service providers, regulators and other third parties
• International Transfers of Personal Data
• Cookies and third-party links
• How we store and protect personal data
• Your rights, including your right to object and how to assert those rights
• Modifications to this Notice
• How you can Contact us for more support.

Controller

Important information about Stericycle

The Stericycle entity responsible for your personal data will be the member of Stericycle that originally collects information from or about you. This will be explained in separate privacy notices made available when your personal data are first collected by that Stericycle entity, for example where you or the business you work for engages us to provide a service.

You can find out more about Stericycle at www.stericycle.co.uk or by contacting us using the information in the Contact us section.

When we collect personal data, the types of personal data we collect and the purposes for which personal data is collected

In this section, you can find out more about:

• When we collect personal data
• The types of personal data we collect and how we use personal data
• Legal basis for the processing

When we collect personal data

We may collect personal data about you if you:

• use one of our websites or online services, you are a registered user or chose to register on our websites (Website Users);
• purchase one of our services (Customers);
• are affected by our services (Users);
• work with us as a business partner (Business Partners);

The types of personal data we collect and how we use personal data

Website Users

a.   Unregistered Website Users

You may use our websites as an unregistered user without (actively) providing any personal data about you. In this case, Stericycle collects the following metadata that result from your usage of our websites: referral page, date and time of access, type of web browser, IP-address, geographic location as determined by your IP address, operating system and interface, language and version of browser software, session information (such as download errors and page response times).

Your IP-address will be used to enable your access to our websites. The metadata will be used to improve the quality and services of our websites by analysing the usage behaviour of our users.

If you commence direct communications via our websites enquiry form, by telephone or writing to us, the nature of the enquiry (e.g., as tick box selection from service type/careers/other) and your message will also be collected and processed to respond to it and improve our services.

b.   Registered Website Users

If you are a registered user or choose to register on a Stericycle website, you may be asked to provide the following personal data about you: first and last name, work phone number, company name, email address, personal telephone number, Stericycle Customer No. or Shred-It Ship to ID, postal address and primary usage. Further, Stericycle will collect user access content.

Stericycle will process such personal data in order to provide you in particular with the services for registered users, verify the legitimacy of your account, to avoid fraudulent accounts being opened, provide you with our products, customer support, compliance trainings, business communications solutions (e.g., answering services, appointment reminders, follow-up services, virtual receptionists), contact form, marketing materials as selected by you, inform you about system issues, comply with legal obligations, and defend, establish and exercise legal claims.

The personal data collected from Website Users is also used to personalize your experience of our websites. We may use such information in the aggregate to understand how you use our services and the resources provided on our websites. We may also use the feedback you provide to improve our services.

Customers

If you purchase products from Stericycle, either via a Stericycle website or offline, you may be asked to provide, among other, the following personal data about you, your representative and/or your contact person: first and last name, suffix, credentials, work phone number, personal phone number, facsimile, email address, job title, mailing address, tax identification number, credit card information, billing address, types and amount of products ordered, reseller/promo code, auto-delivery selection, marketing preferences, job information, academy of general dentistry and license.

To provide certain services we may have to process, depending on the services provided, the following personal data about you: professional data; data relating to your physical characteristics; dosimetry monitoring data; health information such as, as applicable, the dose of radiation to which you were exposed, any relevant medical imaging results, pregnancy status and data relating to the foetus, data relating with accidents at work and disabilities; data relating with professional training.

Stericycle will use such personal data to process your order, deliver the products or services ordered, provide customer care services, provide you with marketing materials as selected by you, provide you with Stericycle updates and/or newsletters, to maintain our client relationship management systems, to detect, investigate, report and seek to prevent fraud and anti-money laundering, for example through know-your- customer checks, AML screening and other identity checks, comply with other legal obligations, defend, establish and exercise legal claims. We may also need to conduct credit and fraud checks on business customers and certain officers of your business, such as your directors.

Users

When providing certain services to a Customer to which you are related to (e.g., if you are an employee, a contractor, an apprentice, a trainee, a patient, etc., of our Customer), Stericycle may have to process the following personal data about you (as applicable, depending on the specific service provided): identification data; contact data; professional data; data relating to your physical characteristics; dosimetry monitoring data; health information such as, as applicable, the dose of radiation to which you were exposed, any relevant medical imaging results, pregnancy status and data relating to the foetus, data relating with accidents at work and disabilities; data relating with professional training. Most of the personal data is obtained from our Customer.

We process such personal data in the context of the provision of a service to a Customer and for purposes of providing the services to said Customer. However, we need to process your personal data either because the services provided have an impact on you (e.g., the dosimetry services are intended to measure the radiation to which you were exposed, or the professional training services are provided to you) and/or because we have to comply with legal obligations that imply the processing of your personal data (e.g., we have a legal obligation of reporting the dosimetry results).

Business Partners

If you work with us as a Business Partner or a service provider, we will collect personal data from you, your representative and/or your contact person such as your full name, job title, email address, phone number.

Most of the personal data is obtained directly from you. In addition, we will collect personal data from other public sources such as credit reference agencies.

We use this information to review/assess your suitability as a Business Partner or service provider, to comply with our legal obligations, to detect investigate, report, and seek to prevent fraud and anti-money laundering, for example through know- your-customer checks, AML screening and other identity checks and to meet our obligations under any contracts we have with you, we may also need to conduct credit and fraud checks on your business and certain officers of your business, such as directors.

Legal basis for the processing

We will only collect, use and share your personal data where we are satisfied that we have an appropriate legal basis to do this. We carry out the processing of your personal data on the following legal bases:

• the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. For example, where you purchase our products or services, we will collect your payment information to process your payment and your address to facilitate delivery of the product or service. We will also collect your email address and phone number to update you on the progress of your purchase and to answer any of your queries;
• the processing is necessary for compliance with a legal obligation to which we are subject to. For example, in order to set you up as a business customer or business partner, we are obliged to carry out certain know-your-customer checks to prevent money laundering and fraudulent activities. This will involve the collection and verification of your personal data;
• you have provided your consent to using your personal data, for example if you have agreed to receive marketing communications;
• the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, namely to provide you with our products and services, except where such interests are overridden by your interests or fundamental rights and freedoms. For example, we use personal data in the aggregate to understand how Website Users use our services and the resources provided on our websites and use this information to improve our services. For example, we also have a legitimate interest to process the personal data of a contact person in order to facilitate the development of a contractual relationship;
• the processing is necessary for reasons of public interest in the area of public health. For example, when providing dosimetry services, we will process your personal data to comply with our legal obligations of reporting of the dosimetry results.

In most of the cases, the provision of your personal data is not required by a statutory or contractual obligation. However, where applicable, the provision of your personal data will be necessary to enter into a contract with Stericycle or to receive our services and products as requested by you. In such situations, not providing your personal data may likely result in disadvantages for you, e.g. you may not be able to use the full functionalities of our websites or to receive the products and services requested by you. However, unless otherwise specified, not providing your personal data will not result in legal consequences for you.

In some cases, where the processing of personal data is necessary for purposes of legal reporting (e.g., dosimetry services or professional training services), the provision of your personal data is a statutory requirement. In other cases, the provision of your personal data is a contractual requirement (e.g., for the provision of professional training services when the contract is executed directly with you).

If you would like to find out more about the legal basis for which we process personal data, please contact us at enquiries@mysurgerywebsite.co.uk

Direct marketing and how you can manage your marketing preferences

How we use personal data to keep you up to date with our products and services

We may use personal data to let you know about our products services that we believe will be of interest to you and/or provide you with our newsletter. We may contact you by email, post, or telephone or through other communication channels that we think you may find helpful. In all cases, we will respect your preferences for how you would like us to manage marketing activity with you.

As a rule, we will obtain your consent prior to sending you marketing materials. We will only contact you with marketing materials without your prior consent if this is permitted by law.

How you can manage your marketing preferences

To protect privacy rights and to ensure you have control over how we manage marketing with you:

• we will take steps to limit direct marketing to a reasonable and proportionate level and Stericycle will only send you communications which we believe may be of interest or relevance to you;
• you can ask us to stop direct marketing at any time ‑ you can ask us to stop sending email marketing, by following the "unsubscribe" link you will find on all the email marketing messages we send you. Alternatively, you can Contact us at enquiries@mysurgerywebsite.co.uk. Please specify whether you would like us to stop all forms of marketing or just a particular type (e.g. email); and
• you can change the way your browser manages cookies, which may be used to deliver online advertising, by following the settings on your browser as explained in Our Cookie Policy.

How we share information within Stericycle and with our service providers, regulators and other third parties

We share your personal data in the manner and for the purposes described below:

• With other Stericycle entities within our group Your personal data will be received by different recipients such as other Stericycle entities. We make such transfers where it is necessary to provide you with our services or to manage our business. For example, we transfer your data to Stericycle, Inc. in the US to operate our websites. Stericycle transfers - in compliance with applicable data protection law - personal data to law enforcement agencies, governmental authorities or other public authorities (or entities appointed by them).
• With third parties who help manage our business and deliver services Stericycle engages external service providers such as legal services, website service providers, marketing service providers, IT support service providers, fulfilment providers, delivery service providers, email administrators, payment processors and customer service providers. When providing such services, the external service providers have access to and process your personal data. We request those external service providers to implement and apply security safeguards to ensure the privacy and security of your personal data. These third parties have agreed to confidentiality restrictions and to use of any personal data we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us.
• In the event of a corporate merger and acquisition, your personal data will be transferred to the third parties being involved in the merger and acquisition in accordance with applicable law.

International transfers of personal data

The personal data that we collect or receive about you may be transferred to and processed by recipients who are located within and outside your location (such as the US), where the level of data protection may not be equivalent to the level of protection applicable at your location.

Where we are legally required to do so, transfers of personal data to parties located in countries outside the EU/EEA will be made pursuant to the European Commission-approved Standard Contractual Clauses or other legally acceptable mechanisms that ensure an adequate level of protection. Please contact enquiries@mysurgerywebsite.co.uk for more details on the third countries to which the data will be transferred.

Where applicable, you are entitled to receive a copy of the relevant agreements (such as Standard Contractual Clauses or Binding Corporate Rules) showing that appropriate safeguards have been taken to protect your personal data during such transfer. You can obtain a copy by contacting us at enquiries@mysurgerywebsite.co.uk. However, please note that we are not required to share details of safeguards where sharing such details would affect or commercial position, or create a security risk.

Some recipients located outside of the EEA are located in countries for which the European Commission has issued adequacy decisions (currently this includes Canada ((for non-public organizations subject to the Canadian Personal Information Protection and Electronic Documents Act)). The transfer is thereby recognized as providing an adequate level of data protection for personal data.

Contact enquiries@mysurgerywebsite.co.uk for additional information regarding the identity, industry, sector and location of the relevant data recipients.

Cookies and third-party links

Stericycle websites use cookies. Generally, we use cookies to understand how our services are used, track bugs and errors, improve our services, verify account credentials, allow logins, track sessions, prevent fraud, and protect our Services, as well as for targeted marketing and advertising, to personalize content and for analytics purposes. For further information please view our Cookie Policy or contact enquiries@mysurgerywebsite.co.uk.

Our websites contain links to websites operated and maintained by third parties over which Stericycle has no control. Any information you provide to third-party websites will be governed under the terms of each website’s privacy policy, and we encourage you to investigate and ask questions before disclosing any information to the operators of third-party websites. We have no responsibility or liability whatsoever for the content, actions, or policies of third-party websites. The inclusion of third-party websites on our site in no way constitutes an endorsement of such websites’ content, actions, or policies.

How we store and protect personal data

How long does Stericycle keep your personal data?

Your Personal Data will be retained as long as it is required for the purposes for which the data is collected e.g. as necessary to provide you with the services and products requested. Once you have terminated the contractual relationship with us and/or you have deleted your account, or, in case you are a User, following the termination of the contractual relationship in the scope of which your personal data was processed, we will permanently remove your personal data unless statutory retention requirements apply (such as for taxation purposes, dosimetry purposes or professional training purposes) or in order to fulfil regulatory requirements. We retain your contact details and interests in our products or services for a longer period of time if Stericycle is allowed to send you marketing materials. We also retain your personal data if needed to establish, exercise or defend a legal claim, on a need to know basis only. Personal data security

As technology continues to enhance, we are committed to using our technological resources in an effort to ensure that our customers and users receive the kind of privacy protection that will make them confident and secure. We are not responsible, however, for harm that you or any person may suffer as a result of a breach of confidentiality due to your use of the Internet.

We have adopted appropriate data collection, storage and processing practices, technical, organisational and security measures designed to protect against unauthorized access, alteration, disclosure or destruction of the personal data that you share with us. For example, such measures include:

• placing confidentiality requirements on our staff members and service providers;
• permanently removing personal data if it is no longer needed for the purposes for which it was collected;
• following security procedures in the storage and disclosure of your personal data to prevent unauthorised access to it; and
• using secure communication channels such as SSL ("secure sockets layer") for transmitting data that is sent to us. SSL is an industry standard encryption protocol used to protect online transaction channels.

As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect user IDs and passwords, please take appropriate measures to protect this information.

Your rights, including your right to object, and how to assert those rights

We will take steps in accordance with applicable legislation to keep your personal data accurate, complete and up-to-date. Depending on the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement. You also have the right to request access to your personal data as well as additional information about the processing and to request us to erase the personal data we hold about you.

You can object to the use of your personal data which has our legitimate interests as its legal basis, including for the purposes of marketing, without incurring any costs other than the transmission costs (see also below).

The following rights apply, to European residents:

(i) Right of access:

You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and where that is the case, to request access to the personal data. The accessed information includes – among others - the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed.

You have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

(ii) Right to rectify and complete personal data:

You can request the rectification of inaccurate data and the completion of incomplete data. We will inform relevant third parties to whom we have transferred your data about the rectification and completion if we are legally obliged to do so.

(iii) Right to erasure (right to be forgotten):

You have the right to obtain from us the erasure of personal data concerning you in limited circumstances where:

• • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where the data processing was based on consent); or
  • following a successful right to object; or
  • it has been processed unlawfully; or
  •  the data has to be erased in order to comply with a legal obligation to which Stericycle is subject.
  • We are not required to comply with your request to erase personal data if the processing of your personal data is necessary for:
  • compliance with a legal obligation; or
  • the establishment, exercise or defence of legal claims.

(iv) Right to restriction of processing:

You have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and only be processed by us for certain purposes. This right can only be exercised where:

• • the accuracy of your personal data is contested, to allow us verify its accuracy; or
  • the processing is unlawful, but you do not want the personal data erased; or
  • it is no longer needed for the purposes for which it was collected, but you still need it to establish, exercise or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal data following a request for restriction, where:

• • we have your consent; or
  • to establish, exercise or defend legal claims; or
  • to protect the rights of another natural or legal person.

(v) Right to data portability:

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another entity without hindrance from us, but in each case only where:

• • the processing is based on your consent or on the performance of a contract with you; and
  • the processing is carried out by automated means.

(vi) Right to object:

You have the right to object at any time to any processing of your personal data which has our legitimate interests as its legal basis. You may exercise this right without incurring any costs.

If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

The right to object does not exist, in particular, if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.

(vii) Right to object to how we use your personal data for direct marketing purposes:

You can request that we change the manner in which we contact you for marketing purposes. You can request that we not transfer your personal data to unaffiliated third parties for the purposes of direct marketing or any other purposes.

(viii) Right to withdraw consent:

If you have given us your consent for the processing of your personal data, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal

(ix) Right to obtain a copy of personal data safeguards for transfers outside your jurisdiction:

You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside the EU/EEA. We may redact data transfer agreements to protect commercial terms.

(x) Right to lodge a complaint with your local supervisory authority:

You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal data.

We ask that you please attempt to resolve any issue with us first, although you have a right to contact your supervisory authority at any time.

Please note that the aforementioned rights might be limited under the applicable national data protection law.

We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

To exercise your rights please Contact us using the contact information below. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

Modifications to this notice

Stericycle reserves the right to change this Notice at any time. Any changes to this Notice will be effective immediately upon notice, by posting the latest version on our websites.

Contact us

Subject Access Requests

If you wish to obtain a subject access request for a patient of this practice please direct your query to the details held in the "contact us" section of this website and not the details below (which are actually for the website provider).

The primary points of contact for all other issues arising from this Notice can be contacted in the following way:

• Initial contact at enquiries@mysurgerywebsite.co.uk
• For escalation purposes at privacy@mysurgerywebsite.co.uk
• Phone: 0333 433 0211
• Mail: First Practice Management | Indigo House | Leeds | West Yorkshire | LS10 2LF

If you have any questions, concerns or complaints regarding our compliance with this Notice, the information we hold about you or if you wish to exercise your rights, we encourage you to first contact enquiries@mysurgerywebsite.co.uk. We will investigate and attempt to resolve complaints and disputes and make every reasonable effort to honour your wish to exercise your rights as quickly as possible and in any event, within the timescales provided by data protection laws.

EU residents have a right to lodge a complaint with their local data protection supervisory authority (i.e. your place of habitual residence, place or work or place of alleged infringement). We ask that you please attempt to resolve any issues with us before your local supervisory authority.

Last updated: 04/07/22