Privacy Policy

Cosmetic Surgery Partners is committed to protecting and respecting your privacy. This privacy policy tells you what to expect when we collect personal data.

By visiting our websites or using our services, you agree that we can use your personal data for the purposes described in this privacy policy.

Definitions

When we refer to ‘we’, ‘us’, and ‘our’, we mean Cosmetic Surgery (Uk) Limited.

About Cosmetic Surgery Partners

Cosmetic Surgery (Uk) Limited is a limited company registered in England under company number 05582381, whose registered address is 2nd Floor Hygeia House, 66 College Road, Harrow, Middlesex, HA1 1BE, and whose main trading address is The London Welbeck Hospital, 27 Welbeck Street, London, W1G 8EN.

When this Privacy Policy applies

Our Privacy Policy applies to all of the services offered by Cosmetic Surgery Partners and its affiliates but excludes services that have their own separate privacy policies that do not incorporate this Privacy Policy.

 

Contact

If you would like to know more about anything in this privacy statement, please email us at dp@cosmeticsurgery-partners.co.uk or write to the Data Protection Officer:

Data Protection Officer
The London Welbeck Hospital
27 Welbeck Street
London
W1G 8EN

 

What is Personal Data?

‘Personal data’ means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).


Personal data we collect about you and what it is used for

We will collect, store, and use the following categories of personal data about you:

Identity Data

| Code | Description | Purpose | Lawful Basis |
|---|---|---|---|
| PC | Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses. | We use this information to identify you, provide our services to you and to communicate with you regarding those services. | Perform our contract with you |
| DOB | Date of birth | We use this information to identify you, provide our services to you and to communicate with you regarding those services. | Perform our contract with you |
| G | Gender | We use this information to identify you, provide our services to you and to communicate with you regarding those services. | Perform our contract with you |
| MSD | Marital status and dependants | We use this information to identify you, provide our services to you and to communicate with you regarding those services. | Perform our contract with you |
| NOK | Next of kin and emergency contact information | We use this information to identify you, provide our services to you and to communicate with you regarding those services. | Perform our contract with you |
| BA | Bank account details | We use this information to identify you, provide our services to you and to communicate with you regarding those services. | Perform our contract with you |

Sensitive Data

| Code | Description | Purpose | Lawful Basis |
|---|---|---|---|
| HR | Information about your health, including any medical condition, health and sickness records and case notes | We use this information to provide our services to you and to communicate with you regarding those services. | Perform our contract with you; Comply with legal obligations |
| ED | Information about your race or ethnicity, religious beliefs, sexual orientation and political opinion | We use this information to provide our services to you and to communicate with you regarding those services. | Perform our contract with you; Comply with legal obligations |

Aggregated Data

| Code | Description | Purpose | Lawful Basis |
|---|---|---|---|
| SS | Statistical data including demographic, location and usage | We use this information to monitor and adjust our services to you, to introduce new enhancements and to tailor our services over time. | Perform our contract with you; To pursue legitimate interests of our own or those of third parties (provided your interests and fundamental rights do not override those interests) |

Sessional Data

| Code | Description | Purpose | Lawful Basis |
|---|---|---|---|
| IP | Internet protocol address, device type, operating system, browser type & version, plug-ins, time-zone and location. | We use this information to provide our services to you. | To pursue legitimate interests of our own or those of third parties (provided your interests and fundamental rights do not override those interests) |
| WS | Website cookies (please refer to our cookie policy) | We use this information to provide our services to you. | To pursue legitimate interests of our own or those of third parties (provided your interests and fundamental rights do not override those interests) |
| CL | Call logs and recordings, message logs & email communications relating to queries | We use this information to provide our services to you. | Perform our contract with you |
| AP | Appointment information including time, duration, location, contact number, type | We use this information to provide our services to you. | Perform our contract with you |
| TD | Transaction data, including time, location, payment gateway, order details, frequency & delivery address | We use this information to provide our services to you. | Perform our contract with you; Comply with legal obligations |

How the information is collected

Direct – We collect personal information by telephone or video consultation or when you visit one of our affiliate medical centres or hospitals and complete a patient registration form and/or medical questionnaire.

Affiliates & Third Parties – We collect personal data through our affiliates and third parties, where you have given your consent for us to provide our services to you.

Online – We collect personal data when you use our website or complete an online form, and we capture automated sessional data using cookies and analytics such as Google (please see our cookie policy for further information).

We need all the categories of information identified above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations.  In some cases, we may use your personal data to pursue legitimate interests of our own or those of third parties (provided your interests and fundamental rights do not override those interests).

Failure to provide information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations (such as ensuring that we keep adequate medical records).

Sensitive personal data

“Special categories” of particularly sensitive personal data require higher levels of protection. We may process special categories of personal data in the following circumstances:

1. In limited circumstances, with your explicit written consent.

2. Where we need to carry out our legal obligations and in line with our Data Protection Policy.

3. Where it is needed in the public interest, such as for equal opportunities monitoring.

4. Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

Disclosure/data sharing

We may have to share your data with third parties, including third-party service providers (including contractors and designated agents); other entities in the group; in the context of a sale of the business; with a regulator or to otherwise comply with the law; and with our insurers and/or professional advisers to manage risks and legal disputes. The following activities are carried out by third-party service providers: healthcare support services, call handling, pharmacy services.

We do this where required by law; where it is necessary to administer the working relationship with you; or where we have another legitimate interest in doing so.

We require third parties to respect the security of your data and to treat it in accordance with the law.

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms:

Promotional offers from us

We may use your Identity, Sessional and Aggregated Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased services from us or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any third-party company for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Transfers of data outside of the EU

We do not transfer your personal data outside the European Economic Area (EEA).

Data Security

We are committed to ensuring your personal data is kept securely across all our systems with appropriate access controls for all parties that interact with your personal data.  All of our communication, data-sharing and cloud-based services are fully GDPR compliant and the majority meet several ISO certified standards for information security, communication and processing.

Data Retention

We only keep your personal data for as long as necessary to provide our services to you, taking into account whether any legal requirements apply to the retention of any particular data, for example regulations regarding our medical practice (see table below). In the absence of any legal requirements, personal data may only be retained as long as necessary for the purpose of processing. This means data is to be deleted, for example, when:

• you have withdrawn consent to processing;

• a contract has been performed or cannot be performed anymore;

• the data is no longer up to date; or

• you have requested the erasure of data or the restriction of processing.

Exceptions may apply to the processing for historical, statistical or scientific purposes.

During the retention period

We carry out periodical reviews of data retained.

We establish and verify retention periods for data considering the following categories:

• the requirements of our business;

• type of personal data;

• purpose of processing;

• lawful grounds for processing; and

• categories of data subjects.

If precise retention periods cannot be established, we identify criteria by which the period can be determined.

Medical Data Retention

Private Doctor/GP records

Private Doctor/GP records will be retained until 10 years after the patient’s death or after the patient has permanently left the country, unless they remain in the European Union.

Expiration of the retention period

After the expiration of the applicable retention period we will remove all instances of personal data where applicable. This will be achieved by means of:

• erasure of the unique identifiers which allow information to identify you;

• erasure of single pieces of information that identify the data subject (whether alone or in combination with other pieces of information);

• separation of personal data from non-identifying information (e.g. an order number from the customer’s name and address); or

• aggregation of personal data in a way that no allocation to any individual is possible.

Your rights

Your rights in connection with personal data

Under certain circumstances, by law you have the right to:

• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Please contact us regarding our DSAR Procedure for more information.

• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.

• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.

• Request the transfer of your personal data to another party.

Please contact us if you wish to exercise any of the rights above.

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Please contact the Data Protection Officer.

Complaints & questions

If you have any questions about this privacy notice or how we handle your personal data, please contact the Data Protection Officer. If we have breached our duty of care, we will take appropriate action.

If you are not satisfied by our response, you also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (email: casework@ico.org.uk).

Changes to our privacy policy

We keep our privacy policy under regular review. This privacy policy was last updated on 21st May 2024.
