Information
Tristel Solutions Limited
External Privacy Notice for Tristel 3T Platform
1. Who we are and what we do
Who we are
We are Tristel Solutions Limited (“Tristel”, “us”, “we”, “our”). We are a limited company registered in England and Wales under registration number 03518312 and we have our registered office at Unit 1b Lynx Business Park, Fordham Road Snailwell, Newmarket, Cambridgeshire, CB8 7NY. We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”), in relation to our processing of Personal Data under registration number ZA346266. We and our subsidiaries are committed to protecting the privacy and security of the Personal Data we process about you.
What we do
We provide the 3T platform Tristel 3T software as a service (SaaS) to our clients, who are organisations such as hospitals, medical centres etc.
We also specialise in the manufacturing of infection control, contamination control, and hygiene products, with headquarters in the UK and with group companies all around the world. However, this privacy notice only applies to users of the 3T platform.
Controller
Unless we notify you otherwise, the controller of your Personal Data is the organisation that you work for and through which you have registered on the 3T platform. This means that they decide the means and purposes of processing your Personal Data i.e what Personal Data to collect and how to process it. The controller organisation is our client and it has instructed us, as a processor, to provide the 3T platform on their behalf, for your use. We, therefore, act under the instructions of the controller organisation.
2. Purpose of this privacy notice
The purpose of this privacy notice is to explain, on behalf of the controller organisation, what Personal Data we collect about you when you use the 3T platform and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions, you will need to contact the controller organisation you work for.
3. Who this privacy notice applies to
This privacy notice applies to you if you use the 3T platform Tristel 3T
4. What Personal Data is
‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.
5. Personal Data we collect
The type of Personal Data we collect about you on the 3T platform is set out in the table below in the section entitled ‘Purposes, lawful bases and retention periods’.
6. How we collect your Personal Data
We collect your Personal Data directly from you when your employer completes the user creation procedure to give you access to the 3T platform.
7. Purposes, lawful bases and retention periods
We use your Personal Data in relation to the 3T platform, as set out below or otherwise as the law allows. However, the controller organisation may have other uses for the data. You would need to contact them directly about this.
| Categories of individuals | Categories of Personal Data | Purpose of Processing | Lawful Basis | Retention Period |
|---|---|---|---|---|
| Users of the 3T platform | Name, work email address, organisation, staff ID, 3T Login details, any other information you provide | To use the 3T platform | Legitimate interests | 30 days following the end of the contract between us and the organisation you work for and through which you have registered to use the 3T platform |
| Patients | Patient ID | Storage for auditing traceability | Legitimate interests | 30 days following the end of the contract between us and the organisation you work for and through which you have registered to use the 3T platform |
8. Sharing your Personal Data
In order to fulfil our duties to the controller organisation, as a processor, we may share your Personal Data, as necessary, with third parties, including:
-
our group companies who provide processing services to us;
-
hosting service providers (located in Europe, Australia, New Zealand and Shanghai)
-
any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
-
an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your Personal Data only for the purposes disclosed in this Privacy Notice.
9. International Transfers
In order to fulfil our duties to the controller organisation, as a processor, your Personal Data may be processed outside the UK and the European Economic Area (“EEA”). This is because the organisations we use to provide our services to you are located outside of the UK and the EEA.
We have taken appropriate steps to ensure that the Personal Data processed outside the UK and the EEA has an essentially equivalent level of protection to that guaranteed in the UK and the EEA. We do this by ensuring that:
For the UK:
-
Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), or
-
We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organisation and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here international-data-transfer-agreement.pdf (ico.org.uk)).
For the EEA:
-
Your Personal Data is only processed in a country which the European Commission has confirmed has an adequate level of protection (an adequacy decision); or
-
We enter into Standard Contractual Clauses (“SCCs”) with the receiving organisations and adopt supplementary measures, where necessary. (A copy of the SCCs can be found here Standard Contractual Clauses (SCCs)) or
-
In respect of transfers from the EU to the US, we may rely on the EU-US Data Privacy Framework, if appropriate.
For transfers of Personal Data from the UK and the EEA, to a third country without adequacy status, we rely on the SCCs and the IDT Addendum, together with supplementary measures, where necessary.
10. Your rights and how to complain
You have certain rights in relation to the processing of your Personal Data, including to:
-
Right to be informed
You have the right to know what personal data is collected about you, how it used, for what purpose and in accordance with which lawful basis, who it is shared with and how long it is kept.
-
Right of access (commonly known as a “Subject Access Request”)
You have the right to receive a copy of the Personal Data held about you.
-
Right to rectification
You have the right to have any incomplete or inaccurate information about you corrected.
-
Right to erasure (commonly known as the right to be forgotten)
You have the right to ask for your Personal Data to be deleted.
-
Right to object to processing
You have the right to object to the processing of your Personal Data.
-
Right to restrict processing
You have the right to restrict the use of your Personal Data.
-
Right to portability
You have the right to ask for our Personal Data to be transferred to another party.
-
Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. Automated decision-making is not used on the 3T platform.
-
Right to withdraw consent
If you have provided your consent for the processing of your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, your Personal Data will no longer be processed for the purpose(s) you originally agreed to, unless this is permitted by law.
-
Right to lodge a complaint
You have the right to lodge a complaint with the relevant supervisory authority, if you are concerned about the way in which your Personal Data is being handled. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:
Contact us | ICO
Or by telephone on 0303 123 1113
For supervisory authorities in other countries within the EU see the link below:
https://edpb.europa.eu/about-edpb/about-edpb/members_en
How to exercise your rights
You will not usually need to pay a fee to exercise any of the above rights. However, the controller organisation you work for may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, they may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, you will need to contact the data protection officer for the controller organisation you work for. We are not able to process any requests. If you send your request to us, we will simply pass it onto the controller organisation. You will receive a more timely response if you send your request directly to the data protection officer for the controller organisation you work for.
The controller organisation may need to request specific information from you to confirm your identity before they can process your request. Once in receipt of this, the controller organisation will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take them longer than this and, if so, they will keep you updated.
11. Contacting the controller and their Data Protection Officer
If you have any queries relating to this privacy notice or if you wish to exercise any of your rights outlined above, please contact the data protection officer for the controller organisation of your Personal Data. If you contact us, we will simply pass your communication onto the controller organisation, as we are unable to respond on their behalf. You will receive a response more quickly if you contact the controller organisation directly.
12. Changes to this privacy notice
We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify of the changes where required by applicable law to do so.
Last modified 08th September 2023