PRIVACY POLICY

This is the Privacy Notice for NP Massage Therapies

 

The purpose of this notice is to inform you about how and why your personal data is used so that we are as transparent as we possibly can, and to ensure that you are aware of your rights under UK data protection legislation (UK GDPR, Data Protection Act 2018).

 

The Company

NP Massage Therapies is registered with the Information Commissioners Office under number ZA358870. We are a data controller for the personal data we collect from you.

 

Our postal address is 1st Floor, Suite 3, Osprey House, 16 – 18 Worthing road, Horsham, RH12 1SL. You can contact us at the naomi@npmassagetherapies.co.uk or on 07825045420.

 

The purpose for processing your data and our basis for doing so.

We process personal data so we can provide tailored clinical massage therapy services to clients and engage with prospective clients.

 

When processing your data, we must establish our legal basis for doing so and the legal basis can be different depending on circumstances in which we process it. In this document, you will see references to the basis of processing e.g.,”(Article. 6.1.f)” are a reference to the specific article of the UK General Data Protection Regulation under which we conduct the processing in question.

 

If you are a client, we will hold the following information about you:

· Your full name.

· Your postal address.

· Your email address.

· Your contact telephone number(s)

· Emergency contact details.

· Your data of birth.

· Gender.

· Your General Practitioner’s name and surgery address.

· Appropriate medical history records.

· Covid screening details

· Your signature.

 

We process this information so we can provide you with our clinical therapies, invoice you and maintain our communication with you. Our legal basis for doing this is Article 6.1.b – performance of a contract; this is necessary to deliver the service to you. We also process your health data which is classified as ‘Special Category’ data for the purposes of the UK GDPR. As well as having a legal basis as described above, we also need to apply a basis for processing this type of personal data.

 

So that we can ensure that we provide bespoke treatment suited to your specific requirements, we will obtain your explicit consent, prior to recording special category data. This is in accordance with Article 9.2.a UK GDPR

 

Where we require your data in the pursuance of a contract, if you fail to provide that data, we will not be able to provide you with our services or enter into a commercial agreement.

 

If you are a prospective client we have engaged with, we will hold the following information about you:

 

· Your full name.

· Your email address.

· Your contact telephone number(s)

 

We will process this information so we can communicate with you and send you occasional updates on our services. As an individual, we will require your consent to send you marketing information. But, if you are an existing client or we have had conversations about the provision of our services, we are able to market to you without further consent as allowed by the Privacy and Electronic Communications Regulations 2003 (amended). You can ask us to stop sending you communications at any time.

 

We will also process your personal data if it is in your own or another person’s vital interest to do so. The legal basis for this is article 6.1.d.

 

Recipients of your data

 

As a general principle, we will not transfer your personal data to other recipients without your permission. There are some exceptions to this:

· If you do not pay your bills, we may choose to engage a third party to recover any money you owe us. Lawful basis Article 6.1.f, we have a legitimate interest to pursue money owed to us.

· It is possible, though unlikely, that we might be forced to disclose your information in response to a court order or other binding mandate. Lawful basis is Article 6.1.c Legal Obligation.

· We will share your personal data with your General Practitioner or another therapist. Lawful basis Article 6.1.f, we have a legitimate interest to ensure our treatments are appropriate to your condition.

·

 

Data processed by third parties on our behalf.

 

We use the services of other organisations in the processing your data. We use cloud-based platforms for booking appointments and recording clinical notes, recording financial transactions email and video conferencing purposes. We also use online payment gateways and a marketing platform for our newsletter. A list of those data processors is available on request.

 

Those organisations that process personal data on our behalf are subject to a data processing contract as required by Article 28 of the UK GPDR. This ensures that your data is handled in accordance with the UK GPDR.

 

Transferring your data outside of the UK

 

Your personal data will be transferred by some of our systems to countries outside of the United Kingdom, such as the United States and Australia. Where this is the case, our vendors have put in place EU approved Standard Contractual Clauses. UK to EU transfers is covered by agreements as required by Article 46 UK GDPR.

Retention periods

 

We will retain your data only for the time we require it for the purposes stated and / or where we have a legal obligation or other legitimate purpose.

 

If you are a customer, then we will keep your data for all the time you are a customer and for 7 years following your last visit to us. If you under the age of 18 at the time of your visit, we will retain your data for 7 years from the date of your 18th birthday.

 

If you are a prospective customer, we will keep your information for 2 years from last meaningful contact unless you have asked us to stop contacting you. If this is the case, we will remove you from the mailing list but will keep the minimum of data to ensure you are not added back into it.

 

Security

 

The UK GDPR requires us to implement technical and organisational measures to protect your data. This means our IT systems are protected by anti-virus and anti-malware software. We use Transport Layer Security (TLS, also known as SSL) to encrypt any data you supply to us through our website. We utilise multifactor authentication and encryption of your data as well as maintaining back up files to ensure availability.

 

11. Your rights

 

The UK GDPR provides you with several rights in relation to the data of your we process. The rights relevant to our activities are:

 

· You have the right to get access to and copies of your personal data.

· You can in certain circumstances, restrict our processing of your data and request us to erase it (although we may have to retain some for legal reasons).

· You can ask us to rectify any inaccurate information we may be holding.

 

If you want to exercise any of these rights, contact us on the above email address.

 

You also have the right to lodge a complaint about our processing with a supervisory authority — the UK’s Information Commissioner’s Office.

 

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

Telephone: 0303 123 1113

Website: www.ico.org.uk