Privacy Policy
1. Who are we?
Haemnet is a specialist research and communications organisation working in the area of rare diseases.
We think data protection is important. Your rights do not exist because of your nationality, the colour of your skin, your language, or your culture, instead your rights derive simply from your humanity.
This information explains what personal data we use, how we use it, and why we use it. We’ll try to keep this as plain English as possible though we will need to use some legal terms from time to time. We will talk about lawful bases, you can find out more on the ICO website.
This privacy notice was last updated on 29-07-2025. If you have any questions please contact our Data Protection Officer by emailing DPO@haemnet.com.
2.1. What data do you collect and use?
-
- Your contact details (name, email address, telephone number, job role). We use this information to manage staff.
-
- Annual leave data to manage annual leave across the organisation, ensuring that staff take annual leave while ensuring that the needs of the business are met.
-
- Financial, banking, and social security data. We use this information to pay you, and to fulfil any legal obligations relating to facilitating tax and pension contributions.
-
- Information about your work-issued devices and information systems. We use this information to ensure that the right staff have the right access to the right information for the purpose of their job role.
-
- Health data. We use this information to ensure that staff are fit to work, and to ensure that reasonable adjustments to enable all staff to work to the best of their ability.
-
- If you apply for a role with us we will use data you supply in your application (name
2.2. How do you comply with the law?
Organisations are required to have a ‘lawful basis’ for processing personal data. We have provided the legal reference in case you want to explore it further.
-
- We process your data as part of the performance of the contract of employment we have with each employee (UK GDPR article 6(1)(b)).
-
- Where we process health data this is necessary for complying with laws around health and safety in the workplace, and to ensure that reasonable adjustments are made where relevant (UK GPDR article 9(2)(b)).
-
- We process your data to comply with legal obligations, such as providing information to HMRC to ensure staff are taxed correctly (UK GDPR article 6(1)(c)).
2.3. How long do you keep my data for?
We keep data for 6 years after the end of your contract with us.
2.4. Do you share data?
We share information with data processors (our suppliers who provide services to us). This includes;
-
- BrightHR, who provide systems for managing HR,
-
- Google, Microsoft, and Dropbox who provide tools for communication and collaboration,
-
- Kreston Reeves, our payroll provider.
We also share information with other organisations, this includes;
-
- HMRC who require us to provide information to ensure staff are taxed correctly.
-
- Kreston Reeves, who provide accountancy services.
2.1. What data do you collect and use?
-
- Your contact details (name, email address, telephone number, job role). We use this information to manage staff.
-
- Annual leave data to manage annual leave across the organisation, ensuring that staff take annual leave while ensuring that the needs of the business are met.
-
- Financial, banking, and social security data. We use this information to pay you, and to fulfil any legal obligations relating to facilitating tax and pension contributions.
-
- Information about your work-issued devices and information systems. We use this information to ensure that the right staff have the right access to the right information for the purpose of their job role.
-
- Health data. We use this information to ensure that staff are fit to work, and to ensure that reasonable adjustments to enable all staff to work to the best of their ability.
-
- If you apply for a role with us we will use data you supply in your application (name
2.2. How do you comply with the law?
Organisations are required to have a ‘lawful basis’ for processing personal data. We have provided the legal reference in case you want to explore it further.
-
- We process your data as part of the performance of the contract of employment we have with each employee (UK GDPR article 6(1)(b)).
-
- Where we process health data this is necessary for complying with laws around health and safety in the workplace, and to ensure that reasonable adjustments are made where relevant (UK GPDR article 9(2)(b)).
-
- We process your data to comply with legal obligations, such as providing information to HMRC to ensure staff are taxed correctly (UK GDPR article 6(1)(c)).
2.3. How long do you keep my data for?
We keep data for 6 years after the end of your contract with us.
2.4. Do you share data?
We share information with data processors (our suppliers who provide services to us). This includes;
-
- BrightHR, who provide systems for managing HR,
-
- Google, Microsoft, and Dropbox who provide tools for communication and collaboration,
-
- Kreston Reeves, our payroll provider.
We also share information with other organisations, this includes;
-
- HMRC who require us to provide information to ensure staff are taxed correctly.
-
- Kreston Reeves, who provide accountancy services.
When we run research studies we take the opportunity to ask you if they would like to be contacted for future research opportunities.
3.1. What data do you collect and use?
-
- Your contact details (name, email address. We use this information to identify and contact you.
-
- Data about your health, including diagnosis. We use this information to conduct research, and to identify whether you may be eligible for future studies.
3.2. How do you comply with the law?
Organisations are required to have a ‘lawful basis’ for processing personal data. We have provided the legal reference in case you want to explore it further.
-
- When we collect your consent to be contacted for future research we rely on your explicit consent.
3.3. How long do you keep my data for?
We keep data about your consent until you withdraw consent. We keep study data for the length of time provided in the patient information sheet.
3.4. Do you share data?
We share information with data processors (our suppliers who provide services to us). This includes;
-
- Google, Microsoft, and Dropbox who provide tools for communication and collaboration.
When we run research studies we take the opportunity to ask you if they would like to be contacted for future research opportunities.
3.1. What data do you collect and use?
-
- Your contact details (name, email address. We use this information to identify and contact you.
-
- Data about your health, including diagnosis. We use this information to conduct research, and to identify whether you may be eligible for future studies.
3.2. How do you comply with the law?
Organisations are required to have a ‘lawful basis’ for processing personal data. We have provided the legal reference in case you want to explore it further.
-
- When we collect your consent to be contacted for future research we rely on your explicit consent.
3.3. How long do you keep my data for?
We keep data about your consent until you withdraw consent. We keep study data for the length of time provided in the patient information sheet.
3.4. Do you share data?
We share information with data processors (our suppliers who provide services to us). This includes;
-
- Google, Microsoft, and Dropbox who provide tools for communication and collaboration.
We process the personal data of individuals working on behalf of our customers (their employees & contractors).
4.1. What data do you collect and use?
-
- Your contact details (name, email address, job role). We use this information to identify and communicate with you.
4.2. How do you comply with the law?
Organisations are required to have a ‘lawful basis’ for processing personal data. We have provided the legal reference in case you want to explore it further.
-
- We use your data for because we have a ‘legitimate interest’ in fulfilling our contract with our customers who employ you (UK GDPR article 6(1)(f)).
4.3. How long do you keep my data for?
We keep data about you for 6 years after the termination of our contract with your employer.
4.4. Do you share data?
We share information with data processors (our suppliers who provide services to us). This includes;
-
- Google, Microsoft, and Dropbox who provide tools for communication and collaboration.
We process the personal data of individuals working on behalf of our customers (their employees & contractors).
4.1. What data do you collect and use?
-
- Your contact details (name, email address, job role). We use this information to identify and communicate with you.
4.2. How do you comply with the law?
Organisations are required to have a ‘lawful basis’ for processing personal data. We have provided the legal reference in case you want to explore it further.
-
- We use your data for because we have a ‘legitimate interest’ in fulfilling our contract with our customers who employ you (UK GDPR article 6(1)(f)).
4.3. How long do you keep my data for?
We keep data about you for 6 years after the termination of our contract with your employer.
4.4. Do you share data?
We share information with data processors (our suppliers who provide services to us). This includes;
-
- Google, Microsoft, and Dropbox who provide tools for communication and collaboration.
5. Your rights
Under data protection law, individuals (data subjects) have a number of rights which are detailed below. Some of these only apply in specific circumstances and are qualified in several respects by exemptions in data protection law. We will advise you in our response to your request if we are relying on any such exemptions. All requests should be directed to DPO@haemnet.com.
5.1. Right of access
You have a right to request a copy of the personal data that we hold about you. You should include adequate data to identify yourself and such other relevant data that will reasonably assist us in fulfilling your request. Your request will be dealt with as soon as possible.
5.2. Right to rectification
You can ask us to rectify and correct any personal data that we are processing about you which is incorrect. We provide you with account settings and tools to access the data associated with your account.
5.3. Right to withdraw consent
Where we have relied upon your consent to process your personal data, you have the right to withdraw that consent. To opt out of marketing, you can use the unsubscribe link found in the email marketing communication you receive from us. For other marketing preferences you can contact us, providing details of services or marketing that you wish to opt out of.
5.4. Right of erasure
You can request us to erase your personal data under certain circumstances, for example if you believe that we no longer need to retain your data. This is not an absolute right, and we need to carefully consider each case on its own merits as there may be good reasons why we are not able to erase your data. If we are not able to honour your request we will explain why.
5.5. Right to data portability
This right allows you to obtain your personal data in an electronic format, where you have provided data to us with your consent, or where the data was necessary for us to provide you with our services. You can request that the data be given in a format which enables you to transfer that personal data to another organisation. You may have the right to have your personal data transferred by us directly to the other organisation, if this is technically feasible.
5.6. Right to restrict processing
You have the right in certain circumstances to request that we suspend our processing of any or all your personal data. Where we suspend our processing of your personal data we will still be permitted to store your personal data, but any other processing of this data will require your consent, subject to certain exemptions.
5.7. Right to object
You have the right to object to our use of your personal data which is used where we feel that we have legitimate interest. However, we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so, or where we need to process your personal data in connection with any legal claims. The grounds for continuing to do so will be communicated to you.
5.8. Right to contact the Information Commissioner’s Office (ICO)
Naturally we really hope you never feel you need to, but if you have a complaint you can contact the ICO, the UK’s data protection regulator.
Information Commissioner’s Office
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire
SK9 5AF
Phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number. Contact the ICO for advice or to make a complaint on the ICO website.
