This notice applies to client’s/patient’s, website users and suppliers.
A) DATA PROTECTION PRINCIPLES
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
a) processing is fair, lawful and transparent
b) data is collected for specific, explicit, and legitimate purposes
c) data collected is adequate, relevant and limited to what is necessary for the purposes of processing
d) data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
e) data is not kept for longer than is necessary for its given purpose
f) data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
g) we comply with the relevant GDPR procedures for international transferring of personal data
B) TYPES OF DATA HELD
We keep several categories of personal data on our clients, website users and suppliers in order to carry out effective and efficient processes. We keep this data within our computer systems.
Specifically, we hold the following types of data, as appropriate to your status:
a) personal details such as name, age/date of birth.
b) contact details such as address, email and phone numbers
c) name and contact details of your next of kin
e) your gender, marital status, information of any disability you have or other medical information
f) diversity information including racial or ethnic origin
g) information gathered from forms you have filled in for your treatment consent
h) CCTV footage
i) building access card records
j) IT equipment use including telephones and internet access
k) IP address
*Please note that the above list of categories of personal data we may collect is not exhaustive.
C) COLLECTING YOUR DATA
You provide several pieces of data to us directly such as:
Information that you provide by filling in forms on our site pfeffersal.com (“our site”) or in clinic either directly by phone or email.
Directly through suppliers by phone or email.
In some cases, we will collect data about you from third parties, such as agencies or credit reference agencies.
Personal data is kept in files or within the Company’s IT systems.
IP addresses and cookies
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users’ browsing actions and patterns and does not identify any individual.
For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer.
Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our site and to deliver a better and more personalised service. They enable us:
- To estimate our audience size and usage pattern
- To store information about your preferences, and so allow us to customise our site according to your individual interests
- To speed up your searches
- To recognise you when you return to our site
D) HOW YOUR DATA IS USED
We use information held about you in the following ways:
- To ensure that content from our site is presented in the most effective manner for you and for your computer.
- To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
- To carry out our obligations arising from any contracts entered into between you and us.
- To allow you to participate in interactive features of our service, when you choose to do so.
- To notify you about changes to our service.
- If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale to you.
- If you are a new customer, we will contact you by electronic means only if you have consented to this.
- If you do not want us to use your data in this way please tick the relevant box situated on the form on which we collect your data.
*Please note that this list is not exhaustive.
E) WHERE WE STORE YOUR DATA
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.
Once we have received your information, we use strict procedures and security features to try to prevent unauthorised access.
F) LAWFUL BASIS FOR PROCESSING
The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement or in order to effectively manage the service we have with you.
G) SPECIAL CATEGORIES OF DATA
Special categories of data are data relating to your:
b) sex life
c) sexual orientation
e) ethnic origin
g) genetic and biometric data.
We carry out processing activities using special category data:
a) for the purposes of bespoke treatment services
b) in our treatment protocols and procedures
c) to determine reasonable adjustments
Most commonly, we will process special categories of data when the following applies:
a) you have given explicit consent to the processing
b) we must process the data in order to carry out our legal obligations
c) we must process data for reasons of substantial public interest
d) you have already made the data public.
H) FAILURE TO PROVIDE DATA
Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a service or contract with you. This could include being unable to offer you the service or administer treatments and advice.
I) WHO WE SHARE YOUR DATA WITH
Employees within our company who have responsibility for delivering treatments, administration of payment and bookings and the carrying out performance related procedures will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processing in line with GDPR.
Data is shared with third parties for the following reasons: for the administration of payments, bookings, the fulfilment of orders or services and marketing.
We may also share your data with third parties as part of a company sale or restructure, or for other reasons to comply with a legal obligation upon us. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
We do not share your data with bodies outside of the European Economic Area.
J) PROTECTING YOUR DATA
We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.
If you suspect any misuse or loss of or unauthorised access to your personal information, please let us know immediately.
K) RETENTION PERIODS
We only keep your data for as long as we need it for. Some data retention periods are set by the law. Retention periods can vary depending on why we need your data, as set out below:
Enquiries - expressed interest only
For clients who have enquired with us and expressed an interest in our services, we will delete your personal data from our systems if we have had no contact with you for a period of a year.
Consultations attended only
For clients who have had a consultation only, we will delete your personal data from our systems if the last consultation date is over 2 years and we have had no contact with you for a period of a year.
Treatments or services undertaken/goods purchased
For clients who have had a procedure with us we will delete your personal data from our systems if the last date of the appointment or payment is over 8 years and we have had no contact with you for a period of a year.
L) AUTOMATED DECISION MAKING
Automated decision-making means making decisions about you using no human involvement e.g. using computerised filtering equipment. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.
N) THE RIGHT OF ACCESS
You have the right to access your personal data which is held by us. You can find out more about how to request access to your data by reading our Subject Access Request below.
O) THE RIGHT TO ‘CORRECTION’
If you discover that the data, we hold about you is incorrect or incomplete, you have the right to have the data corrected. If you wish to have your data corrected, you should contact us.
Usually, we will comply with a request to rectify data within one month unless the request is particularly complex in which case we may write to you to inform you we require an extension to the normal timescale. The maximum extension period is two months.
You will be informed if we decide not to take any action as a result of the request. In these circumstances, you are able to complain to the Information Commissioner and have access to a judicial remedy.
Third parties to whom the data was disclosed will be informed of the rectification.
P) THE RIGHT OF ‘ERASURE’
In certain circumstances, we are required to delete the data we hold on you. Those circumstances are:
a) where it is no longer necessary for us to keep the data;
b) where we relied on your consent to process the data and you subsequently withdraw that consent. Where this happens, we will consider whether another legal basis applies to our continued use of your data;
c) where you object to the processing (see below) and the Company has no overriding legitimate interest to continue the processing;
d) where we have unlawfully processed your data;
e) where we are required by law to erase the data.
If you wish to make a request for data deletion, you should contact us.
We will consider each request individually, however, you must be aware that processing may continue under one of the permissible reasons. Where this happens, you will be informed of the continued use of your data and the reason for this.
Third parties to whom the data was disclosed will be informed of the erasure where possible unless to do so will cause a disproportionate effect on us.
Q) THE RIGHT OF ‘RESTRICTION’
You have the right to restrict the processing of your data in certain circumstances.
We will be required to restrict the processing of your personal data in the following circumstances:
a) where you tell us that the data we hold on you is not accurate. Where this is the case, we will stop processing the data until we have taken steps to ensure that the data is accurate;
b) where the data is processed for the performance of a public interest task or because of our legitimate interests and you have objected to the processing of data. In these circumstances, the processing may be restricted whilst we consider whether our legitimate interests mean it is appropriate to continue to process it;
c) when the data has been processed unlawfully;
d) where we no longer need to process the data but you need the data in relation to a legal claim.
If you wish to make a request for data restriction, you should contact us.
Where data processing is restricted, we will continue to hold the data but will not process it unless you consent to the processing or processing is required in relation to a legal claim.
Where the data to be restricted has been shared with third parties, we will inform those third parties of the restriction where possible unless to do so will cause a disproportionate effect on us.
You will be informed before any restriction is lifted.
R) THE RIGHT TO DATA ‘PORTABILITY’
You have the right to obtain the data that we process on you and transfer it to another party. Where our technology permits, we will transfer the data directly to the other party.
Data which may be transferred is data which:
a) you have provided to us; and
b) is processed because you have provided your consent or because it is needed to perform the contract between us; and
c) is processed by automated means.
If you wish to exercise this right, please contact us.
We will respond to a portability request without undue delay, and within one month at the latest unless the request is complex or we receive a number of requests in which case we may write to you to inform you that we require an extension and reasons for this. The maximum extension period is two months.
We will not charge you for access to your data for this purpose.
You will be informed if we decide not to take any action as a result of the request, for example, because the data you wish to transfer does not meet the above criteria. In these circumstances, you are able to complain to the Information Commissioner and have access to a judicial remedy.
The right to data portability relates only to data defined as above. You should be aware that this differs from the data which is accessible via a Subject Access Request.
S) THE RIGHT TO ‘OBJECT’
You have a right to require us to stop processing your data; this is known as data objection.
You may object to processing where it is carried out:
a) in relation to the Company’s legitimate interests;
b) for the performance of a task in the public interest;
c) in the exercise of official authority; or
d) for profiling purposes.
If you wish to object, you should do so by contacting us.
In some circumstances, we will continue to process the data you have objected to. This may occur when:
a) we can demonstrate compelling legitimate reasons for the processing which are believed to be more important than your rights; or
b) the processing is required in relation to legal claims made by, or against, us.
If the response to your request is that we will take no action, you will be informed of the reasons.
T) MAKING A SUBJECT ACCESS REQUEST
Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing.
Requests that are made directly by you should be accompanied by evidence of your identity. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request.
Requests made in relation to your data from a third party should be accompanied by evidence that the third party is able to act on your behalf. If this is not provided, we may contact the third party to ask that such evidence be forwarded before we comply with the request.
Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.
We will normally comply with your request at no cost. However, if the request is manifestly unfounded or excessive, or if it is repetitive, we may contact you requesting a fee. This fee must be paid in order for us to comply with the request. The fee will be determined at the relevant time and will be set at a level which is reasonable in the circumstances.
In addition, we may also charge a reasonable fee if you request further copies of the same information.
INFORMATION YOU WILL RECEIVE
When you make a subject access request, you will be informed of:
a) whether or not your data is processed and the reasons for the processing of your data;
b) the categories of personal data concerning you;
c) where your data has been collected from if it was not collected from you;
d) anyone who your personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security;
e) how long your data is kept for (or how that period is decided);
f) your rights in relation to data rectification, erasure, restriction of and objection to processing;
g) your right to complain to the Information Commissioner if you are of the opinion that your rights have been infringed;
h) the reasoning behind any automated decisions taken about you.
CIRCUMSTANCES IN WHICH YOUR REQUEST MAY BE REFUSED
We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.
We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and an explanation of the reason will be provided.
U) PERSONAL DATA BREACH
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.
In accordance with the GDPR, we will undertake to notify the individual whose data is the subject of a breach if there is a high risk to people’s rights and freedoms. A high risk may be, for example, where there is an immediate threat of identity theft, or if special categories of data are disclosed online.
This notification will be made without undue delay and may, dependent on the circumstances, be made before the supervisory authority is notified.
The following information will be provided when a breach is notified to the affected individuals:
a) a description of the nature of the breach
b) the name and contact details of the (delete as appropriate - data protection officer/ appointed compliance officer) where more information can be obtained
c) a description of the likely consequences of the personal data breach and
d) a description of the measures taken or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
V) MAKING A COMPLAINT
If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
W) DATA PROTECTION COMPLIANCE
Our Data Protection Officer can be contacted on:
Pfeffer Sal Ltd
106 Cleveland Street
W1T 6BY, London
© 2019 PfefferSal