This Notice describes the steps that Cleveland Clinic Philanthropy (UK) Ltd. (“CCP”, “we” or “us”), an affiliate of The Cleveland Clinic Foundation (“Cleveland Clinic”), takes to protect the personal data that we process about you. We collect, store, use and otherwise process personal data about you for the purposes described in this Notice. We are committed to the protection of the personal data that we process about you in line with the data protection principles and requirements set out in the European Union General Data Protection Regulation 2016 (“GDPR”), and GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018 (“UK GDPR”), and the UK Data Protection Act 2018 (“DPA”).
This Notice applies to all personal data held by CCP. We may amend this Notice from time to time and will inform you in advance of the effective date of any material changes that we intend to implement.
Terms defined in the UK GDPR or in Section 12 below shall have the meaning set out therein.
Identity of the Data Controller
CCP is responsible for processing your personal data and is the data controller. Our registered office is located at Suite 1, 3rd Floor 11-12 St. James’s Square, London, United Kingdom, SW1Y 4LB. We are registered with the Information Commissioner’s Office and our registration number is ZB318964.
How We Source Your Personal Data
Most of the personal data that we process about you has been provided by you directly to us. CCP also collects personal data about you from third parties, including Cleveland Clinic London Ltd, where you have provided consent for your information to be shared with us.
We also source information from open-source platforms such as social media, press releases and business reports.
Categories of Personal Data that We Process, Our Purposes for Processing, the Applicable Lawful Bases, and any Special Condition
The categories of personal data that we may process about you and our purposes for doing so are set out in the table below. The table also identifies our lawful basis for the processing of the data.
| Categories of Personal Data | Purpose of Processing | Lawful Basis |
|---|---|---|
| Contact information | To communicate with you related to CCP business, respond to questions and complaints, and to send you additional information about us | Processing is in our legitimate interest; You have provided consent |
| Personal information shared with us by Cleveland Clinic London Ltd | To communicate with you related to CCP business, and to send you additional information about us; To share with other third parties at your direction | It is in both CCL and CCP’s legitimate interest to share contact information for the purpose of funding research and development opportunities in the health care system; You have provided consent |
| Financial information | Purposes of receiving payment | Performance of our contract with you |
| Any data | To provide to regulatory authorities or other organizations when there is a legal obligation | |
| Any data | To maintain backups of information technology systems | It is in our legitimate interest to maintain backups of data to minimize potential disruptions to our operations |
| Copy of your passport | To verify your identity as part of financial system requirements | |
| Name, address, phone number, and email address | For purposes of asking whether you would like more information about certain philanthropic opportunities | |
| Name and other information required to verify identity | To screen individuals against government sanctions lists | |
| Electronic data on our networks | For purposes of protecting our networks, systems, and data, we monitor all our systems for potential cybersecurity threats | |
Data Sharing: Intra-Group and Third-Party Recipients
The purposes for which we share personal data relating to you:
a) Intra-Group Transfers
CCP stores your personal information records in the United Kingdom. For limited administrative functions, however, we may share your personal data with the Cleveland Clinic Foundation for the purposes set out below. These transfers are protected by the obligations set out in intra-group agreements that we have entered into. These agreements cover personal data transferred for the following purposes:
- To perform administrative functions
- To provide services for the operations of CCP
- For regulatory purposes
b) Third Party Suppliers
CCP also shares personal data with trusted service providers and business partners pursuant to contractual agreements with them. These agreements will, as necessary, include appropriate technical and organisational safeguards to protect any personal data that we share with them. We may share patient personal data with third parties that perform services and carry out functions on our behalf and under our instruction as a data processor. These third parties include:
- IT service providers that manage CCL’s infrastructure, which is a service provided to CCP
- Hosted service providers related administration
- Credit card processors
We may also disclose your personal data to third parties acting as independent data controllers. All of these recipients are themselves responsible to determine the purposes and means of the processing and for the lawfulness of the processing. These third parties include:
- Our auditors, lawyers, consultants, law enforcement and other public authorities
- The police, prosecutors, courts, tribunals
- Our regulators including Information Commissioner’s Office, and Health and Safety Executive
International Transfers: Intra-Group and Third-Party Vendors
CCP transfers limited personal data to the Cleveland Clinic Foundation located in the US. The Cleveland Clinic Foundation (CCF) acts as a joint controller in relation to certain administrative functions. The international transfer of personal data from CCP to the CCF is governed by EU Commission-approved Standard Contractual Clauses for controllers, taking into account appropriate technical and security safeguards. You may request a copy of the relevant sections of these agreements by contacting us in one of the ways set out in Section 11.
b) Third Party Suppliers
If and when transferring your personal data outside the UK and EEA, we ensure a similar degree of protection is afforded to it by ensuring that appropriate safeguards are implemented. Where a third-party supplier is based outside of the UK and EEA, we will usually achieve this by using one of the following safeguards:
- The transfer is to a non-EEA country outside the UK that has been the subject of an adequacy decision; or
- The transfer is governed by the EU Commission-approved Standard Contractual Clauses.
You may request further information, including a copy of the relevant sections of the relevant transfer documentation, by contacting us in one of the ways set out in Section 11.
In any circumstances where we have relied on your consent to process your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. This will not affect the lawfulness of any processing carried out before you withdrew your consent. You also have the following rights:
- To obtain access to your personal data - you may request information on how your personal data is handled by us and request a copy of such personal data
- To request us to correct or update your personal data if it is inaccurate or out of date
- To object to the processing of your personal data for the purposes of our legitimate interests, unless we:
  - demonstrate compelling legitimate grounds which override your right to object, or
  - the processing is necessary for the establishment, exercise or defence of legal claims
- which are no longer necessary in relation to the purposes for which they were collected
- to the processing of which you object, or
- which may have been unlawfully processed by us
- where you oppose deletion of your personal data and prefer restriction of processing instead, or
- where you object to the processing by us on the basis of its legitimate interests; and
- to transmit personal data you submitted to us back to you or to another organisation in certain circumstances.
These rights are not absolute and are subject to various conditions under:
- Applicable data protection and privacy legislation; and
- The laws and regulations to which we are subject.
Should you wish to exercise the rights accorded to you by data protection laws as described above, please contact us using the details in Section 11. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
You have the right to make a complaint at any time to the UK supervisory authority for data protection issues, for example, if you are not happy with how CCP processes your personal data, or we fail to provide you with a satisfactory resolution to your request. The UK supervisory authority is the Information Commissioner's Office (ICO) whose details can be accessed via the ICO website at https://ico.org.uk/global/contact-us/
Retention of Personal Data
CCP will keep and process your personal data only for as long as is necessary for the purposes for which it was collected, unless CCP has a legal right or obligation to retain the data for a longer period.
In certain cases, you may choose not to provide CCP with your personal data and/or provide incomplete personal data. However, please be aware that we may not be able to engage in or continue a relationship with you where your personal data is required for administrative purposes or otherwise as necessary for us to perform our contract with you, and/or to fulfil our statutory obligations.
Automated Decision-Making and Profiling
We will not use your personal data to make decisions based solely on automated decision-making and/or profiling. The personal data set out in this notice is used and combined with other open-source data to establish if you fit the criteria for CCP to make contact with you. Matching to these criteria is a manual operation and does not use automated decision technology.
Questions, comments and requests regarding this Notice may be emailed to [email protected] including Cleveland Clinic Philanthropy Ltd in the subject line, or sent by post to Suite 11, 3rd Floor, 11-12 St. James’s Square, London, S21Y4LB, Attn: Cleveland Clinic Philanthropy Ltd Data Protection Officer.
The following terms used within this Notice are defined as follows:
“data controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or EU laws or regulations, the controller or the specific criteria for his nomination may be designated by national or EU law.
“data processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller.
“DPA” means the UK Data Protection Act 2018.
"European Economic Area" or "EEA" means the Member States of the European Union, plus Norway, Iceland and Liechtenstein.
“filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
“personal data” means any information relating to an identified or identifiable natural person (also referred to as ‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“process” or “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“supervisory authority” means for the UK GDPR, the Information Commissioner’s Office; and for GDPR, an independent public authority, which is established by a Member State under the GDPR pursuant to article 51 of the GDPR.