Learn how and why we collect and process your data – and what we do to keep it safe.
Last update: 15 July 2020
Users of our website
Parties interested in Cyted
Organisations purchasing medical diagnosis reports products or services from us (“Customers”)
Organisations supplying goods or services to us (“Suppliers”)
Staff and other representatives of our Suppliers or Customers (“Representatives”)
Who is the data controller?
Cyted Ltd is the controller for the personal information we process, unless otherwise stated. We are a limited company registered in England and Wales (company number 11478299). Our registered address is Platinum Building St John’s Innovation Park, Cowley Road, Cambridge, England, CB4 0DS.
Under the Data Protection Act 2018, Cyted is registered with the Information Commissioner’s Office (Registration number: ZA513427).
Our contact details and how you can facilitate your rights
Personal data that we collect
We may collect personal data from you in the course of running our business, including through your use of our website, the use of our products or services, when you contact or request information from us, as a result of you applying for a job with us, or as a result of your relationship with one or more of our staff or customers.
Personal data, or personal information, means any information about a living individual from which that person can be identified. It does not include data where the identity has been anonymised.
We also collect aggregated data such as statistical or demographic data for any purpose. For instance, if you visit our website, we will use your usage data to calculate the number of users accessing a particular web page.
The following is a non-exhaustive list of the categories of personal data that we collect, grouped by data category:
Nature of provision of personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you.
How we obtain your personal information
We collect personal information from you and others as necessary in the course of running our business.
Most of the personal data we process is provided directly to us by you for one of the following reasons:
When you or your organisation makes an enquiry or uses any of our products or services
When you or your organisation provides products or services to us
When you communicate with us by phone, electronic messaging, in writing, or directly when you meet with our staff
When you or your organisation browse our website, complete a form or communicate via the website or our other electronic services
When you or your organisation participates in our marketing events, recruitment events or other promotional events
When you agree to receive marketing communications from us
When you or your organisation gives feedback (for example completing a survey)
When provided by a publicly available source such as public lists of registers e.g. electoral register, Companies House and other
We also receive personal data indirectly, in the following scenarios:
When provided by a third party organisation, such as an identity verification agency if you had applied for employment with us; by an analytic provider such as Google if you use the internet; from payment providers if you bought something from us; by a delivery organisation if you took a delivery from us; from a regulatory authority such as HMRC if you are employed by us
When provided by our customer, such as a request for medical diagnosis or investigation where we provide a medical diagnosis report
When you interact with our website or use our systems, we may automatically collect data about your access device and browsing session, using cookies and other technologies. We may also receive technical data about you if you visit other websites using our cookies
As part of Cyted's corporate function, we process special category and criminal conviction data. We have an appropriate policy document that explains our safeguarding policy for special category and criminal conviction data.
Why we use your personal information
We will only process your personal data when we have a lawful basis to do so.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these will apply whenever we process personal data:
Consent: we have your consent to process your personal data for a specific purpose
Contract: the processing is necessary for a contract we have
Legal obligation: the processing is necessary for us to comply with the law
Vital interests: the processing is necessary for us to protect someone’s life
Public task: the processing is necessary for us to perform a task in the public interest
Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests
In most cases, we do not rely on consent as a legal basis for processing your personal data, except in relation to sending direct marketing communications to you via email. You have the right to withdraw consent to marketing at any time by contacting us.
We will not use your personal data for making any automated decisions.
How we use your personal data
Cyted will only use your personal data fairly and where we have a lawful basis to do so. Most commonly, we will use your personal data in the following circumstances:
Processing special category data
When we process special category data, we need to identify both a lawful basis for processing and a special category condition to ensure compliance with Article 9 GDPR. We consider criminal offence information within special category data.
Recipients of personal data we process
Access to personal data is strictly controlled to maintain its privacy and security.
We may share personal data for the purposes mentioned in the above tables with the following recipients or categories of recipients:
Our Staff – we share personal data with our staff involved with the delivery of our medical diagnosis services
Our Healthcare professionals – we share personal data with our healthcare professionals involved with the delivery of our medical diagnosis services
Our Customers – we share personal data with representatives of the medical organisation that commissioned our services
Government and other regulatory bodies – we may be required to share personal data with regulators to comply with our legal, regulatory and statutory obligations such as the Care Quality Commission, Department for Work and Pensions, HMRC, Coroners Court
Service providers – we may share personal data with service providers acting as processors who provide IT and system services
Third parties – We may also be required to pass personal information to third parties acting as data processors or joint controllers such as law enforcement agencies, our insurers, our auditors, the courts and our professional advisers
These recipients or categories of recipients are only allowed to process personal data for specified purposes and where they are processing personal data on our behalf, they must do so in accordance with our instructions.
Also, we may share your personal data with other third parties in the context of a possible sale or restructuring of the business.
Transfer to third countries
Some of our recipients are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data outside the EEA, we will ensure that a similar degree of protection of personal data is given by ensuring at least one of these safeguards is in place:
Countries deemed adequate by the EU Commission – We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Use model contracts – We may use model contracts approved by the European Commission which give the same protection to personal data as afforded within the EEA. These model contract terms are available on the EU Commissioner website.
Use of Privacy Shield – If the provider processes personal data in the USA, we may transfer data to the provider if they have been accredited Privacy Shield status, which requires them to protect personal data to a similar level as afforded within the EEA.
How long we keep your personal data
We will only retain your personal data for as long as it is necessary for the purposes we collected it for, which will include the purposes of meeting any legal, regulatory, accounting or reporting requirements. For further information about how long we hold personal data see our retention schedule that is available on request from our Data Protection Lead.
Your data protection rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
Your right of access – You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. This right is commonly known as a “data subject access request” or “DSAR”.
Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing – You have the right to object to processing in certain circumstances.
Your right to data portability – This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated.
Making an information request to us
You can make a request to exercise your privacy rights by contacting us at the address above. To respond, we will need information from you to deal with the request, such as details that help us locate the information you are looking for. We will set up an electronic case file containing the details of your request. This normally will include your contact details and any other information that you have given us. If you are making a request about your personal data, or are acting on behalf of someone making a request, then we will ask for information to satisfy us of your identity.
You are not required to pay any charge for exercising your rights; however, we may charge a reasonable fee if your request for access is repeated and/or unfounded or excessive. We have one month to respond to you.
Your right to complain to a supervisory authority
If you have concerns about the way we handle your personal data, you can contact the ICO or raise a complaint. We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner’s Office so please contact us in the first instance.
If you remain dissatisfied, you have the right to make a complaint about the way we process your personal information by contacting the ICO:
by phone on +44 303 123 1113
by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
via their website at http://www.ico.org.uk/concerns
Changes to this policy
Other third party links
Our website may, from time to time, contain links to and from third-party websites, including those of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites may have their own privacy policies. We don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Security and safe storage of your personal information
The security of your personal information is very important to us and we take this matter very seriously. We’ll use appropriate procedures and security features to process and protect your information. We have in place a robust framework to ensure the security of your information.
We may monitor the use and content of emails, calls and secure messages sent from and received by us so that we can, for instance, identify and take legal action against unlawful or improper use of our systems. The main examples of unlawful or improper use are attempting to impersonate Cyted, the transmission of computer viruses and attempts to prevent this website or its services from working.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.