GDPR Data Protection Policy
Effective date: Last reviewed 27th of September 2024
1. Purpose
The purpose of this policy is to outline how EPT Clinic ensures compliance with the General Data Protection Regulation (GDPR) and the Irish Data Protection Acts 1988–2018 in the collection, processing, and protection of personal data.
2. Scope
This policy applies to all staff, contractors, and third parties who process personal data on behalf of EPT Clinic. It covers all personal data handled by the company, including client, customer, employee, and supplier data, both in electronic and paper form.
3. Definitions
Personal Data: Any information relating to an identifiable individual (e.g., name, address, email, phone number).
Data Controller: The organisation (in this case, EPT Clinic) that determines the purposes and means of processing personal data.
Data Processor: Any party that processes personal data on behalf of the Data Controller.
Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
Data Subject: Any individual whose personal data is being processed.
4. Principles of Data Protection
EPT Clinic adheres to the following data protection principles outlined in the GDPR:
Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and in a transparent manner.
Purpose Limitation
Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimisation
Personal data collected must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Accuracy
Personal data must be accurate and kept up to date where necessary.
Storage Limitation
Data must be kept in a form that permits identification of data subjects for no longer than is necessary.
Integrity and Confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage.
Accountability
EPT Clinic takes responsibility for demonstrating compliance with the GDPR principles.
5. Data Subject Rights
Under GDPR, individuals have the following rights regarding their personal data:
Right to Access: Data subjects can request access to their personal data.
Right to Rectification: Individuals have the right to correct any inaccuracies in their personal data.
Right to Erasure (Right to be Forgotten): Data subjects can request the deletion of their personal data under certain conditions.
Right to Restriction of Processing: Individuals can request the restriction of processing under specific circumstances.
Right to Data Portability: Data subjects can receive their personal data in a structured format.
Right to Object: Data subjects can object to the processing of their data in certain cases.
Rights Related to Automated Decision-Making: Individuals have the right not to be subject to automated decision-making, including profiling, in specific situations.
6. Lawful Basis for Processing
EPT Clinic processes personal data only when there is a lawful basis, such as:
Consent of the data subject
Performance of a contract
Compliance with legal obligations
Legitimate interests of the company or a third party
Protection of the vital interests of the data subject or another person
7. Data Collection and Use (staff)
Personal data collected by EPT Clinic is limited to what is necessary for business operations and legal requirements.
Data is collected for the following purposes:
- Customer services and relationship management in the context of the provision of healthcare services
- Employee management and HR purposes, including relevant information to support the team and ensure appropriate qualifications, garda vetting and regulation
- Marketing, with appropriate consent
- Research, with appropriate consent
- Legal and regulatory compliance
- Data retention - EPT Clinic retains personal data for as long as necessary to fulfill the purposes for which it was collected or to comply with legal, regulatory, or contractual requirements. The company has a data retention schedule that ensures personal data is securely deleted or anonymised after its retention period.
8. Data Collection and Use (clients)
EPT Clinic collects and processes personal data to provide high-quality healthcare services and to meet our legal obligations. The personal data we collect includes general personal information and special category data, such as health-related information. We ensure that all data is processed lawfully, fairly, and transparently.
Types of Data Collected:
- General Personal Data: Names, addresses, dates of birth, contact details (phone number, email address), emergency contact details.
- Special Category Data (Health Data): Medical history, symptoms, diagnoses, treatment plans, test results, and any other relevant health information.
- Feedback from clients in the form of questionnaires, online feedback forms, Google Reviews, etc.
Purpose of Data Collection
- Provision of Healthcare Services: To diagnose, treat/support, and manage patient care.
- Medical Record Keeping: To maintain accurate patient records in compliance with healthcare and legal standards.
- Appointment Scheduling: To manage bookings, consultations, and follow-ups.
- Compliance with Legal Obligations: To comply with regulatory requirements, such as reporting to health authorities or regulatory bodies.
- Billing and Administration: For processing payments and managing administrative tasks related to patient care.
Lawful Basis for Processing Health Data
The processing of personal and special category data is conducted under the following lawful bases:
- Consent: Patients give explicit consent to process their health data for the provision of medical services.
- Performance of a Contract: Data is processed to provide healthcare services as part of the agreement between the patient and the medical practice.
- Vital Interests: In certain circumstances, we may process data to protect a patient's vital interests, such as in medical emergencies.
- Legal Obligations: We are required to retain and disclose certain information to comply with legal and regulatory obligations.
- Public Interest in the Area of Public Health: For example, reporting infectious diseases to health authorities.
Data Minimisation and Accuracy
We collect the personal and health data that is necessary for the purposes outlined above. We do our best to ensure that the information collected is accurate and kept up to date to provide safe and effective medical care.
Data Retention
We retain health data for the period advised by law, medical best practice guidelines, and clinical guidelines.
9. Data Security
EPT Clinic implements technical and organisational measures to protect personal data, including but not limited to:
- Encryption of sensitive data
- Access controls and user authentication
- Regular security assessments and audits
- Staff training on data protection and security best practices
- Secure disposal of paper records and electronic devices
10. Data Sharing and Transfer
EPT Clinic will not share personal data with third parties unless necessary for business operations or legal requirements (e.g. Stripe and Bank of Ireland are our payment processing systems, Kajabi and FRESHA are our booking central management systems). Where data is shared with third-party service providers, EPT Clinic ensures that they are compliant with GDPR.
Where personal data is transferred outside the European Economic Area (EEA), EPT Clinic ensures adequate safeguards are in place, such as:
- Adequacy decision by the European Commission
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
11. Data Breach Reporting
In the event of a data breach, EPT Clinic will follow the guidelines set out in GDPR, including:
- Notifying the Data Protection Commission (DPC) within 72 hours if the breach poses a risk to the rights and freedoms of individuals.
- Informing affected individuals if the breach is likely to result in high risks to their rights and freedoms.
- Maintaining a record of all data breaches, regardless of whether they are notifiable.
12. Data Protection Officer (DPO)
EPT Clinic has appointed a Data Protection Officer responsible for overseeing data protection strategy and implementation, ensuring compliance with GDPR, and acting as a point of contact for data subjects and the DPC.
13. Staff Training and Awareness
All employees of EPT Clinic receive regular training on data protection best practices, their obligations under GDPR, and how to identify and report data breaches. Training is mandatory and conducted annually or more frequently if necessary.
14. Monitoring and Review
This Data Protection Policy will be reviewed annually or more frequently if required to ensure its relevance and compliance with legal requirements.
Contact Us
If you have any questions, concerns or complaints about this GDPR Data Protection Policy, please contact us:
- By email: [email protected]
- By visiting this page on our website: www.eptclinic.ie
- By phone number: 00353 56 7771383
- By mail: EPT Clinic Ltd., Block B, Floor 2, The Smithland Centre, Waterford Rd, Loughboy, Kilkenny, R95 E44N, Ireland