Terms & Conditions
(1) Cancellations and Missed Appointments
We reserve the right to charge a £10 deposit if you have failed to attend your previous appointment and not given us 48 hours notice. If you cannot attend an appointment please give us at least 48 hours notice by telephoning 0800 9179334. Messages via email and other channels are not a valid form of communication.
(2) Referral Promotion Terms & Conditions
(a) The voucher should be presented at payment stage after your first consultation. It cannot be used at any other stage of treatment.
(b) Both patients must fill out the slimming referral voucher; the voucher cannot be redeemed unless both halves are completed.
(c) The clinic will check that the ‘new’ patient has not been to the clinic before or has not attended The Slimming Clinic for an appointment for the last 90 days and then the existing patient is therefore entitled to this offer.
(d) Once the ‘new’ patient has purchased a programme, both patients will receive a £25 credit on their account. This can be used against the next payment of Pay As You Slim or Change 1.
If the patient is on either Change or Transform, the credit will either be added to the patient’s account for future payments or be deducted from future direct debit payments depending on when the next payment is due to be taken.
(e) This offer cannot be used in conjunction with any other offer.
(f) The credit is valid for 6 months from the date it is applied to the account.
(3) Post and Packaging charges will apply to remote consultations.
These terms and conditions govern your use of our website; by using our website, you accept these terms and conditions in full. If you disagree with these terms and conditions or any part of these terms and conditions, you must not use our website.
(5) Quick Start Terms and Conditions
(a) Programme available to new patients and patients who are:
- new patients
- patients who haven’t attended The Slimming Clinic for an appointment for the last 90 days.
(b) Existing Change, Change One and Pay As You Slim patients can also purchase this programme and run it concurrently with their existing programme. Existing patients will not receive any additional medication.
(c) Patients have 60 days from the date of purchase to start their Quick Start programme.
(d) 48 hour cancellation policy – patients need to give 48 hours notice to change their appointment otherwise they forfeit the programme.
(6) Licence to use website
Unless otherwise stated, we or our licensors own the intellectual property rights in the website and material on the website. Subject to the licence below, all these intellectual property rights are reserved.
You may view, download for caching purposes only, and print pages or other content from the website for your own personal use, subject to the restrictions set out below and elsewhere in these terms and conditions.
You must not:
(a) republish material from this website (including republication on another website);
(b) sell, rent or sub-license material from the website;
(c) show any material from the website in public;
(d) reproduce, duplicate, copy or otherwise exploit material on our website for a commercial purpose;
(e) edit or otherwise modify any material on the website; or
(f) redistribute material from this website except for content specifically and expressly made available for redistribution (such as our downloadable PDFs).
Where content is specifically made available for redistribution, it may only be redistributed within your organisation.
(7) Acceptable use
You must not use our website in any way that causes, or may cause, damage to the website or impairment of the availability or accessibility of the website; or in any way which is unlawful, illegal, fraudulent or harmful, or in connection with any unlawful, illegal, fraudulent or harmful purpose or activity. You must not use our website to copy, store, host, transmit, send, use, publish or distribute any material which consists of (or is linked to) any spyware, computer virus, Trojan horse, worm, keystroke logger, rootkit or other malicious computer software. You must not conduct any systematic or automated data collection activities (including without limitation scraping, data mining, data extraction and data harvesting) on or in relation to our website without our express written consent. You must not use our website to transmit or send unsolicited commercial communications. You must not use our website for any purposes related to marketing without our express written consent.
(8) Restricted access
Access to certain areas of our website is restricted. We reserve the right to restrict access to other areas of our website, or indeed our whole website, at our discretion.
If we provide you with a user ID and password to enable you to access restricted areas of our website or other content or services, you must ensure that that user ID and password is kept confidential.
(9) User generated content
In these terms and conditions, “your user content” means material (including without limitation text, images, audio material, video material and audio-visual material) that you submit to our website, for whatever purpose.
You grant to us a worldwide, irrevocable, non-exclusive, royalty-free licence to use, reproduce, adapt, publish, translate and distribute your user content in any existing or future media. You also grant to us the right to sub-license these rights, and the right to bring an action for infringement of these rights.
Your user content must not be illegal or unlawful, must not infringe any third party’s legal rights, and must not be capable of giving rise to legal action whether against you or us or a third party (in each case under any applicable law).
You must not submit any user content to the website that is or has ever been the subject of any threatened or actual legal proceedings or other similar complaint.
We reserve the right to edit or remove any material submitted to our website, or stored on our servers, or hosted or published upon our website.
[Notwithstanding our rights under these terms and conditions in relation to user content, we do not undertake to monitor the submission of such content to, or the publication of such content on, our website.]
(10) Limited warranties
Whilst we endeavour to ensure that the information on this website is correct, we do not warrant its completeness or accuracy; nor do we commit to ensuring that the website remains available or that the material on the website is kept up-to-date.
To the maximum extent permitted by applicable law we exclude all representations, warranties and conditions relating to this website and the use of this website (including, without limitation, any warranties implied by law of satisfactory quality, fitness for purpose and/or the use of reasonable care and skill).
(11) Limitations of liability
Nothing in these terms and conditions (or elsewhere on our website) will exclude or limit our liability for fraud, for death or personal injury caused by our negligence, or for any other liability which cannot be excluded or limited under applicable law.
Subject to this, our liability to you in relation to the use of our website or under or in connection with these terms and conditions, whether in contract, tort (including negligence) or otherwise, will be limited as follows:
(a) to the extent that the website and the information and services on the website are provided free-of-charge, we will not be liable for any loss or damage of any nature;
(b) we will not be liable for any consequential, indirect or special loss or damage;
(c) we will not be liable for any loss of profit, income, revenue, anticipated savings, contracts, business, goodwill, reputation, data, or information;
(d) we will not be liable for any loss or damage arising out of any event or events beyond our reasonable control;
(e) our maximum liability in relation to any event or series of related events will be limited to zero.
You hereby indemnify us and undertake to keep us indemnified against any losses, damages, costs, liabilities and expenses (including without limitation legal expenses and any amounts paid by us to a third party in settlement of a claim or dispute on the advice of our legal advisers) incurred or suffered by us arising out of any breach by you of any provision of these terms and conditions, [or arising out of any claim that you have breached any provision of these terms and conditions].
(13) Breaches of these terms and conditions
Without prejudice to our other rights under these terms and conditions, if you breach these terms and conditions in any way, we may take such action as we deem appropriate to deal with the breach, including suspending your access to the website, prohibiting you from accessing the website, blocking computers using your IP address from accessing the website, contacting your internet service provider to request that they block your access to the website and/or bringing court proceedings against you.
We may revise these terms and conditions from time-to-time. Revised terms and conditions will apply to the use of our website from the date of the publication of the revised terms and conditions on our website. Please check this page regularly to ensure you are familiar with the current version.
We may transfer, sub-contract or otherwise deal with our rights and/or obligations under these terms and conditions without notifying you or obtaining your consent.
You may not transfer, sub-contract or otherwise deal with your rights and/or obligations under these terms and conditions.
If a provision of these terms and conditions is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions will continue in effect. If any unlawful and/or unenforceable provision would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect.
(17) Exclusion of third party rights
These terms and conditions are for the benefit of you and us, and are not intended to benefit any third party or be enforceable by any third party. The exercise of our and your rights in relation to these terms and conditions is not subject to the consent of any third party.
(18) Entire agreement
(19) Law and jurisdiction
These terms and conditions will be governed by and construed in accordance with English law, and any disputes relating to these terms and conditions will be subject to the [non-]exclusive jurisdiction of the courts of England and Wales.
These terms and conditions are provided courtesy of Website Contracts and Website Law
(20) Weight Loss Counter Terms and Conditions
The weight loss recorded is of patients who have received treatment at The Slimming Clinic since October 2012 or who are currently receiving weight loss treatment / service from The Slimming Clinic.
- Only Patients’ combined individual weight loss is recorded from all The Slimming Clinic.
- All figures are rounded to the nearest pound.
- All figures are calculated and submitted by clinic staff, therefore are subject to human error. However, we make every effort to ensure accuracy.
- The data included in the figure has been collected since October 2012.
- Figures are reported to the best of the company’s awareness. Any misrepresentation is accidental.
- The Slimming Clinic does not guarantee 100% accuracy of the data.
The data controller is Slim Holdings Limited, company number 02284712, registered in England and Wales at 5 Trinity, 161 Old Christchurch Road, Bournemouth, BH1 1JW. The Slimming Clinic is the trading name of Slim Holdings Limited.
(22) Collection and Use of Personal Information
Personal information is data that can be used to identify an individual, including contact details.
If you enquire about, or engage our services, you will be asked to provide some personal information. We collect this information so that we can provide our services to you in a safe, effective and responsible way. As a provider of medical services, we have legal and regulatory responsibilities to record and store items of personal data, and we may not be able to provide our services without this information.
(a) What personal information we collect
When you register as a patient of The Slimming Clinic, attend a consultation, receive treatment, or make certain enquiries, we will ask you for a variety of information, including your name, address, phone number, email address, date of birth, gender, occupation, and relevant medical information, including your medical history.
With your written permission, we may also contact your GP for your medical records if we consider this necessary for your treatment.
(b) How we use your personal information
The personal information we collect allows us to ensure we provide a safe, effective service while complying with our legal and regulatory responsibilities.
We use your personal information to carry out our contractual obligations to you and, when you make an enquiry, to provide you with information on our products and services.
We will use your address, email address and/or phone number to contact you about any changes to our service and regarding your appointment(s) at our clinic(s). This may include contacting you to remind you of your appointment, to confirm attendance or with regards to our invoice(s). If you miss an appointment, we may contact you to reschedule an appointment.
With your explicit written consent, our doctors use your medical information to ensure you are medically suitable to benefit from treatments and that any associated risks are minimised. If you do not consent to us using your medical information, we may not be able to provide you with the treatment/services that you want.
We also use your personal information for internal purposes such as auditing, data analysis and research so that we can comply with legal and regulatory responsibilities and so that we can ensure our services are continually reviewed for effectiveness and safety.
In exceptional circumstances, we may use your personal information to inform you of important safety notices, for example, in the event of a medication recall. Because this information relates to patient safety, you may not opt out of receiving these communications.
We may with your explicit written consent share your personal information with your GP as part of our legal, regulatory and ethical responsibilities to your health and safety. We may without your explicit consent share your personal information with your GP or other medical provider in the event of a medical emergency.
We may with your consent use your personal information to send information to you regarding our products and services. When you enquire about or engage our services we will ask you if you want to receive this type of information from us. If you change your mind and you do not want to receive this information having previously consented, you can opt out at any time by contacting us by phone on 0800 9179334, email at firstname.lastname@example.org, using our website contact options, or by using the unsubscribe link on our emails.
(c) Protection of Personal Information
The Slimming Clinic takes the security of your personal information very seriously.
When The Slimming Clinic stores your personal data electronically, we use computer systems with limited access in facilities protected by physical security measures. This includes electronic data stored on third-party systems, and access is limited to The Slimming Clinic’s employees and designated support staff only. Our electronic data is routinely backed up to a secure server to prevent damage or loss. All of our servers are based in the European Economic Area (EEA) and we do not transfer your data outside of the EEA.
Where The Slimming Clinic stores your personal data in hardcopy, we limit access to this data using physical security measures.
When you use some of The Slimming Clinic’s services (for example, our social media pages or forums), the personal information and content you share is visible to other users and can be read, collected, or used by them. You are responsible for the personal information you choose to share or submit in these instances. Please take care when using these features.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. However, once we have received your information, we will use strict procedures and security features to try and prevent unauthorised access.
(d) Website “cookies” and Other Technologies
The Slimming Clinic’s website, online services, interactive applications, mobile device apps, social media pages and advertisements may use “cookies” and other similar technologies. These technologies help us better understand user behaviour, tell us which parts of our website people have visited, and facilitate and measure the effectiveness of advertisements and web searches.
The data gathered by website “cookies” and other similar technologies is Non-Personal information and cannot be used to identify any specific individual.
Our Live Chat website feature may record your IP address for the purposes of facilitating the conversation between our support staff and yourself.
On visiting our website, you will be presented with the option to decline the use of “cookies,” which you can do with no detrimental effect to the provision of our services to you. Additionally, most web browsers have the facility to disable cookies and other tracking technologies – you should refer to guidance for your particular browser software.
(e) Disclosure to Third Parties
The Slimming Clinic may use third parties to store your information in order to utilise technology to provide our services to you in the most efficient and safe way. For example, we may utilise electronic practice management software to arrange appointments, which involves storing your information on third party systems.
Any third parties used to store your information can only access the information in a support capacity. Further access is only available to The Slimming Clinic employees and support staff.
It may be necessary – by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence – for The Slimming Clinic to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.
Additionally, in the event of a reorganisation, merger, or sale, we may transfer any and all personal information we collect to the relevant third party.
Integrity and Retention of Personal Information
The Slimming Clinic endeavours to keep your personal information accurate, complete, and up to date. Providing a medical service means that we have obligations to keep certain recorded information for specific lengths of time, so we will retain your personal information only for as long as is required to provide requested services to you, or as is required by law or regulation. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
(f) Access to Personal Information and other rights
You are entitled to request a copy of any personal information we hold relating to you as an individual. This is usually provided free of charge and supplied within 30 days. Requests should be made either in writing, or by email to our head office or to your local clinic. We may ask you for proof of your identity before providing you with the data.
You also have the right to ask us to rectify inaccurate personal data, to erase your personal data in certain circumstances, to restrict processing of your personal data where, for example, the data is inaccurate, and the right to obtain and reuse your personal data for your own purposes across different services (right to data portability). Further details of your rights can be found in our Data Protection Policy below.
If you have any concerns about the processing of your personal data, we hope that you will contact us in the first instance. However, if you wish, you can raise your concerns directly with the Information Commissioner’s Office (ICO). For details on how to contact the ICO, please go to their website https://ico.org.uk/concerns/ or call 0303 123 1113.
(23) The Slimming Clinic’s Data Protection Policy (GDPR)
The Slimming Clinic is the trading name of Slim Holdings Limited, company number 02284712, registered in England and Wales at 1st Floor Rear Suite, Telephone House, 18 Christchurch Rd, Bournemouth BH1 3NE
The Slimming Clinic is committed to complying with privacy and data protection laws, including:
- The General Data Protection Regulation, EU Regulation 2016/679 (“the GDPR”) and any related legislation which applies in the UK, including, without limitation, any legislation replacing and/or repealing the Data Protection Act 1998;
- The Privacy and Electronic Communications Regulations (2003) and any successor or related legislation, including without limitation, E-Privacy Regulation 2017/0003;
- All other applicable laws and regulations relating to the processing of personal data and privacy, including statutory instruments and, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office (“ICO”) or any other supervisory authority.
(together “the Legislation”)
This policy sets out what we do to protect individuals’ personal data.
Anyone who handles personal data in any way on behalf of The Slimming Clinic must ensure that we comply with this policy. The definition of “personal data” is outlined below. Any breach of this policy will be taken seriously and may result in disciplinary action and sanctions, including dismissal for serious breaches of this policy.
This policy may be amended from time to time to reflect any changes in legislation, regulatory guidance or internal policy decisions.
(a) POLICY PARTICULARS
The Slimming Clinic handles personal data relating to:
- Employees
- Patients
- Self-employed consultants
- Potential patients with registered interest
Tom Pearson (Data Protection Officer) is responsible for ensuring compliance with the GDPR and with this policy. Any questions or concerns about this policy should be referred in the first instance to Tom Pearson at 1st Floor Rear Suite, Telephone House, 18 Christchurch Rd, Bournemouth BH1 3NE
(b) DEFINITIONS OF DATA PROTECTION TERMS
The following terms will be used in this policy and are defined below:
Data Subjects include all living individuals about whom we hold personal data, for instance, an employee or a patient. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data. In particular, data subjects in the European Union have rights under the GDPR.
Personal Data means any information relating to a living person who can be identified directly or indirectly from that information (or from that information and other information in our or another’s possession e.g. pseudonymisation). Personal data can be factual (such as a name, address, or date of birth) or it can be an opinion (such as those contained in a performance appraisal). It can also include an identifier such as an identification number, location data, an online identifier specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Controllers are the people who, or organisations which, decide the purposes and the means for which, any personal data is processed. They have a responsibility to process personal data in compliance with the Legislation. Slim Holdings Limited, trading as The Slimming Clinic is the data controller of all personal data that we manage in connection with our work and activities.
Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include other organisations such as website hosts, fulfilment houses or other service providers which handle personal data on our behalf.
European Economic Area includes all countries in the European Union as well as Norway, Iceland and Liechtenstein.
ICO means the Information Commissioner’s Office (the authority which oversees data protection regulation in the UK).
Processing is any activity that involves the use of personal data, whether or not by automated means. It includes but is not limited to:
- Collecting
- Recording
- Organising
- Structuring
- Storing
- Adapting or altering
- Retrieving
- Disclosing by transmission
- Disseminating or otherwise making available
- Alignment or combination
- Restricting
- Erasing
- Destruction of personal data
Sensitive Personal Data (which is defined as “special categories of personal data” under the GDPR) includes information about a person’s:
- Racial or ethnic origin
- Political opinions
- Religious, philosophical or similar beliefs
- Trade union membership
- Physical or mental health or condition
- Sexual life or orientation
- Genetic data
- Biometric data
- Such other categories of personal data as may be designated as “special categories of personal data” under the Legislation.
(c) PROTECTION PRINCIPLES
Anyone processing personal data must comply with the six data protection principles set out in the GDPR. We are required to comply with these principles (summarised below), and show that we comply, in respect of any personal data that we deal with as a data controller.
Personal data should be:
- Processed fairly, lawfully and transparently
- Collected for specified, explicit and legitimate purposes and not further processed in a way which is incompatible with those purposes
- Adequate, relevant and limited to what is necessary for the purpose for which it is processed
- Accurate and, where necessary, kept up to date having regard to the purposes for which they are processed
- Not kept longer than necessary
- Processed in a manner that ensures appropriate security of the personal data
(d) PROCESSING DATA FAIRLY, LAWFULLY AND IN A TRANSPARENT MANNER
The first data protection principle requires that personal data is obtained fairly and lawfully and processed for purposes that the data subject has been told about. Processing will only be lawful if certain conditions can be satisfied, including where the data subject has given consent, or where the processing is necessary for one or more specified reasons, such as where it is necessary for the performance of a contract.
To comply with this principle, every time we receive personal data about a person directly from that individual, which we intend to keep, we need to provide that person with information relating to the processing that we intend to carry out. In particular, we will tell them:
- The type of information we will be collecting (categories of personal data concerned)
- Who will be holding their information, i.e. The Slimming Clinic
- Why we are collecting their information and what we intend to do with it
- The legal basis for collecting and processing their personal information
- If we are relying on legitimate interests as a basis for processing, what those legitimate interests are
- Whether the provision of their personal data is part of a statutory or contractual obligation and details of the consequences of the data subject not providing that data
- The period for which their personal data will be stored or, where that is not possible, the criteria that will be used to decide that period
- Details of the people or organisations with whom we will be sharing their personal data
- If relevant, the fact that we will be transferring their personal data outside the EEA and details of relevant safeguards
- The existence of any automated decision-making including profiling in relation to that personal data
Where we obtain personal data about a person from a source other than the person himself or herself, we must provide that individual with the following information in addition to the above:
- The categories of personal data that we hold
- The source of the personal data and whether this is a public source
In addition, in both scenarios (where personal data is obtained both directly and indirectly), we must also inform individuals of their rights outlined below, including the right to lodge a complaint with the ICO and the right to withdraw consent to the processing of their personal data.
This fair processing information can be provided in a number of places including on web pages, in mailings or on application forms. We must ensure that the fair processing information is concise, transparent, intelligible and easily accessible.
(e) PROCESSING DATA FOR THE ORIGINAL PURPOSE
The second data protection principle requires that personal data is only processed for the specific, explicit and legitimate purposes that the individual was told about when we first obtained their information.
This means that, ordinarily, we should not collect personal data for one purpose and then use it for another. If it becomes necessary to process a person’s information for a new purpose, that is not specifically permitted by the GDPR, the individual should be informed of the new purpose beforehand.
(f) PERSONAL DATA SHOULD BE ADEQUATE AND ACCURATE
The third and fourth data protection principles require that personal data that we keep should be accurate, adequate and relevant. Data should be limited to what is necessary in relation to the purposes for which it is processed. Personal data that is no longer needed should be destroyed securely, and we must take every reasonable step to ensure that personal data which is inaccurate is corrected.
(g) NOT RETAINING DATA LONGER THAN NECESSARY
The fifth data protection principle requires that we should not keep personal data for longer than we need to for the purpose it was collected for. This means that the personal data that we hold should be destroyed or erased from our systems when it is no longer needed.
As a provider of medical services, we are legally required to hold certain data for specific periods of time. For guidance on how long particular types of personal data that we collect should be kept for before being destroyed or erased, please contact Tom Pearson (Data Protection Officer).
(h) DATA SECURITY
The sixth data protection principle requires that we keep secure any personal data that we hold.
We are required to put in place procedures to keep the personal data that we hold secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
When we are dealing with sensitive personal data, more rigorous security measures are likely to be needed, for instance, if sensitive personal data (such as details of an individual’s health, race or sexuality) is held on a memory stick or other portable device it should always be encrypted.
When deciding what level of security is needed, our starting point will be to look at whether the information is sensitive or highly confidential and how much damage could be caused if it fell into the wrong hands.
The following security procedures and monitoring processes must be followed in relation to all personal data processed by us:
- Backing up data (daily back-ups are taken of all the data on the system and data should not be stored by staff on local drives or removable media as these will not be backed up)
- Staff should always ensure that individual monitors do not show confidential information to passers-by and that they log off or “lock” their PC when it is left unattended
- Paper documents should be shredded, memory sticks, CD-ROMs and other media on which personal data is stored should be physically destroyed when they are no longer required
- Personal data must always be transferred in a secure manner (the degree of security required will depend on the nature of the data)
- Desks and cupboards should be kept locked if they hold confidential information of any kind
- Staff must keep data secure when travelling or using it outside the offices
- Staff must take steps to ensure we are giving information only to authorised persons when it is requested. This involves requesting at least two pieces of security information that you can match with data we have on record, for example, a date of birth and a postcode.
RIGHTS OF INDIVIDUALS UNDER THE GDPR
The GDPR gives people rights in relation to how organisations process their personal data. Everyone who holds personal data on behalf of The Slimming Clinic needs to be aware of these rights. They include (but are not limited to) the right:
- To request a copy of any personal data that we hold about them (as a data controller), as well as a description of the type of information that we are processing, the uses that are being made of the information, details of anyone to whom their personal data has been disclosed, and how long the data will be stored (known as subject access rights)
- To be told, where any information is not collected from the person directly, any available information as to the source of the information
- To be told of the existence of automated decision-making
- To object to the processing of data where the processing is based on either the conditions of public interest or legitimate interests
- To object to direct marketing, including profiling for such purposes
- To have all personal data erased (the right to be forgotten) unless certain limited conditions apply
- To restrict processing where the individual has objected to the processing
- To have inaccurate data amended or destroyed
- To obtain and reuse their personal data for their own purposes across different services (right to data portability). This right only applies to data that has been provided to us by the data subject, where the processing is based on consent or the performance of a contract and when processing is carried out by automated means. The data will be provided in a structured, commonly used and machine-readable format.
(i) SUBJECT ACCESS REQUESTS
Under the GDPR, people have the right to request a copy of any personal data we hold about them. To do this, they must request a copy of the data in writing (email requests are valid as are requests made via other social media platforms). Staff should refer all such requests to Tom Pearson (HR & Operations Manager) immediately on receiving a request and in any event within 24 hours. Staff should not disclose personal data themselves in response to a request.
In almost all cases, there will be no charge for a subject access request and the company should usually respond to the request within one month of receipt of the request.
We must verify the identity of the individual making the request by asking for proof of ID.
(j) TRANSFERRING DATA OUTSIDE THE EEA
The GDPR requires that when organisations transfer personal data outside the EEA, they take steps to ensure that the data is properly protected.
The European Commission has determined that certain countries provide an adequate data protection regime. These countries currently include Andorra, Argentina, Canada, Guernsey, Isle of Man, Israel, New Zealand, Switzerland, Faroe Islands, Jersey and Uruguay, but this list may be updated.
As such, personal data may be transferred to people or organisations in these countries without the need to take additional steps beyond those you would take when sharing personal data with any other organisation. In transferring personal data to other countries outside the EEA (which are not on this approved list), it will be necessary to enter into an EC-approved agreement, seek the explicit consent of the individual, or rely on one of the other derogations under the GDPR that apply to the transfer of personal data outside the EEA.
We currently do not transfer any personal data outside of the EEA.
For further information, please speak to Catherine Meyrick (Data Protection Officer).
(k) PROCESSING SENSITIVE PERSONAL DATA
On some occasions we may collect information about individuals that is defined by the GDPR as special categories of personal data, and special rules will apply to the processing of this data. In this policy we refer to “special categories of personal data” as “sensitive personal data.” The categories of sensitive personal data are defined earlier in this document.
Purely financial information is not technically defined as sensitive personal data by the GDPR. However, particular care should be taken when processing such data, as the ICO will treat a breach relating to financial data very seriously.
In most cases, in order to process sensitive personal data, we must obtain explicit consent from the individuals involved. As with any other type of information we will also have to be absolutely clear with people about how we are going to use their information.
As The Slimming Clinic provides a medical service, we have a legal and regulatory obligation to obtain and record certain medical information. If an individual is not willing to provide “explicit consent” to us processing relevant medical or sensitive personal data then we will have to refuse treatment or services.
We recognise that whilst there is no obligation for us to make an annual notification to the ICO under the GDPR, we will consult with the ICO where necessary if and when we are carrying out “high risk” processing.
We will report breaches (other than those which are unlikely to be a risk to individuals) to the ICO where necessary, within 72 hours. We will also notify affected individuals where the breach is likely to result in a high risk to the rights and freedoms of these individuals.
Staff who become aware of a breach should immediately notify their line manager and Tom Pearson (HR & Operations Manager).
(m) MONITORING AND REVIEW OF THE POLICY
This policy is reviewed annually by the company Directors and Senior Management to ensure that it is achieving its objectives.