Last Updated: October 23, 2025
Purpose
Aisthesis Medical Ltd (“Aisthesis”, “we”, “our”, or “us”) is committed to protecting the privacy and security of your personal information.
This privacy notice explains how we collect, use, and protect your personal information during and after your employment with us, in accordance with applicable Data Protection Legislation.
“Data Protection Legislation” means the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Where data is processed by a controller or processor in the European Union (EU)—or relates to individuals within the EU—it also includes the EU General Data Protection Regulation (EU GDPR). This definition covers any subsequent or replacement legislation.
Please read this notice alongside any other privacy notices we may provide to fully understand how and why we use your personal information.
Data Controller
Aisthesis Medical Ltd is the data controller for your personal data. This means we decide how and why your personal information is collected, stored, and used. We are responsible for ensuring your data is handled in compliance with data protection laws.
Aisthesis Medical Ltd is registered with the Information Commissioner’s Office (ICO) under registration number ZB957443.
We have appointed a Data Protection Officer (DPO) to oversee compliance, advise on data protection obligations, and serve as a point of contact for employees, contractors, and the ICO.
📧 Email: dpo@aisthesismedical.com
Scope
This notice applies to all current and former employees, workers, and contractors of Aisthesis Medical Ltd.
It does not form part of any employment contract or other agreement. We reserve the right to update this notice at any time and will notify employees of material changes.
Specific activities—such as clinical research, product testing, or regulatory submissions—may be covered by separate privacy notices. Where applicable, those notices take precedence.
Data Protection Principles
Aisthesis processes all personal data in accordance with the principles established under the UK and EU GDPR.
Personal information must be:
- Used lawfully, fairly, and transparently;
- Collected only for valid, specific purposes that we have clearly communicated and not used in incompatible ways;
- Relevant and limited to what is necessary;
- Accurate and kept up to date;
- Retained only as long as necessary to fulfil the purposes for which it was collected; and
- Kept secure using appropriate technical and organisational measures to protect against unauthorised access, alteration, or loss.
The Information We Hold About You
“Personal data” or “personal information” means any information about an identifiable individual. It does not include anonymous data where the identity has been removed.
Some personal data falls into “special categories” that are more sensitive and require higher levels of protection under data protection law.
We may collect, store, and use the following categories of personal information about you. Not all categories apply to all staff—some may apply only to employees rather than consultants or contractors.
Personal and Employment Information
- Full name, title, and contact details (home address, telephone number, and personal email address)
- Date of birth
- Gender and preferred pronouns
- Nationality and citizenship
- Marital status and dependants
- Emergency contact information
- National Insurance number or other government-issued identifiers
- Bank account details, payroll records, and tax information
- Salary, pension, and benefits details
- Working hours and annual leave records
- Start date and employment location
- Job title, role description, and department
- Copy of insurance certificate or driving licence (if required for company business)
- Recruitment information (including right-to-work documentation, references, and application materials such as CVs and cover letters)
- Copy of passport or other identity document
- Education, professional qualifications, and training history
- Employment records (including work history and professional memberships)
- Compensation and bonus history
- Performance and appraisal records
- Disciplinary or grievance records
- Official correspondence such as employment verification letters
- Photographs (e.g., for ID badges or company materials)
- Information about your use of company IT systems, email, and communication tools (to ensure security and compliance)
Special Categories of Personal Data
We may also collect, store, and use more sensitive information, including:
- Information about your health, including medical conditions, sickness records, or occupational health reports
- Information about disability or adjustments needed to support you at work
- Information about your racial or ethnic origin, religious or philosophical beliefs, or sexual orientation (where you choose to provide this, e.g., for equal opportunity monitoring)
- Details of criminal convictions or offences, where legally required or relevant to your role
We process this data only where necessary and with appropriate safeguards, in line with data protection and employment law.
How Is Your Personal Information Collected?
We collect personal information about employees, workers, and contractors from several sources at different stages of the working relationship:
- During recruitment: From you, recruitment agencies, and background checks.
- During onboarding: For payroll, benefits, and compliance (e.g., proof of identity, tax details).
- Throughout employment: From job-related activities, such as training, performance, and development.
- From third parties: Such as external service providers, government bodies, or background check agencies.
All personal information is collected in accordance with this notice and used only for legitimate business, contractual, or legal purposes.
How We Use Your Personal Information
Aisthesis Medical Ltd processes your personal information only when lawful and for legitimate business, contractual, and regulatory purposes.
We may process your personal data in the following situations:
- Determining the terms and conditions of your employment or engagement
- Verifying your right to work
- Administering payroll and benefits (salary, bonuses, tax, etc.)
- Managing employment-related benefits (pension, insurance, medical coverage, share options, etc.)
- Performing our employment or contractor agreement
- Supporting business operations, budgeting, and auditing
- Managing conference participation, publications, or IP filings
- Conducting performance reviews and setting goals
- Deciding salary reviews, promotions, or bonuses
- Managing disciplinary or grievance processes
- Handling termination or redundancy
- Managing training and development
- Handling legal disputes or workplace incidents
- Assessing fitness to work and health and safety obligations
- Detecting fraud or misuse of company assets
- Monitoring IT systems for compliance
- Protecting network security
- Supporting corporate communications (with consent where required)
- Conducting internal analytics
- Supporting testing and validation of Aisthesis applications (with anonymised data)
All processing is carried out in accordance with data protection law and internal policies.
If You Fail to Provide Personal Information
If you do not provide certain information when requested, we may be unable to:
- Fulfil our contractual obligations (e.g., pay or provide benefits), or
- Meet legal or regulatory requirements (e.g., right-to-work checks).
We will inform you if this affects your employment or engagement.
Change of Purpose
We only use your information for the purpose for which it was collected unless a new, compatible purpose arises.
If we need to use your information for a new purpose, we’ll notify you and explain the legal basis.
In rare cases, we may process data without your consent if required by law or court order.
How We Use Particularly Sensitive Personal Information
We process special category data only when legally justified, such as:
- With explicit written consent (where required)
- To comply with legal obligations
- For public interest reasons (e.g., equal opportunities)
- To assess occupational health
- For limited product or research testing with anonymised or controlled data
Less commonly, we may process such data to:
- Handle legal claims
- Protect vital interests when consent isn’t possible
- Use publicly available information
Our Obligations as an Employer
We may use sensitive data to:
- Manage leaves of absence
- Assess health, safety, and fitness to work
- Implement workplace adjustments
- Monitor sickness absence
- Comply with legal and regulatory duties
All processing complies with our Data Protection Policy and confidentiality standards.
Do We Need Your Consent?
We generally do not require consent to process personal information when doing so lawfully and under written policy.
If consent is required, we’ll explain clearly what it covers and how it will be used.
You are not obliged to give consent, and refusal will not affect your employment rights.
Information About Criminal Convictions
We only process criminal conviction data when necessary and lawful—for example, where required for specific roles or regulatory purposes.
Any such data will be stored securely, handled confidentially, and deleted when no longer required.
Automated Decision-Making
Aisthesis Medical Ltd does not currently use automated decision-making for employees, workers, or contractors.
If this changes, we will notify you and explain your rights.
Data Sharing
We may share data with third parties, including trusted service providers and other Aisthesis entities.
All third parties must:
- Use data only under our instruction
- Maintain confidentiality
- Apply appropriate safeguards
Transfers outside the UK or EU will have equivalent protection (e.g., SCCs, IDTAs, or BCRs).
Why We Might Share Your Personal Information
We share personal data when:
- Required by law or regulation
- Necessary for employment administration (e.g., payroll, IT systems)
- Justified by a legitimate business interest
Third-Party Service Providers
Examples include:
- HR, payroll, and benefits providers
- Pension and insurance services
- IT, cybersecurity, and hosting providers
- Travel and expense management systems
- Professional advisors (legal, accounting, audit)
- Regulatory and compliance partners
All are bound by confidentiality and data protection clauses.
Other Third Parties
We may disclose information in specific circumstances, including:
- Business mergers or acquisitions
- Legal or regulatory requirements
- Requests from authorities such as the ICO or HMRC
Transferring Information Outside the UK and EU
Where data is transferred outside the UK/EU, we ensure adequate protection using:
- Standard Contractual Clauses (SCCs) or UK IDTAs
- Binding Corporate Rules (BCRs)
- Other legally recognised safeguards
Data Security
We apply strong technical and organisational measures to safeguard your data, including:
- Role-based access controls
- Encryption and network firewalls
- Regular security training
- Multi-factor authentication
- Data audits and monitoring
All staff and contractors are bound by confidentiality and security policies.
If a data breach occurs, we will act immediately and notify affected individuals and authorities when required.
Data Retention
We retain personal data only as long as necessary for the purpose collected and to meet legal or regulatory obligations.
Retention periods are defined in our Data Retention Policy (available via HR).
After your employment or engagement ends, we securely delete or anonymise your data.
Your Rights: Access, Correction, Erasure, and Restriction
Your Duty to Keep Us Informed
You must keep your personal information accurate and up to date. Notify HR of any changes.
Your Rights
You have rights under UK/EU data protection law, including to:
- Access your data
- Correct inaccuracies
- Erase data where appropriate
- Object to certain processing
- Restrict processing
- Transfer your data (data portability)
To exercise your rights, contact our DPO.
No Fee Usually Required
Requests are free of charge unless manifestly unfounded, repetitive, or excessive.
Verification
We may require proof of identity before fulfilling your request.
Right to Withdraw Consent
Where consent applies, you may withdraw it at any time by contacting the DPO.
We will then stop processing your information unless another lawful basis applies.
Changes to This Privacy Notice
We may update this notice periodically.
Significant changes will be communicated through internal HR systems.
Contact Us
📧 Email: dpo@aisthesismedical.com
📮 Address:
Aisthesis Medical Ltd
London, SE1 7LL
United Kingdom
If you have concerns, you may also contact the Information Commissioner’s Office (ICO):
🔗 https://ico.org.uk/global/contact-us/
We encourage you to raise any issues with us first so we can resolve them promptly and fairly.
Thank you for reading this Employee Privacy Notice.