Privacy Policy
MHRA PRIVACY NOTICE
At the Medicines and Healthcare products Regulatory Agency (the Agency) we are committed to protecting and respecting your privacy.
This privacy notice describes how the MHRA collect, store, and use your personal information, in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) 2018, United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any legislation implemented in connection with this legislation.
When you are based in the EU it also includes the EU General Data Protection Regulation (EU GDPR) 2016/679.
If you are outside the UK and EU then we will adhere to relevant data protection legislation.
This privacy notice applies to anyone (except staff) whose personal data we might process, for example, members of the public, manufacturers, wholesalers, and other authorities.
WHO ARE WE?
The Medicines and Healthcare products Regulatory Agency (the Agency), is an executive agency of the Department for Health and Social Care (DHSC). The DHSC, together with its executive agencies, is a single legal entity (or controller) under data protection law. You will find further information about DHSC, the Agency and its three centres on www.gov.uk.
The Agency’s regulatory centre is known as MHRA. It publishes the British Pharmacopoeia and produces British Pharmacopoeia Chemical Reference Substances (BPCRS) on behalf of the British Pharmacopoeia Commission.
You can contact the British Pharmacopoeia at bpcom@mhra.gov.uk or write to us at:
MHRA British Pharmacopoeia10th Floor10 South Colonnade Canary WharfLondonE14 4PUOur commitment to you
Whenever we process personal data, we will ensure that we comply with the data protection principles, so that your personal data is:
- processed fairly, lawfully and transparently
- processed for the legitimate purposes we tell you about
- adequate, relevant and limited to what is necessary
- accurate and kept up to date where necessary
- kept no longer than necessary for the purpose
- processed securely – we will put in place appropriate technical and organisational measures to safeguard your data
We will also:
- seek your consent before making your personal data available for commercial use
- let you know beforehand if we want to use your data for a different purpose
WHO ARE OUR PROCESSORS?
MHRA has contracts with its processors which means they can only use your personal data in ways that we instruct them. The Stationery Office Limited (TSO) is our processor for hosting and management of the British Pharmacopoeia website, www.pharmacopoeia.com, any British Pharmacopoeia Publication order fulfilment and Marketing, please see the TSO Privacy Notice MHRA also use data processors to process your payments.
TSO may also share information with its parent company, Williams Lea, approved service providers and other Williams Lea entities, where this is necessary to fulfil our contract with you and is lawful to do so. We approve any sub-processors that TSO uses to process your personal data to ensure that they are similarly bound by contracts to protect personal data and process it lawfully.
OUR PURPOSE AND LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA
Creation of accounts on the BP website to purchase or access our products and subscriptions:
The legal basis the MHRA rely on to process your personal data is GDPR article 6(1)(b) – contract. This means that the processing is necessary to enable you to purchase the British Pharmacopoeia Chemical Reference Substances (BPCRS) and to view any on-line subscriptions you have purchased and any updates to them or to dispatch physical publication. This also enables the MHRA to contact you regarding any updates to the products you have purchased.
To notify users when the next edition becomes available:
The legal basis the MHRA rely on to process your data is GDPR article 6(1)(f) – legitimate interest. This means that the MHRA will process your data to inform you of when the next edition becomes available unless you tell us not to.
To market our products:
The legal basis the MHRA rely on to process your data is GDPR article 6(1)(a) - consent. This means that TSO will send you marketing materials on the MHRA behalf if you have provided your explicit consent to receive them. Every marketing email you receive contains an unsubscribe link so you can withdraw consent at any time.
WHAT TYPES OF PERSONAL DATA ARE WE COLLECTING?
Personal data refers to any information relating to an identified living individual; or someone who could be identified by the combination of data we hold about them.
When you purchase our publications or create an account on the BP website, TSO will collect basic information about you including your name, email address, and telephone number which will be shared with the MHRA. If you order British Pharmacopoeia Chemical Reference Substances (BPCRS) through our website, TSO will also collect information about your company and delivery preferences which will be shared with the MHRA.
When you attempt to self-register to your organisations account TSO will collect your email and location of both successful and unsuccessful attempts.
Our website also uses cookies which are small files sent from us to your computer where they are stored and may be read. You can find out more about the use of cookies and any online identifiers they capture in our Cookie Policy.
RETENTION OF YOUR DATA
The period for which the MHRA will retain personal information will vary depending on the purposes that it was collected for, as well as the requirements of any applicable law or regulation:
- If you have signed up for an account on the website, the MHRA will store your personal information and the information in your account for as long as is necessary to provide the account, and for the period for which you or the MHRA could bring legal processing in relation to the running of your account.
- If you order a product through the website, the MHRA will store your personal information and information about your order for as long as is necessary to comply with applicable tax legislation, and for the period for which you or the MHRA could bring legal processing in relation to your order.
YOUR RIGHTS
Data Protection law gives you certain rights when the MHRA process your personal data. Some of these are restricted - how they apply depends upon the Agency’s legal basis in processing your data, and the context.
The rights are to:
- be told that we are processing your data and why
- request a copy of your data (known as a subject access request)
- ask us to correct your data or to complete it if you believe it is incomplete
- ask us to erase your data
- ask us to restrict processing
- ask for your data in an accessible form
- object to the processing
- be told if the MHRA use automated decision making or profiling
If you would like to find out more about your rights, please contact our Data Protection Officer at dataprotection@mhra.gov.uk.
INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
TSO process your personal information using data centres located inside the European Union and data centres located outside the European Union (third countries). Where TSO transfer personal information to a third country outside of the European Economic Area they have standard contract clauses in place.
If you wish to obtain a copy of these standard contract clauses, please contact us at bpcom@mhra.gov.uk.
THIRD-PARTY SITES
Our website contains links to sites owned and operated by third parties. They have their own privacy policies and terms and conditions which the MHRA advise you to review before browsing those sites. The MHRA do not accept any responsibility or liability for third-party websites.
All British Pharmacopoeia publication purchases on this website will be directed to www.tsoshop.co.uk which is owned and operated processed by TSO. By completing your purchase, you agree to TSO’s Terms of Sale your data will be handled as per TSO’s Privacy Notice.
CONTACT OUR DATA PROTECTION OFFICER
If you have any queries, about how the Agency uses your personal data, please contact our Data Protection Officer at dataprotection@mhra.gov.uk in the first instance. You may also contact the DHSC Data Protection Officer at data_protection@dhsc.gov.uk.
Alternatively, you can contact us in writing:
Data Protection Officer MHRA10 South ColonnadeLondonE14 4PUOr
Data Protection Officer DHSC1st Floor North39 Victoria StreetLondonSW1H 0EUThe Information Commissioner’s Office
For independent advice about data protection, privacy and data sharing issues you can contact the independent Information Commissioner’s Office at:
Wycliffe HouseWater LaneWilmslowCheshireSK9 5AFTel: 0303 123 1113
CHANGES TO THE TERMS OF THIS PRIVACY POLICY
The MHRA will update this privacy notice when applicable. If any change would result in us processing your personal data for a new purpose, the MHRA would inform you before we start using it for a new purpose.