ABOUT US AND THIS PATIENT PRIVACY NOTICE
This is the Patient Privacy Notice for East and Badia Limited, t/a Rhinoplasty London (East and Badia, We, Us). We are a medical practice specialising in rhinoplasty and facial plastic surgery.
This Patient Privacy Notice applies to all patients, whether current, previous or prospective (You, Your). Please read it carefully. It gives you detailed information about when and why we collect your personal data, how we use it, how we keep it secure, and what your rights are.
We respect your privacy and are committed to protecting your personal data in accordance with our obligations under (as applicable) the EU General Data Protection Regulation (GDPR), the GDPR as it forms part of the law of England, Wales, Scotland and Northern Ireland (UK GDPR), the Data Protection Act 2018 (DPA) and all other relevant legislation relating to data privacy (together the Data Protection Legislation).
Under the Data Protection Legislation, we act as data controller of your personal data because we are responsible for how personal data collected about you is held and used.
OUR CONTACT DETAILS
If you have any questions about this Patient Privacy Notice or the way we process your personal data, please contact our Data Protection Officer, Lydia Badia, at:
Email address: office@eastandbadia.com
Postal address: Tempus Belgravia, 11a West Halkin Street, London, SW1X 8JL.
Telephone: 020 3196 0130
HOW WE COLLECT YOUR PERSONAL DATA
We may collect personal data about you in several ways, including when:
- You interact directly with us either online (including by completing the enquiry form on our website, rhinoplastylondon.co.uk), over the telephone, by email, by post, or in person when you attend a consultation at our practice;
- We are provided with your personal data by other healthcare providers, such as your GP or consultant, or by other surgeries or hospitals; or
- We are provided with your personal data by someone acting on your behalf, such as your personal assistant, family member, carer or next of kin, or by any other third party.
WHAT PERSONAL DATA WE COLLECT
Personal data means any information about an individual from which that person can be identified. The categories of personal data we process may include (as applicable) the following:
Identity Data, including your full name, former names, title, date of birth, marital status, gender, NHS number, nationality and likeness (in the form of photographs or video footage as applicable).
Contact Data, including your email address, home address, billing address, telephone number and emergency contact number.
Financial and Transactional Data, including your bank account details, payment card details and payment transaction details and history.
Correspondence Data, including any information which you provide in, or we learn about you from, any correspondence or communications with us, including details of any enquiries or requests for support, feedback and complaints.
Special Category Data is personal data that needs more protection because it is sensitive. We may collect your Special Category Data, including personal health and medical information, such as medical reports, images, photographs and videos of you (before, during and after your treatment), notes, test results, diagnostic information, details of the treatment you wish to receive and have received in the past, your prescriptions (current and previous), your medical appointment and activity records, your family history, your disability information and, where relevant to your treatment, information about your ethnicity or race, religious beliefs, sexual orientation, sex life or gender identity.
WHY WE COLLECT YOUR PERSONAL DATA AND HOW WE USE IT
Under the Data Protection Legislation we can only process your personal data if we have a legal basis for doing so. Most commonly this will be:
- Where we need to perform the contract we are about to enter into with you (or have entered into with you);
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- Where we need to comply with a legal obligation.
Sometimes we will process your personal data when we have your consent to do so, where it is in your vital interests or in the public interest to do so. Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time.
Where we process your Special Category Data, we are required to fulfil a further condition for processing. Generally, we will process your Special Category Data because it is necessary for health care purposes including diagnosis, provision of healthcare or treatment, and management of our patient healthcare systems and services. Occasionally we will also process your Special Category Data because you have given us your explicit consent to do so, because it is necessary for the establishment, exercise or defence of legal claims, or because it is in the public interest to do so.
We set out below in more detail the purposes for which we may use the categories of personal data (including Special Categories of data) listed above:
Delivery of our services: Admitting you as a patient, assessing your medical needs and objectives, consulting with your other medical providers (including your GP), providing you with medical advice, providing rhinoplasty treatments, communicating with you about our services (including sending you appointment reminders and follow-up letters), maintaining your medical records, and sharing information about your treatment with your other medical providers to ensure ongoing care.
Processing and collecting payment for our services: Facilitating payment for our services and collecting/recovering money owed to us.
Feedback, queries and complaints: Obtaining reviews of and feedback on our services, evaluating and improving our services, handling your queries, investigating and responding to any complaints.
Business management: Managing our business including keeping financial and accounting records, maintaining our IT systems, administering and protecting our business, meeting our regulatory obligations.
With your explicit consent we may also:
- Share your ‘before and after surgery’ photographs, videos and other non-audio visual information about your treatment with other medical professionals, for training purposes, in clinical, scientific and medical presentations.
- Share your ‘before and after surgery’ photographs and other information about your treatment for the purposes of publication in scientific and medical publications and journals.
- Share your ‘before and after surgery’ photographs and videos during consultation with other patients for the purposes of showing them examples of our work and to demonstrate likely possible surgical outcomes.
- Post your images, your ‘before and after surgery’ photographs and your videos on our social media pages (including Twitter, Facebook, Instagram and TikTok), the East and Badia website, and doctor review sites (such as Real Self, Doctify and Top Doctors) for the purposes of marketing our services to other potential patients.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you (which may be by way of an update to this Patient Privacy Notice) and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.
WHAT IF YOU REFUSE TO PROVIDE US WITH ANY PERSONAL DATA?
Where we need to collect personal data under the terms of an agreement we have with you, and you fail to provide that data when requested, we may not be able to perform that agreement.
AUTOMATED DECISION MAKING
Automated decision making is the process of making a decision by automated means without any human involvement. We do not envisage that any decisions will be taken about you using automated means; however, we will notify you if this position changes.
SHARING YOUR PERSONAL DATA WITH THIRD PARTIES
We may need to share personal data with third parties including, where necessary, your GP or referrer to provide coordinated care, other healthcare providers to deliver your care, your health insurance provider, pharmacies for prescription purposes, our bank, auditors, accountants, consultants, lawyers, insurance brokers, relevant tax authorities and regulators.
We may also share personal data with third party service providers who we engage to provide services which facilitate our business and carry out functions on our behalf and under our instruction as a data processor including IT service providers that manage East and Badia’s infrastructure (including SharePoint and WestOne), hosted service providers related to patient care or administration (including Semble) and our billing provider. We seek to ensure that any third party engaged by us who processes your personal data has policies and procedures in place to ensure compliance with data protection laws.
In the event that our business or any part of it is sold or integrated with another business, your personal data may be disclosed to our advisers and those of any prospective purchaser and will be passed to the new owners of the business.
INTERNATIONAL DATA TRANSFERS
We may share your personal data with our external third-party service providers who may be based outside the UK and the EEA. However, we will not transfer your personal data outside of the UK and the EEA unless such transfer is to a country or jurisdiction which the EU Commission and/or the UK has approved as having an adequate level of protection; appropriate safeguards are in place in accordance with the Data Protection Legislation (these safeguards include the use of standard contractual clauses); or the transfer is otherwise allowed under data protection laws. We will ensure that if your personal data is transferred outside of the UK and the EEA, it is afforded the same protection as would be afforded to it within the UK and the EEA.
DATA SECURITY
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
DATA RETENTION
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
YOUR RIGHTS
Under the Data Protection Legislation you have certain rights in relation to your personal data. See below a description of those rights:
- The right to request a copy of your personal data held by us;
- The right to correct any inaccurate or incomplete personal data held by us;
- The right to request that we erase personal data we hold about you;
- The right to request that we restrict the processing of your data;
- The right to have your personal data transferred to another organisation;
- The right to object to certain types of processing of your personal data by us; and
- The right to complain (see “Questions and Complaints” below).
Please note that the above rights are not all absolute and are subject to applicable data protection law. If you wish to exercise any of the rights set out above, please contact us using the details provided above.
CHANGES TO THIS PATIENT PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES
We may make changes to this Patient Privacy Notice from time to time, including as may be necessary or prudent to reflect any changes in the ways in which we process personal data or any changes in data protection laws. Any changes and updates to this notice will be posted on the East and Badia website. Please check this Patient Privacy Notice regularly so that you are aware of any changes.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
QUESTIONS AND COMPLAINTS
We take our data protection obligations seriously. If you have any questions or complaints about this Patient Privacy Notice or the way that we handle your personal data, we would appreciate the chance to deal with your concerns in the first instance before you approach the relevant data protection authority. Please contact our Data Protection Officer using the details provided above.
You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues which, in the UK, is the Information Commissioner’s Office (ICO) (www.ico.org.uk). The ICO reference number for East and Badia is ZA498843.
Last updated September 2023