Privacy Policy

About us

Company Name: Econsentglobal Ltd (Trading name: Consent Clinic)

Registered office address: 133 Barrack Road, Christchurch, Dorset, United Kingdom, BH23 2AW

Company number: 10225552

ICO Data protection registration reference: N/A

Date of registration: N/A

Registration Expiries: N/A

Nature of work

The following is a comprehensive description of the way Consent Clinic, as data controllers process personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received from us, check any privacy notices, consent forms or contracts we have provided or contact us directly to ask about your personal circumstances and how this Data and Privacy Policy applies to you.

Your information and how we us it

This Data and Privacy Policy tells you what to expect when Consent Clinic collects personal information about you when you engage with us. It also explains how we’ll process that data and keep it safe.

We collect personal and financial information such as your name, date of birth as treatments can only be performed on individuals over the age of 21, address, telephone number, bank details and email address when you provide it to us, or when you have given a third party permission to share your information with us. We also under consultation collect your medical history and medical conditions and details and notes regarding medical procedures undertaken.

We will only use the data captured for specific purposes in relation to the provision of services from Consent Clinic, whether that’s as part of the follow up process originally instigated by you (Consent) or as part of the provision of a service or consent for treatment (under provision of a contract). We may also use your information to keep you up to date with relevant services and useful updates from Consent Clinic (legitimate interest). At all times recipients will be given the option to opt-out of communications and or have their personal data removed if requested and so long as this removal is not against business practices under law (legal obligation). In rare cases we may have need to process information under (Vital interests) or in the where information is in the publics interest or to perform official functions (Public task).

Description of processing

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these will apply whenever we process personal data:

(a) Consent: you have given clear consent for us to process your personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract we have with the you, or because you have asked us to take specific steps before entering into a contract with you.

(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for us to perform a task in the public interest or for Consent Clinic official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for Consent Clinic legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.

Reasons/purposes for processing information

We process personal information to enable us to:

  • Provide non-surgical treatments and procedures to clients
  • Maintain our accounts and records
  • Promote our services
  • Undertake research
  • Support and manage our employees

Type/classes of information processed

  • We process information relating to the above reasons/purposes. This information may include:
    • Personal details such as name, date of birth, gender, address, place of work, telephone and email addresses
    • Medical records and history
    • Medical Procedures and notes relating to treatments
    • Goods and services
    • Family details
    • Lifestyle and social circumstances
    • Financial details – all bank details are not stored or retained
    • Education and employment details

In some but not all instances we may process sensitive classes of information that may include:

  • Physical or mental health details
  • Racial or ethnic origin
  • Religious or other beliefs of a similar nature
  • Offences and alleged offences
  • Trade union membership

Who the information is processed about;

We process personal information about our:

  • Clients
  • Employees
  • Suppliers
  • Enquirers and complainants
  • Survey respondents
  • Professional advisers and consultants
  • Visitors to our website
  • Visitors to our social media platforms

Who the information may be shared with;

We sometimes need to share the personal information we process with the individual themself and also with other organisations. Where this is necessary we are required to comply with all aspects of GDPR (25th May 2018). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

Where necessary or required we share information with:

We process personal information about our:

  • Current, past or prospective employers
  • Suppliers and service providers
  • Financial organisations
  • Family, associates and representatives of the person whose personal data we are processing
  • Trade associations and bodies
  • Professional advisers and consultants
  • Central government like HMRC
  • Employment and recruitment agencies
  • Business associates
  • Survey and research organisations
  • Credit reference agencies
  • Debt collection agencies

Children

We comply with the all the requirements of the GDPR, not just those specifically relating to children. We ensure that we design our processing with Children in mind from the outset and ensure that it is fair and complies with the data protection principles. We use DPIAs to help us assess and mitigate the risks to children. If our processing is likely to result in high risk to the rights and freedoms of children then we always us a DPIA to mitigate the risks to children. Where treatment is sought and carried out on anyone under the age of 21 we will ask for parental consent. When relying on consent, we make sure that the child understands what they or their parents/guardian are consenting to, and we do not exploit any imbalance in power in the relationship between us.  We also consider the child’s competence to understand what they are agreeing to and to enter into a contract. When replying on legitimate interests we take responsibility for identifying the risks and consequences of the processing and put age appropriate safeguards in place.

Offering an information Society Service (ISS) directly to a child on the basis of consent

If we decide not to offer our ISS (online service) directly to children, then we mitigate the risk of them gaining access, using measures that are proportionate to the risks inherent in the processing.

When offering ISS to UK children on the basis of consent, we make reasonable efforts (taking into account the available technology and the risks inherent in the processing) to ensure that anyone who provides their own consent is at least 13 years old.

When offering ISS to UK children on the basis of consent, we make reasonable efforts (taking into account the available technology and the risks inherent in the processing) to ensure that anyone who provides their own consent is at least 13 years old.

When offering ISS to UK children on the basis of consent, we obtain parental consent to the processing for children who are under the age of 13, and make reasonable efforts (taking into account the available technology and risks inherent in the processing) to verify that the person providing consent holds parental responsibility for the child.

When targeting wider European markets we comply with the age limits applicable in each Member state.

We regularly review available age verification and parental responsibility verification mechanisms to ensure we are using appropriate current technology to reduce risk in the processing of children’s personal data.

We don’t seek parental consent when offering online preventive or counselling services to a child.

Marketing to Children

When considering marketing to children we take into account their reduced ability to recognise and critically assess the purposes behind the processing and the potential consequences of providing their personal data.

We take into account sector specific guidance on marketing, such as that issued by the Advertising Standards Authority, to make sure that children’s personal data is not used in a way that might lead to their exploitation.

We stop processing a child’s personal data for the purposes of direct marketing if they ask us to.

We comply with the direct marketing requirements of the Privacy and Electronic Communications Regulations (PECR).

Solely automated decision making (Including profiling)

We don’t usually use children’s personal data to make solely automated decisions about them if these will have a legal, or similarly significant effect upon them.

If we do use children’s personal data to make such decisions then we make sure that one of the exceptions in Article 22(2) applies and that suitable, child appropriate, measures are in place to safeguard the child’s rights, freedoms and legitimate interests.

In the context of behavioural advertising, when deciding whether a solely automated decision has a similarly significant effect upon a child, we take into account: the choices and behaviours that we are seeking to influence; the way in which these might affect the child; and the child’s increased vulnerability to this form of advertising; using wider evidence on these matters to support our assessment.

We stop any profiling of a child that is related to direct marketing if they ask us to.

hild.

Privacy notices for Children and Parents

Our privacy notices are clear, and written in plain, age-appropriate language.

We use child friendly ways of presenting privacy information, such as: diagrams, cartoons, graphics and videos, dashboards, layered and just-in-time notices, icons and symbols.

We explain to children why we require the personal data we have asked for, and what we will do with it, in a way, which they can understand.

As a matter of good practice, we explain the risks inherent in the processing, and how we intend to safeguard against them, in a child friendly way, so that children (and their parents) understand the implications of sharing their personal data.

We tell children what rights they have over their personal data in language they can understand.

As a matter of good practice, if we are relying upon parental consent then we offer two different versions of our privacy notices; one aimed at the holder of parental responsibility and one aimed at the child. As a matter of good practice, if we are relying upon parental consent then we offer two different versions of our privacy notices; one aimed at the holder of parental responsibility and one aimed at the child.

The Child’s data protection rights

If our processing was base on consent from a parent or guardian then we comply with requests for erasure whenever we can weather this request is received from the consenting adult or the child in question so long as the child is competent to understand their rights and act on them accordingly. We make requesting the erasure of their information as easy as possible and make sure they understand if in the event full erasure is not possible why this will be the case.

Transfers of Data

GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Whist we do not transfer data outside of the EU. It may sometimes be necessary to transfer personal information overseas in the future. Consent Clinic will only transfer personal data where the organisation receiving the personal data has provided us with adequate safeguards and where your rights must be enforceable and effective legal remedies for individuals must be available following the transfer.

Visitors to our website

When someone visits www.consentclinic.com we use the following third party services:

  • Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way- which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
  • Facebook pixels are used

Functionality on our website relies on the use of Cookies find out more through our Cookie Policy.

If we do collect personally identifiable information through our website, this will be clear to the visitor. We will make it clear when we collect personal information and will explain what we intend to do with it.

Personal data via third party services

Consent Clinic will collect and store your personal data provided from third parties only when you have given permission for it to be supplied. For example at events and conferences. This data will only be used for the purposes of relevant follow-up activity (legitimate interest). If after 12 months we have not engaged with you further then your data records will be stored and encrypted so there are no personal identifiers associated with this record. This data will only be used for the purposes of Consent Clinics own research and development. Your records will not be sold to third parties.

People who use our services

Consent Clinic offers various services to businesses. Within those businesses we have to hold the details of people that have requested or are in some way associated with the provision of the service we provide. We only use these details to provide the service and for other closely related purposes. For example, we may use information about people who take services from us to carry out a survey to find out if they are happy with the level of service they received.

Job applicants and our current and former employees

Consent Clinic is the data controller for the information you provide during the application process unless otherwise stated. If you have any queries about the process or how we handle your information please contact: Chloe Plumstead via support@consentclinic.com

Your information and how we collect and use it.

We collect information about you when you complete one of the forms on our website www.consentclinic.com and is transmitted over HTTPS to our web server we also collect data and information about you in one to one meetings, consultations, via email and over the phone. This will include your name, place of work, contact information and where relevant financial information, along with any other information you choose to provide us at any of the above data collection points.

The information will be used to respond to your enquiry, or contact you about a treatment or procedure that you have shown to have an interest in.

The information will be used solely by Consent Clinic and will not be shared with any other third party.

Your personal Information will be stored on our financial system www.freeagent.com purely for the purpose of managing your subscription or membership with us and to provide future communication via mail chimp or similar for future marketing and industry related updates that will be relevant to you. In this case your information may be processed outside of the European Economic Area (EEA).

Grounds for processing

We are processing the information you provide under the legal grounds of our legitimate interest. We will use the information provided for legitimate business purposes such as contacting you in response to an enquiry submitted through our website. We have carried out a legitimate interest assessment on the data we collect to support this decision.

Your rights

You have rights over the information that Consent Clinic, have collected from you, these include the following:

Right to be informed

We provide 'fair processing information' through our privacy notice.

Right of access

We will confirm to you that we process your data, and to provide access to any personal information we hold about you should you request this information in writing.

Right of rectification

If any data we hold about you is incomplete or inaccurate we will correct the information we hold and notify you by email or in writing of the corrections made.

Right to erasure (the right to be forgotten)

Where there is no compelling reason for the continued processing of your information we will erase this.

Right to restrict processing

We will stop processing or block your data on request. We may hold enough information to ensure that we can respect this restriction in the future. e.g. We may hold your email address on a list to prevent it being processed in the future.

Right to data portability

In certain circumstances you may request your data in a commonly used and machine readable format.

Right to object

You may object to us processing your data, unless the processing is for the establishment, exercise or defence of legal claims. If you'd like to access or correct the data we hold, please contact us.

Rights related to automated decision making including profiling

Consent Clinic does not automate any decision making with your information.

You can read more about your individual rights on the Information Commissioner's Office website.

Protecting your information

We know how much data security matters. We will treat your data with the utmost care and take all appropriate steps to protect it.

Your information is only accessed by people who need it to perform their role.

Your personal data is encrypted at rest and in transit as far as possible; we secure the information you submit through consentclinic.com using 'https', however this does not account for personal errors and where there has been a breach of data we will comply with the GDPR regulations and report all activities of breach to the ICO.

Your data may, occasionally, be sent outside the European Economic Area (EEA). As described in this notice. In these cases your information will remain secure and confidential.

We will retain personal information only for so long as the information is necessary to fulfil your request, or until you exercise one of your rights.

Complaints or queries

Consent Clinic tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Consent Clinic collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to support@consentclinic.com. You may also complain to the supervisory authority in the UK, the ICO. Various contact details are listed on the ICO Report a concern page.

Links to other websites

This privacy notice does not cover the links within this site to other websites. We encourage you to read the privacy statements on other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on the 1st May 2019.

How to contact us

If you want to request information about our privacy policy you can email us at support@consentclinic.com or write to:

Chloe Plumstead

Data Privacy Compliance Officer

Econsentglobal Ltd (trading as Consent Clinic)

Richmond House, 8 Richmond Gardens, Bournemouth, Dorset, United Kingdom, BH1 1JE