Medicys Limited is a member of, and complies with, the Codes of Conduct and Legal and Ethical Standards as prescribed by the BHBIA, EphMRA and ESOMAR. These guidelines are extremely comprehensive, and act as a pillar of our business processes (including how we protect the rights of respondents, handle data, and record adverse events and product complaints).

1. Data controller and contacts

Data controller: Medicys Limited (company number: 04504403). Registered address: 2nd Floor Medway Bridge House, 1-8 Fairmeadow, Maidstone, Kent, United Kingdom, ME14 1JP.

Data Protection Officer: Richard Cowland, email: privacy@medicysltd.co.uk.

EU Representative: Marie Payraudeau, m.payraudeau@medicysltd.co.uk, +33 6 45 50 29 98.

For questions, to exercise your rights, or to make a complaint, please contact privacy@medicysltd.co.uk or write to the Data Protection Officer at the address above.

2. Scope and purpose

This notice explains how Medicys collects, uses, stores and shares personal data when you participate in research studies we conduct or manage. This includes, but is not limited to, observational research, qualitative interviews, online surveys, patient experience and health economics work, and related administrative activities. The notice applies whether you are a patient, caregiver, healthcare professional or other research participant.

3. Categories of personal data we collect

We collect only the personal data necessary for each study. Categories may include:

• Contact details and identifiers: name, email, telephone number, postal address.

• Professional information for healthcare professionals: job title, speciality, employer or affiliated institution.

• Health and clinical information for patients: diagnosis, treatment history and other health information relevant to the study. This is special category personal data.

• Research responses: survey answers, interview notes, and any text, audio or video recordings you provide.

• Administrative information: payment or honorarium details, audit logs, and records required for legal or contractual compliance.

• Technical data used for study integrity: IP address, browser and device information, timestamps and cookies where required to prevent fraud or duplicate entries.

We will not collect highly sensitive personal data outside the scope of the study unless we have a clear legal basis and your explicit agreement.

4. Lawful bases for processing and special category treatment

We process personal data only where there is a lawful basis under applicable data protection law. We process health data and other special category personal data only where we have explicit consent or another Article 9 legal basis as appropriate and disclosed in the study documentation.

Typical lawful bases we rely on are as follows:

• Recruitment, contacting and scheduling participants: explicit consent or legitimate interest (Article 6(1)(a), Article 6(1)(f)).
• Collection and use of health data for research objectives: explicit consent for processing special category personal data (Article 9(2)(a)).
• Reporting adverse events or other matters required by law: legal obligation (Article 6(1)(c)).
• Quality control, de-duplication and fraud prevention: legitimate interests (Article 6(1)(f)).

We will perform and document a balancing test on request.

Where processing is undertaken on instruction of a sponsor and the sponsor is the controller, Medicys will operate as a processor under a written contract.

If we intend to rely on a different legal basis for processing activities, this will be made clear in the study-specific information you receive.

5. What we do with your data and who we share it with

Your data will be used to conduct, analyse and report the research. This includes scheduling, moderating and processing responses, transcription and translation where required, analysing results and issuing any agreed payments.

We may share personal data with the following categories of recipients:

• The research sponsor or client may receive study data. If any identifiable information is shared, this will be clearly stated in the study documents and will only happen with your consent, unless sharing is required or permitted by law.

• Third party service providers who act as data processors and who perform functions such as survey hosting, transcription, translation, secure storage, payment administration and analytics. All processors act on our instructions and are subject to data processing agreements containing appropriate technical and organisational safeguards.

• Regulatory bodies and public authorities where required by law, for example for adverse event reporting.

• Where required by local transparency or disclosure laws, such as reporting payments to healthcare professionals, we will disclose the information necessary to comply with those laws and we will advise you of the disclosure where permitted.

We will state whether a recipient acts as controller or processor in the study-specific consent form. If we share identifiable data with another controller, you will be told who that controller is and the legal basis for the sharing.

6. International transfers

Your information may be transferred to recipients or processors outside the United Kingdom, the European Economic Area or your home jurisdiction. Where data is transferred to countries without an adequacy decision, we will rely on appropriate safeguards such as the UK or EU Standard Contractual Clauses, binding corporate rules, or other lawful transfer mechanisms. Copies of the safeguards are available on request. For transfers that require it, we will conduct a transfer risk assessment and implement additional protections where necessary.

7. Retention

We retain personal data only for as long as is necessary for the purposes described and to meet legal or contractual requirements. Indicative retention periods are:

• Recruitment contact details: for the duration of the study and typically up to 12 months afterwards for audit and queries, unless you consent to longer retention for recontact.

• Audio and video recordings: normally up to 12 months after study completion, after which recordings will be deleted or irreversibly anonymised unless a longer period is necessary and disclosed in the study materials.

• Adverse event records: a minimum of 5 years, or longer where required by law or by the sponsor contract.

• Anonymised research data: may be retained indefinitely for research, audit and publication.

• Technical logs used for fraud prevention: retained for a short period such as 30 days unless required for an investigation.

Specific retention obligations that differ from the above will be set out in the study-specific consent form. If you withdraw consent, we will stop further processing and delete personal identifiers within the periods set out above, except where we are required to retain records by law.

8. Your rights

Subject to local law, you have the following rights in relation to your personal data:

• The right to access your personal data and to receive a copy.

• The right to have inaccurate or incomplete personal data corrected.

• The right to request deletion of your personal data, in certain circumstances.

• The right to request restriction of processing in certain circumstances.

• The right to object to processing based on legitimate interests.

• The right to withdraw consent at any time where processing is based on consent, without affecting processing that took place before withdrawal.

• The right to data portability in a structured, commonly used, machine-readable format.

• The right to lodge a complaint with a supervisory authority, for example the Information Commissioner’s Office in the United Kingdom.

To exercise any right, please contact privacy@medicysltd.co.uk, or write to Data Protection Officer, Medicys Limited, 152 Staplehurst Road, Sittingbourne, ME10 1QZ, United Kingdom. We will verify your identity in accordance with our procedures and respond within the time limits required by law, normally within one month. Where complexity or a high number of requests requires additional time, we will advise you and extend the period by up to two months.

9. Automated decision making and profiling

We may use automated tools to assist with pre-screening and fraud detection. Where solely automated decision making is used that produces legal effects or similarly significant effects for you, we will notify you in the study materials, explain the logic involved and inform you of your right to request human review. Routine automated processing supporting scheduling or suitability checks will not usually produce legal or similarly significant effects.

10. Security

We take appropriate technical and organisational measures to protect personal data. Measures include encryption in transit and at rest, role-based access controls, multi-factor authentication for privileged accounts, logging and monitoring of access, secure development and deployment practices, and contractual obligations on processors to meet appropriate security standards.

We require third party processors to implement suitable safeguards. Where practical we prefer vendors who hold recognised information security certificates. We undertake periodic security reviews and testing. In the event of a personal data breach, we will assess the risk and, where required by law, notify the relevant supervisory authority and any affected individuals without undue delay.

11. Adverse event reporting

If you disclose an adverse event during a study, we will collect the minimum personal and clinical data necessary to fulfil reporting obligations to the sponsor or regulatory authorities. Where follow-up is required, and if permissible, we will ask for your permission to collect or provide identifying information.

Where the law requires us to disclose identifiable information without consent, we will notify you whenever permitted and explain the legal basis for the disclosure.

12. Payments and transparency for healthcare professionals

Payments or honoraria will be administered as agreed for the study. Where local transparency laws require disclosure of payments made to healthcare professionals, we will comply with those legal obligations and inform the participant where disclosure is required and permissible.

13. Children and vulnerable participants

If a study involves children or other vulnerable participants, we will obtain parental or guardian consent and age-appropriate assent as required by law and ethical guidance. Age verification procedures will be used where necessary.

14. Cookies, tracking and fraud prevention

To protect study integrity, we may collect technical information such as IP addresses, browser details, device identifiers and timestamps. We may use cookies or similar technologies to prevent duplicate entries and detect fraud. Such technical data is kept only as long as necessary for these purposes and is deleted in accordance with the retention schedule.

15. Transcription, translation and subcontractors

Audio and video recordings may be transcribed or translated by third party providers. We require such providers to operate under a confidentiality obligation and a data processing agreement. Where translation or transcription requires transfer outside the UK or EEA, we will ensure appropriate transfer safeguards.

16. Changes to this notice

We may update this notice to reflect changes in legal or regulatory requirements or in our processing practices. We will post the revised notice on our website and the study information page. Where changes are material, we will inform participants as required by law.

17. Supervisory authority

You have the right to lodge a complaint with your local supervisory authority, for example the Information Commissioner’s Office in the United Kingdom, at https://ico.org.uk. Our ICO number is: Z1909295.

18. Further information and how to contact us

If you have questions about this notice or how we process personal data, or if you wish to exercise your rights, contact privacy@medicysltd.co.uk or write to: Data Protection Officer, Medicys Limited, 152 Staplehurst Road, Sittingbourne, ME10 1QZ, United Kingdom.
