1. INTRODUCTION
This Privacy Notice relates to the processing of personal data by Kliniken (“Kliniken”). Unless otherwise stated, all references to “we” or “our” shall imply any entities which form part of Kliniken and which process personal data.
This Privacy Notice also forms part of Kliniken’s obligations to be open and fair with all individuals whose personal data we process and to provide details around how we process such personal data and what we do with it.
We are committed to safeguarding the privacy of personal data and complying with the UK Data Protection Act 2018, the European General Data Protection Regulation 2016/679 (“GDPR”) of the European Parliament, and any future changes in data protection legislation that Kliniken is required to comply with.
None of the lists or examples provided in this Privacy Notice is intended to be exhaustive or fully representative of every individual.
2. SCOPE
The scope of this Privacy Notice covers website visitor personal data in respect of the following:
Collecting Personal Data
Using Personal Data
Disclosing Personal Data
Retaining Personal Data
Securing Personal Data
International Data Transfers
Data Subject Rights
Updates / Amendments
Third Party Websites
Consents (“Opt-in”)
Withdrawal of Consent (“Opt-out”)
Our Details
3. LEGAL BASIS
We are required to provide you with a legal basis for processing your personal data. We have identified Consent as the legal basis for the processing of your personal data for the purposes detailed in Section 5.
4. COLLECTING PERSONAL DATA
We may collect and store the following kinds of personal data:
Information that you give us when you enquire, become a customer or patient of ours, or apply for a job with us, including name, address and contact details (including email address and phone number)
The name and contact details (including phone number) of your next of kin
Details of referrals, quotes and other contact and correspondence we may have had with you
Details of services and/or treatment you have received from us or which have been received from a third party and referred on to us
Recordings of calls we receive or make
Notes and reports about your health and any treatment and care you have received and/or need, including about clinic and hospital visits and medicines administered
Patient feedback and treatment outcome information you provide
Information about complaints and incidents
Information you give us when you make a payment to us, such as financial or credit card information
Information that You provide to Us for the purpose of subscribing to our event and marketing communications.
Information we collect automatically when you browse one of our websites. We may collect information about your visit to our websites, your usage of the website, and your web browsing. That information may include your IP address, your operating system, your browser ID, your browsing activity, and other information about how you interacted with our website or other websites. We may collect this information as a part of log files.
We and our partners may use various technologies to collect and store information using cookies and similar tracking technologies on our website, such as pixels and web beacons, to analyse trends, administer the website, track users’ movements around the website and gather demographic information about our user base. Users can control the use of cookies at the individual browser level. For further information about cookies and how we use them please see our Cookie Notice.
When we send emails to subscribers, we may track behaviour such as who opened the emails and who clicked the links. This allows us to measure the performance of our email campaigns and to improve our features for specific segments of subscribers. To do this, we include single pixel gifs, also called web beacons, in emails we send. Web beacons allow us to collect information about when you open the email, your IP address, your browser or email client type, and other similar details.
Information to help Us comply with court orders and to exercise and defend our legal rights.
Before You disclose to Us the personal information of another person, They must provide consent to both the disclosure and the processing of that personal information in accordance with this Privacy Notice.
5. USING PERSONAL DATA
We may use your personal information to:
Enable your use of any services that we may provide through our website or third-party websites.
Supply You with our services and support of these services.
Send You event and marketing communications.
Deal with enquiries and complaints.
Comply with our legal and regulatory obligations.
Your personal data will be kept confidential and secure and will only be used for the purpose(s) for which it was collected and in accordance with this Privacy Policy, applicable Data Protection Laws, clinical records retention periods and clinical confidentiality guidelines.
Set out below are some of the ways in which we process personal data, although to do so lawfully we need to have a legal ground. We normally process personal data if it is:
necessary to provide you with our services – to enable us to carry out our obligations to you arising from any contract entered into between us and you, including relating to the provision by us of services or treatments to you and related matters such as billing, accounting and audit, credit or other payment card verification and anti-fraud screening
in our or a third party’s legitimate interests to do so
required or allowed by any applicable law
with your explicit consent, for example for direct consumer marketing communications.
Generally, we will only ask for your consent to processing if there are no other legal grounds to process. In these circumstances, we will always aim to be clear and transparent about why we need your consent and what we are asking it for. Where we are relying on consent to process personal data, you have the right to withdraw your consent at any time by contacting us using the details below, and we will stop the processing for which consent was obtained.
To process special category data we rely on additional legal grounds and generally, they are as follows:
With your explicit consent
It is necessary for the purposes of preventive or occupational medicine, to assess whether you are able to work, medical diagnosis, to provide health or social care treatment, or to manage health or social care systems and services. This may also include monitoring whether the quality of our services or treatment is meeting expectations
It is necessary to establish, make or defend legal claims or court action
It is necessary so that we can comply with employment law
It is necessary for a public interest purpose in line with any laws that are applicable. This should assist in protecting the public against dishonesty, malpractice or other seriously improper behaviour, for example, investigating complaints, clinical concerns, regulatory breaches or investigations, e.g. the Care Quality Commission or GMC or ICO.
6. DISCLOSING PERSONAL DATA
We only disclose your personal data in the ways set out in this Privacy Notice. The following circumstances may apply:
Across our different business activities, as part of improving our existing services or as part of providing new services.
To third parties who process personal data on our behalf.
To third parties who process personal data on their own behalf but provide Us, or You, with a service on behalf of us.
To any regulator, external auditor or applicable body or court where we are required to do so by law or regulation or as part of any investigation.
We do not sell, rent or trade any of your personal data. We will not, without your consent, disclose or supply your personal data to any third party for their or any other third party’s direct marketing.
7. RETAINING PERSONAL DATA
Personal data that we process, for any purpose or purposes, shall not be kept for longer than is necessary. Kliniken bases its record retention on any legal, regulatory or contractual obligations and bases these on the NHS Records Management Code of Conduct 2020 as best practice guidelines.
If You have consented to other services, the personal data necessary to provide each service will be retained until You no longer require the service, or You withdraw consent.
Please note it can take up to 3 months for our scheduled archiving processes to remove your records after they have been marked for removal.
8. SPECIAL CATEGORY DATA COLLECTED DURING PROVISION OF TREATMENT OR SERVICES
Special category data (including information relating to your health) will only be disclosed to third parties in accordance with this Privacy Policy. That includes third parties involved with your treatment or care, or in accordance with UK laws and guidelines of appropriate professional bodies. Where applicable, it may be disclosed to any person or organisation who may be responsible for meeting your treatment expenses or their agents. It may also be provided to external service providers and regulatory bodies (unless you object) for the purpose of clinical audit to ensure the highest standards of care and record keeping are maintained.
Medical professionals working with us
We share clinical information about you with our medical professionals as we consider necessary for your treatment and care. Medical professionals working with us might be our employees, or they might be independent consultants in private practice. In the case of independent consultants, the consultant is the data controller of your personal data, either alone or jointly with us and will be required to maintain their own records in accordance with Data Protection Laws and applicable clinical confidentiality guidelines and retention periods. During your treatment pathway, Kliniken is required to create and maintain a single patient record, including a complete and accurate record of the care and treatment provided, for each of our patients. However, in certain circumstances a consultant may also create and maintain their own records. Where that is the case, we may refer you to that consultant to respond to and act on any requests from you to exercise your rights over your data, under Data Protection Laws. Our contracts with independent consultants require them to cooperate with those requests. In all circumstances, those consultants will only process your personal data for the purposes set out in this Privacy Policy or as otherwise notified to you.
External practitioners
If we refer you externally for treatment, we will share with the person or organisation that we refer you to, the clinical and administrative information we consider necessary for that referral. It will always be clear when we do this.
Your GP
If the practitioners treating you believe it to be clinically advisable, we may also share information about your treatment with your GP. You can ask us not to do this, in which case we will respect that request if we are legally permitted to do so, but you should be aware that it can be potentially very dangerous and/or detrimental to your health to deny your GP full information about your medical history, and we strongly advise against it.
Your insurer
We share with your medical insurer information about your treatment, its clinical necessity and its cost, only if they are paying for all or part of your treatment with us. We provide only the information to which they are entitled. If you raise a complaint or a claim we may be required to share personal data with your medical insurer for the purposes of investigating any complaint/claim.
The NHS
If you are referred to us for treatment by the NHS, we will share the details of your treatment with the part of the NHS that referred you to us, as necessary to perform, process and report back on that treatment.
Medical regulators
We may be requested – and in some cases can be required – to share certain information (including personal data and special category data) about you and your care with medical regulators who inspect our clinical facilities and standards. For example, if you make a complaint, or if the conduct of a medical professional involved in your treatment is alleged to have fallen below the appropriate standards, a regulatory body may wish to investigate. Regulatory bodies may include the Care Quality Commission, Health Improvement Scotland, Health Inspectorate Wales, the Regulation and Quality Improvement Authority for Northern Ireland, the Human Fertilisation and Embryology Authority (HFEA), the General Medical Council or the Nursing and Midwifery Council. Where access to personal data is granted, we always ensure that we do so within the framework of the law and with due respect for your privacy.
From time to time, we may also make information available based on necessity for the provision of healthcare, but subject always to patient confidentiality.
In an emergency and if you are incapacitated, we may also process your personal data (including special category data) or make personal data available to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).
We will use your personal data to monitor the outcome of your treatment by us and any treatment associated with your care, including any NHS treatment.
We participate in national audits and initiatives to help ensure that patients are getting the best possible outcomes from their treatment and care. The highest standards of confidentiality will be applied to your personal data in accordance with Data Protection Laws and confidentiality. Any publishing of this data will be in anonymised, statistical form. Anonymous or aggregated data may be used by us, or disclosed to others, for research or statistical purposes.
9. SECURING PERSONAL DATA
Where Kliniken acts as the controller of personal data, it will ensure that necessary and adequate safeguards (e.g. encryption) are in place to prevent unauthorised access, loss, misuse or alteration of your personal data.
Where data is stored electronically, we store all personal information on secure servers with relevant access and firewall controls.
Where data is stored on paper, or forms, all personal data is locked away when not in use and disposed of securely after use either using document shredders or third-party disposal organisations who have been contracted to dispose of documents appropriately.
Any personal data sent to Us, either in writing or email, may be insecure in transit and we cannot guarantee its delivery.
Where You use a Password to access any service provided by Kliniken this must be kept confidential and not disclosed to anyone else. Kliniken does not ask You for your password.
10. SHARING PERSONAL DATA
To provide the services to You we share the personal data that You supply with several third parties. Details of third parties with whom special category data may be shared are outlined in section 8 above. We may also share data that is not classed as special category with the third parties outlined below:
Contracted Pathology Laboratory
Contracted Operating theatre services
Contractors working for Kliniken
Radiology services
Clinic management software
Marketing team
Kliniken agree contractual arrangements with these third-party data processors to ensure that your personal data is protected in compliance with this Privacy Notice and the data protection legislation that Kliniken is required to comply with.
Unless otherwise defined above all personal data shared with third parties is stored and processed within the EU.
11. INTERNATIONAL DATA TRANSFERS
Personal data that we collect is predominantly stored and processed in the UK and the European Union, but for specific services may be transferred, stored or processed outside of the EU (designated under GDPR as “Third Countries”).
As part of providing our services to You, we will use third party data processors from Third Countries – currently there is no scope for international data transfers.
If You wish to know more about the safeguards that are in place, please contact Kliniken as outlined in Section 17.
12. DATA SUBJECT RIGHTS
Subject Access Requests
You may instruct Us to provide You with any personal data we hold about You as part of a Subject Access Request. Such information will be provided to You free of charge, within one month of verifying your identity, and subject to:
Appropriate evidence of your identity, such as a passport, driving licence, a recent bank statement or utility bill.
The request not being excessive, in which case we will notify You within one month of when the request can be completed. For repetitive requests we may levy a charge which we will agree with You in advance.
In certain instances, where exemptions exist, we may withhold personal data that You request, where this is permissible by law.
Right to Rectification
You may wish to contact Us if the personal data that we hold about You needs to be corrected or updated.
Right to Erasure (Right to be forgotten)
You can contact us if You wish to have your information erased to exercise your right to be forgotten.
Right to Object (including withdrawal of consent)
For any services that You have consented to receive, including for event or marketing and communications purposes, You may instruct Us at any time not to process your personal data for each purpose by means of withdrawing consent (‘opting-out’).
Right to Restriction of Processing
If You contest the accuracy of your personal data or consider that the processing is unlawful and You do not want Us to erase your personal data, or we no longer need this data for the purpose of the services we provide, You may instruct Us to restrict processing of this data.
Automated Decisions
In supplying You with our services we do not make decisions affecting you solely by automated means.
13. UPDATES / AMENDMENTS
To remain compliant with any legal and regulatory obligations, or as part of our evolving business practices, we may update this Privacy Notice from time to time by publishing a new version on our website.
14. THIRD PARTY WEBSITES
We are not responsible for the practices employed by Third Party Websites linked to or from our Website nor the information or content contained therein. Often links to other websites are provided solely as reference points to information on topics that may be useful to the users of our Website. Please remember that when You use a link to go from our Website to a Third-Party Website, our Privacy Notice will no longer apply. Your browsing and interaction on any other Website, including Third Party Websites, which have a link on our Website, are subject to that Website’s own Privacy Notice.
15. CONSENTS (“OPT-IN”)
Kliniken would like to keep You informed about Kliniken services which You can elect to, or decline from, receiving. As part of the subscription process for each of these services you will be asked to consent to your data being processed to provide that service.
16. WITHDRAWAL OF CONSENT (“OPT-OUT”)
You have the right, at any time, to ask Us not to process your personal data for marketing purposes and any additional services that You have consented to receive. You can opt-out of receiving any of these services and communications simply by clicking the unsubscribe link on any emails You receive or contacting Us. Please note it can take up to 30 days for a request to be fulfilled for general Kliniken communications because of pre-planned or ongoing activity.
17. DATA PROTECTION REGISTRATION
Kliniken is registered as a data controller with the UK Information Commissioner’s Office. Our data protection registration number is ZB054957.
18. OUR DETAILS
Kliniken (“Kliniken Ltd”) is registered in England and Wales under company number 12532749.
Our registered office is at The Pines Oakwood Park Business Centre, Fountains Road, Harrogate, United Kingdom, HG3 3BF.
You can contact Us as follows:
EMAIL: info@kliniken.co.uk
TELEPHONE: +44 (0) 1423206388
IN WRITING: Data Protection Officer, The Pines Oakwood Park Business Centre, Fountains Road, Harrogate, United Kingdom, HG3 3BF
19. COMPLAINTS
If you are unhappy with the way in which Kliniken uses and processes your personal data, you can complain to the Information Commissioner’s Office (the supervisory authority that enforces data protection regulations in the UK). The ICO can be contacted on 0303 123 1113, or you can contact them via their website at https://ico.org.uk.
Last updated May 2021