The aim of this Policy is to explain how Tudor Health Inc collects and processes your personal data when you visit our website or use our services as a customer or a member of the public.
It is important that you read this privacy notice carefully. It provides information about how we use personal data and explains your legal rights. If you have any questions, you can contact us on the details given at the end of this Policy.
We will make changes to this Policy from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will make sure that you are aware of any significant changes by sending an email message to the email address you most recently provided to us or by posting a notice on our website so that you are aware of the impact to the data processing activities before you continue to engage.
1. Important information about who we are and what we do
Tudor Health Inc is a market research agency. To find out more about Tudor Health Inc’s activities see our website: www.tudorhealth.com
Tudor Health Inc is the data controller and responsible for personal data collected when fulfilling the main purposes of business as stated above.
Tudor Health Inc is a company registered in Washington DC, USA.
Tudor Health Inc’s Privacy Policy applies to our data practices generally and include region specific requirements including:
- The European Economic Area (EEA);
- The UK.
If you have any questions about this privacy notice or our data protection practices, please contact us via the contact details below.
Contact Details
Name / Email: Bernadette Goudy / compliance@tudorhealth.com
Address: Tudor Health Inc, 1100 H St NW, Suite E-101, Washington DC 20005, USA
2. Information about the data we collect
Personal data means any information about an individual from which that person can be identified, or any information about an identifiable individual. It does not include data which cannot be connected to an identifiable individual which is anonymous data.
There are different types of personal data about you which we might collect use, store or transfer. In addition to these specific categories of data, we might in relation to any interaction collect a range of other data about data subjects, for the purposes outlined below. We have grouped these together as follows, and provided some illustrations of the type of personal data which might fall into each grouping:
- Identity Data could include first name, last name, username or similar. Identifier when individuals or organisations agree to become customers and/or participants for Tudor Health Inc’s services as well as users of Tudor Health Inc services including clients.
- Contact Data could include: home or work address, email address, telephone numbers or another unique identifier for use with electronic communication and would be collected to provide services to customers or potential customers of Tudor Health Inc services.
- Financial Data could include bank account and payment card details used by customers (members or clients) to pay for Tudor Health Inc’s services.
- Transaction Data could include details about financial transactions and other details necessary for the fulfilment of contracts and incentive payments including credit and debit card details.
- Technical Data could include your internet protocol (IP) address, browser type and version, operating system and platform, and information about other technology on the devices you use to access Tudor Health Inc website, etc.
- Usage Data could include information about how individuals enter, move and exit from our website, and how you use our products and services.
- Aggregated Data such as statistical, research, survey or demographic data for any purpose. Aggregated Data could be derived from personal data, but this data will not directly or indirectly link to identifiable individual. However, if we combine or connect Aggregated Data with personal data so that it can be linked directly or indirectly to individuals, we treat the combined data as personal data which will only be used in accordance with this privacy notice.
- Marketing and communications data would include any data provided to us when seeking information about our services including what services individuals are interested in.
- Special category data and criminal conviction data health data from participantsis collected and when we do so we ensure that we have a lawful basis for our processing of it.
3. Why we collect personal data
Tudor Health Inc collects personal data about individuals, participants and customers for a variety of different reasons including for research projects, for customer relationships and future business. Tudor Health Inc collects personal data about participants (for example name, job role, employer, telephone number, email address) in order that we can contact participants and undertake research activities.
As a research organisation we may compile databases, or use third party lists, of personal data to identify and contact specialists and leaders in order to issue invitations to participate in research projects.
Where we need to collect personal data by law, or under the terms of a contract, if individuals decide not to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into, provide any services or proceed with some other activity. In this case, we will inform individuals at the time.
4. How we collect personal data
We use different methods to collect data including through:
Direct. identity, contact and financial data may be provided when individuals contact us directly wishing to use our services or when completing an online contact form, when buying services from us or correspond with us about any other matters via the Tudor Health Inc website, by post, phone, email or other means. This includes personal data provided when individuals:
- ask for information about Tudor Health Inc’s services;
- agree to become a customer of Tudor Health Inc;
- respond to an opportunity to participate in a research project including when we approach individuals directly
- respond to research that we are undertaking;
- request communications to be sent; or
- give us feedback or contact us;
- are employees of Tudor Health Inc.
User Generated Data. We may generate transaction, usage, marketing and communications data about individuals, by way of records of the direct and automated interactions that individuals have with us or our website.
Third parties. We will receive personal data about you from various third parties as set out below:
- analytics providers e.g., Google Analytics;
5. How we use personal data
We will only use your personal data for the purpose for which we collected it.
We will use personal data to:
- provide individuals information or services requested from us or which we feel may interest individuals, where they have consented to be contacted for such purposes.
- carry out our obligations arising from any contracts entered into.
- notify individuals about changes to our service.
We may also send individuals marketing materials where we have appropriate permissions (e.g., consent). We may also need to use individual’s personal data for purposes associated with our legal and regulatory obligations.
We have to establish a legal ground to use personal data, so we will make sure that we only use personal data for the purposes set out in Table 1 where we are satisfied that:
- our use of personal data is necessary to perform a contract or take steps to enter into a contract; or
- our use of personal data is based on your consent; or
- our use of personal data is necessary to comply with a relevant legal or regulatory obligation that we are subject to; or
- our use of personal data is necessary to support ‘Legitimate Interests’ that we have as a business (for example, to improve our services, or to carry out some research with customers), provided it is always carried out in a way that is proportionate, and that respects individual’s privacy rights.
- our use of personal data is with consent including where required under separate laws, we will also ensure that individuals have opted in before we send marketing materials.
Before collecting and/or using any special categories of data we will establish an additional lawful ground to those set out above which will allow us to use that information. This additional exemption will typically be explicit consent.
The list of purposes Tudor Health Inc uses, the type of data used and the lawful basis, as defined in legislation, is detailed in Table 1.
Table 1: How Tudor Health Inc uses your personal data analysed by purpose, type of data and lawful bases
| Purpose for using the data | Type of data used for purpose* | Lawful basis for processing |
|---|---|---|
| To identify future customers of Tudor Health Inc’s services including potential clients. | a) Identity data; b) Contact data; c) Marketing and communications data including preferences. | a) Consent. |
| To deliver Tudor Health Inc’s services: a) Market research; b) Data collection services. | a) Identity data; b) Contact data; c) Financial data; d) Transaction data. | a) Performance of a contract; b) consent. |
| To manage our relationship with customers, participants and other stakeholders which may include: a) To notify you about changes to Tudor Health Inc Privacy Policy & Notice; b) Ask individuals to participate in research, feedback or evaluation of our services. | a) Identity data; b) Contact data; c) Profile data; d) Marketing and communications data including preferences. | a) Necessary for legitimate interests e.g., to research members and customers about Tudor Health Inc’s performance and service provision. |
| To satisfy external audit and/or legal requirements and standards. | a) Identity data; b) Contact data; c) Financial data; d) Transaction data. | a) Necessary to comply with a legal obligation; b) Necessary for legitimate interests to allow us to demonstrate adherence to any legal and/or regulatory requirements. |
| To administer and protect Tudor Health Inc as an organisation including website and digital infrastructure e.g., testing and checking systems, maintenance of the website, etc. | a) Identity data; b) Contact data; c) Technical data. | a) Necessary for legitimate interests e.g., to ensure adequate and robust administrative and IT services. |
| To use data analytics to measure and improve Tudor Health Inc’s website performance and customer communications. | a) Technical data; b) Usage data. | a) Necessary for legitimate interests e.g., to measure website traffic and engagement with Tudor Health Inc. |
| To make suggestions to further engagement with customers of Tudor Health Inc. | a) Identity data; b) Contact data; c) Profile data; d) Marketing and communications data including preferences. | a) Necessary for legitimate interests e.g., to communicate with customers; b) Informed consent e.g., direct marketing activities such as email and direct marketing. |
| To administer employment obligations. | a) Identity data; b) Contact data; c) Financial data; d) Transaction data. | a) Necessary to comply with legal obligations; b) Performance of contract. |
6. How we share personal data
We may share personal data with the parties set out below for the purposes set out in Table 1.
Third Parties, including:
- associated companies who may provide services to clients;
- service providers, who help manage our IT and back office systems, and assist with our Customer Relationship Management activities;
- external professionals appointed to provide advice and recommendations on areas connected with their expertise e.g., auditors, legal support;
- our regulators and law enforcement agencies in the US, the UK EEA and globally around the world.
We will only share personal data with a third party to the minimum extent necessary for the lawful purposes. We require all third parties to respect the security of personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use personal data for their own purposes and only permit them to process personal data for specified purposes, to the minimum extent necessary and in accordance with our instructions.
We will never share, rent, or sell your personal data to any third party for the purpose of directly marketing any products or services.
We may share participant personal data with a pharmaceutical company or client sponsoring our market research, so that they can directly review the outcomes of market research to allow them to understand it better. We only so this if participants give us consent to do so. For example, if participants take part in a group discussion, we may share digital footage of the discussion with the pharmaceutical client sponsoring the market research, if all participants consent to this.
In some cases, we may need to share personal data with subcontracted suppliers to help us as we undertake market research findings for example translation, transcription, fieldwork and digital recording suppliers. Any subcontracted suppliers act as data processors will only use personal data to complete a specific task as contracted by Tudor Health Inc (e.g., translation of responses to a research questionnaire) and must follow all of the same data protection requirements as Tudor Health Inc.
7. Direct marketing
We may use your personal data to send direct marketing communications about our related services (eg new services and products, invitations to events). This will be in the form of email, post, or targeted online advertisements.
When we require explicit opt-in consent for direct marketing in accordance with the Privacy and Electronic Communications Regulations we will ask for your consent. This applies to the EU and the UK.
Individuals have a right to stop receiving direct marketing at any time – by following the opt-out or opt-in links and boxes in our electronic and direct marketing communications. Individuals can also contact us at any time to instruct us to stop sending marketing materials by using the contact details in Section 1. You can withdraw your consent at anytime but any data collected to the point of consent withdrawal could still be used as it was lawfully collected at the time.
We also use personal data for customising offers and content based on visits to and/or usage of our services and website as well as individuals interaction with them.
8. What international transfers we undertake and how these are managed
Tudor Health Inc is based in Washington DC and its main service providers are based either in the USA, the UK or in countries in the European Economic Area (EEA) or countries in other regions eg Japan. For any cross-border data transfers such as transferring participant data to a country other than the one in which the participant resides, Tudor Health Inc shall ensure that appropriate safeguards are in place to provide an adequate level of data protection. Tudor Health Inc will ensure appropriate contractual clauses are in place for any data transfers including standard contractual clauses and mechanisms.
Data security for personal data
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those Tudor Health Inc staff, service suppliers, vendors and other third parties who have a reason for needing your personal data e.g., to deliver a Tudor Health Inc service to you. They will only process your personal data on Tudor Health Inc’s instructions and they are subject to a duty of confidentiality.
The data security measures that we have in place include:
- Password protected database which is hosted in the United States;
- On-going support from a specialist IT company ensuring Tudor Health Inc’s security is up-to-date;
- Encrypting documents and servers;
- Having robust back-up procedures;
- Testing data recovery plans bi-annually.
The above procedures are supported by appropriate policies setting out the procedures we undertake. Despite all of our precautions however, no data can be guaranteed to be 100% secure. So, whilst we strive to protect personal information, we cannot guarantee the security of any information.
We have put in place procedures to deal with any suspected personal data breach and will notify individuals affected and any applicable regulator of a breach, in a timely manner, where we are legally required to do so. We will endeavour to work with those affected and to minimise the impact of any breaches.
9. Retaining data
We will only keep personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain personal data for a longer period if we reasonably believe there is a specific need.
We maintain a data retention policy which we apply to records in our care. Where personal data is no longer required and we do not have a legal requirement to retain it, we will ensure it is either securely deleted or stored in a way such that it is anonymised and the personal data is no longer used by Tudor Health Inc.
To determine the appropriate retention period for personal data, we consider the data minimisation principle and balance the need for retention and the need for minimisation.
The actual retention periods for the different types of personal information that we hold is detailed in Table 2 – Table 10 below.
Tudor Health Inc’s current data retention periods
Table 2: General
| Client / Non Client Enquiry Data – Record Type | Retention period | Reason |
|---|---|---|
| General correspondence | 2 years | For reference purposes |
| Emails | 5 years | For reference purposes |
Table 3: Contractual Records
| Client / Non Client Enquiry Data – Record Type | Retention period | Reason |
|---|---|---|
| RFPs | 5 years digital | To respond to any queries |
| MSAs / Client contracts | 10 years digital | To respond to any queries |
| Proposals | 10 years digital | To respond to any queries |
Table 4: Primary Data Collection Records
| Client / Non Client Enquiry Data – Record Type | Retention period | Reason |
|---|---|---|
| Questionnaires/data collection tools | 1 year unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Transcripts of interviews, depths, groups | 1 year unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Translations of interviews, depths, groups | 1 year unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Recruitment questionnaires | 1 year unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Screeners | 1 year unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Consent forms e.g., for recording, etc | 1 year unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Digital recordings (e.g., groups, depths, interviews) | 1 year unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Incentive records inc. bank details | 1 year unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Client supplied lists | 1 year unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Responsible adult children’s research consent forms | 1 year unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
Table 5: Secondary Data Collection Records
| Client / Non Client Enquiry Data – Record Type | Retention period | Reason |
|---|---|---|
| Research reports | 5 years unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Data tables | 5 years unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Published research reports | 5 years unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Presentation materials and decks | 5 years unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
| Research press releases | 5 years unless contracted to retain for a longer period | To respond to queries and for quality standards purposes |
Table 6: Adverse Event Reporting and Pharmacovigilance
| Client / Non Client Enquiry Data – Record Type | Retention period | Reason |
|---|---|---|
| Consent forms | 6 years unless contracted to retain for a longer period | To be retained for reference and for quality standards and audit purposes |
| Records of adverse events (AEs) | 6 years unless contracted to retain for a longer period | To be retained for reference and for quality standards and audit purposes |
| Records of product complaints (PCs) | 6 years unless contracted to retain for a longer period | To be retained for reference and for quality standards and audit purposes |
| Records of special reporting situations (SRS) | 6 years unless contracted to retain for a longer period | To be retained for reference and for quality standards and audit purposes |
| AE/PC/SRS reconciliation forms | 6 years unless contracted to retain for a longer period | To be retained for reference and for quality standards and audit purposes |
Table 7: Staff
| Client / Non Client Enquiry Data – Record Type | Retention period | Reason |
|---|---|---|
| GDPR and pharmacovigilance staff training records | 6 years unless contracted to retain for a longer period | To be retained for reference and client audit purposes |
| EPHMRA/BHBIA and other regulatory training certification records | 6 years unless contracted to retain for a longer period | To be retained for reference and client audit purposes |
Table 8: Employment Records
| Client / Non Client Enquiry Data – Record Type | Retention period | Reason |
|---|---|---|
| Personnel records | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Staff recruitment records e.g. CVs | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Payroll including minimum wage | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Pension records | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Maternity records | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Redundancy records | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Staff disciplinary records | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Statutory sick pay records | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Statutory maternity records | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Furlough records | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Working time records | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Medical records | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
| Employee/staff benefits records e.g. health insurance, death-in-service, etc | Specified by the federal legal requirements and any state specifics | Legislative and audit purposes |
Table 9: Corporate/Governance/Audit
| Client / Non Client Enquiry Data – Record Type | Retention period | Reason |
|---|---|---|
| Legal advice | Indefinitely | For reference and historical purposes |
| Governance records e.g. incorporation records | Indefinitely | For reference and historical purposes |
| Accounting and financial records | Specified by the federal legal requirements | Financial and audit purposes |
Table 10: Marketing
| Client / Non Client Enquiry Data – Record Type | Retention period | Reason |
|---|---|---|
| Third party lists | For the term of the list contract | For contractual purposes |
In some circumstances we will anonymise personal data (so that it can no longer be associated with individuals) for research, survey or statistical purposes, in which case we may retain this aggregate data for an indefinite period as the data will no longer be identifiable.
10. Legal rights
European Economic Area and the UK
Under certain circumstances, individuals have rights under data protection laws in relation to their personal data including the right to receive a copy of the personal data we hold. Rights of individuals in the European Economic Area (EEA) and the UK are detailed in Table 3. Links describing the rights are from the UK although the rights are the same in the EEA.
Table 11: Your legal rights
| Your legal right | What this means |
|---|---|
| Subject access | You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here. |
| Rectification | You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here. |
| Erasure/right to be forgotten | You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here. |
| Restriction | You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here. |
| Objection | You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You can read more about this right here. |
| Portability | This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about this right here. |
| Automated Decision Making | Tudor Heath does not use automated decision making including profiling techniques. |
We will need to request specific information from individuals to confirm their identity and ensure individuals right to access personal data (or to exercise any of their other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask individuals for further information in relation to requests to speed up our response.
We aim to respond to all legitimate requests within one month of the confirmation of the identity of the request. There may be occasions when request take Tudor Health Inc longer to fulfil e.g., if a request is complex or involves a significant amount of data. If this applies, we will notify individuals and keep them updated.
Contact to exercise rights and to make a complaint:
The primary point of contact for all issues arising from this Policy, including requests to exercise rights is via: compliance@tudorhealth.com or by contacting us by telephone or post using the contact details provided in Section 1 of this policy.
You also have the right to make a complaint at any time with your national data protection authority. In the EEA the national data protection authorities are listed here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
The UK’ssupervisory authority for data protection issues is the Information Commissioner’s Office which is available here: https://ico.org.uk/ for more details.
Tudor Health have assessed (using the online tool on the ICO web site) that there is no requirement to appoint a DPO.
This privacy notice was last updated on 5th June 2023. The Privacy Notice & Policy may be updated from time to time and an updated version will be published on this page on the Tudor Health Inc website.