Privacy statement policy
Introduction
CityDoc Medical Ltd (“we”, “our” or “us”) understand that your privacy is important to you and that you care about how your personal data is used and shared online. We respect and value the privacy of everyone who visits our websites, citydoc.org.uk and any current or future subdomains, and will only collect and use personal data in ways that are described here, and in a manner that is consistent with our obligations and your rights under the law.
Please read this Privacy Policy carefully and ensure that you understand it.
It is likely that we will need to update this policy from time to time. We’ll let you know about significant changes, but you’re welcome to review the policy whenever you wish.
It also describes your choices regarding the use, access and deletion of your personal information.
Definitions
Cookie – means a small text file placed on your computer or device by our sites when you visit certain parts of our sites and/or when you use certain features of our sites;
Cookie Law – means the relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003;
Personal data – means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data. In this case, it means personal data that you give to us via Our Site. This definition shall, where applicable, incorporate the definitions provided in the EU Regulation 2016/679 – the General Data Protection Regulation (“GDPR”) or the Data Protection Act (“DPA”) 2018.
Contact and data protection officer
CityDoc Medical Limited is registered as a Data Controller with the Information Commissioner’s Office (ICO – the UK’s regulator for data protection) within tier 2, under registration number ZA566001.
If you have any questions about this notice, or would like to invoke your rights then please contact us on:
CityDoc Medical Limited
5 Portmill Lane
Hitchin, Herts SG5 1DJ
United Kingdom
Company number: 07619063
Mail: privacy@elcg.dk
Or get in touch with our Data Protection Officer:
GDPR Assist UK LTD
dpo@citydoc.org.uk
Which personal data do we process and with what purpose
We process your personal data for a variety of purposes as set out in the sections below, which also show our lawful basis under UK data protection legislation (UK GDPR) for doing so.
When you visit our websites
Purpose
When you visit our websites, we collect information about your behaviour to obtain statistics on the site use and for marketing on social media.
Legal basis for processing of personal data
The processing of personal data is based on your consent. Please note that you can withdraw your consent at any point.
Categories of personal data
We collect only personal data provided by you, which consists of IP address and your browsing behaviour.
Recipients of personal data
Your information is shared with Meta and Google.
Retention
The information used for statistics purposes is kept for 24 months, after which it is automatically deleted.
Automated decision-making and profiling
The collected personal information is not used for automated decision-making nor profiling.
Cookies
We use cookies on our websites. Please consult our cookie policy for additional information.
Links to other websites
There may be links on our websites that lead to other sites or our partners. We cannot be held responsible for the content of these sites or collection of personal data carried out there and you should read their Privacy Notices for information about their processing.
When you sign up to receive our newsletter
Purpose
When you sign up to receive our newsletter, we process the provided personal information to send you e-mails with news, offers, new products and services, invitations to events, as well as general marketing materials.
Legal basis for processing of personal data
The processing of personal data is based on your consent. Please note that you can withdraw your consent at any point.
Categories of personal data
We collect your contact details (name and e-mail address) together with user behaviour (interaction with the newsletter).
Recipients of personal data
The personal data remain within our control and are not shared with third parties other than the technology providers who support our service delivery (see Who Do We Share Your Personal Data With below).
Retention
Your personal data are kept for as long as you are an active subscriber to the newsletter or until you withdraw your consent. The personal data are also deleted when the newsletter cannot be delivered (e.g., the e-mail account is closed).
Automated decision-making and profiling
The collected personal information is not used for automated decision-making nor profiling.
When you get vaccinated by us
Purpose
When you get vaccinated by us, we process your information to carry out the medical procedure (vaccination).
The provided details will not be used to sign you up to a newsletter, unless you specifically give consent to marketing when making the registration.
Legal basis for processing of personal data
The legal basis for processing your personal data is the performance of our contract with you (or our legitimate interests in performing the contract if the vaccination has been arranged by someone else other than you, e.g. your employer). We process your health-related data for reasons of providing preventive or occupational medicine in accordance with UK GDPR and the Data Protection Act 2018.
For the newsletter registration, an additional legal basis in the form of consent is utilised (see above section)
Categories of personal data
We collect your basic identity information (e.g. name, birth date, …), contact details, travel plans and medical data so that we can provide the best advice on the needed vaccines.
Recipients of personal data
Unless you have specifically requested (and permitted us) to share your information with your GP, the personal data remain within our control and are not shared with third parties other than the technology providers who support our service delivery (see Who Do We Share Your Personal Data With below).
Retention
We store your personal data as long as it is either required by the applicable legislation or as long as we consider it may be relevant for health professional reasons or for the sake of our continued servicing to you. Since information about vaccinations can in principle be relevant throughout life, we have no fixed routines for deleting such data.
If you have signed up for a newsletter, contact personal data are stored as long as you are actively subscribed to the newsletter or until you withdraw your consent. The personal information is also deleted if technical reception of the e-mail is refused (e.g. if the e-mail account is closed).
In case you book a consultation for vaccination, but do not attend, your data are deleted after 3 months.
Automated decision-making and profiling
The collected personal information is not used for automated decision-making nor profiling.
When you get a test with us
Purpose
When you get tested for diseases or specified medical parameters by us, we process your information to carry out the medical procedure (blood or urine test) and provide you with the result.
The presented details will not be used to sign you up to a newsletter, unless you specifically give consent to marketing when making the registration.
Legal basis for processing of personal data
The legal basis for processing your personal data is the performance of our contract with you (or our legitimate interests in performing the contract if the test has been arranged by someone else other than you, e.g. your employer). We process your health-related data for reasons of providing preventive or occupational medicine in accordance with UK GDPR and the Data Protection Act 2018.
For the newsletter registration, an additional legal basis in the form of consent is utilised (see above section 6.2)
Categories of personal data
We collect your basic identity information (e.g. name, birth date, …), contact details, travel plans, medical data, and biological samples.
Recipients of personal data
Apart from the samples themselves which are shared with The Doctors Laboratory, the personal data remains within our control and is not shared with third parties other than the technology providers who support our service delivery (see Who Do We Share Your Personal Data With below).
Retention
We store your personal data as long as it is either required by applicable legislation or as long as we consider it may be relevant for health professional reasons or for the sake of our continued servicing to you.
If you have signed up for a newsletter, contact personal data are stored as long as you are actively subscribed to the newsletter or until you withdraw your consent. The personal information is also deleted if technical reception of the e-mail is refused (e.g. if the e-mail account is closed).
The clinical test samples are destroyed immediately after the conclusion of the analysis (max 7 days).
In case you book a consultation for a test, but do not attend, your data are deleted after 3 months.
Automated decision-making and profiling
The collected personal information is not used for automated decision-making nor profiling.
When you use our private GP services
Purpose
The legal basis for processing your personal data is the performance of our contract with you (or our legitimate interests in performing the contract if the consultation has been arranged by someone else other than you, e.g. your employer). We process your health-related data for reasons of providing preventive or occupational medicine in accordance with UK GDPR and the Data Protection Act 2018.
The presented details will not be used to sign you up to a newsletter, unless you specifically give consent to marketing when making the registration.
Legal basis for processing of personal data
The legal basis for processing personal data is preventive or occupational medicine, as well as honouring contract and legal requirements.
For the newsletter registration, an additional legal basis in the form of consent is utilised.
Categories of personal data
We collect your basic identity information (e.g. name, birth date, …), contact details, and medical data.
Recipients of personal data
Unless you have specifically requested (and permitted us) to share your information with your GP, the personal data remain within our control and are not shared with third parties other than the technology providers who support our service delivery (see Who Do We Share Your Personal Data With below).
Retention
We store your personal data as long as it is either required by applicable legislation or as long as we consider it may be relevant for health professional reasons or for the sake of our continued servicing to you.
If you have signed up for a newsletter, contact personal data are stored as long as you are actively subscribed to the newsletter or until you withdraw your consent. The personal information is also deleted if technical reception of the e-mail is refused (e.g. if the e-mail account is closed).
In case you book a consultation but do not attend, your data are deleted after 3 months.
Automated decision-making and profiling
The collected personal information is not used for automated decision-making nor profiling.
When you call our support
Purpose
When you call our support, we process the provided personal information with the purpose of resolving your query (e.g., making an appointment or providing information about vaccination).
Legal basis for processing of personal data
Your data are processed because we have a legitimate interest in managing and responding to your query. If any special category data are included (such as health related data) then we process those for the purpose of delivering preventative medicine and the provision and management of healthcare in accordance with UK GDPR and the Data Protection Act 2018.
Categories of personal data
We strive to collect only information that is absolutely necessary to resolve your request – usually though it will include identity and contact details (name, date of birth, etc), travel information, as well as relevant elements of medical history.
Recipients of personal data
The personal data remain within our control and are not shared with third parties other than the technology providers who support our service delivery (see Who Do We Share Your Personal Data With below).
Retention
The personal data will be deleted when it is no longer relevant, in most cases, within 12 months of the request getting resolved.
Automated decision-making and profiling
The collected personal information is not used for automated decision-making nor profiling.
When you write an e-mail to us
Purpose
When you write to us, we process the provided personal information with the aim of solving the query you have approached us with.
Legal basis for processing of personal data
Your data are processed because we have a legitimate interest in managing and responding to your query. If any special category data are included (such as health related data) then we process those for the purpose of delivering preventative medicine and the provision and management of healthcare in accordance with UK GDPR and the Data Protection Act 2018.
Categories of personal data
We strive to collect only information that is absolutely necessary to resolve your request – usually though it will include demographic details (name, date of birth, …), travel information, as well as relevant elements of medical history.
Recipients of personal data
The personal data remain within our control and are not shared with third parties other than the technology providers who support our service delivery (see Who Do We Share Your Personal Data With below).
Retention
The personal data will be deleted when it is no longer relevant, in most cases, within 12 months of the request getting resolved.
Automated decision-making and profiling
The collected personal information is not used for automated decision-making nor profiling.
When you visit our social media websites
Purpose
We, Meta, LinkedIn, and Twitter collect and process your personal data when you visit or interact with company pages (“fan pages”) or profiles. The purpose of the processing is to be able to market ourselves to potential customers, retain inquiries and similar related purposes.
We follow the ICO’s current guidelines regarding shared data responsibility and strive to ensure that visitors to our social media pages receive information about personal data. At present, this entails, among other things, that we continuously try to enter into a dialogue with our suppliers regarding the regulation of joint data responsibility and the distribution of responsibilities. As mentioned below in this policy, visitors to our social media pages also have the opportunity to exercise their rights, e.g. the right to access, the right to object and the right to deletion.
Note! If you do not want your information to be processed, please refrain from visiting our social media pages, as it is not currently possible for us to change our partner’s data collection settings.
Legal basis for processing of personal data
The processing of personal data is based on our legitimate interests in marketing our business and taking into consideration balancing those interests with yours. Information that would require consent is not processed.
Categories of personal data
Typically, we collect contact information in the form of name, e-mail, or phone number. If we receive special category information, such as health related data, it will be deleted as soon as it comes to our attention.
Recipients of personal data
Apart from the social media platform your personal data are not shared.
Retention
Since the personal data published on the social media pages are provided directly by you on our publicly accessible page, the information will initially remain on the page as long as it exists. As the submitter of the information, you can always object to the balancing of interests, with a view to having any postings deleted.
Automated decision-making and profiling
The collected personal information is not used for automated decision-making nor profiling.
When you answer a customer satisfaction survey
Purpose
When you respond to a customer satisfaction survey, we process your information with the goal of improving our service and resolving potential grievances.
Legal basis for processing of personal data
The processing of personal data is based on our legitimate interests in understanding your customer experience, taking into consideration balancing those interests with yours. Information that would require consent is not processed.
Categories of personal data
Typically, we collect contact information in the form of name, e-mail or phone number plus your survey responses. If we receive special category information, such as health related data, it will be deleted as soon as it comes to our attention.
Recipients of personal data
The personal data remain within our control and are not shared with third parties other than the technology providers who support our service delivery (see Who Do We Share Your Personal Data With below).
Retention
The personal data are deleted 6 months after their collection.
Automated decision-making and profiling
The collected personal information is not used for automated decision-making nor profiling.
When you report a medical problem or launch a complaint
Purpose
When you report a medical problem or launch a complaint with us, we process the personal data with the purpose of handling and resolving the query.
Legal basis for processing of personal data
The processing of personal data is based on legal obligations to collect, handle and report about specific enquiries.
Categories of personal data
We ask for basic demographic data together with relevant medical information.
Recipients of personal data
We may share your personal information with the key public health institutions (NHS, CQC) but we will not share it with third parties other than the technology providers who support our service delivery (see Who Do We Share Your Personal Data With below).
Retention
The report/complaint together with its associated information is kept for 3 years after which it is deleted.
Automated decision-making and profiling
The collected personal information is not used for automated decision-making nor profiling.
Who do we share your personal data with
We use a number of external companies and services that process personal data on our behalf, for example by utilising technology or software tools that enable us to provide our services and manage our business – they serve as ‘data processors’ for us. Each data processor has entered into a data processing agreement with us, in accordance with UK GDPR, which ensures that our stipulated requirements for the protection of personal data are followed. The commonality in these agreements is that the data are only transferred, i.e. they remain under our control and cannot be used by the external party for their own purposes.
To the extent possible we engage data processors based within the UK or EU/EEA, so that the personal data are not transferred to unsafe third countries. In certain cases, however, we use data processors in the USA, but only if they meet the applicable requirements according to the UK GDPR and we always ensure we have appropriate mechanisms and safeguards in place.
In extraordinary circumstances, under legitimate interest or legal obligations, we may disclose personal data to external organisations. These may be insurance companies, tax or law enforcement authorities and the like. In such situations, they become data controllers for the personal data they receive from us, as they themselves determine the purposes of processing etc.
How do we keep your data secure
We take sensible steps to keep your data secure and ensure we can uphold your rights and meet our obligations under UK GDPR:
- Data processed on our systems is encrypted both while in transit and at rest
- Systems themselves are hardened and regularly tested for technical weaknesses
- Physical protections are put in place to prevent unauthorised access
- Access to personal data is provided only to staff with a legitimate need, and strong authentication (with multiple factors) is enforced
- Our employees are subject to appropriate DBS background checks depending on their job role and are also subject to an obligation of confidentiality. All staff receive training on data protection matters
- We ensure that appropriate contracts are in place with our suppliers who process your personal data to protect your rights, to ensure that they take appropriate security measures to safeguard your data, and that any international transfers are done correctly under UK GDPR
Data subject rights
You have a number of rights relating to the processing of your data (see details below). If you would like to use them or have any questions, please contact us at gdpr@elcg.dk.
We won’t charge you for handling your request; however, we may reject it or require compensation in case of frequent, repeated or unfounded requests.
Right to be informed about the collection and use of personal data
You have the right to be fully informed about why and how we process your information. This privacy notice is intended to meet that requirement, but please do contact us if you have any questions. If we obtain your personal data from a third party (e.g. a social media platform) then we will disclose this origin to you.
Right to access personal data
You have the right to request a copy of the data we hold about you.
Right to restrict the processing of personal data
You have the right to ask us to restrict the processing of personal data whilst we check its accuracy; if you think the processing is unlawful; if you believe we no longer need to process the data but you need us to store it due to pending legal claims; or when you object to our processing based upon our legitimate interests and we are assessing the validity of that.
Right to erase data
You have the right to ask us to delete the data we hold about you. Where we are holding the data to fulfil a legal obligation or a contract with you, your organization or a third party then we will need to retain the data in accordance with the data retention requirements shown above.
Right to rectify inaccurate or incomplete personal data
If you believe some of the data we hold are wrong or incomplete then you have the right to ask us to correct it.
Right to data portability
When we are processing your personal data to fulfil a contract with you, or because we have your consent, you can request a copy of the data you provided in a digital format, which you can then supply to another provider.
Right to object to automated decision-making and profiling
You have the right, in certain circumstances, not to be subject to decisions based on automated processing (including profiling) if it has a significant or legal impact on you. This doesn’t apply if the processing is necessary to fulfil a contract with you, or if you have given us your consent to do so.
We do not currently use any technology to make automated decisions about you.
Right to complain
You are always welcome to reach out to us at the address provided in the section “Contact and data protection officer” if you have a question or would like to complain about our handling of your personal information. Should you not be satisfied with our response, you can launch a complaint with the Information Commissioner’s Office (ICO) on their helpline 0303 123 1113 or online at www.ico.org.uk.
Please note that the ICO will normally ask you to contact us first.