Convatec Global Privacy Notice
At Convatec, we prioritise protecting your privacy and personal data.
What this privacy notice describes
This privacy notice describes how Convatec Limited and its subsidiaries (collectively “Convatec”) collects, uses, stores and protects your personal data.
This includes any personal data gathered when using our websites, mobile apps, on the phone, in person, and through communications such as emails and SMS. This may include information submitted through a form, or how you interact with our services.
What we mean by personal data
Personal data (also known as Personally Identifiable Information (PII)) is any information that could lead to someone being identified. This includes data like your identity, contact information, health status and financial details, which we may collect from you.
If the data collected is anonymous and you cannot be identified, it is not considered personal data.
What data Convatec collects about you
Convatec collects different types of data from you. Whenever we do this, we will be transparent about what data we’re processing and why, and collect it in a safe, legal way.
Types of personal data we may collect about you
Convatec collects, uses, stores and transfers the following types of personal data:
- Identity data
This includes your first name, last name, title, date of birth and gender. - Contact data
Your billing and delivery address, email and phone number. - Health data
Medical and health conditions, or fitness and dietary information. - Technical system data
Your IP address, system IDs, your browser type and version, browser plug-ins, your time zone and location, and which operating system and platform you’re using. - User profile data
Your username and password, previous orders, plus your preferences. - Insurance data
This includes your insurance provider, policy details and policy number. - Usage data
How you’ve interacted with Convatec’s services including websites, webinars, social networks, apps, SMS messages, emails and in person with our agents or representatives. - Marketing and communications data
How or if you’ve consented to receive promotional materials from us. - Financial and transaction information
Any bank account, credit or debit card details you’ve provided, transaction numbers and products purchased. - Government ID data
Any government-issued identifiers such as social security numbers, national insurance (NI) numbers, or license to practice numbers. - Fraud protection information
Details of any transactions you’ve made with us, by whom and when.
Reasons why Convatec may collect your personal data
Your data may be collected for the following reasons:
- You tell us you consent to Convatec using your data to provide you with a service
- We’re about to, or already have entered a contract with you, for instance, a purchase order, sample request or consultations
- We need to comply with legal or regulatory obligations
- We’re in the process of detecting or preventing fraud
- We have another legitimate interest or lawful reason for doing so
When Convatec may collect your personal data
Convatec collects your personal data when you:
- Use our online services (websites, platforms, and mobile apps)
- Meet with a Convatec representative or associate
- Request information about our products, services and events
- Enter a competition or promotion
- Request a sample and other products for evaluation
- Purchase products and services
- Attend our clinics
- Attend our webinars
- Participate in our research or in one of our clinical trials (as a patient or researcher)
- Participate in a case study or product and service testimonial
- Interact with us via telephone, online or via social media channels
- Give us general or other specific customer feedback
- Apply for a job at Convatec
Data we collect from other sources
As well as the information you give us, Convatec also collects your data from other sources, including:
- Third parties acting on your behalf
- Partners that help us provide our products and services
- Partners that support us in security and fraud prevention
- If you ask your care provider to request Convatec services on your behalf
- Commercial data sets
- Public domain information, like census or business registration data
- Other lawful sources
Our company-wide commitment to your privacy
We're committed to helping you understand how we use your data, and believe that everyone has the right to privacy, no matter where they live. That’s why we provide everyone with the information and controls needed to understand and manage how their data is collected and used.
How we use your data
We use your personal data for the following reasons:
Processing your requests
We need your data to process requests, provide you with our services or verify your insurance.
Communicating with you
We need your personal data to reply to requests and communications you’ve sent us, or ask you for feedback or to request information. We also need this data to market our products and services. When it’s relevant, we might contact you with important notices and service messages, like product safety information, or to talk to you about your healthcare condition.
Improving and customising your experience
If you customise your services or communications (where you have the option), that information will be used to adapt how we communicate with you or provide you with services. You can opt out of personalisation at any time by changing your preferences or by emailing us at dataprivacy@convatec.com.
Powering our services
Personal data helps us power and improve our services, and carry out internal work like auditing, data analysis and troubleshooting.
Security and preventing fraud
Your data can be used to protect individuals, employees, and Convatec, to provide loss protection, quality assurance and to prevent fraud.
Complying with the law
We use your personal data to comply with applicable law, for example, to satisfy tax or reporting obligations, or to comply with a lawful governmental request.
Convatec's legal basis for processing your dataConvatec will use your personal data only when we have a valid legal basis to do so. |
For more information, see Convatec’s Lawful Basis Policy.
Who we share your data with and why
Convatec may share your personal data with both internal and external parties.
Internal parties
We may share your data with subsidiary companies in the Convatec Group who act as joint controllers or processors (and who provide system administration services or undertake reporting services).
External parties
We may share your data with:
- Service providers acting as processors who help us deliver services like IT and system administration.
- Professional advisers acting as processors or joint controllers including agents, lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance or accounting services.
- Tax authorities, regulators and other competent bodies acting as processors or joint controllers who require reporting of processing activities in certain circumstances.
Other parties
We may share your data with other parties that we have decided to sell, transfer or merge parts of our business with; or businesses we’re acquiring. Any new businesses must store, protect, and use your personal data in the same way as set out in this privacy notice.
How we protect your data
We keep your personal data safe through a combination of administrative, technical, and physical safeguards that consider the nature of your data, how it is processed and any risks it faces. Convatec also uses security and fraud protection tools to protect our websites and mobile apps.
How long we hold your data for
The length of time we hold your data for will vary depending on its purpose. In every instance, we only hold your data for as long as is necessary to do so. This includes for legal, accounting or reporting reasons.
Other factors include the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, why we collected it and whether there’s a way we can proceed without your data. For more information, you can request a copy of our retention policy via our online contact us form.
How we protect your data in transit
To effectively process your personal data, it may be transferred to or accessed by other Convatec entities, including Convatec-affiliated companies or service providers.
How Convatec protects your data when it’s transferred between countries
We comply with the laws on the transfer of personal data between countries. You may access a regional version of this privacy notice in the local language(s), with information on how we’re complying with the region-specific and country-specific privacy and security legislation affecting your personal data.
We comply with laws such as, but not exclusive to:
- General Data Protection Regulation (GDPR)
A European Union (EU) ruling that took effect in 2018. - UK GDPR - Data Protection Act 2018
The UK GDPR is the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). - California Consumer Privacy Act (CCPA)
A 2020 law similar to GDPR but specifically for the way businesses store and share California resident data. If you’re a California resident, please see our California Resident Privacy Notice to find out more. - Health Insurance Portability and Accountability Act (HIPAA)
A law that protects the data rights of patients and contains advice on healthcare cybersecurity for providers like Convatec, 180 Medical (a Convatec subsidiary), hospitals and other organisations that store and collect patient data. - The Personal Information Protection and Electronic Documents Act (PIPEDA)
A law that applies to private-sector organizations that collect, use or disclose personal information in the course of their commercial activities. Alberta, British Columbia and Quebec have their own private-sector privacy laws deemed to be substantially similar to PIPEDA. - The Protection of Personal Information Act 2013 (POPIA)
A piece of legislation which came into effect on 1 July 2020 and governs the law of data protection and privacy in South Africa'.
How Convatec protects data transfers outside the EEA and the UK
Many of our external third-party service providers (for example, IT support consultants or marketing agents) are based outside of the European Economic Area (EEA) or the United Kingdom (UK). This means processing your personal data could involve transferring it outside of these regions.
In this instance, your data will have the same level of protection as it does in the EEA and the UK by ensuring the recipient is signed up to equivalent data protection obligations as the ones contained in GDPR.
We also provide additional protection, by only using legal agreements approved by the European Commission.
How Convatec protects data transferred outside China Mainland
Residents of China Mainland may have their personal data processed in countries/regions outside of China Mainland. This will be done in compliance with local law, including the Personal Information Protection Law. We may also transfer this personal data to third parties, who may in turn store or transfer the data outside of China mainland. Convatec imposes the same or similar protection liability (including notice and consent requirements) on third parties.
Other web technologies
How Convatec uses reCAPTCHA
Convatec uses a Google technology called reCAPTCHA on some of its web sites. reCAPTCHA is a technology that enables our websites to distinguish between human users and automated systems. This is designed to prevent misuse and abuse of our websites by only allowing humans access.
reCAPTCHA distinguishes between humans and automated systems by monitoring personal information like typing patterns, mouse clicks or screen touches. This information is not stored or collected. You can find more information about how Google uses this information by visiting the link below.
Video player services
We host videos on our websites using a variety of video player services including YouTube. These typically use an enhanced privacy version of the player to manage the collection of your personal data.
Clicking play on one of these versions of the video player means it will store and collect interaction data from your computer, but it will not collect personally identifiable information. This means watching a video on our website will not personalise your content on that player service or on any of your subsequent visits to that video platform.
Online chat service
Some of Convatec’s websites include an online chat or ‘chatbot’ service. This service is provided by our partners. When you use our chatbots, these partners collect available information to track how their services are being used.
Third-party links and websites
Convatec websites contain third-party links that may take you to another website, plug-in or application. Following these links or connecting with these services may allow these external websites to collect or share data about you.
Convatec does not control third-party websites, or how they use your data. We encourage you to read the privacy notice of any website you visit that you may have concerns about.
Your rights regarding your personal data
Everyone has the right to know, access, correct, transfer, and restrict the processing of any personal data that Convatec has access to. You may also request the deletion of your personal data.
If you choose to exercise these rights, you won’t be treated in a discriminatory way, or receive a lesser degree of service from Convatec.
Requesting access to your personal data
You may at any time request access to your personal data, commonly known as data subject access request. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
You can do this by contacting us at dataprivacy@convatec.com.
Updating the data we hold about you
If your personal data is out of date, incomplete or inaccurate, you can ask us to update these details. We may need to verify the accuracy of the new data you provide to us. Please contact us dataprivacy@convatec.com to update your data.
Marketing Communications
You can opt out of receiving marketing information from Convatec and its subsidiaries. To unsubscribe from our promotional emails or messages, use the link provided in the promotional messages. Alternatively contact us via email at dataprivacy@convatec.com.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, product regulatory issue, product/service experience or other transactions.
Request the deletion of your personal data
You can ask us to delete any information that we hold about you. Please email our Data Protection Officer at dataprivacy@convatec.com to request a deletion of your data.
Sometimes we may have to decline a request
There will be some situations where we cannot grant your request, for example, if you ask us to delete your data where Convatec is legally obligated to keep a record of that transaction to comply with the law.
We might also decline to grant a request that would undermine our legitimate use of data for anti-fraud and security purposes. Other reasons your request might be denied would be if it jeopardises the privacy of others, or is deemed by Convatec to be frivolous, vexatious, or extremely impractical.
Special circumstances
Children’s privacy notice
Convatec never deliberately markets to children. However, some of our products and services can be used by children.
In any instances where we’ve collected data from children ages 13-16, they will be afforded the same rights as an adult, including the right to access, update, and object to the processing of their personal data. They also have the right to request that their personal data is erased.
For children younger than 13, we will seek consent from whoever holds parental responsibility for the child, unless the online service we offer is a preventive or counselling service.
How to contact Convatec regarding your data
If you’ve got any questions, comments, requests or complaints about our privacy notice, or would like to request access to or change your data, contact the Convatec Data Protection Officer (DPO) by emailing dataprivacy@convatec.com.
What is a Data Protection Officer?
To protect your data more effectively, Convatec has appointed a data protection officer (DPO) for the group, whose responsibilities include protecting your data and keeping you informed and up to date.
Our DPO ensures that this privacy notice is clear and easy to understand, so you can remain totally informed about the relationship between you, us and your personal data. Our DPO is Convatec’s representative regarding your data, so they’re responsible for answering any questions about this privacy notice – or if you want to exercise any of your rights as listed on this page.
How to contact Convatec’s DPO by post
If you prefer not to use email, please send your inquiry to the following address:
Convatec Group Data Protection Officer
Floor 7
20 Eastborne Terrace
Paddington
London
W2 6LG
United Kingdom
Changes to this privacy notice
We will revise this notice from time to time by updating this page so that we can improve the experience that we provide. If we make any changes to how we use or share your personal data, we’ll let you know via email and/or a notice on our website.