Our Data Protection Representative is Sinead Murphy who can be contacted at [ ].
What Data do we collect?
Our Business collects data comprising personally identifiable information from our patients and clients, including the following:
- Email address
- Telephone number
- Medical information relevant to your health and wellbeing.
- Date of birth
We will obtain certain sensitive personal data from our Data Subjects with their consent where necessary for performance of our obligations and provision of our services. Where such information is provided, the information will be shared only where necessary, taking into account the nature of the information provided and the proposed services. Sensitive data will not be retained for any longer than necessary for the performance of the services provided by the Business. We will not disclose sensitive personal data without your consent, unless:
- specifically authorised or required by law; or
- required for the protection of the vital interest of the Data Subject or of any other natural person; or
- where necessary for the establishment, exercise or defence of legal claims.
We will ensure that processing of sensitive personal data is carried out in compliance with the GDPR at all times.
How do we collect your Data?
We will collect data from our data subjects and process it in the provision of our services as a physiotherapy clinic. We will collect data from our patients and clients through our website and at consultations and appointments with you. The Business operates as a Data Controller in respect of the personal data supplied by its patients and clients. We will collect personal data about you from the Application Forms, Contact Forms, Questionnaires, consultations, records of correspondence, telephone calls, emails, practice notes and records, and information otherwise directly furnished by you.
How will we use your Data?
Our Business collects your data so that we can perform the services of a physiotherapy clinic offered by our Business. We collect your Data so that we can:
- Process your registration on our website and at our practice for provision of physiotherapy services.
- Enable you and us to manage your account and arrange appointments for you.
- Maintain personal information and treatment notes required to provide our services to you.
- Correspond with other healthcare practitioners on your behalf (e.g. your GP or consultant) with your consent.
- Engage with you and respond to any requests which you may have.
- Process payments in connection with customer bookings in limited circumstances.
- Meet our legal and statutory obligations (including defence of legal claims, if applicable).
- To issue reminders to our patients
- To issue receipts for payment to our patients
Basis of processing Data
The Business will process data on behalf of natural persons comprising their patients and clients and will ensure that your data is processed in a lawful, clear and transparent manner at all times for a specific and legitimate purpose. The Business relies on the following legal bases for the processing of data:
- Processing necessary for the performance of a Contract
- Processing necessary for the compliance with a legal or statutory obligation
- To protect the vital interest of a Data Subject
- With the consent of the Data Subject for one or more specific and legitimate purposes.
- Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller
- Processing necessary for the purposes of the legitimate interest pursued by the Controller or a third party except where such interest is overridden by the fundamental rights and freedoms of the Data Subject.
Where we rely on the legitimate interest of the Business for the processing of the personal data, we will take all reasonable measures to ensure that the interests of the Data Subject are protected. The legitimate interests of the Business in this context include direct marketing, prevention of fraud and information system security.
We will rely on our legitimate interests as a Business to process your data for direct marketing purposes. We consider it to be a legitimate interest of our Business to promote its services and products and to carry out the administration and operation of our Business. Any such processing will not be carried out where such interest is overridden by the rights and freedoms of the Data Subject. In all direct marketing communications, we will give an unsubscribe option. A Data Subject can unsubscribe at any time.
We will only rely on consent as the basis for processing in limited circumstances. We will specifically obtain your consent in the event that we propose to share your data with any third party, including for the avoidance of doubt your GP or consultant or other medical practitioner. Your personal information and treatment notes are securely hosted on our physiotherapy specific practice management software package. Our administration service has limited access to your contact details so they can make appointments for you. Our software system will register demographic information when you make your first appointment. Our software system does not have access to your personal, medical or physiotherapy information.
We will only collect data which is necessary to provide you with safe treatment and will keep records to facilitate that purpose. We will endeavour to keep the information as accurate and up to date as possible.
How do we store your Data?
The Business securely stores your data at 26 South Bank, Crosses Green, Cork and via our software providers. We have retained certain data processors in the provision of our services to provide specific practice management software packages. All data processors have been vetted and comply with GDPR regulations. Our contracted data processors include TM2, Cliniko and Anair Solutions. We will ensure the appropriate technical and organisational measures are put in place commensurate with the level of security required for the data held on your behalf. We will use all appropriate and reasonable measures to ensure that the integrity and confidentiality of the personal data are maintained at all times.
Our Business would like to send marketing information to you about the products and services which we think will be of relevance to you. We will always give you an option to unsubscribe from our marketing list. Please contact [ .] if you wish to unsubscribe from our marketing list. You have a right to object to our processing your data for direct marketing purposes at any stage.
Sharing of Personal Data
We do not share your personal information with third parties, save with your written consent or as outlined in this policy. We will never provide your personal data to third parties for marketing purposes. It may be necessary for us to share your data with third parties to enable us to comply with our legal and statutory obligations and/or to perform the contract between us in limited circumstances without your consent.
As outlined above, we have retained certain data processors comprising software and administrative service providers (including TM2, Cliniko and Anair Solutions). Your personal information and treatment notes are securely hosted on our physiotherapy specific practice management software, which is fully compliant with GDPR. Our administrator services have limited access to your contact details only, but do not have access to your medical or physiotherapy information. We also share your personal data with Bookinghawk which facilitates a class booking system and Mail Chimp to enable us to process newsletters on behalf of the business. We will not disclose your personal information unless compelled to do so in order to meet our legal obligations, regulations or valid governmental or other requests.
We do not propose to transfer personal data to any parties not resident within Europe.
The Business will keep your data for no longer than necessary for the purpose for which the data was provided, taking into account the basis for processing the data. We operate in accordance with the Irish College of General Practitioners Guidelines, which indicate that medical records should be retained for as long as deemed necessary to provide treatment to the individual concerned and to meet medical, legal and other professional requirements. It is recommended that your medical records are then retained for a minimum period of 8 years from the date of last contact, or for any period prescribed by law. In the case of children, we will retain your records for a period of 8 years after you have reached the age of 18.
Rights of Data Subject
You have the following rights under the GDPR, in certain circumstances and subject to certain exemptions, in relation to your personal data:
- Right to access data – you have the right to request a copy of the personal data that we hold about you together with other information about our processing of that personal data.
- Right to rectification – you have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
- Right to erasure – you have the right to request us to delete personal data that we hold about you. This is sometimes referred to as a right to be forgotten.
- Right to restrict processing or object to processing – you have the right to request that we no longer process your personal data for particular purposes or object to our processing of your personal data for a particular purpose.
- Right to data portability – you have the right to request us to provide you or a third party with a copy of your personal data in a structured commonly used readable format.
- Right to object to processing – you have the right to object to processing of data under certain conditions.
If you wish to exercise any of the rights set out above, please contact Sinead Murphy at [ ].
We ask that you ensure that all data which you furnish to us is kept accurate and up-to-date at any stage.
If we were processing personal data on the basis of your consent, you may withdraw consent at any time. This does not affect the lawfulness of processing which should take place prior to its withdrawal.
You can object to the processing of your personal data for direct marketing purposes at any stage. If you are unhappy with how we process your personal data, we ask that you contact us so that we can rectify the situation. You may lodge a complaint with the Irish Supervisory Authority, the Data Protection Commission.
Automated decision-making and profiling
We do not use personal data for the purposes of automated decision-making or profiling.
Changes to this Privacy Notice
Date: 12th November 2020