Privacy Policy

Greenstaff Medical K.K.

Privacy Policy

Greenstaff Medical Co., Ltd. (hereinafter “we”) operates Greenstaff Life Sciences. This Privacy Policy (hereinafter “this Policy”) explains how we handle users’ personal information in the services (hereinafter “the Services”) provided on this website.

We are the Japanese entity of ICG Medical Group (“ICG”). This Policy follows ICG’s global data‑protection standards and complies with both those standards and applicable Japanese law.

This Policy applies to all ICG brands and operations in the following countries and regions:
United Kingdom, Ireland, United States, Canada, Mexico, South Africa, India, China, Japan, Australia, Philippines

The Policy covers all individuals who interact with ICG – candidates, clients, suppliers and users of ICG websites or apps. For rules specific to Japan, see Clause 15 “Japan‑specific data‑protection measures”.

Clause 1 (About Us)

ICG Medical Group is a global healthcare workforce provider. Although each brand may act as its own data controller, this Policy sets group‑wide privacy standards.

Head office address:
Suite 1, Wrest Park Business Centre
Capability House, Wrest Park, Silsoe
Bedfordshire MK45 4HR, United Kingdom

Clause 2 (Scope of this Policy)

This Policy applies when:

  • you use our websites or apps
  • you apply for or show interest in roles
  • you contact us by email, phone or in person
  • you are referred to us by a third party (with your consent)
  • you deal with us as a supplier, contractor or client

Third‑party services linked from our sites are outside the scope of this Policy.

Clause 3 (Types of Personal Data We Collect)

Depending on how you interact with us, we may collect:

  • Identity & Contact data: name, address, email, phone, etc.
  • Professional data: CV, qualifications, references, work history
  • Compliance data: ID checks, background screening, licences, health data
  • Account data: usernames, passwords, log information
  • Financial data: payment details, tax data
  • Behavioural & Technical data: IP address, device info, usage data
  • Sensitive data: health or criminal‑record data (where lawful and necessary)

Clause 4 (How We Collect Personal Data)

We collect personal data:

  • Directly from you: via applications, forms, surveys or direct contact
  • Automatically: through cookies or analytics on our websites or apps
  • From third parties: background‑check services, referees, regulators
  • By referral: from others with your prior consent

Clause 5 (Cookies and Tracking Technologies)

We use cookies to:

  • enable site functionality
  • analyse user behaviour
  • customise user experience
  • deliver targeted advertising

You can manage or disable cookies in your browser or via our cookie‑consent tool. See our Cookie Policy for details.

Clause 6 (Purposes and Legal Bases for Processing)

We process personal data for the purposes and legal bases below:

PurposeData categoryLegal basis
User verification and onboardingIdentity, ComplianceContract performance
Regulatory and credential checksComplianceLegal obligation / Legitimate interest
Contract management and paymentFinancial, ContactContract performance / Legal obligation
Service improvement and analyticsTechnical, UsageLegitimate interest
Marketing and communicationsContactConsent / Legitimate interest
Legal reporting or fraud preventionAnyLegal obligation / Vital interest / Legitimate interest

You may withdraw consent at any time.

Clause 7 (Provision of Personal Data to Third Parties)

We do not provide personal data to third parties without your consent except:

  • within ICG Group for related services
  • to processors (payroll, IT, compliance providers)
  • to clients as required for service delivery
  • to regulators, auditors and legal advisers
  • where required by law or in connection with business transfers

All sharing is subject to appropriate contractual safeguards.

Clause 8 (International Transfers of Personal Data)

We may transfer personal data abroad. Safeguards include:

  • UK/EU adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Government‑approved protections in countries such as China or India

Clause 9 (Data Retention)

We retain personal data only for:

  • contractual or legal requirements
  • operational support or audits
  • service improvement (in anonymised form)

After the retention period, data are securely deleted or anonymised.

Clause 10 (Data Security)

We implement ISO/IEC 27001‑aligned measures including:

  • encryption
  • role‑based access control
  • intrusion detection and monitoring
  • staff security training
  • incident‑response protocols

Clause 11 (Rights of Data Subjects)

Depending on your location, you may exercise the following rights:

  • access
  • correction
  • erasure
  • restriction of processing
  • objection (including profiling)
  • data portability
  • withdraw consent
  • lodge a complaint with a supervisory authority

To exercise these rights, contact DPO@icgmedical.co.uk.

Clause 12 (Marketing Preferences)

You can opt out of marketing by:

  • clicking “unsubscribe” in our emails
  • contacting us directly
  • changing settings in your account

We never sell personal data.

Clause 13 (Changes to this Policy)

We may update this Policy from time to time. Significant changes will be announced on our website.

Clause 14 (Contact Information)

For enquiries about this Policy:

  • Japan entity: Greenstaff Medical Co., Ltd.
  • Address: 8F Kintetsu Toranomon Building, 3‑8‑25 Toranomon, Minato‑ku, Tokyo 105‑0001
  • Email: info-gsls@greenstafflifesciences.com

Global data‑protection enquiries:

  • Group Data Protection Officer (DPO)
  • Email: DPO@icgmedical.co.uk
  • Address: Suite 1, Wrest Park Business Centre, Capability House, Wrest Park, Silsoe, Bedfordshire MK45 4HR, United Kingdom

Clause 15 (Japan‑specific Data‑Protection Measures)

In Japan we comply with the amended Act on the Protection of Personal Information (APPI) through:

1. Use of Personal Data in AI Training

We may use pseudonymised data for AI model training only when:

  • individuals cannot reasonably be identified
  • the purpose is stated transparently in this Policy
  • an opt‑out mechanism is provided

2. Protection of Biometric and Children’s Data

  • Explicit opt‑in consent is obtained
  • Individuals (or parents) may request suspension of use at any time
  • Risk assessments precede biometric system rollout

3. Breach‑Notification Rules

Certified operators notify the Personal Information Protection Commission (PPC) within 30–60 days, while non‑certified operators notify within five days.

4. Record‑Keeping

We maintain records of all processing activities, including third‑party transfers, under APPI Article 29‑4.

5. Joint Use and Third‑Party Provision

When jointly using data, we disclose scope, purpose, and the party responsible for management, and honour requests for disclosure or cessation.