This Privacy Notice relates to the processing of personal data by Kliniken (“Kliniken”). Unless otherwise stated, all references to “we” or “our” shall imply any entities which form part of Kliniken and which process personal data.
This Privacy Notice also forms part of Kliniken’s obligations to be open and fair with all individuals whose personal data we process and to provide details around how we process such personal data and what we do with it.
We are committed to safeguarding the privacy of personal data and complying with the UK Data Protection Act 2018, the European General Data Protection Regulation 2016/679 (“GDPR”) of the European Parliament, and any future changes in data protection legislation that Kliniken is required to comply with.
None of the lists or examples provided in this Privacy Notice is intended to be exhaustive or fully representative of every individual.
The scope of this Privacy Notice covers website visitor personal data in respect of the following:
Collecting Personal Data
Using Personal Data
Disclosing Personal Data
Retaining Personal Data
Securing Personal Data
International Data Transfers
Data Subject Rights
Updates / Amendments
Third Party Websites
Withdrawal of Consent (“Opt-out”)
3. LEGAL BASIS
4. COLLECTING PERSONAL DATA
We may collect and store the following kinds of personal data:
Information that you give us when you enquire or become a customer or patient of us or apply for a job with us including name, address, contact details (including email address and phone number)
The name and contact details (including phone number) of your next of kin
Details of referrals, quotes and other contact and correspondence we may have had with you
Details of services and/or treatment you have received from us or which have been received from a third party and referred on to us
Recordings of calls we receive or make
Notes and reports about your health and any treatment and care you have received and/or need, including about clinic and hospital visits and medicines administered
Patient feedback and treatment outcome information you provide
Information about complaints and incidents
Information you give us when you make a payment to us, such as financial or credit card information
Information that You provide to Us for the purpose of subscribing to our event and marketing communications.
Information we collect automatically when you browse one of our websites. We may collect information about your visit to our websites, your usage of the website, and your web browsing. That information may include your IP address, your operating system, your browser ID, your browsing activity, and other information about how you interacted with our website or other websites. We may collect this information as a part of log files.
When we send emails to subscribers, we may track behaviour such as who opened the emails and who clicked the links. This allows us to measure the performance of our email campaigns and to improve our features for specific segments of subscribers. To do this, we include single pixel gifs, also called web beacons, in emails we send. Web beacons allow us to collect information about when you open the email, your IP address, your browser or email client type, and other similar details.
Information to help Us comply with court orders and to exercise and defend our legal rights. Before You disclose to Us the personal information of another person, They must provide consent to both the disclosure and the processing of that personal information in accordance with this Privacy Notice.
5. USING PERSONAL DATA
We may use your personal information to:
Enable your use of any services that we may provide through our website or third-party websites.
Supply You with our services and support of these services.
Send You event and marketing communications.
Deal with enquiries and complaints.
Comply with our legal and regulatory obligations.
Set out below are some of the ways in which we process personal data although to do so lawfully we need to have a legal ground for doing so. We normally process personal data if it is:
necessary to provide you with our services – to enable us to carry out our obligations to you arising from any contract entered into between us and you, including relating to the provision by us of services or treatments to you and related matters such as billing, accounting and audit, credit or other payment card verification and anti-fraud screening
in our or a third party’s legitimate interests to do so
required or allowed by any applicable law
with your explicit consent for example: direct consumer marketing communications.
Generally, we will only ask for your consent to processing if there are no other legal grounds to process. In these circumstances, we will always aim to be clear and transparent about why we need your consent and what we are asking it for. Where we are relying on consent to process personal data, you have the right to withdraw your consent at any time by contacting us using the details below, and we will stop the processing for which consent was obtained.
To process special category data we rely on additional legal grounds and generally, they are as follows:
With your explicit consent
It is necessary for the purposes of preventive or occupational medicine, to assess whether you are able to work, medical diagnosis, to provide health or social care treatment, or to manage health or social care systems and services. This may also include monitoring whether the quality of our services or treatment is meeting expectations
It is necessary to establish, make or defend legal claims or court action
It is necessary so that we can comply with employment law
It is necessary for a public interest purpose in line with any laws that are applicable. This should assist in protecting the public against dishonesty, malpractice or other seriously improper behaviour for example, investigating complaints, clinical concerns, regulatory breaches or investigations e.g. the Care Quality Commission or GMC or ICO.
6. DISCLOSING PERSONAL DATA
Across our different business activities, as part of improving our existing services or as part of providing new services.
To third parties who process personal data on our behalf.
To third parties who process personal data on their own behalf but provide Us, or You, with a service on behalf of us.
To any regulator, external auditor or applicable body or court where we are required to do so by law or regulation or as part of any investigation.
7. RETAINING PERSONAL DATA
Personal data that we process, for any purpose or purposes, shall not be kept for longer than is necessary. Kliniken bases its record retention on any legal, regulatory or contractual obligations and bases these on the NHS Records Management Code of Conduct 2020 as best practice guidelines.
If You have consented to other services, the personal data necessary to provide each service will be retained until You no longer require the service, or You withdraw consent.
Please note it can take up to 3 months for our scheduled archiving processes to remove your records after they have been marked for removal.
8. SPECIAL CATEGORY DATA COLLECTED DURING PROVISION OF TREATMENT OR SERVICES
Medical professionals working with us
If we refer you externally for treatment, we will share with the person or organisation that we refer you to, the clinical and administrative information we consider necessary for that referral. It will always be clear when we do this.
If the practitioners treating you believe it to be clinically advisable, we may also share information about your treatment with your GP. You can ask us not to do this, in which case we will respect that request if we are legally permitted to do so, but you should be aware that it can be potentially very dangerous and/or detrimental to your health to deny your GP full information about your medical history, and we strongly advise against it.
We share with your medical insurer information about your treatment, its clinical necessity and its cost, only if they are paying for all or part of your treatment with us. We provide only the information to which they are entitled. If you raise a complaint or a claim we may be required to share personal data with your medical insurer for the purposes of investigating any complaint/claim.
If you are referred to us for treatment by the NHS, we will share the details of your treatment with the part of the NHS that referred you to us, as necessary to perform, process and report back on that treatment.
We may be requested – and in some cases can be required – to share certain information (including personal data and special category data) about you and your care with medical regulators who inspect our clinical facilities and standards. For example, if you make a complaint, or if the conduct of a medical professional involved in your treatment is alleged to have fallen below the appropriate standards, a regulatory body may wish to investigate. Regulatory bodies may include the Care Quality Commission, Health Improvement Scotland, Health Inspectorate Wales, the Regulation and Quality Improvement Authority for Northern Ireland, the Human Fertilisation and Embryology Authority (HFEA), the General Medical Council or the Nursing and Midwifery Council. Where access to personal data is granted, we always ensure that we do so within the framework of the law and with due respect for your privacy.
From time to time, we may also make information available based on necessity for the provision of healthcare, but subject always to patient confidentiality.
In an emergency and if you are incapacitated, we may also process your personal data (including special category data) or make personal data available to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).
We will use your personal data to monitor the outcome of your treatment by us and any treatment associated with your care, including any NHS treatment.
We participate in national audits and initiatives to help ensure that patients are getting the best possible outcomes from their treatment and care. The highest standards of confidentiality will be applied to your personal data in accordance with Data Protection Laws and confidentiality. Any publishing of this data will be in anonymised, statistical form. Anonymous or aggregated data may be used by us, or disclosed to others, for research or statistical purposes.
9. SECURING PERSONAL DATA
Where Kliniken acts as the controller of personal data, it will ensure that necessary and adequate safeguards (e.g. encryption) are in place to prevent unauthorised access, loss, misuse or alteration of your personal data.
Where data is stored electronically, we store all personal information on secure servers with relevant access and firewall controls.
Where data is stored on paper, or forms, all personal data is locked away when not in use and disposed of securely after use either using document shredders or third-party disposal organisations who have been contracted to dispose of documents appropriately.
Any personal data sent to Us, either in writing or email, may be insecure in transit and we cannot guarantee its delivery.
Where You use a Password to access any service provided by Kliniken this must be kept confidential and not disclosed to anyone else. Kliniken does not ask You for your password.
10. SHARING PERSONAL DATA
To provide the services to You we share the personal data that You supply with several third parties. Details of third parties with whom special category data may be shared are outlined in section 8 above. We may also share data that is not classed as special category with the third parties outlined below:
Contracted Pathology Laboratory
Contracted Operating theatre services
Contractors working for Kliniken
Clinic management software
Kliniken agree contractual arrangements with these third-party data processors to ensure that your personal data is protected in compliance with this Privacy Notice and the data protection legislation that Kliniken is required to comply with.
Unless otherwise defined above all personal data shared with third parties is stored and processed within the EU.
11. INTERNATIONAL DATA TRANSFERS
Personal data that we collect is predominantly stored and processed in the UK and the European Union, but for specific services may be transferred, stored or processed outside of the EU (designated under GDPR as “Third Countries”).
As part of providing our services to You, we will use third party data processors from Third Countries – currently there is no scope for international data transfers.
If You wish to know more about the safeguards that are in place, please contact Kliniken as outlined in Section 17.
12. DATA SUBJECT RIGHTS
Subject Access Requests
You may instruct Us to provide You with any personal data we hold about You as part of a Subject Access Request. The provision of such information will be provided to You free of charge, within one month of verifying your identity, and subject to:
Appropriate evidence of your identity, such as a passport, driving licence, a recent bank statement or utility bill.
The request not being excessive, in which case we will notify You within one month on when the request can be completed. For repetitive requests we may levy a charge which we will agree with You in advance.
In certain instances, where exemptions exist, we may withhold personal data that You request, and which is permissible by law.
Right to Rectification
You may wish to contact Us if the personal data that we hold about You needs to be corrected or updated.
Right to Erasure (Right to be forgotten)
You can contact us if You wish to have your information erased to exercise your right to be forgotten.
Right to Object (including withdrawal of consent)
For any services that You have consented to receive, including for event or marketing and communications purposes You may instruct Us at any time not to process your personal data for each purpose by means of withdrawing consent (‘opting-out’).
Right to Restriction of Processing
If You contest the accuracy of your personal data or consider that the processing is unlawful and You do not want Us to erase your personal data, or we no longer need this data for the purpose of the services we provide, You may instruct Us to restrict processing of this data.
In supplying You with our services we do not make decisions affecting you solely by automated means.
13. UPDATES / AMENDMENTS
14. THIRD PARTY WEBSITES
We are not responsible for the practices employed by Third Party Websites linked to or from our Website nor the information or content contained therein. Often links to other websites are provided solely as reference points to information on topics that may be useful to the users of our Website. Please remember that when You use a link to go from our Website to a Third-Party Website, our Privacy Notice will no longer apply. Your browsing and interaction on any other Website, including Third Party Websites, which have a link on our Website, are subject to that Website’s own Privacy Notice.
15. CONSENTS (“OPT-IN”)
16. WITHDRAWAL OF CONSENT (“OPT-OUT”)
17. DATA PROTECTION REGISTRATION
18. OUR DETAILS
Kliniken (“Kliniken Ltd”) is registered in England and Wales under company number 12532749
Our registered office is at The Pines Oakwood Park Business Centre, Fountains Road, Harrogate, United Kingdom, HG3 3BF
You can contact Us as follows:
TELEPHONE: +44 (0) 1423206388
IN WRITING: Data Protection Officer, The Pines Oakwood Park Business Centre, Fountains Road, Harrogate, United Kingdom, HG3 3BF
Last updated May 2021