GENERAL DATA PROTECTION REGULATIONS – PRIVACY NOTICE – FOOT HEALTH CLIENTS

Under the General Data Protection Regulations (GDPR), Plymouth Foot Care (as Data Controller) is required to inform all customers (the Data Subjects) of our contact details, all types and sources of customer data that we keep, the purpose and legal basis for keeping that data, how long we keep it, who it is shared with and whether it is transferred to another country.

The GDPR also gives customers (Data Subjects) certain rights, including the right to be informed, the right of access, rectification, erasure, the right to restrict processing, data portability and the right to object, along with rights regarding automated profiling.
Name and Contact Details of our Organisation and Representative
L Griffiths Plymouth Foot Care, Sophie Gees, 128 Cornwall Street, Plymouth PL1 1NJ
Tel: 07807 20461
Email: firstname.lastname@example.org
Website: www.plymouthfootcare.co.uk

The Categories of Personal Data Obtained
CUSTOMER DATA - Name, address, telephone number, email address, date of birth, GP name and surgery, medical history, treatment notes and appointment dates and times.

The Purpose of Processing
To safely and effectively provide foot health care treatments between Plymouth Foot Care and the customer.
The Lawful Basis of Processing
Medical information is considered Special Category Data and as such requires two separate lawful bases of processing:

Article 6(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Article 9(a) Consent: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.
The Source of the Personal Data
Data is provided by the data subject.

Who the Data is Shared with
- Employees and admin personnel
- The customer’s GP or other medical professional
- FHP associates in the clinic

The Details of Transfers of the Personal Data to any Third Countries or International Organisations
Emails and other information may be kept on Google servers outside of the EU and UK in accordance with the GDPR. Please see https://privacy.google.com/businesses/compliance

The Retention Periods for the Personal Data
All personal data will be retained for 7 years after the customer’s last appointment or, in the case of minors, at least until the age of 25. This is for protection in case of the establishment, exercise or defence of legal claims.
Data Breaches
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. We must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also inform the individuals affected without undue delay. We will keep a record of any personal data breaches, regardless of whether we are required to notify.

Right of Access
Individuals (data subjects) have the right to access their personal data and supplementary information. We are required to provide you with a copy within one month. If you would like to access your personal data, please request this in writing.

Right of Rectification
Individuals have the right to request that inaccurate personal data is rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing.
Right of Erasure
Individuals have the right of erasure. However, all personal data will be retained for 7 years after the customer’s last appointment or, in the case of minors, at least until the age of 25. This is for protection in case of the establishment, exercise or defence of legal claims. We may nevertheless be able to erase minimal data such as phone number and email address. If you would like to request erasure of your personal data, please do so in writing.

Right to Data Portability
Individuals have the right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one environment to another in a safe and secure way, without hindrance to usability. Should you wish to request this, please do so in writing. The data will be provided within one month.
Right to Object
Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics. We do not process your data in any of these ways.

Rights Relating to Automated Decision Making including Profiling
Automated profiling involves automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process. No automated profiling is undertaken by ourselves.
The Right to Withdraw Consent
Individuals have the right to withdraw consent. However, if consent is withdrawn we will be unable to perform any further treatments. Additionally, all personal data will be retained for 7 years after the customer’s last appointment or, in the case of minors, at least until the age of 25. This is for protection in case of the establishment, exercise or defence of legal claims. We may nevertheless be able to erase minimal data such as phone number and email address. Please contact us in writing if you wish to request the withdrawal of consent.

The Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. If you have a concern about the way we are handling your personal information, you may contact the Information Commissioner’s Office and report your concerns. This can be done online at https://ico.org.uk/concerns/handling/ or by telephoning the ICO on 0303 123 1113.