Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller's possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulations 2016/679 (GDPR).
Who are we?
Central Health Holdings Limited, operating as Central Health Physiotherapy, is a data controller. This means it can decide how your personal data is processed and for what purposes – provided you authorise these uses with appropriate consent.
How do we process your personal data?
Central Health Holdings Limited complies with its obligations under GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure; and by ensuring that appropriate technical measures are in place to protect your personal data.
We use your personal data for the following purposes:
- To enable us to effectively and efficiently provide you with the service that you engaged with us to provide.
- To maintain our accounts and appropriate legally required records.
- To operate the Central Health Physiotherapy website and deliver the services that our clients engage with us to provide.
- To inform individuals of news, events, activities or services running at Central Health Physiotherapy.
- To contact individuals via surveys to conduct research about their opinions of current services or of potential new services that may be offered.
What is the legal basis for processing your personal data?
Article 6 Lawfulness of Processing:
Consent from you as the data subject (please see our consent form here).
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Article 7 Conditions for Consent
- Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Article 9 Processing of Special Categories of Personal Data
- Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
- Paragraph 11 shall not apply if one of the following applies:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 11 may not be lifted by the data subject;
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 13;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
- Personal data referred to in paragraph 11 may be processed for the purposes referred to in point (viii) of paragraph 12 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
Sharing your personal data
Your personal data will be treated as strictly confidential, and will be shared only with your GP, referring Consultants or other relevant medical professionals. We will only share your data with the above listed third parties outside of Central Health Physiotherapy with your consent.
How long do we keep your personal data?
We keep your data for no longer than reasonably necessary. Legally we have to retain copies of your personal data for 20 years. This is in case of any legal claims/complaints or for safeguarding purposes. All data retention is in line with the statutory minimum retention period guidelines set out by the Lord Chancellor’s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000. Central Health Holdings is obliged to meet the legal requirements for the retention and disposal of records in accordance with relevant legislation, particularly the Public Records Act 1958 (PRA 1958), the Freedom of Information Act 2000 (FOIA 2000) and the General Data Protection Regulations (GDPR 2016). You can read about legislation that relates to, or affects archives, records management or public sector information on The National Archives website.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to request a copy of your personal data which Central Health Holdings holds about you;
- The right to request that the personal data be corrected if any is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for Central Health Holdings to retain such data;
- The right to withdraw your consent to the processing at any time;
- The right to request that Central Health Holdings provide you with your personal data and where possible to transmit that data directly to another controller (known as the right to data portability) in an accessible, usable format;
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction be placed on further processing;
- The right to object to the processing of personal data;
- The right to lodge a complaint with the Information Commissioner's Office.
If we wish to use your personal data for a new purpose, not covered by this data protection notice, then we will provide you with a new notice explaining this new use prior to commencing the processing, to set out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to new processing.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies at https://aboutcookies.org.
Some of the more significant individual cookies we use and the purposes for which we use them are:
Central Health Holdings' Data Protection Manager is Natasha Price. To exercise any relevant rights, or for queries or complaints, Natasha can be contacted via the reception at our Chancery Lane office, by telephone on 020 7404 6343 or via email: [email protected]