This privacy notice is provided to inform about how and why your personal data is used so that we can be as transparent as possible, and to ensure that you are aware of your rights under data protection legislation.
We are Ocean Wood Aesthetics, a trading name of Cutting Edge Aesthetics Limited. We are the Data Controller and our correspondence address is Stringer Hall, East Street, Petworth, West Sussex, GU28 0AB. We can be contacted on 01798 344663 or firstname.lastname@example.org
The purpose for processing your data and our basis for doing so
We process your personal data so we can provide our range of aesthetic treatments and consultations as well as provide you with information about our products and special offers.
We obtain your data in several ways, for example through our enquiry contact form on our website and booking platform; the information we collect is your name and contact details. When you attend our premises for your consultation and / or treatment, we will take your address and date of birth, as we do not offer treatments for clients under the age of 16 years. We will also process financial details when you make card payments through our payment provider. We do this processing under Article 6.1.f UK GDPR – Legitimate Interest as we have a legitimate interest in growing our business and client base.
Prior to any treatment being provided, we collect medical information to ensure that the treatment is compatible with certain medical conditions. We collect and process this information under Article 6.1.a – Consent and because medical information is classified as special category, we use Article 9.2.a – Explicit Consent. You can withdraw consent to process this information at any time by contacting us.
If you fail to provide the information required, we will be unable to provide the agreed services to you.
We may, from time to time, conduct direct marketing by email and SMS so we can provide clients with updates on treatments and special offers. We undertake this marketing in accordance with the Privacy and Electronic Communications Regulations 2003, which means that, when you complete your treatment form, we will give you the opportunity to opt out of direct marketing by phone or SMS.
Recipients of your data
As a general principle, we will not transfer your personal data to other recipients without your permission. There are some exceptions to this:
- It is possible that we might be obliged to disclose personal information in response to a court order or other lawful obligation. Our lawful basis for this is Article 6.1.c – Legal Obligation.
- Our external accountants will have some limited access to your personal data through the preparation of our accounts. Our lawful basis for this is Article 6.1.f – Legitimate Interest; we have a legitimate interest in having our accounts correctly managed and filed.
- If you do not pay your bills, we may choose to engage a third party to recover any money you owe us. Our lawful basis for this is Article 6.1.f – Legitimate Interest; we have a legitimate interest to pursue money owed to us.
- We do share your personal data with our own surgical business and / or private hospitals we refer to. Our lawful basis for this is Article 6.1.a and Article 9.2.a – Consent.
Data processed by third parties on our behalf
We use the services of other organisations in processing your data. We use external accountants, cloud based email and document storage, and video conference platforms, and our website processes limited personal data such as through our contact form. We use a cloud based practice management platform to transfer data, when appropriate, to our surgical centre. Your card payments are made securely through our accredited payment provider.
Those organisations that process personal data on our behalf are subject to a data processing agreement as required by Article 28 of the UK GDPR. This ensures that your data is handled securely in accordance with the UK GDPR.
Transferring your data outside of the UK
We transfer personal data outside of the UK / EEA by virtue of our cloud based platforms. This transfer is to the USA and this international transfer is undertaken using approved Standard Contractual Clauses.
We will retain your data only for the time we require it for the purposes stated and / or where we have a legal obligation. We will retain the personal data for the duration of our commercial relationship, and data which is required for accounting purposes is held for 7 years subsequently. Otherwise, we will retain your personal data for 3 years.
The UK GDPR provides you with several rights in relation to the data we process. The rights relevant to our activities are:
- You have the right to get access to and copies of your personal data.
- You can, in certain circumstances, restrict our processing of your data and request us to erase it (although we may have to retain some for legal reasons).
- You can ask us to rectify any inaccurate information we may be holding.
If you want to exercise any of these rights, please contact us using the above contact details.
You also have the right to lodge a complaint about our processing with a supervisory authority — the UK’s Information Commissioner’s Office.
Information Commissioner’s Office
Telephone: 0303 123 1113