Privacy Policy — PharmaDPO

This Privacy Policy explains how PharmaDPO ("we", "us", "our") collects, uses, stores, and protects personal data when you visit pharmadpo.com or contact us in connection with our consulting services.

We are committed to protecting your personal data and processing it in accordance with the EU General Data Protection Regulation (GDPR) (2016/679) and the UK General Data Protection Regulation (UK GDPR) as incorporated into UK law by the Data Protection Act 2018.

Please read this policy carefully. If you have any questions, contact us using the details in Section 12.

01

Who we are

PharmaDPO is a privacy consulting practice providing enterprise privacy risk management, external DPO services, privacy culture development, training, and OneTrust deployment services to life sciences organisations.

Data Controller: PharmaDPO

Trading as: PharmaDPO

Website: pharmadpo.com

Principal place of business: London, United Kingdom

Contact: hello@pharmadpo.com

Where we process personal data of individuals located in the European Union, we act as a data controller subject to the EU GDPR. Where we process personal data of individuals located in the United Kingdom, we act as a data controller subject to the UK GDPR and the Data Protection Act 2018.

02

What personal data we collect

We collect limited personal data, only where necessary for the purposes described in this policy. We do not collect special category data through this website.

Data you provide directly

Contact enquiries: name, email address, company name, job title, and the content of your message when you contact us via our website contact form or by email.
Business communications: correspondence, meeting notes, and related data exchanged in the course of a client or prospective client relationship.
Newsletter or content subscriptions: name and email address, if you subscribe to receive updates or resources from us.

Data collected automatically

Website analytics: IP address (anonymised), browser type, device type, pages visited, time on page, and referring URL, collected via analytics tools.
Cookies and similar technologies: see Section 9 for full details.
Server logs: technical access logs maintained for security and performance monitoring.

Data we obtain from third parties

LinkedIn and professional networks: publicly available professional information where you connect with us or engage with our content on LinkedIn.
Referrals: contact details shared with us by existing clients or partners with your knowledge.

03

How we use your personal data

We use personal data only for the purposes for which it was collected. The table below sets out our processing activities and their corresponding lawful basis.

Purpose	Lawful basis (EU GDPR / UK GDPR)
Responding to enquiries and providing information about our services	Legitimate interests (Art. 6(1)(f)) — responding to business enquiries
Entering into and performing consulting contracts	Performance of a contract (Art. 6(1)(b))
Sending marketing communications and thought leadership content	Consent (Art. 6(1)(a)) — where required; legitimate interests where a prior business relationship exists
Website analytics and performance monitoring	Legitimate interests (Art. 6(1)(f)) — improving website functionality and user experience
Compliance with legal obligations (tax, accounting, regulatory)	Legal obligation (Art. 6(1)(c))
Fraud prevention and website security	Legitimate interests (Art. 6(1)(f)) — protecting our business and users
Managing and developing our business relationships	Legitimate interests (Art. 6(1)(f)) — operating as a professional services business

Where we rely on legitimate interests as our lawful basis, we have carried out a legitimate interests assessment (LIA) to ensure our interests are not overridden by your rights and interests. You have the right to object to processing based on legitimate interests — see Section 8.

Where we rely on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

04

Lawful basis for processing

Under the EU GDPR and UK GDPR, we must have a valid lawful basis to process personal data. We rely on the following bases, as detailed in the table above:

Article 6(1)(a) — Consent: Where you have given clear consent to process your personal data for a specific purpose (e.g. subscribing to our newsletter).
Article 6(1)(b) — Contract: Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering a contract.
Article 6(1)(c) — Legal obligation: Where processing is necessary for compliance with a legal obligation to which we are subject.
Article 6(1)(f) — Legitimate interests: Where processing is necessary for the purposes of our legitimate interests or those of a third party, except where overridden by your interests, rights, and freedoms.

We do not process special category data (Article 9 GDPR) through this website or in the ordinary course of our consulting practice, unless specifically agreed and documented in a separate data processing agreement with a client organisation.

05

Who we share your data with

We do not sell, rent, or trade personal data. We share personal data only where necessary and in accordance with applicable law, with the following categories of recipients:

Service providers (data processors)

Website hosting providers — to host and maintain this website.
Analytics providers — to understand how visitors use our website (e.g. anonymised analytics tools).
Email and communication tools — to send and receive business correspondence.
Accounting and invoicing software — for financial record-keeping and billing.
Cloud storage providers — for secure document storage.

All service providers are contractually required to process personal data only on our instructions and in compliance with applicable data protection law. Where required, we put in place Data Processing Agreements (DPAs) under Article 28 GDPR.

Professional advisors

Lawyers, accountants, and insurers where necessary for legal, financial, or risk management purposes, subject to confidentiality obligations.

Regulatory and law enforcement authorities

Where required by law, court order, or regulatory obligation, we may disclose personal data to competent authorities, including data protection supervisory authorities.

06

International transfers of personal data

Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR and the UK GDPR.

These safeguards may include:

Adequacy decisions — transfers to countries recognised as providing an adequate level of data protection by the European Commission or UK Secretary of State.
Standard Contractual Clauses (SCCs) — the EU Commission-approved standard contractual clauses (2021) for transfers from the EEA, and/or the UK International Data Transfer Agreement (IDTA) or UK Addendum for transfers from the UK.
Binding Corporate Rules (BCRs) — where applicable for transfers within a corporate group.

You may request information about the specific safeguards applied to any international transfer of your personal data by contacting us at the details in Section 12.

07

How long we keep your data

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or regulatory requirements.

Category of data	Retention period
Contact enquiries (no engagement)	12 months from last contact
Client and contract records	7 years from end of engagement (legal and tax obligations)
Financial and invoicing records	7 years (UK HMRC / Irish Revenue requirements)
Marketing consent records	Until consent withdrawn, plus 3 years to demonstrate compliance
Website analytics data	26 months (anonymised or aggregated thereafter)
Server access logs	90 days

After the applicable retention period, personal data is securely deleted or anonymised so that it can no longer be associated with you.

08

Your rights

Under the EU GDPR and UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain exemptions.

Right of access (Art. 15)

You have the right to obtain confirmation of whether we process your personal data, and to receive a copy of it, together with supplementary information.

Right to rectification (Art. 16)

You have the right to have inaccurate personal data corrected and incomplete data completed without undue delay.

Right to erasure (Art. 17)

You have the right to request deletion of your personal data in certain circumstances, including where it is no longer necessary for the purposes for which it was collected.

Right to restriction (Art. 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while the accuracy of the data is contested.

Right to portability (Art. 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format.

Right to object (Art. 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing immediately.

Right to withdraw consent

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

How to exercise your rights

To exercise any of the above rights, please contact us using the details in Section 12. We will respond to your request without undue delay and in any event within one month of receipt. Where requests are complex or numerous, this period may be extended by a further two months, of which we will inform you.

We will not charge a fee for handling your request unless it is manifestly unfounded, excessive, or repetitive.

Supervisory authorities

If you are located in the United Kingdom, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.

If you are located in the European Union, you have the right to lodge a complaint with the supervisory authority in your member state of habitual residence or place of work.

09

Cookies and similar technologies

Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device by a website you visit.

Types of cookies we use

Category	Purpose	Legal basis
Strictly necessary	Essential for the website to function correctly. Cannot be disabled.	Legitimate interests
Analytics / performance	Understand how visitors interact with our website. Data is anonymised or aggregated where possible.	Consent
Functional	Remember your preferences to improve your experience.	Consent
Marketing	We do not currently use marketing or advertising cookies.	N/A

You can control and manage cookies through your browser settings. Disabling certain cookies may affect the functionality of this website. For more information about cookies and how to manage them, visit allaboutcookies.org.

Where required by applicable law (including the UK Privacy and Electronic Communications Regulations 2003 and the EU ePrivacy Directive), we will seek your consent before placing non-essential cookies on your device.

10

Children's personal data

Our website and services are directed exclusively at business professionals and organisations. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently received personal data from a child, please contact us immediately at hello@pharmadpo.com and we will take steps to delete that data.

11

Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this policy and, where appropriate, notify you by email or by a prominent notice on our website.

We encourage you to review this policy periodically. Your continued use of our website or services after changes become effective constitutes your acknowledgement of the updated policy.

Previous versions of this Privacy Policy are available upon request.

12

How to contact us

If you have any questions, concerns, or requests relating to this Privacy Policy or our processing of your personal data, please contact us:

PharmaDPO

Email: hello@pharmadpo.com

Website: pharmadpo.com

Principal place of business: London, United Kingdom

We aim to respond to all privacy-related queries within 5 business days and to all formal data subject requests within the statutory timeframe of one calendar month.

UK supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113

EU supervisory authorities: Contact the data protection authority in your EU member state of residence or work.