GDPR Policy

Your Data, Protected & Transparent

At RX Virtual Finance (“the Company”), we are committed to protecting the personal data of our customers, employees, and business contacts (“data subjects”) in compliance with the UK GDPR, the Data Protection Act 2018, and all other applicable data protection and privacy laws. This policy outlines our obligations and practices concerning the collection, processing, transfer, storage, and disposal of personal data.

This policy applies to all employees, contractors, agents, and any third parties processing personal data on behalf of the Company.

Definitions

  • Consent: Freely given, specific, informed, and unambiguous agreement by a data subject to the processing of their personal data.
  • Data Controller: The entity that determines the purposes and means of processing personal data. The Company acts as the Data Controller.
  • Data Processor: Any entity processing personal data on behalf of the Data Controller.
  • Data Subject: A living individual whose personal data is processed by the Company.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Special Category Personal Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation, or biometric/genetic data.
  • Processing: Any operation performed on personal data, such as collection, storage, use, or deletion.
  • Personal Data Breach: A security breach leading to accidental or unlawful destruction, loss, or access to personal data.

Scope

This policy applies to all personal data processed by the Company, whether in electronic or physical form.

Data Protection Principles

The Company adheres to the following principles for personal data processing:

  1. Lawfulness, fairness, and transparency: Data is processed lawfully, fairly, and transparently.
  2. Purpose limitation: Data is collected for specified, legitimate purposes.
  3. Data minimisation: Data collected is adequate, relevant, and limited to what is necessary.
  4. Accuracy: Data is accurate and kept up to date.
  5. Storage limitation: Data is kept only for as long as necessary.
  6. Integrity and confidentiality: Data is processed securely.

The Company processes personal data based on the following lawful grounds:

  • Consent: Data subject has provided explicit consent.
  • Contract: Processing is necessary for a contractual relationship.
  • Legal Obligation: Compliance with a legal obligation.
  • Legitimate Interests: Where processing is necessary for the Company’s legitimate interests unless overridden by the data subject’s rights.

Rights of Data Subjects

Data subjects have the following rights under GDPR:

  1. The right to be informed: About how their data is collected and used.
  2. The right of access: To their personal data.
  3. The right to rectification: Of inaccurate or incomplete data.
  4. The right to erasure: Also known as the “right to be forgotten.”
  5. The right to restrict processing: Under certain conditions.
  6. The right to data portability: To receive data in a commonly used format.
  7. The right to object: To processing based on legitimate interests or for direct marketing.
  8. Rights related to automated decision-making: Including profiling.

Consent will be obtained in a clear, transparent manner and can be withdrawn by the data subject at any time. Explicit consent is required for processing special category personal data.

Data Retention

Personal data is retained only as long as necessary for the purposes for which it was collected or to comply with legal obligations. The Company’s Data Retention Policy provides detailed retention periods for various data categories.

Data Security

The Company employs robust technical and organisational measures to ensure the security of personal data, including:

  • Encryption of electronic data.
  • Secure physical storage for hard copies.
  • Controlled access to data on a need-to-know basis.
  • Regular security audits and updates.

Data Breach Notification

In the event of a personal data breach:

  • The Data Protection Officer (DPO) will assess and document the breach.
  • If the breach poses a risk to data subjects, it will be reported to the Information Commissioner’s Office (ICO) within 72 hours.
  • Affected data subjects will be notified without undue delay if the breach results in a high risk to their rights and freedoms.

Transferring Data Outside the UK

Personal data will only be transferred outside the UK when adequate safeguards are in place, such as:

  • Transfers to countries with UK adequacy regulations.
  • Use of standard contractual clauses or binding corporate rules.
  • Explicit consent from the data subject.

Accountability and Record-Keeping

The Company maintains comprehensive records of data processing activities, including:

  • Categories of data processed.
  • Purposes of processing.
  • Retention periods.
  • Technical and organisational security measures.

Data Protection Officer (DPO)

The Company’s DPO is responsible for overseeing this policy, monitoring compliance, and acting as a point of contact for data subjects and the ICO. Contact details: [Insert DPO name and contact information].

Updates to This Policy

This policy will be reviewed periodically and updated to reflect changes in legislation or business practices.

Contact Us

For questions or concerns about this policy or to exercise your rights, contact us at:

RX Virtual Finance
Alexandra Gate, Alexandra Gate Business Centre 2
Cardiff CF24 2SA
Email: customers@rxvirtualfinance.co.uk
Phone: +447727664215

Complaints

If you believe your data has been mishandled, you have the right to file a complaint with the Information Commissioner’s Office (ICO).

This policy is effective from [1st January 2025].