Legal · Last updated May 12, 2020

    Company Details, Privacy Policy, Data Control & Complaints Procedure

    This document sets out 23MD's company details, our Privacy Policy, our approach to data control, and our complaints procedure. It describes how we collect, use, retain and protect your personal and medical data, and the rights you have under GDPR.

    01

    Company Details

    23MD Medical Services Limited (“23MD”) is a UK-based company registered in England and Wales. Registration number: 11375909. Registered address: Camburgh House, 27 New Dover Road, Canterbury, Kent, United Kingdom, CT1 3DN.

    The Data Protection Officer (“DPO”) is Dr Martin Galy and can be contacted via email to the clinic. Complaints can be made by contacting the Practice Manager.

    23MD Dubai LLC (“23MD Dubai”) is a UAE-based company registered in Dubai. Company registration number: 1089104. Registered address: Street 10b, The Court Residences, Jumeirah 1.

    02

    Privacy & Confidentiality

    This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

    We use Your Personal Data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

    03

    Definitions

    For the purposes of this Privacy Policy:

    • You means the individual accessing or using the Service. Under GDPR, You are the Data Subject.
    • Company (“the Company”, “We”, “Us” or “Our”) refers to 23MD, 23 Elystan St, London SW3 3NT. For GDPR purposes, the Company is the Data Controller.
    • Service refers to the Website, accessible from 23md.co.uk.
    • Personal Data means any information relating to an identified or identifiable individual, such as a name, identification number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.
    • Cookies are small files placed on Your computer or mobile device by a website, containing details of Your browsing history.
    • Usage Data refers to data collected automatically, generated by the use of the Service or from the Service infrastructure itself.
    • Data Protection Officer (“DPO”) refers to Dr Martin Galy, whom We have appointed to oversee compliance with this policy.

    04

    What Personal Information We Collect

    Personal data means any information relating to you which allows us to identify you, such as your name, contact details, patient ID number, payment details and information about your access to our website.

    We may collect and retain personal data from you when you register with us for an appointment, or make an enquiry via telephone or website. We may use this data to communicate with you via email, telephone or SMS about treatments available and treatment delivered to you. You will have the right to withdraw from some types of communications. We may record and retain telephone calls for training and quality purposes.

    Specifically, we may collect the following categories of information:

    • Personal Data, name, home address, email address, telephone number, passport or other personal ID details, credit/debit card or other payment details, and next-of-kin details.
    • Medical Data, medical history and treatment details.
    • Purchasing Data, treatments, products or services that you have purchased from us.
    • Information about your use of our website and/or App when available.
    • Communication Data, letters, emails, chat, calls and social-media exchanges with us.
    • Sensitive personal data, details about your physical or mental health, and any alleged commission or conviction of criminal offences, recorded as appropriate in your medical files.

    05

    Usage Data

    Usage Data is collected automatically when using the Service. It may include your device’s IP address, browser type and version, the pages of our Service you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

    When You access the Service through a mobile device, We may also collect the type of device, mobile device unique ID, IP address, mobile operating system, browser type, and other diagnostic data.

    06

    Tracking Technologies and Cookies

    We use Cookies and similar tracking technologies (beacons, tags, scripts) to track activity on Our Service and to improve and analyse it. You can instruct your browser to refuse all Cookies or indicate when one is being sent. However, refusing Cookies may prevent some parts of our Service from working.

    We use both session and persistent Cookies for the following purposes:

    • Necessary / Essential Cookies, to provide the services available through the Website and to authenticate users.
    • Cookie Notice Acceptance Cookies, to record whether users have accepted the use of cookies.
    • Functionality Cookies, to remember choices you make, such as login details or language preference.
    • Tracking and Performance Cookies, administered by third parties to track traffic and how users interact with the Website.

    07

    Use of Your Personal Data

    The Company may use Personal Data for the following purposes:

    • To provide and maintain our Service, including monitoring usage.
    • To manage Your Account and registration as a user.
    • For the performance of a contract for products or services You have purchased.
    • To contact You by email, phone, SMS or other electronic means about appointments, updates and informative communications.
    • To provide news, special offers and general information about goods, services and events similar to those you have already purchased or enquired about, unless you have opted out.
    • To manage Your requests.

    08

    Retention of Your Personal Data

    The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy, including to comply with legal obligations, resolve disputes and enforce our agreements.

    We will hold your data for a minimum of 10 years after your treatment, and longer if deemed necessary for legal reasons, in accordance with the NHS Code of Practice for Records Management. Information may be used within the clinic and shared amongst our multidisciplinary team to ensure coherence in treatment, and for clinical audit. Any statistical use is subject to strict measures so that individual patients cannot be identified.

    Only adults aged 18 or over can attend our clinic and provide their own consent.

    09

    Transfer & Disclosure of Your Data

    Your information may be processed at the Company’s operating offices and in any other place where the parties involved in the processing are located, including outside your jurisdiction. The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy.

    Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law, or to: comply with a legal obligation; protect and defend the rights or property of the Company; prevent or investigate possible wrongdoing; protect the personal safety of Users or the public; or protect against legal liability.

    10

    Security of Your Personal Data

    The practice is registered with the Information Commissioner’s Office (ICO). We follow strict security procedures in the storage and disclosure of your personal data, and to protect it against accidental loss, destruction or damage. Data is protected in transit using SSL (Secure Sockets Layer) technology, the industry standard for encrypting personal information and credit card details for secure transmission over the internet.

    Your medical data is stored in a cloud-based system that is compliant with the Department of Health UK, the Information Commissioner’s Office (ICO), the General Data Protection Regulations Act 2018 and the Data Protection Act 2018.

    11

    Sharing Your Personal Data

    Your personal data may be shared within the company amongst the members of our multidisciplinary team, and with other companies (e.g. for laboratory tests and other investigations) as agreed with you at the time of your consultation or treatment.

    We may also share your personal data with the following partner organisations, all bound by contractual agreements to keep information confidential and secure:

    • Private-sector providers such as pharmacists, The Doctors Laboratory, Ultrasound Diagnostic Services and other professional associates
    • GPs, NHS Trusts, Foundation Trusts and NHS Commissioning Support Units
    • Social Care Services and Voluntary Sector Providers
    • Ambulance Trusts and Clinical Commissioning Groups
    • Local Authorities, Education Services, Fire & Rescue Services
    • Police & Judicial Services and other authorised data processors

    Except for emergency situations, you will be informed who your data will be shared with and, where required, asked for explicit consent.

    12

    Payments

    We may provide paid products and/or services within the Service. We use third-party services for payment processing and we will not store or collect Your payment card details. That information is provided directly to our third-party payment processors, who adhere to PCI-DSS standards.

    Stripe’s Privacy Policy can be viewed at stripe.com/us/privacy.

    13

    Analytics & Email Marketing

    We may use third-party Service providers to monitor and analyse use of our Service, including Google Analytics. You can opt out by installing the Google Analytics opt-out browser add-on. For more information on Google’s privacy practices, visit policies.google.com/privacy.

    We may use Your Personal Data to contact You with newsletters, marketing or promotional materials. You may opt out at any time by following the unsubscribe link in any email We send, or by contacting Us. We use Pabau to manage and send emails; Pabau’s Privacy Policy is at pabau.com/privacy.

    14

    Your Rights under the GDPR

    The Company undertakes to respect the confidentiality of Your Personal Data and to guarantee You can exercise Your rights. You have the right to:

    • Request access to Your Personal Data and receive a copy of the data We hold about You.
    • Request correction of any incomplete or inaccurate information.
    • Object to processing based on legitimate interests, or for direct marketing purposes.
    • Request erasure of Your Personal Data when there is no good reason for Us to continue processing it.
    • Request the transfer of Your Personal Data in a structured, commonly used, machine-readable format.
    • Withdraw Your consent at any time.

    You may exercise Your rights by contacting Us. We may ask You to verify Your identity before responding. You also have the right to complain to a Data Protection Authority (in the UK, the Information Commissioner’s Office, ico.org.uk).

    15

    Accessing Data of a Deceased Person

    If you want to view the health records of a deceased person, you can apply in writing to the Data Protection Officer (DPO) under the Access to Health Records Act 1990. The DPO at 23MD is Dr Martin Galy and can be contacted via email to the clinic.

    17

    Objections & Complaints

    Should you have any concerns about how your information is managed, please contact the Practice Manager. If you are still unhappy following a review by the practice, you can complain to the Information Commissioner’s Office (ICO) via ico.org.uk. The ICO is the lead data-protection supervisory authority for 23MD Limited as a UK data controller.
