INTRODUCTION
RQM+ is committed to processing your data securely and transparently. This privacy notice sets out the types of data that we collect and hold on you as a client or potential client of the company. It also sets out how we use that information, how long we keep it for and other relevant information about your data.
RQM+ is aware of its obligations to residents and citizens of the EU under the General Data Protection Regulation (GDPR), of the UK under the Data Protection Act (UKDPA) and the UK GDPR, of Switzerland under the Swiss Federal Act on Data Protection (FADP), and of the USA under a variety of legislation and acts that include data protection requirements, specifically including the California Consumer Privacy Act (CPRA), and of the data protection requirements of residents and citizens of other countries. This privacy notice complies with the requirements of the above laws and regulations and is applicable globally but may be supplemented by additional information on our privacy practices that may be provided as required by applicable laws and regulations via notices provided at the time of data collection. Together, these are referred to as “Data Protection Legislation”.
RQM+ ACTING AS A DATA PROCESSOR
When RQM+ is acting as a data processor, it handles personal data only on behalf of and under the instructions of a data controller. It does not decide why or how the data is used; it simply carries out the controller’s directives, such as storing, organizing, or analyzing the data under a clear contract. In this case the privacy regulations differ from those of a data controller. The link below outlines RQM+’s responsibilities when acting in the capacity of a data processor.
RQM+ ACTING AS A DATA PROCESSOR
RQM+ ACTING AS A DATA CONTROLLER
RQM+ is acting as a data controller, meaning that it determines the processes to be used when using your personal data. The company has appointed a Data Protection Officer who is responsible for ensuring your data is stored and processed in accordance with this privacy notice. The Data Protection Officer can be contacted at [email protected]
SCOPE
This Privacy Policy applies to personal data that we collect and process in our capacity as a data controller through:
- Our websites
- Our applications
- Our services
- Any other means through which we communicate with individuals
LEGAL BASIS FOR PROCESSING
We only process personal data when we have a lawful basis to do so under Article 6 of the GDPR. Depending on the context, our processing may be justified by one or more of the following legal bases:
- Consent (Article 6(1)(a)): You have given clear consent for us to process your personal data for a specific purpose.
- Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract with you or to take steps before entering into such a contract.
- Legal Obligation (Article 6(1)(c)): Processing is necessary for compliance with a legal obligation to which we are subject.
- Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate interests (or those of a third party), unless overridden by your interests or fundamental rights and freedoms.
In relation to your personal data, we will:
- process it fairly, lawfully and in a clear, transparent way
- collect your data only for reasons that we find proper for the course of your relationship with RQM+ in ways that have been explained to you
- only use it in the way that we have told you about
- ensure it is correct and up to date
- keep your data for only as long as we need it
- process it in a way that ensures it will not be used for anything that you are not aware of or have not consented to (as appropriate), or be lost or destroyed.
TYPES OF DATA WE PROCESS
We may hold many types of data about you, including:
- your personal details including your name, address, e-mail address, phone numbers
- job title and job descriptions
- job responsibilities
- employer (and previous employers if known)
- who you report to
- your location
- country that you reside in
- information accessed and downloaded from company websites
- events attended and meetings with RQM+ representatives
- records of your contact with RQM+
- marketing material and campaigns that you have shown an interest in.
We do not request, hold or process special categories of data (such as health, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership and genetic and biometric data) or criminal conviction data for clients or potential clients.
HOW WE COLLECT YOUR DATA
We collect data about you in a variety of ways and we would normally collect the data from you directly. This will usually start when you contact us or talk to us about a business need you or your company has, but can also be when you have provided your details to access and download information from our website or shown an interest in specific topics of a marketing campaign. Further information may be collected directly from you as our relationship and correspondence increases.
In addition, data about you may be obtained from other sources, including from your colleagues who identify you as the person to speak to regarding a business opportunity or need, and from publicly available sources or third parties such as LinkedIn and ZoomInfo. Where this is the case, data that we hold will be limited in nature.
WHY WE PROCESS YOUR DATA
We need to collect your data so that we can perform and meet our obligations under the contracts we are party to for delivering agreed services.
We also collect data so that we can carry out activities which are in the legitimate interests of the Company. We have set these out below:
- discuss and secure future business opportunities
- business pipelining
- making decisions regarding marketing activities
- analyze the effectiveness of marketing activities
- market intelligence including analyzing the needs and potential need within the life science industry
- maintaining effective correspondence and relationships
- ensuring effective business administration
- business forecasting including business planning and growth & restructuring exercises
- achieving legal compliance and dealing with legal claims made against us
- preventing fraud
- ensuring our administrative and IT systems are secure and robust against unauthorized access.
With your consent, we collect your personal data to be able to include you on regular company e-mails and marketing correspondence.
SHARING YOUR DATA
We may share personal data with:
- Employees – where it is necessary for them to undertake their duties.
- Service Providers: Third-party vendors who provide services on our behalf (e.g., IT services, marketing, payment processing). These providers are bound by contractual obligations to protect personal data.
- Business Partners: In the context of joint offerings, co-branded services, or events.
- Legal or Regulatory Authorities: Where required by law, regulation, or court order.
- Corporate Transactions: In the event of a merger, acquisition, sale of assets, or bankruptcy.
RQM+ does not and will not sell your data or any personal data to any third party for any reason.
INTERNATIONAL DATA TRANSFERS
As a globally operating organization, RQM+ may be required to transfer personal data between the USA, EEA and UK, and also to countries outside of those jurisdictions.
RQM+ follows the EU-U.S. Data Privacy Framework (with the UK extension) and the Swiss-U.S. Data Privacy Framework, which are established by the U.S. Department of Commerce to regulate the collection, use, and storage of personal information that is transferred from the European Union (EU), United Kingdom (UK), and Switzerland to the United States, respectively.
PROTECTING YOUR DATA
We prioritize the confidentiality, integrity, and availability of your personal data. Our security measures are designed according to the NIST Cybersecurity Framework and include:
- Identify: Regular assessments of systems and assets to manage cybersecurity risks.
- Protect: Deployment of encryption, firewalls, and access controls to safeguard data.
- Detect: Continuous monitoring and anomaly detection tools to identify threats.
- Respond: Established incident response plans for data breaches.
- Recover: Comprehensive disaster recovery and business continuity plans to ensure resilience.
These measures are regularly reviewed to meet evolving threats and comply with GDPR Article 32.
HOW LONG WE KEEP YOUR DATA FOR
We retain personal data only as long as necessary to fulfill the purposes outlined in this policy or to comply with legal obligations. Retention periods are defined based on:
- Legal requirements.
- Business needs.
- Risk assessments guided by the NIST framework.
AUTOMATED DECISION MAKING
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
DATA SUBJECT RIGHTS
Data Protection Legislation gives citizens and residents in certain jurisdictions rights in relation to the data we hold. Although these rights may not be available to citizens and residents in other countries and jurisdictions where Data Protection Legislation is limited, RQM+ extends these privileges to all. These are:
- Right of Access: Obtain confirmation as to whether personal data concerning you is being processed, and receive a copy of your personal data.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data in certain circumstances.
- Right to Restrict Processing: Request restriction of processing where certain conditions apply.
- Right to Data Portability: Receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and have it transferred to another controller where technically feasible.
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on your consent, you can withdraw consent at any time.
MAKING A COMPLAINT
Data subjects with a complaint about the processing of their personal data by RQM+ (or third-party associates) or how a complaint has been handled have the right to lodge a complaint directly with the Supervisory Authority and RQM+’s DPO or delegate at [email protected]
An investigation of the complaint shall be conducted as appropriate based on the merits of the specific case. The DPO shall inform the data subject of the progress and outcome of the complaint within one calendar month. If the issue cannot be resolved through consultation between the data subject and the DPO, then the data subject may seek redress through mediation, binding arbitration, litigation, or via complaint to the Supervisory Authority within the applicable jurisdiction.
Updated April 2025