These are our policies for our web site, contact information and emails.
The EU General Data Protection Regulation (GDPR) includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are more detailed and specific than in the Data Protection Act and place an emphasis on making privacy notices more transparent, and accessible.
A privacy notice must be supplied to the individual at the time they provide you with their personal data. The GDPR says that the information you provide to people about how you process their personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
The following guidance advises what types of information should be included in a privacy notice and where possible, provides standard wording which can be used in all privacy notices
Identity and contact details of the Data Controller
SnowberrylaneClinic is the Data Controller and is committed to protecting the rights of individuals in line with the Data Protection Act 1998 (DPA) and the new General Data Protection Regulation (GDPR).
Contact details of the Data Protection Officer
SnowberrylaneClinic has a Data Protection Officer who can be contacted through firstname.lastname@example.org
What information do we collect about you?
Outline the types of personal data being processed. The GDPR defines personal data like the following:‘
- Any information relating to an identified or identifiable natural person ('data subject');
- an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Personal data relating to employee/student can include: name, job title, date of birth, passport data, home address, home telephone number, private email address, emergency contact, staff number etc.
- ‘Special categories’ of personal data (sensitive personal data) relate to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
- Special category data relating to employee/student can include: racial and ethnic origin, religion, health records etc.
How will your information be used?
Outline the purposes for the processing. Examples provided below:
- administering orders to fulfil delivery obligations
- contacting the customer in the event of a delivery issue
- storing payment information pertaining to orders
- managing student accommodation
- carrying out research and statistical analysis
- providing operational information
- promoting our services
- ensuring customer safety and security
- preventing and detecting crime
- will the data be used to make automated decisions?
What is our legal basis for processing your personal data?
For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. It is important that you determine your lawful basis for processing personal data and document this.
If you are processing personal data then you must satisfy a condition under Article 6 and if you are processing special category data then you must satisfy a condition under Article 6 and article 9.
|Article 6 - Personal Data||Article 9 - Special Categories|
|The data subject has given consent to the processing *||The data subject has given explicit consent to the processing|
|Processing is necessary for the performance of a contract with the data subject||Processing is necessary for the purposes of carrying out the obligations of the controller or of the data subject in the field of employment|
|Processing is necessary for compliance with a legal obligation||Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent|
|Processing is necessary in order to protect the vital interests of the data subject or of another natural person||Processing is carried out in the course of its legitimate activities by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim.|
|Processing is necessary for the performance of a task carried out in the public interest||Processing relates to personal data which are made public by the data subject|
|Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. This condition can only be used by the organisation if the processing does not fall within our core function which is providing education and conducting research**||Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity|
|Processing is necessary for reasons of substantial public interest|
|Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems|
|Processing is necessary for reasons of public interest in the area of public health|
|Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes|
*Please note that rules around consent are much stricter under GDPR. Consent means offering individuals genuine choice and control and requires a positive opt-in. Pre-ticked boxes and any other methods of consent by default are not lawful.
The GDPR gives individuals a specific right to withdraw consent. You need to tell people about their right to withdraw and offer them easy ways to withdraw consent at any time
**In order to rely on the ‘legitimate interests’ condition you must meet certain requirements.
The first requirement is that you must need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it.
The second requirement, once the first has been established, is that these interests must be balanced against the interests of the individual(s) concerned. The “legitimate interests” condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Your legitimate interests do not need to be in harmony with those of the individual for the condition to be met. However, where there is a serious mismatch between competing interests, the individual’s legitimate interests will come first.
Who receives your information?
Here you will need to specify the recipients or categories of recipients of data. Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Any transfers to third countries and the safeguards in place
Here you will need to specify if the data will be transferred outside of the EU and how this transfer is justified.
How long will your information be held? Here you will need to specify the retention period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period. It is important to be aware that the GDPR states that personal data must be kept ‘no longer than is necessary for the purposes’
What are your rights? Here you will need to inform data subjects about their rights under the GDPR including their rights to access and port data, to rectify, erase and restrict his or her data, to object to the processing as well as the right to withdraw the consent if the processing is based on consent.
Our general privacy and confidentiality rules
- We ask for only the minimum information we need to serve you.
- We only use your information for the purposes you gave it to us.
- We do our best to keep your information safe whilst it is inside our organisation, and we make it as difficult as we can for others to obtain it illegally.
- We will not give to third parties any information that identifies you (or sell it, or whatever), without your specific permission.
- We occasionally use third-party systems to send emails. We do not do this through organisations that have less stringent privacy rules than our own.
Unless you have an account for this site, and you log-in, this web server does not send cookies to your computer. If you are 'just visiting' you should NOT receive cookies from us (and we would be keen to know if you did!).
There is one exception to this:
Our use of Google Analytics
To help us tune our website, we use Google Analytics ("Analytics"). It is a service provided by Google, Inc., which helps us understand how people use the site. To do this, Analytics uses "cookies" technology, which are small text files placed temporarily on your computer.
The information generated by Analytics is stored by Google, sometimes on servers in the United States. Google makes information anonymous before storing it. We use the analysis that Analytics creates from the data, however we do not have direct access to any of the data set itself.
We do not collect any personally-identifiable information about visitors to this site, except in the case of those who have an account on the site and choose to log-in when they visit. If you do not log in, your activity is not followed in an identifiable way.
Google has its own terms of service for Analytics, which we recommend you read, however, we use the Analytics service in good faith, believing it to be both legal in the UK and in the interests of both ourselves and our web site users. As part of Analytics' terms of service, Google says it will not associate your IP address with any other data the company holds.
There are, however, links from this site to third parties, such as YouTube (Google Inc.), news feeds from media organisations, and other links included in the site's content. We have no control over, and do not monitor the activities of these third parties with respect to privacy. We would expect you to exercise the normal cautions you do when using any other unfamiliar web sites, and we will not be held responsible for organisations outside our control.
Please note: By continuing to use this website, beyond this document and the page on which you first 'landed', our understanding is that you consent to the processing of data about your visit in the manner and for the purposes set out above.
General email policies
- Our public email ("Newsletter") is provided on a free, best-effort basis only: no contract is implied between sender and recipient.
- Any discounts or offers referred to within the Newsletter, either from us or from third parties, should be regarded as an invitation to treat and are subject to contract, per usual commercial practice.