Data Protection Notice
Medical Cosmetic (Holdings) Ltd are committed to protecting the privacy of your personal data in accordance with Data Protection legislation. This Data Protection Notice (‘Notice’) sets out the basis on which we will process your personal data.
In this Notice, ‘we’ (and any related expression) refers to: Medical Cosmetic (Holdings) Ltd, registered in England & Wales, no. 08036855, whose registered office is at 103 COMMERCIAL STREET, LEEDS, LS26 0QD.
The Data Protection Legislation
As from 25th May 2018, most personal data processing in the UK is subject to the EU General Data Protection Regulation (‘GDPR’), as supplemented by UK legislation.
Personal data is any information that directly or indirectly identifies a living individual.
For the purposes of the GDPR, we will be the controller of any personal data that we collect from or about you in connection with the provision of our professional services, or related activities such as promoting the business and market research or, where relevant, dealing with new enquiries.
Under the GDPR, data controllers are required to process personal data lawfully, fairly and in a transparent manner, and in a manner that ensures appropriate security of the personal data. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, and the data must be adequate, relevant and limited to what is necessary in relation to those purposes, accurate and, where necessary, kept up to date, and kept in a form which permits identification of data subjects for no longer than is necessary for those purposes. Data controllers are responsible for, and must be able to demonstrate, compliance with these principles.
What personal data do we collect from or about you?
When you make an enquiry
When you contact us with an enquiry about our professional services (either through one of the group’s websites or by phone, email or post), we will ask you to supply essential contact details (your name, e-mail address, phone number and, where applicable), which we need in order to identify you and deal with your enquiry.
Depending on the nature of your enquiry, we may collect from you further details, such as the circumstances in which you are making the enquiry and the professional services that may be of interest to you.
If you are or become a patient
If you are or become a patient (or the company or other person you represent is or becomes a patient), and in the course of providing our professional services, we may collect further personal data from you, depending on the nature of the services we are providing. In certain cases, the information that we collect from you may be of a sensitive nature (for instance, health related information), but we will only ask you to provide the information that is necessary and appropriate.
We may also need to ask you to provide further personal data, and may need to carry out background checks about you with credit reference agencies and fraud prevention agencies, for credit application.
When you make a personal payment for our services, details of the method of payment, your bank details or your credit or debit card number will be processed.
If you are a professional or business contact
If you provide us (or one of our employees or other personnel) with your professional or business contact details or other relevant personal data, we will use this in order to keep in touch with you and exchange information that we believe is, or may become, relevant to our and your business or profession.
If you enquire about a job
If you submit a job application or enquire about a potential position with a group company, or another person does so on your behalf, we will ask you (or them) to provide relevant personal information about you. Further details of the personal data that we collect, and of the basis on which we will process your personal data, will be provided by our HR Department at the time.
Why and on what basis do we process your personal data?
When you make an enquiry, we will process the personal data that you give us, or we collect from you or about you, so that we can supply you with the information that you have requested about our professional services (including information about the services that other group companies provide), on the basis that it is necessary for our legitimate interests in promoting and marketing the Group and our professional services, or in order to provide a quotation for our services.
If you are or become a patient (or the company or other person you represent is or becomes a patient), we will process the personal data that you give us, or we collect from you or about you, in order to perform the contract that we have with you (or the company or other person you represent).
Where we need to process special categories of data (‘sensitive data’) or medical records relating to you, we will only do so with your explicit consent.
We will also process your personal data for internal record keeping, billing and accounting, and to respond to any queries, complaints or requests for further information, and for the purposes of archiving. The basis on which we do so is that it is necessary for our performance of the contract we have with you (or the company or other person you represent), or is necessary for our legitimate interests in managing our business and improving our professional services, and to comply with our regulatory obligations.
In appropriate circumstances we will use the personal data that you provide or that we collect about you on the basis that we are required to do so in order to comply with our regulatory obligations.
Staying in touch
We provide a wide range of additional services for our patients and our professional and business contacts, such as updates of treatments. We would like to use the details on our database in order to inform you of these and the various services that the group provides, on the basis that it is necessary for our legitimate interests in promoting and marketing the group and our professional services. If you do not wish us to use your personal data in this way, please unsubscribe using the relevant link in the email that we send you. All future marketing communications will also contain a simple way to opt out of receiving any further marketing communications from us.
Who do we share your personal data with?
We will not use your personal data for any other purpose, or disclose it to any third party, without your consent unless we are required to do so by law, or as mentioned in this section.
Other Group Companies & Partner Clinics
In the course of providing our professional services, or subsequently to the provision of such services, we may have to share personal data about our patient (or about individuals treating a patient) with other members of the group for administrative or regulatory purposes, where this is necessary for the performance of our contract with you (or the company or other person you represent), or for the legitimate interests we have in managing our business and improving our professional services, or in order to comply with regulatory requirements.
We may also refer you to another member of the group with your consent, in which case we will provide the other member of the group with your contact details and other personal data about you which is relevant to the services they are to provide.
Other professionals and other bodies
In order to provide some of our professional services, we may use the input of third parties, or we may refer you to such third parties, with your consent or where this is necessary for the performance of our contract with you (or the company or other person you represent). This will require the disclosure to such third parties of your contact details, as well as further personal data about you which is relevant to the services they provide.
External organisations may conduct audits or quality checks for us, either where this is necessary for compliance with our legal obligations or for the legitimate interests we have in improving our business and services. These external organisations are required to maintain confidentiality in relation to your records. If you do not want your file to be part of this process, please tell us as soon as possible.
Data processing services
Some of our data processing services are supplied by third party providers, who will need to have access to your data for that purpose. Such third party suppliers will be appointed on the basis that they provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing will meet the requirements of the applicable Data Protection legislation and ensure the protection of the rights of the data subjects, and will carry out processing only on our written instructions, or where we have a legitimate interest in doing so, as indicated above.
Transferring our rights and duties
We may transfer your personal data to anyone to whom we may transfer our rights and duties under the terms of our retainer with you (for instance, if you wish to change your professional representation, or where we do so for the purposes of Group re-organisation and administration or if our business is merged with or we are acquired by a third party). We will do this in order to perform our contract with you (or the company or other person you represent) or where this is necessary for the legitimate interests we have in improving our business and services.
Compliance with legal obligations
We may disclose your personal data if we are required to do so in order to comply with any legal or regulatory obligation or request, or where we have a legitimate interest in doing so, such as in order to enforce or apply our contract with you, to investigate potential breaches, or to protect our property and rights or those of others. This may include exchanging information with other companies and agencies for the purposes of credit risk reduction.
Transfers outside the EEA
In order to provide some of our professional services, we may share your personal data with one or more third party providers situated in countries outside the European Economic Area (including the USA) that do not have the same standards of Data Protection laws as the EU. We may do so with your consent, or where it is necessary for performance of the contract we have with you or for the establishment, exercise or defence of legal claims. However, we will ensure that contractual or other safeguards are in place to ensure that your personal data is adequately protected, and that enforceable rights and effective legal remedies are available for data subjects, and will inform you of the nature of these safeguards at the relevant time.
Professional or business contacts
If you are not a patient (or a representative of a patient) but have provided us with your professional or business contact details or other relevant personal data, we may share your personal data with other Group members and with our other professional or business contacts or those of our other Group members, on the basis that it is necessary for our legitimate interests in promoting and marketing the Group and our professional services, unless you indicate otherwise.
How long do we keep personal data for?
If you contact us with an enquiry about our professional services but you do not subsequently become a patient (or the company or other person you represent does not do so), it is our policy to keep your personal data unless you instruct us not to.
If you are or become a patient (or the company or other person you represent is or becomes a patient), we will retain contract information (including personal data) indefinitely.
Our full data retention policy is available on request.
Personal data relating to our professional contacts will be retained for so long as is necessary, or until you indicate otherwise to us, but we will aim to update our contacts’ preferences on a periodic basis.
In certain cases, it may not be physically possible to delete certain data (for instance, where it is stored on a secure external server), in which case we will take appropriate steps to ensure that it is not available for re-use or disclosure to third parties.
Your rights as a data subject
As a data subject, you have certain legal rights (subject to certain exceptions under the Data Protection legislation) including the right:
- to access the personal data held about you and request a copy of it;
- to ask us not to process your personal data for marketing purposes;
- to withdraw at any time any consent you have given to receive marketing material from us, or in any other case where we process your personal data on the basis of a consent that you have given (and not on some other legal basis);
- to ask us to rectify inaccurate personal data about you;
- to ask for the restriction of personal data about you that is inaccurate, unlawfully processed, or no longer required;
- to ask for the transfer of your personal data in a structured, commonly used and machine-readable format where appropriate;
- to ask for the erasure of personal data about you where processing is no longer necessary, or the legitimate interests we have in processing your personal data are overridden by your interests, rights and freedoms as the data subject; and
- to make a complaint to the Information Commissioner’s Office which can be contacted by post via: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or by telephone via 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Changes to this Data Protection Notice
We may change this Data Protection Notice from time to time. In the case of any substantial change, we will notify you (where practicable) in writing or by email.
How to Contact Us
If you have any questions, comments or requests about this Data Protection Notice, or would like to exercise any of the rights you have, as set out above, please contact us:
- by email to: firstname.lastname@example.org; or
- by post to: The Data Protection Manager, Medical Cosmetic (Holdings) Ltd, Rothwell, Leeds, LS26 0QD