GDPR Policy - Maria Lalousi

DATA PROTECTION & GDPR POLICY

The practice complies with the legal obligations of the Data Protection Act 2018 (the
2018 Act) and the EU General Data Protection Regulation (“GDPR”). The practice
gathers and uses data about workers, employees and consultants, both to manage
our relationships with these individuals and in the course of conducting our business.
This Data Protection Policy applies to current and former employees, workers,
volunteers, consultants and apprentices (“data subjects”).
The practice is a “data controller” for the purposes of these individuals’ personal data
and is responsible for determining the purpose and means of the processing of that
data, in line with our Records Retention Policy and Computer and Data Security
Procedure. The practice has measures in place to protect that data.
The practice will retain data in accordance with our Records Retention Policy; data
will only be held for as long as is necessary for the purposes for which it has been collected.
This policy has been created to be fully compliant with the GDPR and the 2018 Act.
Where any conflict arises between those laws and this policy, the practice will
comply with the 2018 Act and the GDPR.

The six Data Protection Principles
The practice processes personal data in accordance with the six Data Protection
Principles for GDPR identified by the ICO, which means it will:
• Be adequate, relevant and limited to what is necessary for the purposes for
which it is processed
• Be processed fairly, lawfully and transparently
• Be accurate and kept up to date; any inaccurate data must be deleted or
rectified without delay
• Be collected and processed only for specified, explicit and legitimate purposes
• Not be kept for longer than is necessary for the purposes for which it is
processed; and
• Be processed securely

“Personal Data” is defined as information relating to a living person that can be used
to identify them, on its own or in combination with other information likely to be collected
by the practice. This applies whether the information is stored physically,
electronically or in any other format.

It doesn’t include anonymised data, but does include any expression of opinion
about the person or any indication of the intentions of the practice or others in
respect of that individual.
Personal data might be provided to the practice by the individual or by someone else,
or it could be created by the practice. It could be provided or created as part of the
recruitment process, in the course of the contract of employment or after its
termination.

The practice will collect and use the following types of personal data about
staff:
• Contact details and date of birth
• Recruitment information, e.g. application form, CV, references, qualifications
etc.
• Emergency contact details
• Gender, marital status and family status
• Information regarding their contract of employment
• Bank details and information in relation to tax status, including National
Insurance Number
• Information relating to disciplinary or grievance investigations and proceedings
involving them
• Electronic information in relation to their use of IT systems / smart
cards / telephone systems
• Identification documents, e.g. passport; information in relation to immigration
status; driving licence; and right to work for the practice
• Information relating to an employee’s performance and behaviour at work
• Images (whether captured on CCTV, by photograph or video)
• Training records
• Any other category of personal data which we may notify you of from time to time

Special Categories of Personal Data
These comprise personal data consisting of information relating to:
• Racial or ethnic group
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic or biometric data
• Health
• Sex life and sexual orientation; and
• Criminal convictions and offences
The practice may hold and use any of these special categories of your personal data
in accordance with the law.

Processing Personal Data
“Processing” means any operation which is performed on personal data, such as:

• Disclosure by transmission, dissemination or otherwise making available
• Alignment or combination
• Collection, recording, organisation, structuring or storage
• Adaptation or alteration
• Retrieval, consultation or use; and
• Restriction, destruction or erasure

The practice will process individuals’ personal data in accordance with the
obligations prescribed under the 2018 Act, including:

• Performing the contract of employment between the practice and the individual;
• Complying with any legal obligation; or
• Where it is necessary for the practice’s legitimate interests. The practice can only
do this in circumstances where the individual’s interests and rights do not
override those of the practice. Individuals have the right to challenge the
practice’s legitimate interests and request that this processing be halted.
The practice may process individuals’ personal data for these purposes without your
knowledge or consent. The practice will not use your personal data for an unrelated
purpose without informing you about it and the legal basis for processing it.
Without the relevant personal data, the practice may be unable to carry out certain
parts of the contract between us; e.g. the practice needs a staff member’s bank
account details to pay them.

When the Practice might process your Personal Data
The practice is required to process individuals’ personal data in various situations
during their recruitment, employment and even following termination of their
employment for reasons including but not limited to:
• Deciding how much to pay staff and other terms of their contract with the
practice
• Ensuring they have the legal right to work for the practice
• Carrying out the contract between the practice and the individual, including,
where relevant, its termination
• Carrying out disciplinary or grievance investigations or procedures in relation to
them or someone else
• Monitoring and protecting the security of the practice, the individual, other
staff, patients and others
• Paying tax and National Insurance
• Providing a reference upon request from another employer
• Preventing and detecting fraud or other criminal offences

The practice may process special categories of personal data to use information in
relation to your:
• Race, ethnic origin, religion, sexual orientation or gender, to monitor equal
opportunities
• Sickness absence, health and medical conditions, to monitor your absence,
assess your fitness for work, pay you benefits, comply with our legal
obligations under employment law (including making reasonable adjustments)
and look after your health and safety

The practice does not take automated decisions about you using your personal data
or use profiling in relation to you.
The practice will only process special categories of individuals’ personal data in
certain situations in accordance with the law, e.g. with their explicit consent. If the
practice requests consent to process a special category of an individual’s personal
data, the reasons for the request will be explained.

The practice does not need consent to process special categories of individuals’
personal data when it is processed for the following purposes:
• Where it is necessary for carrying out rights and obligations under
employment law;
• Where it is necessary to protect individuals’ vital interests or those of another
person, where one or both parties are physically or legally incapable of giving
consent;
• Where the individual has made the data public;
• Where processing is necessary for the establishment, exercise or defence of
legal claims; and
• Where processing is necessary for the purposes of occupational medicine or
for the assessment of the individual’s working capacity

Sharing your Personal Data
Sometimes the practice might share your personal data with group companies or our
contractors and agents to carry out our obligations under our contract with you or for
our legitimate interests.
We require those companies to keep your personal data confidential and secure and
to protect it in accordance with the law and our policies. They are only permitted to
process your data for the lawful purpose for which it has been shared and in
accordance with our instructions.
The practice does not send your personal data outside the European Economic Area.
If this changes you will be notified and the protections in place to protect the security
of your data will be explained.

Processing Personal Data for the Practice
All staff who work for, or on behalf of, the practice have some responsibility for
ensuring data is collected, stored and handled appropriately in line with this Data
Protection Policy and the practice’s Records Retention Policy and Computer and
Data Security Procedure.
The practice’s Data Protection Officer / Data Protection Manager is responsible for
reviewing this policy and updating the Managing Partners on the practice’s
responsibilities for data protection, and any risks in relation to the processing of data.
All members of staff must follow these rules:
• Staff must only access personal data covered by this policy if needed for
purposes necessary to their job, or on behalf of the practice, and only if they
are authorised to do so. The data must only be used for the specified lawful
purpose for which it was obtained.
• Personal data must be kept secure and not shared with unauthorised people.
• Personal data that is accessed, stored and collected for working purposes
must be regularly reviewed and updated. This includes informing the practice
of changes to your personal contact details.
• Do not make unnecessary copies of personal data. Any unused copies must
be kept safe before being securely disposed of.
• Use strong passwords and lock computer screens when not at your workstation.
• Where suitable, anonymise data or use separate keys/codes so that the data
subject cannot be identified.
• Do not save personal data to personal computers or other devices.
• Personal data should never be transferred outside the European Economic
Area except to comply with the law and with the authorisation of the Data
Protection Officer.
• Lock drawers and filing cabinets and do not leave paper with personal data
unattended.
• Do not remove personal data from the practice’s premises without
authorisation from your line manager or the Data Protection Officer.
• Personal data should be shredded and securely disposed of when it is no
longer needed.

Handling Data Breaches
The practice has robust measures in place to minimise and prevent data breaches
from occurring. Should a breach of personal data occur, the practice will make a note
of the relevant details and circumstances and keep evidence related to that breach.
If the breach is likely to result in a risk to the rights and freedoms of individuals, then
the practice will notify the Information Commissioner’s Office within 72 hours.

Subject Access Requests
Data subjects can make a Subject Access Request (“SAR”) to access the information
the practice holds about them; this request must be made in writing. If you receive a
SAR you should forward it immediately to the Data Protection Officer, who will
prepare a response.
If you wish to make a SAR in relation to your own personal data, this should be made
in writing to the Data Protection Officer / Data Protection Manager. The practice will
respond within one month unless the request is complex or numerous; if this is the
case, then the practice will need more time to complete the request and can extend
the response period by a further two months.
A Subject Access Request does not incur a fee; however, if the request is deemed to
be manifestly unfounded or excessive then the practice is entitled to charge a
reasonable administrative fee, or to refuse to respond to the request.

Data Subjects’ Rights
In most situations the practice will not rely on your consent as a lawful ground to
process your data. If the practice does request your consent to the processing of
your personal data for a specific purpose, you have the right to decline or to withdraw
your consent at a later time.

Data subjects have the right to information about what personal data the practice
processes, how it is processed and on what basis. They have the right to:

• Access their personal data via a Subject Access Request
• Correct any inaccuracies in their personal data
• Request that we erase their personal data where the practice was not entitled
under the law to process it, or the data is no longer needed for the purpose for
which it was collected
• Object to data processing where the practice is relying on a legitimate interest
to do so and the data subject contends that their rights and interests outweigh
those of the practice, and wishes us to stop
• Object if the practice processes their personal data for the purposes of direct
marketing
• Receive a copy of their personal data and transfer their personal data to
another data controller. The practice will not charge for this and will in most
cases aim to do this within one month
• With some exceptions, not to be subjected to automated decision-making
• Be notified of a data security breach concerning their personal data
If you have a complaint about how your data is processed that can’t be resolved with
the practice, you have the right to complain to the Information Commissioner; you can do
this by contacting the Information Commissioner’s Office.
Where your personal data is being corrected or erased, or the practice is contesting
the lawfulness of the processing, you can apply for its use to be restricted while the
application is made.