External Data Protection and Privacy Policy

1. INTRODUCTION
This Data Protection and Privacy Policy sets out how Company Chemists Association
Limited (”we”, “our”, “us”, “CCA”) handle the personal data we collect from the following
categories of data subjects:
• CCA Member Organisations’ employees and senior employees/officers (“Reps”)
(including CCA Directors, Working Group members, LPC reps and Members’ former
employees/officers)
• Service providers, professional advisors or suppliers (e.g. Vodafone, NatWest Bank,
SecurMed) (“Suppliers”)
• Sector-wide representative bodies, governmental, statutory, public and regulatory
bodies or authorities and patient groups (including, for example, NHS England, APPG,
PSNC, NPA, CPW, Department of Health and Social Care) (“Outside Bodies”)
This Policy applies to all personal data we process regardless of the media on which that data
is stored or whether it relates to past or present data subjects. It is important that you read this
privacy notice together with any other privacy notice or fair processing notice we may provide
on specific occasions when we are collecting or processing personal data about you so that
you are fully aware of how and why we are using your data. This privacy notice supplements
the other notices and is not intended to override them. The business of CCA is as a trade
organisation to support and to represent the interests of its Member Organisations Reps and
CCA considers that all personal data is collected and processed for the purpose of promoting
that business and that therefore it has a legitimate interest to collect and process such
personal data.
This website may include links to third-party websites, plug-ins and applications. Clicking on
those links or enabling those connections may allow third parties to collect or share data about
you. We do not control these third-party websites and are not responsible for their privacy
statements. When you leave our website, we encourage you to read the privacy notice of
every website you visit.
2. SCOPE AND CATEGORIES OF PERSONAL DATA COLLECTED
Protecting the confidentiality and integrity of personal data is a critical responsibility that we
take seriously at all times.
a. CCA collects the following categories of personal data about Reps and Suppliers (where
appropriate in each case):
• Identity Data includes first name, last name, title, username or similar identifier,
employer, department, job title, date of birth, contact details, biographies, membership of
Outside Bodies, declared conflicts of interest.
• Contact Data includes billing address, delivery address, email address, residential
address and telephone numbers.
• Transaction Data includes Rep activity details and attendance records, professional
preferences/interest, events/meetings booked/attended, minutes of meetings attended,
and reports made by Reps, response to consultations from Outside Bodies.
• Technical Data includes information collected through cookies, internet protocol (IP)
address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology
on the devices you use to access this website.
• Profile Data includes your username and password, preferences, feedback and survey
responses.
b. Personal Data on representatives of Outside Bodies is limited to Identity Data and
Contact Data.
We do not collect any Special Categories of Personal Data about you (this includes details
about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation,
political opinions, trade union membership, information about your health and genetic and
biometric data). Nor do we collect any information about criminal convictions and offences.
This website is not intended for children and we do not knowingly collect data relating to
children.
3. CONTACT DETAILS
CCA is the controller and responsible for your personal data. We have appointed a data
privacy manager who is responsible for overseeing questions in relation to this privacy notice.
If you have any questions about this privacy notice, please contact the data privacy manager
using the details set out below.
Our full details are:
Full name of legal entity: COMPANY CHEMISTS ASSOCIATION LIMITED
Name or title of data privacy manager: Chief Executive
Email address: [email protected]
Postal address: 16 Upper Woburn Place, London WC1H 0AF
You have the right to make a complaint at any time to the Information Commissioner’s Office
(ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would,
however, appreciate the chance to deal with your concerns before you approach the ICO so
please contact us in the first instance.
4. PERSONAL DATA PROTECTION PRINCIPLES
We adhere to the principles relating to processing of personal data set out in applicable law
(particularly GDPR) which requires personal data to be:
(a) Processed lawfully, fairly and in a transparent manner.
(b) Collected only for specified, explicit and legitimate purposes.
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which
it is processed.
(d) Accurate and where necessary kept up to date.
(e) Not kept in a form which permits identification of data subjects for longer than is necessary
for the purposes for which the data is processed.
(f) Processed in a manner that ensures its security using appropriate technical and
organisational measures to protect against unauthorised or unlawful Processing and against
accidental loss, destruction or damage.
(g) Not transferred to another country without appropriate safeguards being in place.
(h) Made available to data subjects and data subjects allowed to exercise certain rights in
relation to their personal data.
(i) We are responsible for and must be able to demonstrate compliance with the data
protection principles listed above.
5. PURPOSE LIMITATION
The business of CCA is as a trade organisation to support and represent its Member
Organisations and CCA considers that all personal data is collected and processed for the
purpose of promoting that business and that therefore it has a legitimate interest to collect and
process such personal data.
a. CCA collects and processes personal data about Reps for the following purposes:
• Keeping Reps up to date with information which may be of interest to them
• Providing Rep management and administration
• Event management, administration, minuting and reporting
• Account management
• Providing reports to Member Organisations
• Supporting network and security system
• Auditing
• Detecting and preventing fraud
• Complying with legal obligations
• Conducting web analytics
b. CCA collects and processes personal data about ex-Reps who for complying with legal
obligations.
c. CCA collects and processes personal data about Suppliers for the purposes of:
• Contract management, commercial relationship and
administration purposes
• Account management
• Supporting network and security system
• Auditing
• Detecting and preventing fraud
• Complying with legal and auditing obligations
• Conducting web analytics
d. CCA collects and processes personal data about Outside Bodies for the purpose of
complying with legal obligations, relationship and network management, representing
Member Organisations and administration purposes and responding to requests or
consultations from or providing information to Outside Bodies.
6. IF YOU FAIL TO PROVIDE PERSONAL DATA
Where we need to collect personal data by law, or under the terms of a contract we have with
you and you fail to provide that data when requested, we may not be able to perform the
contract we have or are trying to enter into with you (for example, to purchase/provide you
with services).
7. HOW WE USE YOUR DATA
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
• Where we need to, to perform the contract we are about to enter into or have entered
into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your
interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.
Generally, we do not rely on consent as a legal basis for processing your personal data other
than in relation to sending third party direct marketing communications to you via email or text
message. You have the right to withdraw consent to marketing at any time by Contacting us.
We will get your express opt-in consent before we share your personal data with any thirdparty company for marketing purposes.
8. COOKIES
You can set your browser to refuse all or some browser cookies, or to alert you when
websites set or access cookies. If you disable or refuse cookies, please note that some parts
of this website may become inaccessible or not function properly. For more information
about the cookies we use, please see our cookies policy
9. DATA SECURITY
We have put in place appropriate security measures to prevent your personal data from being
accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition,
we limit access to your personal data to those who have a business need to know. They will
only process your personal data on our instructions, and they are subject to a duty of
confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will
notify you and any applicable regulator of a breach where we are legally required to do so.
10. DATA SUBJECT’S RIGHTS AND REQUESTS
Under certain circumstances, you have rights under data protection laws in relation to your
personal data. If you wish to exercise any of the rights set out this notice, please Contact us.
You will not have to pay a fee to access your personal data (or to exercise any of the other
rights). However, we may charge a reasonable fee if your request is clearly unfounded,
repetitive, or excessive. Alternatively, we may refuse to comply with your request in these
circumstances. We may need to request specific information from you to help us confirm your
identity and ensure your right to access your personal data (or to exercise any of your other
rights). This is a security measure to ensure that personal data is not disclosed to any person
who has no right to receive it. We may also contact you to ask you for further information in
relation to your request to speed up our response. We try to respond to all legitimate requests
within one month. Occasionally it may take us longer than a month if your request is
particularly complex or you have made a number of requests. In this case, we will notify you
and keep you updated.
11. SHARING PERSONAL DATA
Generally, we will not share personal data with third parties unless certain safeguards and/or
contractual arrangements have been put in place. CCA will only disclose personal data to
the following categories of recipients and for its legitimate business purposes:
• Other Reps
• Member Organisations and CCA Board
• Employees
• Suppliers
• Outside Bodies
• HMRC or other governmental or legal authority (where applicable)
CCA will not transfer personal data outside the EEA unless one of the following conditions
applies:
(a) the European Commission has issued a decision confirming that the country to which we
transfer the personal data ensures an adequate level of protection for the data subjects’ rights
and freedoms;
(b) appropriate safeguards are in place such as binding corporate rules (BCR), standard
contractual clauses approved by the European Commission, an approved code of conduct or
a certification mechanism;
(c) the Data Subject has provided explicit consent to the proposed transfer after being
informed of any potential risks; or
(d) the transfer is necessary for one of the other reasons set out in the GDPR including the
performance of a contract between us and the data subject, reasons of public interest, to
establish, exercise or defend legal claims or to protect the vital interests of the data subject
where the data subject is physically or legally incapable of giving consent and, in some limited
cases, for our legitimate interest.
We may have to share your personal data with third parties to whom we may choose to sell,
transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire
other businesses or merge with them. If a change happens to our business, then the new
owners may use your personal data in the same way as set out in this privacy notice. We
require all third parties to respect the security of your personal data and to treat it in
accordance with the law. We do not allow our third-party service providers to use your personal
data for their own purposes and only permit them to process your personal data for specified
purposes and in accordance with our instructions.
12. RETENTION
We will only retain your personal data for as long as necessary to fulfil the purposes we
collected it for, including for the purposes of satisfying any legal, accounting, or reporting
requirements.
To determine the appropriate retention period for personal data, we consider the amount,
nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use
or disclosure of your personal data, the purposes for which we process your personal data
and whether we can achieve those purposes through other means, and the applicable legal
requirements.
By law we must keep basic information (including Contact, Identity, financial and transaction
data) for 7 years for tax purposes.
13. CHANGES TO THIS POLICY
We reserve the right to change this Policy at any time without notice to you so please check
back regularly to obtain the latest copy of this Policy. This Policy does not override any
applicable laws.

Back to top of page