General Data Protection Regulations (GDPR) and Privacy Policy
Awareness
All staff have been made aware in our organisation that the law is changing with regard to an individual’s rights to have their personal data protected. These changes are set out in the General Data Protection Regulations which come into effect on the 25th May 2018. The GDPR will be similar to the existing UK Data Protection Act 1998 (DPA) but brought up to date and with many more legal requirements. The UK agency that will be responsible for enforcing the GDPR is the Information Commission’s Office (ICO). Once the GDPR comes into effect there are significant financial penalties that can be enforced for a data breach or a failure to follow the stipulations under GDPR or a failure to obtain proper consent.
Information we may hold
We may collect, store and use the following kinds of personal information:
(a) information about your computer and about your visits to and use of this website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views, and website navigation details.)
(b) information relating to any transactions carried out between you and us on or in relation to this website. We do not however sell anything directly through our website and direct purchases cannot be made via the website.
(c) information that you provide to us for the purpose of registering with us (including your email address, telephone number, address, and name)
(d) information that you provide to us for the purpose of subscribing to our website services, email notifications and/or newsletters.
(e) any other information that you choose to send to us.
(f) Cookies
A cookie consists of information sent by a web server to a web browser, and stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser. We may use both “session” cookies and “persistent” cookies on the website. We will use the session cookies to: keep track of you whilst you navigate the website. We will use the persistent cookies to: enable our website to recognise you when you visit. Session cookies will be deleted from your computer when you close your browser. Persistent cookies will remain stored on your computer until deleted, or until they reach a specified expiry date. We use Google Analytics to analyse the use of this website. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated relating to our website is used to create reports about the use of the website. Google will store this information. Google’s privacy policy is available at: http://www.google.com/privacypolicy.html. Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third party cookies. For example, in Internet Explorer you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector. Blocking all cookies will, however, have a negative impact upon the usability of many websites, including this one.
(g) Contact details, ie Names, addresses, email, occupation and dates of birth obtained during the consultation and consent process.
(h) Photographic Images
(h) Customer payment Data
Using your personal information
Personal information submitted to us via this website will only be used for the purposes specified in this privacy policy or in relevant parts of the website. We may use your personal information to:
(a) administer the website;
(b) improve your browsing experience by personalising the website;
(c) enable your use of the services available on the website;
(d) send you general (non-marketing) commercial communications;
(e) send you by post or marketing email notifications which you have specifically agreed to and have been also unambiguously and properly opted in. For example discount vouchers obtained from our website.
(f) send to you our newsletter and other marketing communications relating to our business, where you have specifically agreed to this and they have also been unambiguously and properly opted in, by post, by email or similar technology. You can inform us at any time if you no longer require marketing communications.
(g) provide third parties with statistical information about our users – but this information will not be used to identify any individual user; for example as used by google analytics
(h) deal with enquiries and complaints made by or about you relating to the website;
We will not provide your personal information to any third parties for the purpose of direct marketing.
(i) Date of birth is required by our insurance company as there are legal minimum age requirements for most treatments. It is used to decide on whether a particular treatment can be carried out or not.
(j) Occupation is an important consideration when trying to obtain a correct diagnosis and can be a significant influence on a specific condition. Occupation can affect a prescribed treatment plan.
(k) Merchant cardholder receipt data is stored for the required minimum accounting period of 7 years and also to respond to providing copy receipts and chargebacks.
Our Lawful basis for processing personal data:
Asking for consent
We consider that consent is the most appropriate lawful basis for processing personal data.
The request for consent is prominent and separate from our terms and conditions.
We ask people to positively opt in.
We don’t use pre-ticked boxes or any other type of default consent.
We use clear, plain language that is easy to understand.
We specify why we want the data and what we’re going to do with it.
We give individual detailed options to consent separately to different purposes and types of processing.
We name our organisation and any third party controllers who will be relying on the consent.
We tell individuals they can withdraw their consent.
We ensure that individuals can refuse to consent without detriment.
We avoid making consent a precondition of a service.
If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
Recording consent
A record is kept of when and how we gained consent from an individual.
A record of exactly what they were told at the time.
Managing Consent
We regularly review consents to check that the relationship, the processing and the purposes have not changed.
There are processes in place to refresh consent at appropriate intervals, including any parental consents.
Individuals may withdraw their consent at any time, and we publicise how to do so.
Withdrawals of consent are acted on as soon as possible.
We will not penalise individuals who wish to withdraw consent.
Legitimate Business Interests
We consider that legitimate interests is also another appropriate basis for processing and storing of for instance photographic images.
We understand our responsibility to protect the individual’s interests.
We have conducted a legitimate interest’s assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
We have identified the relevant legitimate interests.
We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
If we process children’s data, we take extra care to make sure we protect their interests.
We have considered safeguards to reduce the impact where possible.
We have considered whether we can offer an opt-out.
If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
We keep our LIA under review, and repeat it if circumstances change.
We include information about our legitimate interests in our privacy notice.
There are contractual and legitimate business interest’s requirements that will require us to record and keep personal details such as your name, address, date of birth, occupation and also take before and after treatment area images. If you object to giving these details we may have to decline providing treatment.
Disclosures
We may disclose information about you to any of our employees insofar as reasonably necessary for the purposes as set out in this privacy policy. In addition, we may disclose your personal information:
(a) to the extent that we are required to do so by law;
(b) in connection with any legal proceedings or prospective legal proceedings;
(c) in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
(e) to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.
Except as provided in this privacy policy, we will not provide your information to third parties.
Security of your personal information
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We will store all the personal information you provide on our secure (password- and firewall- protected) servers. All electronic transactions you make to or receive from us will be encrypted using SSL technology. All information is handled in accordance with the data protection act 1998. Of course, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
Data Breaches
Any breach which leads to accidental, unlawful destruction or the loss or alteration of personal data will be notified to the ICO within 72 hours and to all affected individuals without undue delay.
Policy amendments
We may update this privacy policy from time-to-time by posting a new version on our website. You should check this page occasionally to ensure you are happy with any changes. We may also notify you of changes to our privacy policy by email.
Your rights-Complaints
You have the absolute right to object to your data being processed and profiled for direct marketing purposes. You have the right to have your information withdrawn at any time. Your information will be provided to you within one month and no fee will be levied. You may instruct us to provide you with any personal information we hold about you. Provision of such information will be subject to:
(a) the supply of appropriate evidence of your identity. For this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address.
We may withhold such personal information to the extent permitted by law. You may instruct us not to process your personal information for marketing purposes by email at any time. In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt-out of the use of your personal information for marketing purposes.
If you are not happy with the way your personal information has been treated you can complain to the Information Commissions Office (ICO).
Serious breaches will be reported by our Data Controller to the ICO using our DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff who will record the breach and give you advice about what to do next.
If you would like to report in writing you can use our DPA security breach notification form, which should be sent to the email address casework@ico.org.uk or by post to our office address Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
The security breach notification form can be found here:
https://ico.org.uk/media/fororganisations/documents/2666/security_breach_notification_form.d oc
Third party websites
The website contains links to other websites. We are not responsible for the privacy policies or practices of third party websites.
Updating information
Please let us know if the personal information which we hold about you needs to be corrected or updated.
Contact
If you have any questions about this privacy policy or our treatment of your personal information, please write to us by email to info@beautywithinspa.co.uk or by post to:
Beauty Within Medi Spa
10 High Street
Cowbridge
Vale of Glamorgan
South Wales
CF717AG
Data controller
The data controller responsible in respect of the information collected at Beauty Within Medi spa and on this website is Beauty Within Medi Spa. Our data protection registration number is Z2495750. Our designated data protection officer is Neil Moaksom