GDPR 2018 Privacy Notice
The General Data Protection Regulation (GDPR) which is EU wide and far more extensive than its predecessor the Data Protection Act, along with the Privacy and Electronic Communications Regulations (PECR), seek to protect and enhance the rights of EU data subjects. These rights cover the safeguarding of personal data, protection against the unlawful processing of personal data and the unrestricted movement of personal data within the EU and its storage within the EEA.
1 – About Andreas Petrou
Andreas Petrou, Osteopath, who provides treatments at Nuffield Health, the Klinik, Tranquility pilates in the city of London, as well as the Yoga Bar in Twickenham and his home in Wandsworth Town is pleased to provide the following information.
2 – About osteopathy
Osteopaths diagnose and treat health conditions. Treatments are carried out in accordance with the guidelines set out by the General Osteopathic Council Practice Standards, and Institute of Osteopathy’s patient charter (the practice may also provide other treatments in future, about which Andreas will be pleased to provide more details).
3 – Personal Data
a) For the purposes of providing treatment, Andeas may require detailed medical information (C1, C4, C6 of updated osteopathic practise standards). Only what is relevant and necessary for your treatment will be collected. When you visit Andreas, he will make notes which may include details concerning your medication, treatment and other issues affecting your health. This data is always held securely and is not shared with anyone not involved in your treatment.
b) To be able to process your personal data it is a condition of any treatment that you give your explicit consent to allow Andreas to document and process your personal medical data. Contact details provided by you such as telephone numbers, email addresses, postal addresses may be used to remind you of future appointments and, if ever necessary, provide reports or other information concerning your treatment.
c) Andreas will also use the contact details provided by you to respond to your enquiries, including texting and/or emailing appointment reminders. On the odd occasion, in addition to any usual social media posts which you may or may not receive, Andreas may forward information which he believes may be of interest to you.
d) In making initial contact with Andreas, you consent to maintaining a “marketing” dialogue until you either opt out (which you can do at any time) or he decides to desist in promoting his services.
e) Andreas does not broker your data and you can ask to be removed from his records by emailing, texting or phoning him using the contact details provided.
g) Andreas will only collect the information needed so that he can provide you with the services you require, he does not sell or broker your data.
4 – Legal basis
The legal basis for processing any personal data is to meet professional contractual obligations: obtained from explicit Patient Consent, and legitimate interest to respond to enquiries concerning the services provided.
5 – Consent
Through agreeing to this privacy notice you are consenting to Andreas processing your personal data for the purposes outlined. You can withdraw consent at any time using the details provided at the end of this Privacy Notice.
7 – Disclosure
Andreas will keep your personal information safe and secure. Andreas will not disclose your Personal Information unless compelled to, in order to meet legal obligations, regulations or valid governmental requests.
In the event that you are referred to another professional (GP, physiotherapist etc) your explicit and written consent will be obtained.
8 – Retention Policy
Andreas will process personal data during the duration of any treatment and will continue to store only the personal data needed for eight years after the contract has expired to meet any legal obligations. After eight years all personal data will be deleted, unless basic information needs to be retained by to meet future obligations to you, such as erasure details. Records concerning minors who have received treatment will be retained until the child has reached the age of 25.
9 – Data storage
All Data is held in the United Kingdom. Microsoft 365 and Google Drive are GDPR compliant. Andreas does not store personal data outside the EEA.
10 – Your rights
At any point whilst Andreas is in possession of, or processing your personal data, you have the following rights:
Right of access – you have the right to request a copy of the information that held about you.
Right of rectification – you have a right to correct data that is held about you that is inaccurate or incomplete.
Right to be forgotten – in certain circumstances you can ask for the data held about you to be erased from records.
Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
Right of portability – you have the right to have the data held about you transferred to another organisation, provided you consent to this explicitly.
Right to object – you have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
13 – Complaints
In the event that you wish to make a complaint about how your personal data is being processed you have the right to complain to Andreas. If you do not get a response within 30 days, you can complain to the ICO.
ICO: Wycliffe House, Water Lane, Wilmslow, SK9 5AF Telephone +44 (0) 303 123 1113 or email: https://ico.org.uk/global/contact-us/email/