Please note the bold and underlined text in section 5
Colab Services Limited ("Colabs") offers services to practitioners to facilitate their clients' access to laboratory testing and analysis. We do not conduct testing or analysis ourselves, nor do we have a direct contractual relationship with individual patients.
Colab Services Limited is a data controller. The Information Commissioner's Office requires that personal data is fairly and lawfully processed.
Contact details for Colab are:
Data Controller: Colab Services Limited
Email address: firstname.lastname@example.org
Address: PO Box 1331, Lincoln, LN5 5TP, UK
Please use these contact details should you wish to make a data subject access request, which must be done in writing. Please also use these address details in the first instance if you need to make a complaint. We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If you have a complaint regarding the use of your personal data then please contact us in writing at the postal or email address and we will try to help you.
If your complaint is not resolved to your satisfaction and you wish to make a formal complaint to the Information Commissioner’s Office (ICO), you can contact them on 01625 545745 or 0303 1231113 and on the web at www.ico.org.uk.
Information provided by you
You and others (including, if you are a patient or other test subject, the practitioner ordering tests relating to you) provide us with personal data in the following ways:
This may typically include the following information:
We may also collect, use and share aggregated or anonymised data for any purpose. Aggregated/anonymised data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.
Third Party Links
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a service we proposed to provide to you, but we will notify you if this is the case at the time.
It is important that you update us if your contact details or those of your practitioner change. This is to ensure that all personal data we hold for you is correct at all times.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email or text message, or where we specifically ask you to sign a consent form. You have the right to withdraw consent to marketing at any time by contacting us.
We may use your personal data where there is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime. We may also process special category personal data, such as information about your health, on the basis of such processing being necessary in the context of our provision to you (or your practitioner) of healthcare-related services.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan (or may in the future plan) to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Lawful basis for processing including basis of legitimate interest
Provision of medical test facilitation services
File archiving, deletion and destruction
To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. It is entirely your choice whether you consent to us providing you with direct electronic marketing – we will only do so where you have given us your consent to do so (including so called "soft opt in").
Promotional offers from us
We may use your Identity & Contact, Technical, Usage and Services Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or obtained services from us or if you provided us with your details when you entered a competition or registered for contact and, in each case, you have opted in to receiving that marketing (including via so called "soft opt in").
We will not share your personal data with any third party for their marketing purposes. However, where you have consented to the receipt of marketing from us, we may use a third party to prepare and deliver such marketing materials on our behalf.
You can ask us to stop (and to ask third parties to whom we have provided your personal data to stop) sending you marketing messages by contacting us at any time.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Every individual has the right to see, amend, delete or have a copy of data held that can identify you, with some exceptions. You do not need to give a reason to see your data.
If you want to access your data you must make a subject access request in writing to the addresses outlined above. We will require proof of ID. Under special circumstances, some information may be withheld. We shall respond within 30 days from the point of receiving the request and all necessary information from you. Our response will include the details of the personal data we hold on you including:
You have the right, subject to exemptions, to ask to:
We do not carry out any automated processing, which may lead to automated decisions based on your personal data.
If you would like to invoke any of the above rights then please contact us.
We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4 above.
We require third parties to respect the security of your personal data and to treat it in accordance with the law. We do not authorise our third-party service providers to use your personal data for their own purposes, and only authorise them to process your personal data for specified purposes and in accordance with our instructions.
MOST IF NOT ALL OF THE LABORATORIES THAT WE USE FOR TESTING ARE BASED IN THE USA, AND AS THE UK IS ALSO NOW OUTSIDE THE EUROPEAN UNION, THERE MAY BE A NEED TO PROVIDE LIMITED PERSONAL DATA ABOUT YOU TO SUCH ENTITIES. SOME OF THOSE ENTITIES MAY NOT BE SIGNATORIES TO PRIVACY SHIELD, AND SO WE CANNOT GUARANTEE THAT THEY WILL PROVIDE ADEQUATE PROTECTION OF YOUR PERSONAL DATA IN ACCORDANCE WITH EU STANDARDS. BY PLACING AN ORDER, THE PRACTITIONER IS CONFIRMING TO US THAT THEY HAVE DISCUSSED THIS ISSUE WITH YOU, AND YOU ARE HAPPY TO PROCEED WITH THE TESTING ON THAT BASIS.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. All records held by us will be kept for the duration of our involvement with you and a further period of 7 years (to allow for any claims to be made).