PRIVACY POLICY

This document sets out the parameters within which Dalkey Hypnotherapy Clinic acquires, controls, stores, uses and disposes of any personal data, in line with General Data Protection Regulation (GDPR) requirements.

Dalkey Hypnotherapy Clinic takes your privacy very seriously and treats all your personal information as confidential. “Personal information” is information through which you can be directly or indirectly identified e.g. your name or email address. Dalkey Hypnotherapy Clinic strictly adheres to the requirements of the data protection legislation in the Republic of Ireland.

Dalkey Hypnotherapy Clinic does not sell, rent or exchange your personal information with any third party for commercial reasons, beyond the essential requirement for credit/debit card validation during payment of sessions. Dalkey Hypnotherapy Clinic follows strict security procedures in the storage and disclosure of information, which you have given us, to prevent unauthorized access in accordance with the Irish data protection legislation.

Dalkey Hypnotherapy Clinic uses a technology called cookies as part of a normal business procedure. Cookies are small text files that are created by a web server and stored on your computer when you visit a website. Many websites use cookies to improve your browsing experience. Cookies can also be used to record ‘analytics’ data i.e. which web pages you visit, whether or not you arrived at the web page by clicking on an advertisement or an affiliated website. Many websites find the collection of analytics data valuable in improving the quality and content of their web sites.

All the major browsers allow you to block cookies and delete those that have already been created on your computer, usually within the ‘Tools’ section of the browser. These tools allow you to specify which cookies you will accept by type and often by specific websites using an exception list e.g. you can block all cookies and then list the website from which you will accept cookies. There are also a wide choice of browser add-ins that you can install if you wish to have greater control over persistent cookies.

What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual. The General Data Protection Regulation covers all companies that deal with data of EU citizens. GDPR came into effect across the EU on May 25, 2018 (Information Commissioner’s Office).

The personal data information Dalkey Hypnotherapy Clinic holds

As an organization, due to the nature of the therapy services offered, Dalkey Hypnotherapy Clinic holds a moderate level of identifiable personal data including such data as is categorized under GDPR as ‘Special Category Data’.

Under GDPR, personal data is defined as “any information relating to an identified or identifiable natural person”. Special Category data is highlighted as sensitive and therefore needs more protection. Special Category data can include details of:

  • Race
  • Ethnic origin
  • Politics
  • Religion
  • Trade union membership
  • Genetics
  • Biometrics (where used for ID purposes)
  • Health
  • Sex life
  • Sexual orientation

It is viewed as sensitive as, in particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination.

The personal data information Dalkey Hypnotherapy Clinic holds (continued)

Dalkey Hypnotherapy Clinic holds the following client information:

  • Name, address and contact details including email address and telephone number
  • Issues which the client is presenting/details of problems with which the client requires help
  • Personal history including family details
  • Medical history and medication record
  • Record of progress through therapy

Dalkey Hypnotherapy Clinic understands that client consent for treatment is not the same as GDPR consent. In the healthcare sector, client data is held under a duty of confidence. Dalkey Hypnotherapy Clinic operates on the basis of implied consent to use client data provided, for the purposes of direct therapy treatment, without breaching confidentiality.

How Dalkey Hypnotherapy Clinic acquires this information

  • Through the initial consultation, in person, by email or by telephone
  • Through therapy sessions in person
  • Through Skype sessions

Who Dalkey Hypnotherapy Clinic shares this information with

Dalkey Hypnotherapy Clinic sometimes needs to share the personal information it processes with the individual and also with other organizations. Where this is necessary, Dalkey Hypnotherapy Clinic is required to comply with all aspects of the General Data Protection Act.

The following is a description of the types of organizations Dalkey Hypnotherapy Clinic  may need to share some of the personal information with, that is processes, for one or more reasons:

  • Family, associates and representatives of the person whose personal data Dalkey Hypnotherapy Clinic holds (if dealing with children, for example).
  • Client’s GP or medical/healthcare consultant etc. (in circumstances where this may be appropriate for those health professionals to know).
  • Central government, police forces and security services (if applicable lawful request made).

The lawful basis for processing personal data

Dalkey Hypnotherapy Clinic holds personal data as described above, to enable it to:

  • Conduct an assessment for clients who request help with treatment
  • Provide therapy sessions relevant to those clients
  • Track progress through therapy for clients
  • Assess therapy ‘end-point’ in conjunction with clients

The lawful basis for processing this data is defined under Article 9(2) of the GDPR:

Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.

Consent

Dalkey Hypnotherapy Clinic understands that whilst the holding of sensitive client data is lawful, and is held under a duty of confidence in terms of therapy/treatment, consent to process personal data electronically, or for marketing purposes, must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

Dalkey Hypnotherapy Clinic understands that holding client data for treatment purposes and GDPR consent are not related. GDPR consent is not a pre-condition for therapy/treatment.

Dalkey Hypnotherapy Clinic understands the need for positive opt-in and that consent cannot be inferred from silence, pre-ticked boxes or inactivity.  Dalkey Hypnotherapy Clinic has also expressly advised its entire marketing database that they can continue to hear from Dalkey Hypnotherapy Clinic by actively ‘opting-in’ to clarify that they agree with this.

Children

Whilst Dalkey Hypnotherapy Clinic may hold client ‘Special Category’ data (see above for definition), via appropriate parental consent, for persons under the age of eighteen, which is considered as being held purely for client treatment purposes under a duty of confidence, Dalkey Hypnotherapy Clinic will not process any of this data for any other purposes such as marketing or profiling etc.

Data Security and Retention Policy

Dalkey Hypnotherapy Clinic IT system is backed up continuously. There is an active security policy in place to ensure that all data is backed up and held in a safe, confidential environment, including a secure, password protected, encrypted file. Personal data is held for a minimum of 5 (five) years, and an average maximum of 8 (eight) years, in line with healthcare industry guidelines, after which time it will be destroyed.

Individual’s Rights

Under GDPR, Dalkey Hypnotherapy Clinic acknowledges the following rights of the individual, in respect of any personal data that we hold:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

Subject Access Requests

As outlined in GDPR guidelines, Dalkey Hypnotherapy Clinic will respond to and comply with all subject access requests within one month.

If it is felt that the individual’s request is manifestly unfounded or excessive, Dalkey Hypnotherapy Clinic reserves the right to refuse or to make a charge.

If any requests are refused on the above grounds, Dalkey Hypnotherapy Clinic will tell the individual why and inform them that they have the right to complain to the supervisory authority and to a judicial remedy – this will be done within one month of the request.

Communication of Privacy Information

Dalkey Hypnotherapy Clinic is communicating its privacy policy via this document which is, and will be, available at all times on www.dalkeyhypnotherapy.ie

If you would like to discuss any aspect of this document, please contact:

Mark Richardson

+353(0)860218228

mark@dalkeyhypnotherapy.ie

Subject access requests should be submitted in writing to:

Mark Richardson
Dalkey Hypnotherapy Clinic
23 Castle Street
Dalkey
County Dublin A96 N8P3
Ireland