This Privacy Notice applies to you if you are an individual and a current or former registered shareholder of Spire Healthcare Group plc and describes what personal data we collect, how that information is used and what your rights are in relation to that personal data. Please take your time to read this Privacy Notice carefully.
This Privacy Notice:
In this Privacy Notice we use "we" or "us" or "our" or "Spire" to refer to Spire Healthcare Group plc (company number 09084066 with registered office at 3 Dorset Rise, London, EC4Y 8EN). When we hold personal data relating to your shareholding in Spire, we are regulated under the General Data Protection Regulation (“GDPR”) which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ for deciding how and why we hold and use personal data about you, for the purposes of those laws.
Our Data Protection Officer ("DPO") has responsibility for ensuring that Spire complies with data protection law.
The DPO can be contacted by:
If you would like further information about any of the matters in this Privacy Notice or have any other questions about how we collect, store or use your personal data, please contact the DPO using the details above.
‘Personal Data’ means any information relating to or which identifies you. We understand how important your personal data is and are committed to protecting and respecting your privacy.
If you are a shareholder of Spire, we will process the following personal data:
Personal data can be held electronically or in certain paper records.
The confidentiality of your personal is important to Spire. We make every effort to prevent unauthorised access to and use of personal data relating to your current or former Spire shareholding. In doing so, Spire complies with UK data protection law, including the Data Protection Act 2018 and the GDPR.
Your personal data is collected when you provide it to us, to Equiniti or to other third parties engaged to carry out services on our behalf, for example when you provide information in writing such as filling in a share transfer form or provide your details via Equiniti’s website.
We have engaged Equiniti Limited as our ordinary share registrar. Equiniti Limited and other Equiniti Group entities (“Equiniti”) maintain the Spire shareholder register and processes shareholders’ personal data on our behalf. This may involve keeping an up-to-date record of shares held by shareholders, administration of dividends, share transfers and issuing of shares certificates (as applicable). When you provide your personal data to Equiniti, their privacy policy will apply and is here.
Your personal data is also collected when you exercise rights attached to your shares, such as voting. Your personal data might also be provided to us or to Equiniti by third parties, for example by an agent through which you trade in Spire shares. Your voice or image may be captured and recorded, for example within a webcast recording of a shareholder meeting which you attend.
We also collect information about how you logged on and off of our website(s), including your IP address, information about your visit, your browsing history, your device information and how you use our website – please see the cookie policy here for further information on this.
We may 'process' your personal data for a number of different purposes, which is essentially the language used by the law to mean using your data.
Your personal data is processed so that we can:
The legal bases for this processing are to allow us to comply with our legal obligations such as under the Companies Act and Stock Exchange requirements or to allow us to fulfil contractual obligations with shareholders or where we have a legitimate interest to process the information so that we can communicate effectively with shareholders.
If you have questions about your Spire shareholding, please contact Equiniti at https://www.shareview.co.uk.
We will also process your personal data for financial crime, money laundering and fraud risk purposes and this can include automated decision making. The legal basis for this processing is to comply with our legal obligations such as under the Companies Act, Stock Exchange requirements, financial crime regulations, taxation laws and social security laws.
Your personal data will be shared with Equiniti. We may share your personal data relating to your Spire shareholding with other companies in the Spire group, where we need to do so.
We may also disclose your information to the third parties listed below for the purposes described in this Privacy Notice. This might include:
We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone. Where we share personal data with third parties, we generally have contracts in place with such third parties which ensures that they will protect your personal data and not use it for any purposes beyond delivering their services to us.
We will only keep your personal data for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice.
Your record on the shareholder register will be maintained while you are a shareholder of Spire. If you cease to hold Spire shares, your personal data will be kept for a period of up to 12 years following the last update to your record on the shareholder register, or for as long as is necessary to resolve any outstanding matters relating to your shareholding or to meet legal, regulatory or tax requirements.
If you would like further information regarding the periods for which your personal data will be stored, please contact our DPO for further details.
We (or third parties acting on our behalf) may store or process information that we collect about you in countries outside the European Economic Area ("EEA"). Where we make a transfer of your personal data outside of the EEA we will take the required steps to ensure that your personal data is protected.
To the extent that it is necessary to do so, Spire may transfer your personal data outside of the EEA to members of the Equiniti Group, including Equiniti India Private Limited which is based in India, for the purposes described in this Privacy Notice. Your personal data will also be shared outside of the EEA and EU for the purposes of contacting you via email via our email service provider. For these transfers, we will only transfer personal data to countries which are recognised as providing adequate level of protection or where we can be satisfied that alternative arrangements are in place to protect your rights, including standard contractual clauses as mandated by the European Commission.
If you would like further information regarding the steps we take to safeguard your personal data, please contact the DPO using the details at the front of this Privacy Notice.
Please note that we have listed above the current common transfers of personal data outside of the EEA but it may be necessary, in future, to transfer such data for other purposes. In the event that it is necessary to do so, we will update this Privacy Notice.
The right to access your personal data
You are usually entitled to a copy of the personal data we hold about you and details about how we use it.
Your personal data will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (eg by email) the personal data will be provided to you by electronic means where possible.
Please note that in some cases we may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you.
You are entitled to the following under data protection law.
Under Article 15(1) of the GDPR we must usually confirm whether we have personal data about you. If we do hold personal data about you we usually need to explain to you:
The right to rectification
We take reasonable steps to ensure that the personal data we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.
The right to erasure (also known as the right to be forgotten)
In some circumstances, you have the right to request that we delete the personal data we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the personal data in question. In particular, for example, we do not have to comply with your request if it is necessary in order to comply with our legal obligation or for the purposes of establishing, exercising or defending legal claims.
The right to restriction of processing
In some circumstances, we must "pause" our use of your personal data if you ask us to. We do not have to comply with all requests to restrict our use of your personal data. In particular, for example, we do not have to comply with your request if it is necessary to keep your personal data in order to perform tasks which are for the purposes of establishing, exercise or defending legal claims.
The right to data portability
In some circumstances, we must transfer personal data that you have provided to us to you or (if this is technically feasible another individual/ organisation of your choice. The information must be transferred in an electronic format.
The right to object to marketing
You can ask us to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting the DPO.
The right not to be subject to automatic decisions (ie decisions that are made about you by computer alone)
You have a right to not be subject to automatic decisions (ie decisions that are made about you by computer alone) that have a legal or other significant effect on you.
The right to withdraw consent
In some cases we need your consent in order for our use of your personal data to comply with data protection legislation.
We have explained in the section entitled "What are the purposes for which your information is used?" where we rely on your consent in this way. Where we do this, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting Spire’s DPO whose details at the front of this Privacy Notice.
The right to complain to the Information Commissioner's Office
You can complain to the Information Commissioner's Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.
More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/
Your exercise of these rights or subject to certain conditions and exemptions, for example, to safeguard the public interest in investigating crimes, or protecting legal privilege. If you exercise any of these rights we will check your entitlement and respond in most cases within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If you are not satisfied with our use of your personal data or our response to you, you can complain to the contact listed at the front of this Privacy Notice.
Making a complaint will not affect any other legal rights or remedies that you have.
We will use reasonable endeavors to ensure that your personal data is accurate. In order to assist with this, you should notify us of any changes to your personal data by using the contacting us as set out in section 1 above.
We may update this Privacy Notice from time to time to ensure that it remains accurate. The most up-to-date version can always be found at https://investors.spirehealthcare.com/shareholder-privacy/ and we therefore encourage you to review it from time to time to stay informed of how we use your personal data.
We are required to employ adequate technical and organizational security measures to protect your personal data from any loss, destruction, damage or unlawful disclosure. However, no transmission of personal data can ever be guaranteed as secure. Consequently, please note that we cannot guarantee the security of any personal data which you transfer to us or which we transfer to you.
This Privacy Notice was last updated on 12 November 2018.