Privacy & Cookie Policy

This document provides details of the type of client data we collect and process, and how that data will be used, stored, accessed, modified and/or shared.

Under the UK General Data Protection Regulation (2018) and EU General Data Protection Regulation (2016/679) we are required to define the purpose of and the legal bases for the processing of various categories of personal data and to define how that data will be used. In addition to the above, your rights over data control and processing are defined under the sections headed Your rights as a data subject and Data subject requests.

As a medical skin clinic we process and control a range of sensitive personal data termed ‘special categories data’ for various purposes as follows: personal contact details and medical records, card payment details, bank account details, personal images (before and after treatment), personal images (for marketing), client reviews and feedback.

GDPR (2018) Article 6 allows for lawful processing of personal data only where certain conditions have been met by the data processor. In addition, GDPR (2018) Article 9 prohibits the processing of special categories data under most circumstances. For example, sensitive medical data processing. An exception to this rule is data processing for the purpose of medical record keeping, by a registered medical or health care professional, or with the explicit consent of the data subject.

The following lawful bases for the processing of personal data are applicable

GDPR Article 6(1):

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

All services are performed under a signed contractual agreement between Skin Beautiful Medical & Cosmetic Clinic and you the client. To facilitate the contract we process your personal contact details (full name, address, telephone number, email address) and card payment/bank account details relating to the sale of goods or services provided under the contract.

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes

On occasion we may also seek explicit consent for the processing of personal images (for marketing), client reviews and feedback.

We also process highly sensitive medical data termed as ‘special categories data’ in clinic. The following lawful bases for the processing of this type of data are applicable

GDPR Article 9(2):

(c) processing is necessary to protect the vital interests of the data subject

Extensive medical records data are kept in clinic. This includes medical history and other associated data as part of a medical risk assessment. Medical record keeping is essential for the safety and appropriateness of the treatments and services we provide. For example, if a patient were to develop an allergic reaction to a drug or medical device or a patient experiences complications following a treatment then we must refer to medical records as a standard clinical practice.

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

Personal details and payment records data are processed under contract as detailed above and in accordance with our medical liability insurance policy. We may also need to process your data outside of the contract. For example:

i) to comply with any legal obligation

ii) if required as part of any legal proceedings

iii) to prevent fraud

iv) to establish, exercise or defend any claims arising under the contract

i) data collection we collect personal contact details when an enquiry or a clinical appointment is made (by phone or email) or in clinic by way of recording medical history. Medical records data are only collected in clinic by the consulting practitioner. Personal images are taken before and after treatment to facilitate medical records and treatment plans. Client reviews and feedback data are collected via social media websites: namely Google, Cylex, Lacartes, Bing, Instagram, Facebook, Twitter.

ii) data storage & security All medical records including personal data are handwritten and stored in locked, secured cabinets. We do not keep digital databases of these data and no client data is ever accessible over an internet connection. Personal data collected via email are stored on an encrypted server an/or are encrypted before being archived. Card payment details are processed and stored on an encrypted server by our authorised card processing company PaymentSense Ltd. Personal images are stored on encrypted digital devices.

iii) data access & sharing as a client to our clinic your privacy, rather than marketing strategies is our priority. We do not share any client data, images or any other information with any third party for any purpose, except where required to do so by our insurers or pharmaceutical suppliers for prescription medicines, legal insurance claims or other essential purposes. Where we are required to disclose your personal information from our medical records then we will always inform you of this requirement before doing so and only where absolutely necessary and for the purpose for which the disclosure of information was intended.

Access to sensitive client data is restricted only to the consulting practitioner/clinical director and executive director for the purpose of recording, updating and modifying medical records, where appropriate, to effect safe and correct medical procedures, except where required to disclose the data to pharmacies and/or insurance companies as detailed in the paragraph above.

iii) data modification and deletion All patient data will be retained by Skin Beautiful Medical & Cosmetic Clinic for a period not less than 10 years, or as required by our medical insurers to effect continual medical liability insurance. We reserve the right to make modifications to patient records and other patient data to ensure that our record keeping is accurate and up to date in accordance with GDPR and NMC guidelines for medical record keeping.

As a subject of data processing the general data protection regulation (2018) gives you rights to information, access, rectification, erasure, restriction of data, portability and objection to processing. All of the above are applicable to the data we process except erasure of patient records and, under certain conditions, objection to processing of data. Under GDPR Article 9(2)(f) & (h) We reserve the right of exemption to erasure of data and restriction of data processing where such data may be required for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity and for the purposes of medical diagnosis.

i) information in addition to the information contained within this privacy notice you have a right to be informed about all of your personal data we control and process. By keeping you informed in a clear and transparent way will allow you to make decisions based on your own preferences. You also have a right to be informed about changes and updates to the data we hold about you or about circumstances where we are required to send your data to other organisations (for example to comply with a legal obligation). However we are required to process your data we will always put your security first and will always inform you in advance of any further processing.

ii) access you may access the data we hold about you at any time by making a formal written request to the data protection officer at the address of the clinic at which you attended. Alternatively, you may make a formal request by email to: dataprotection@hm-skinbeautiful.com Please allow up to 30 days from the date of your request. There is no charge for this service except for repetitive requests.

iii) rectification we aim to keep accurate, complete and up to date records at all times. If you believe the data we hold about you is inaccurate, incomplete or otherwise erroneous then we encourage you to inform us at your earliest convenience so that we can promptly correct any such errors. You may make a verbal request to us at any time. Alternatively, please contact us via email at dataprotection@hm-skinbeautiful.com A confirmation email will be sent to you upon rectification.

iv) erasure under the GDPR (2018) data subjects have the right to erasure of data held by a data processor except in certain circumstances. As a provider of medical care some of the data we hold falls under the ‘special categories of data’ (e.g medical records). For this particular data we are exempt from data erasure on grounds of GDPR Article 9(2)(f) for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity & 9(2)(h) for the purposes of medical diagnosis. Other data which requires consent for processing (e.g. patient images used for marketing, reviews/feedback and all other marketing material) is not exempt. For this type of data you have the right to request permanent deletion at any time. A request for erasure of data constitutes a withdrawal of consent. For removal of marketing images or any other marketing material you may make a verbal request to the clinic at any time. Alternatively please email dataprotection@hm-skinbeautiful.com Your request will be promptly actioned, but in any case within 30 days. Skin Beautiful Medical & Cosmetic Clinic will keep all medical records, supporting before and after images and associated payment details for a minimum of 10 years, or as otherwise required by our medical insurance underwriter.

v) restriction of data processing as a data subject you have the right to request a restriction of data processing under certain conditions. A restriction of data processing is, in effect, a pause in the process of further processing, where the data controller still holds all data as before any request but does not process it any further for the duration until such a time that your query has been investigated. The qualifying conditions to which restriction of data processing are granted are as follows: i) if you have notified us that you believe the data we hold about you is inaccurate or you have made a request to verify the data ii) your data has been unlawfully processed and you have requested to restrict rather than erase the data in question iii) we no longer need to keep your data but you require the data for the exercise or defence of a legal claim. Data processing will be restricted as a matter of standard practice when any query over its accuracy or viability is raised.

How do we restrict data processing? we restrict data in 2 ways. For data that is visible in the public domain (e.g. marketing images, feedback or reviews) this data will be temporarily removed from view. All other data (including personal contact details, medical records, personal images (before and after treatment) and payment details relating to such records will be marked as restricted and temporarily moved to a separate file or encrypted database and will remain there until any residing queries have been investigated.

data portability data provided by you, either by consent or as part of a contract can sent to you or directly to another data controller of your choice. This right is limited only to data provided by you and excludes data that we have created ourselves (e.g. clinical notes) or data which we process under a lawful basis other than that of a contract or to which no explicit consent was obtained (e.g. processing of vital interests data or legitimate interests data).

Qualifying data will be sent in a digital format once we have verified the source of the request and identity of the recipient. In the interests of personal data security we will only make data portable to either you or a named data controller whom you have given your explicit consent to receive such data. We will not accept data requests directly from another data controller. As an additional security layer we may contact the data controller to confirm his/her knowledge of your request to receive data and to verify the identity of the data controller as the intended recipient of your data.

right to object you have a right to object to any data processing for marketing purposes at any time. You will be given the opportunity to permanently object to any processing of your images, reviews or feedback at the initial consultation. This is a separate given right to where we have previously used images, feedback or reviews provided by you with explicit consent. Any marketing data already in use can be removed at any time (see iv) erasure & v) restriction of data processing). Please note that the right to object excludes before and after images for medical record keeping purposes.

We reserve the right to refuse or restrict requests from data subjects where the requests are unfounded, excessive or repetitive. We also reserve the right to charge a fee for excessive or repetitive data requests. Where a fee is applicable we will inform you in advance of the cost.

In the interests of personal data security only data requests made by the data subject will be considered. A verbal request must be made face to face, in clinic and only between the data subject and either the clinical director or executive director of the clinic. Data requests made by email, in writing or by any electronic means must be made via the email address, phone number or other contact details held on record for the data subject in question. We will not consider data requests made by family members, friends or representatives of the data subject.

Please note: sensitive patient data is protected from disclosure except in very limited circumstances. Skin Beautiful Medical & Cosmetic Clinic will only process your data in a way that is appropriate for consulting and medical record keeping, that is restricted to only the purposes intended, this is for the duration necessary, that is limited to only the type and volume of data necessary and, that is legally justified to fulfil a contract for the provision of medical services and for the defence of any in legal claims which may arise, in accordance with UK GDPR regulations.

Exceptions to processing sensitive patient data and the Caldicott Principles (2020)

Skin Beautiful Medical & Cosmetic Clinic operates within the Caldicott Principles (2020) for sharing patient identifiable information. The principles are as follows:

Principle 1: Justify the purpose(s) for using confidential information

Principle 2: Use confidential information only when it is necessary

Principle 3: Use the minimum necessary confidential information

Principle 4: Access to confidential information should be on a strict need–to–know basis

Principle 5: Everyone with access to confidential information should be aware of their responsibilities

Principle 6: Comply with the law

Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality

Principle 8: Inform patients and service users about how their confidential information is used

In the first instance we would encourage you to contact us with your concerns. You may contact us by email or by phone:

email: dataprotection@hm-skinbeautiful.com
phone: (UK) +44 7947 523038

If, having shared your data protection concerns with us, you remain unhappy then you have a right to request the decision is reviewed by the Information Commissioner’s Office.

ICO website: ico.org.uk

ICO helpline: 0303 123 1113

Data Controller & Data Processor: Sovereign Clinics Ltd

UK Data Protection Registration No (ICO): ZA401024

ICO Registration Expiry Date: 27th May 2022

We collect anonymous data relating to website visits. The collected data does not allow us to personally identify users either by name, IP address or any other means.

The data we collect is used only for the purpose of analysing trends, website performance and security and volume of traffic. It provides us with visitor numbers, approximate geographical location, time and duration of visit to our website. We may use this statistical data in a collective manner to assist in the future development of the website.

We do not use analytical data for soliciting purposes. We do not share, disclose, sell or otherwise distribute data to any third parties.

Data is analysed and then reported to us using Google analytics and Bing analytics. Live reports are generated by these applications for our webmaster to analyse. Reports are kept for a period not exceeding 14 months.

By using this website in conjunction with our terms and conditions policy you are agreeing to our cookie policy as described in the sections below.

When a client visits our website cookies are stored on the client’s computer. Cookies are used by Google analytics and Bing Analytics to track and record visits to this website. These applications employ cookies to provide our webmaster with analytical data of every visit to our site.

We use both session cookies (valid only for the session duration) and persistent cookies (valid for up to 3 months). These cookies are:

PHPSESSID (session only)

utma

utmb (session only)

utmc (30 minutes)

utmz (3 months)

The types of cookies we use store anonymous data for time and date of visit, duration, country and location, language, operating system, browser type, pages visited, source of visit and landing page. The cookies do not provide any information that would allow our webmaster to personally identify any visitor to our site; including, but not limited to: name, address, phone number or IP address.

We thank you for visiting this website and are sorry that our cookie policy is not acceptable in your case. Accepting cookies is a condition for the continued use of this website. If you do not agree to this then we kindly ask you to leave the website.