Privacy Policy

At Healthy Harmony we are committed to ensuring and protecting your privacy at any time you are on our website or communicate electronically with our personnel.

Our Privacy Policy is contained below and provides a detailed explanation as to how we may use your personal information provided to us or any we collect through legal means.

If you attend for an appointment, we will provide you with this and the Data protection policy and ask you to sign that you have read.

We will also ask you at the time of the first consultation to confirm how you are agreeable to being contacted in the future for example on treatment plans and further booking.

Updates of our Privacy Policy are completed frequently, thus you should peruse this Policy habitually.

Healthy Harmony website has a “hosted Server” with “What no website” which uses cookies. To review the Privacy policy of “what No Website” this can be undertaken at www.whatnowebsite.co.uk

What No Website will NOT access Healthy Harmony Data and conforms to the expectations of the GDPR and is registered with the ICO (Information Commissioners Office)

YOUR PERSONAL INFORMATION - GENERAL DATA PROTECTION REGULATION (GDPR)

GDPR is bringing in new legal protection for personal information from May 2018. This tells you what personal information Healthy Harmony Tenerife hold and why, and what your rights are. Once you have read it please confirm that you have read and accept this document. 

GDPR is bringing in new legal protection for personal information from May 2018. This tells you what personal information Healthy Harmony gather via the website and why, and what your rights are. 

Healthy Harmony Tenerife:

Camino Las Tuneras no 1

Los Migueles,

Buzanada

Arona

38627

Santa Cruz De Tenerife

Telephone No: 00 34 618187223

                00 34 822680030

Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.

Data Controller Contact Details: Catherine Hamilton-Harris

Data Protection Officer Catherine Hamilton-harris

1. Information We Collect from You

Data can be collected and processed when our website is in operation by you.

The following are approved methods of collection:

1.1 If you register for information or complete a purchase, by filling out a form we can collect the information provided.

1.2 Traffic data, weblogs, location data, and any other communication can be collected. These details come from your visit to our site and any resource tools you use while on the site.

1.3 Any communication on our website or to personnel allows us to collect information.

The Purpose of processing Client Data 

In order to give professional Complementary treatments, Healthy Harmony needs to gather and retain potentially sensitive information about your health. This information will only be used for informing treatments and associated recommendations concerning aspects of health and wellbeing which will be offered to you.  Healthy Harmony only takes basic contact details and information via the website to allow contact and handle bookings.

Lawful Basis for holding and using Client Information

  • Legitimate interest: Required to retain the information about clients in order to fulfil the role of a health care practitioner and to provide them with the best possible treatment options and advice.
  • Special Category Data - Health Related: Process under special category data, therefore the additional condition under which Information is held and used in order to fulfil expectations as a healthcare practitioner, bound under the CNHC (Complementary National Health Council), UK Reiki Federation, FHT (Federation of Holistic Therapies) and the AOR (Association of Reflexologists), AAMET (Association For The Advancement of Meridian Energy Techniques) confidentiality as defined in their Codes of Practice and Ethics.

Healthy Harmony requirement to hold your information for the following legal reasons:

  • ‘Claims occurring’ insurance
  • Law regarding children’s records 
  • CNHC requirements to retain information 
  • Your consent

What information Healthy Harmony will hold and what we will do with it

In order to give professional Complementary treatments, there is a need to ask for and keep information about your health. This information will only be used for informing Complementary treatments and any advice given as a result of your treatment. This information will be undertaken at the first consultation.

The information to be held is:

  • Your contact details
  • Medical history and other health-related information (which will be taken from you at first consultation)
  • Treatment details and related notes (which will be updated after each consultation)

Healthy Harmony will NOT share your information with anyone else without explaining why it is necessary, and getting your explicit consent

How Long Your Information will be retained for:

Healthy Harmony will keep information for the following periods 

a) claims occurring insurance: Required to keep records for 7 years after the last treatment – (including following the client’s death)

b) law regarding children’s records: Required to keep records until the child is 25, or if 17 when treated then until they are 26.

c) registration with The Complementary and Natural Health Care Council (for work as a Reflexologist): for which required to retain information for 8 years.

Your data will not be transferred outside the EU without your consent.  

Protecting Your Personal Data

Healthy Harmony is committed to ensuring that your personal data is secure. In order to prevent unauthorised access or disclosure, in place are the appropriate technical, physical and managerial procedures to safeguard and secure the information that has been collected from you.

You will be contacted you using the contact preferences you have provided in relation to: 

  • Appointment times
  • After care/treatments plans/information or information related to your health
  • Special offers and promotions

You may unsubscribe from this at any time.

How we handle enquiries via email or text

If someone emails or texts with an enquiry, by this action it is understood that they are giving implied consent for Healthy Harmony to hold and use their contact details. 

On our web site Healthy Harmony include the following statement:

“Please be aware that if you send any sensitive medical/health information, we will only hold and use this if we proceed to treatment, at which time we will require explicit consent from you to hold this data. If we do not proceed to treatment, we will erase this information.”

Your Rights

GDPR gives you the following rights:

  • The right to be informed:
    To know how your information will be held and used (this notice).
  • The right of access:
    To see your therapist’s records of your personal information, so you know what is held about you and can verify it.
  • The right to rectification:
    To tell your therapist to make changes to your personal information if it is incorrect or incomplete.
  • The right to erasure (also called “the right to be forgotten”):
    For you to request your therapist to erase any information they hold about you
  • The right to restrict processing of personal data:
    You have the right to request limits on how your therapist uses your personal information
  • The right to data portability: under certain circumstances you can request a copy of personal information held electronically so you can reuse it in other systems. 
  • The right to object:
    To be able to tell your therapist you don’t want them to use certain parts of your information, or only to use it for certain purposes.
  • Rights in relation to automated decision-making and profiling.

Full details of your rights can be found at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

Please note 

Registration is NOT required with the ICO (Information Controllers office) by Healthy Harmony Tenerife. As detailed in the ICO document V 1.0 dated 21 February 2018 page 12 

“The name and address of the controller (for registered companies this should be the address of its registered office; for any other person carrying on a business, this should be that person’s principal place of business in the UK)”

Healthy Harmony does NOT have any base in the United Kingdom and data is only processed in Tenerife.

THERAPIST’S RIGHTS

Please note:

  • If you don’t agree to your therapist keeping records of information about you and your treatments, or if you don’t allow them to use the information in the way they need to for treatments, the therapist may not be able to treat you  
  • Your therapist has to keep your records of treatment for a certain period as described above, which may mean that even if you ask them to erase any details about you, they might have to keep these details until after that period has passed
  • Your therapist can move their records between their computers and IT systems, as long as your details are protected from being seen by others without your permission.

Once you have met your therapist you will be asked to sign a declaration to confirm you have read the Privacy and Data Protection policy and that by signing this document you understand that Healthy Harmony will hold and use your personal information, using it in order to provide the best possible treatment options and advice in line with the statements above.

 

GDPR: Data Protection Policy: Kate Hamilton-Harris

Healthy Harmony Tenerife

Documented Created: 20th May 2018

Date of Last Review: 20th May 2018

Date of Next Review: 20th May 2019

Healthy Harmony Tenerife

Camino Las Tuneras no1, Los Migueles, Buzanada, Arona, Santa Cruz, Tenerife, Spain 38627

0034 618187223

www.healthyharmonytenerife.com

Policy Purpose

This policy outlines the required data protection policy, and thus demonstrates compliance with the GDPR.

GDPR Registration

Registration has not been undertaken with the ICO as Healthy Harmony does not have a base in the United Kingdom.

Policy Content

1.The data that is processed and how it flows into, through and out of the business.

Data comes into the business in 4 ways:

a) Via email messages to from potential clients (PC) and clients(C) that have the email number.

b) Via text messages (as above)

c) Via the website contact page (Hosted by “What no website”)

d) Via Facebook Messenger

It flows through the business via:

  • Laptop - which remains at home unless taken for initial home visit
  • Smart phone – Goes everywhere
  • IPad which remains at home
  • Mac computer remains at home

The information does not flow out of the business.

2. The personal data held, where it comes from, who It may be shared with, and what happens to it.

Information Asset Register

  • Personal information is held on clients that they have provided and given consent for this undertaking by signing the appropriate documentation. 
  • This includes: name, address, contact details, and, where appropriate, age.  In addition, health and wellbeing information is collected from them at their first consultation.
  • Information about each treatment received is collected. 

We do not share this information with anyone. (If a client asked for their records or part thereof, to be shared this would only be undertaken if they had signed requesting and providing consent in writing to share their information, specifically naming the party it is to be shared with.

This is in accordance with the Association of Reflexologists Code of Practice 2a).

Written confirmation is also required to be obtained from the party the client proposes to share the information with that they comply with the requirements of GDPR.

  • Information is maintained following treatments in order to provide appropriate advice within the realms of the treatment, professional experience and qualifications.

All data is kept for:

a. claims occurring insurance: Required to keep records for 7 years after the last treatment – (including following the client’s death)

b. law regarding children’s records: Required to keep records until the child is 25, or if 17 when treated then until they are 26.

c. registration with The Complementary and Natural Health Care Council (for work as a Reflexologist): for which required to retain information for 8 years.

3. The lawful bases to process personal data and special categories of data.

 Personal data under:

  • Legitimate interest: Required to retain the information about clients in order to provide them with the best possible treatment options and advice.
  • Special Category Data - Health Related: Process under special category data, therefore the additional condition under which Information is held and used in order to fulfil expectations as a healthcare practitioner, bound under the CNHC (Complementary Natural Health Council), UK Reiki Federation, FHT (Federation of Holistic Therapists and the AOR (Association of Reflexologists) Confidentiality as defined in their Codes of Practice and Ethics.

4. Privacy Notice

Individuals need to know that their data is collected, why it is processed and who it is shared with.  This information is in included in the privacy notice on the website and within any forms or letters sent to individuals and is included at the first consultation with the client.

The privacy notice on the website and for clients, have ensured that the privacy notice includes all of the information included in the ICO privacy notice checklist at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed#table

If someone emails or texts with an enquiry, by this action it is understood that they are giving implied consent for Healthy Harmony to hold and use their contact details. 

On our web site Healthy Harmony include the following statement:

“Please be aware that if you send any sensitive medical/health information, we will only hold and use this if we proceed to treatment, at which time we will require explicit consent from you to hold this data. If we do not proceed to treatment, we will erase this information.”

5. Processes to recognise and respond to individuals' requests to access their personal data.

All individuals will need to submit a written request to access their personal data - either by email or by letter.  The information will be provided without delay and at least within one calendar month of receipt. This period may be extended by a further two months for complex or numerous requests (in which case the individual will be informed and given an explanation).

    • The client will be identified using reasonable means, which because of the special category under which data is processed will be photographic ID.
    • Records of any requests to access personal data will be maintained.

6. Processes to ensure that the personal data held remains accurate and up to date.

Client information is kept up to date during treatments and will be further updated as/when informed by the client of any changes. Once a year data will be reviewed.

7. Schedule to dispose of various categories of data, and its secure disposal.

Once a year during the process of client information review, any dormant client’s information will be secured in a separate electronic file.  This information will be assessed each month to ensure that data that is no longer required to be kept under GDPR is destroyed securely. 

8. Procedures to respond to an individual’s request to restrict the processing of their personal data.

Information data is only held in order to provide treatments. Although it is not envisaged that a situation would where a request would be received to restrict the processing of an individual’s personal data. However, if a request was received It would be responded to as quickly as possible, and within one calendar month, explaining clearly what currently is undertaken do with their data and that this data will continue to be held but they will be ensured that it is not processed.

9. Processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

Should clients wish their data to be copied or transferred, this work would be undertaken in collaboration with client to ensure that this is done in a way that was most appropriate for them - for example this could be an electronic summary of treatment received and progress made, copies of individual treatment records. 

Transmission of data on the internet can never be ultimately secure. We do not and cannot guarantee security of information collected electronically or transmitted; however, we take all necessary steps to provide the best security available where we have control over the communications systems used. As a result of our inability to guarantee safety, you are submitting information to us at your own risk.  

10. Procedures to handle an individual’s objection to the processing of their personal data.

Clients will be informed of their right to object “at the point of first communication” and this is clearly detailed in the privacy notice.

Right to Erasure vs. the Requirement to retain Client Information for a ‘Designated Period’

The individual may request deletion or removal of personal data where there is no compelling reason for its continued processing. However, the requirement to retain client information for a designated period may provide a lawful basis to override this.

In fact, neither the ‘right to erasure’ nor the requirement to retain insurance records are deemed to be an absolute right.

Specific circumstances apply:

The ‘right to erasure holds when:

1. the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed. E.g.

a. the therapist does not have ‘claims occurring’ insurance (so there is no insurance requirement to hold the data), or

b. the data is more than 7 years old and the therapist no longer requires it even though treatments continue, or

c. the therapist is no longer treating the client and the data is older than the ‘designated period’ (see above) 

2. if the lawful basis chosen is ‘consent’ and the individual withdraws consent.

3. the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.

4. the data was unlawfully processed (i.e. otherwise in breach of the GDPR).

5. the personal data has to be erased in order to comply with a legal obligation.

6. the personal data is processed in relation to chat rooms and other online services specifically for children.

The right to erasure may be overturned if the therapist has a lawful basis for retaining the information. In this case the therapist can refuse the erasure request but must be able to explain what that lawful basis is, for example:

the therapist has (or had at the time of treatment) ‘claims occurring’ insurance which means that the client may make a claim within 7 years of receiving treatment, and the insurance which was in force then will still allow a claim, as long as the therapist has retained the relevant treatment and client data.

the therapist is CNHC registered, and must abide by their information retention requirements (currently 8 years) which are defined by the Department of Health.

11. Processing operations that constitute automated decision making.

There are no processing operations that constitute automated decision making and therefore, currently there is no requirement to have procedures in place to deal with the requirements.  This right is, however, included in the privacy statement.

12. Data Protection Policy

This document forms the data protection policy and shows how compliance with GDPR.

This is a live document and will be amended as and when any changes to the data processing takes place, at the very least it will be reviewed annually.

13. Effective and structured information risks management 

The risks associated with data storage and collection, and how that risk is managed is as follows:

Theft of electronic devices - all have password locks on all electronic devices which are changed regularly and are not shared with anyone outside of Healthy Harmony.

Break in to office – All information is stored electronically. When the property is unoccupied there is an alarm system and CCTV in operation. (Data protection rules do not apply if you install a camera on your own home to protect it from burglary.

14. Named Data Protection Officer (DPO) and Management Responsibility

The DPO is Catherine Hamilton-Harris and who will ensure compliance with GDPR is maintained.

15. Security Policy

Electronic equipment is based on industry record as having the robust inbuilt protection. Additional safety measures have been implemented including security passwords.

16. Data Breach Policy

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

In the event of a breach the ICO will be notified of the breach where it is likely to result in a risk to the rights and freedoms of individuals.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned will be directly notified without undue delay.

In all cases records of personal data breaches will be maintained whether or not they were notifiable to the ICO.

Data Protection Policy created: 20th May 2018

This is a live document and will be updated as and when changes occur.

Date of Next Review: 20th May 2019

Healthy Harmony Tenerife

Kate Hamilton-Harris

Get In Touch Today

Contact us for a consultation and find your balance !
+34 822 680030
+34 618 187223

Review Us

Review Us On Google


Review Us On Facebook

Subscribe Today

For free information, advice and tutorials.
For a better, more balanced you.
Privacy Policy

Latest Blog Articles...

  • Default
  • Title
  • Date
  • Random
load more hold SHIFT key to load all load all

Latest Blog Articles...

  • Default
  • Title
  • Date
  • Random
load more hold SHIFT key to load all load all