Data Subject Rights

Your Global Data Rights

Jurisdiction-specific data rights for US (HIPAA), California (CCPA/CPRA), UAE (PDPL), and India (DPDPA) - and how to exercise them.

01

Select Your Jurisdiction

Select your jurisdiction to view your specific data rights and how to exercise them.

HIPAA Notice of Privacy Practices

This tab applies to US residents whose Protected Health Information (PHI) is handled by BioHealthcare Group or its covered entity brands.

Your HIPAA Rights

  • Right to Access - Request a copy of your medical records and PHI within 30 days
  • Right to Amend - Request correction of inaccurate or incomplete PHI
  • Right to Accounting - Request a list of disclosures made in the past 6 years
  • Right to Restrict - Request restrictions on how we use or disclose your PHI
  • Right to Confidential Communications - Request communications by alternative means
  • Right to Notification - Be notified following a breach of your unsecured PHI

Permitted Uses of PHI: Treatment, payment, healthcare operations, and as required by law. All other uses require your written authorisation, which you may revoke at any time.

Breach Notification: We notify you within 60 days of discovering a breach of your unsecured PHI, and report to HHS within 60 days.

To exercise rights or file a complaint: hipaa@biohealthcare.group or HHS OCR at hhs.gov/hipaa/filing-a-complaint. We will not retaliate for filing a complaint.

CCPA / CPRA - California Residents

This tab applies to California residents only under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Right | Description | Timeframe
Right to Know | Request the categories and specific pieces of personal information collected about you in the past 12 months | 45 days
Right to Delete | Request deletion of personal information, subject to legal exceptions | 45 days
Right to Correct | Request correction of inaccurate personal information | 45 days
Right to Opt-Out | Opt out of sale/sharing of personal information for cross-context behavioural advertising | Immediate
Right to Limit | Limit use of Sensitive Personal Information to what is necessary | Immediate
Right to Portability | Receive data in a portable, machine-readable format | 45 days
Non-Discrimination | We will not discriminate against you for exercising CCPA/CPRA rights | N/A

Do Not Sell or Share

We do not sell personal information for money. Certain analytics and advertising cookie sharing may constitute "sharing" under CPRA. Opt out via our Cookie Preference Centre or by emailing us.

To exercise rights: Email privacy@biohealthcare.group with subject "California Privacy Request". We will verify your identity before processing. Authorised agents must provide written authorisation.

Escalate to: California Privacy Protection Agency at cppa.ca.gov

UAE Personal Data Protection Law - Federal Decree Law No. 45 of 2021

This tab applies to individuals in the UAE. Where data is processed within DIFC, the DIFC Data Protection Law 2020 applies. Within ADGM, the ADGM Data Protection Regulations 2021 apply.

Right | Description | Timeframe
Right of Access | Request a copy of personal data we hold about you | 30 days
Right to Rectification | Request correction of inaccurate or incomplete data | 30 days
Right to Erasure | Request deletion where data is no longer necessary | 30 days
Right to Restriction | Request restriction of processing in certain circumstances | 30 days
Right to Object | Object to processing based on legitimate interests | 30 days
Right to Portability | Receive data in machine-readable format | 30 days
Withdraw Consent | Withdraw consent at any time - effective immediately | Immediate

Health Data: Classified as Sensitive Personal Data under UAE PDPL. Only processed with your explicit consent. Subject to UAE data localisation requirements - stored on UAE-based servers where required by MOHAP, DHA, or SEHA.

To exercise rights: Email privacy@biohealthcare.group

Escalate to: UAE Data Office at uaedataoffice.ae or DIFC Commissioner of Data Protection (for DIFC-processed data)

India Digital Personal Data Protection Act 2023 (DPDPA)

This tab applies to individuals in India. It also reflects applicable obligations under the Information Technology Act 2000 and IT (Intermediary Guidelines) Rules 2021.

Right | Description | Timeframe
Right to Access Information | Request a summary of personal data being processed and the processing activities | 30 days
Right to Correction | Request correction of inaccurate, incomplete, or outdated personal data | 30 days
Right to Erasure | Request erasure of data no longer necessary for its stated purpose, or where consent withdrawn | 30 days
Right to Grievance Redressal | Lodge a complaint with our Grievance Officer; escalate to Data Protection Board if unresolved | 30 days initial response
Right to Nominate | Nominate another person to exercise your rights in the event of your death or incapacity | N/A

Consent: We collect your personal data only with free, specific, informed, and unambiguous consent through a clear affirmative action. You may withdraw consent at any time.

Children: Users under 18 require verifiable parental consent. We do not track, profile, or target advertising at children.

Grievance Officer (IT Rules 2021):
Email: grievance@biohealthcare.group - Response within 30 days
If unresolved, escalate to the Data Protection Board of India once established.

02

Rights All Jurisdictions Share

Regardless of your location, all individuals interacting with BioHealthcare Group have these baseline rights:

  • Receive clear, transparent information about how we use your data before we collect it
  • Withdraw consent at any time without detriment to other services
  • Contact our Data Protection Officer with questions or concerns
  • Receive a response to data enquiries within 30-45 days (depending on jurisdiction)
  • Lodge a complaint with your local supervisory authority
  • Have health and biometric data processed only with explicit consent
  • Not have your data sold for commercial purposes

03

Your Rights & International Transfers

BioHealthcare Group processes data across five jurisdictions. When your data is transferred internationally, we ensure it is protected by appropriate legal safeguards:

Transfer Route | Safeguard Mechanism
UK → EU / EEA | UK adequacy decision or IDTA (International Data Transfer Agreement)
EU → UK | EU adequacy decision
UK / EU → USA | Standard Contractual Clauses (SCCs) + Transfer Impact Assessments
UK / EU → UAE | SCCs / equivalent contractual safeguards + UAE PDPL compliance
UK / EU → India | SCCs / equivalent safeguards + DPDPA compliant transfer mechanisms
USA → All | HIPAA BAAs where PHI involved; SCCs for non-PHI transfers

04

Contact & Escalation

Role / Authority | Contact / Link
Data Protection Officer (Global) | privacy@biohealthcare.group
HIPAA Privacy Officer (USA) | hipaa@biohealthcare.group
California Privacy Requests | privacy@biohealthcare.group - Subject: "California Privacy Request"
Grievance Officer (India - IT Rules 2021) | grievance@biohealthcare.group
UK ICO | ico.org.uk - 0303 123 1113
HHS OCR (USA - HIPAA) | hhs.gov/hipaa
California Privacy Protection Agency | cppa.ca.gov
UAE Data Office | uaedataoffice.ae
Data Protection Board of India | To be established under DPDPA 2023

Questions about Your Data Rights?

Contact our Data Protection Officer or the relevant Grievance Officer for your jurisdiction. We respond within 30 days.