Introduction  This data protection policy is designed to ensure that the rights to privacy of individuals are protected. Flower Associates are committed to the principles set out in the General Data Protection Regulation (GDPR) and aim to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected. This Privacy policy was last updated on 30th April 2018. The policy describes how Flower Associates manage your information when you use the services, if you contact us or when we contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use our website. At present we do not use cookies on our website. Flower Associates will use the information collected in accordance with all the laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws Dirk Flower (admin@flower associates co.uk) is the data controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processer, who they are, what they are doing with your data and why we need to provide them with the information. This privacy notice sets out how Flower Associates Ltd will use your personal data. If your questions are not fully answered by this policy, please contact us at admin@flowerassociates.co.uk. We need to collect information about you so that we can: Know who you are so that we can communicate with you in a personal way. The legal basis for this is a legitimate interest. Deliver goods and services to you. The legal basis for this is the contract with you. Process your payment for the goods and services. The legal basis for this is the contract with you. Verify your identity so that we can be sure we are dealing with the right person. The legal basis for this is a legitimate interest. Optimise your experience on our website. The legal basis for this is a legitimate interest. Provide you with a useful and relevant website. The legal basis for this is a legitimate interest The types of personal data we collect and use We will use your personal data for the reasons set out below. We will collect most of this directly during the registration and/or admission process but there may be sources of personal data collected indirectly as set out later in this Policy. The personal data we use may include:  Your name, address and contact details, including email address and home and mobile telephone numbers, date of birth and gender. Your financial information (your bank account and national insurance number) if you are a "self pay" patient or the financial information of the company or individual who is responsible for the payment of invoices/bills relating to your care (e.g. insurer or sponsor) Information about your marital status, next of kin, dependants nominated and/or emergency contacts. Information about medical or health conditions, including whether or not you or your dependants have a disability for which the organisation needs to make reasonable adjustments Information about medical or health conditions of your family Information received in response to any surveys, complaints claims Information about how you use our website. This data may also include visual images, personal appearance and behaviour e.g. when using an ipad as part of the therapy Flower Associates UK may collect this information in a variety of ways. For example, data might be collected through Registration and Admission forms; obtained from your passport or other identity documents such as your driving licence, from pre-admission forms, online web forms completed by you at the start of your treatment, from correspondence with you, through the Admission and Registration process or through interviews, meetings or other assessments. In some cases, the organisation may collect personal data about you from third parties, such as insurer providers, referral agencies e,g, from the G.P. referral letter, sponsors, and checks permitted by law. Providing your personal data We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide care and treatment and receive payment for these services.  Monitoring of communications Subject to applicable laws, we may monitor and record staff calls, emails, text messages, social media messages and other communications in relation to our dealings with you. We will do this to ensure an appropriate standard of care, for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications networks and systems, to check for unlawful content, obscene or profane content, for quality control and staff training, and when we need to see a record of what has been said. We may also monitor activities on our network and systems where necessary for these reasons and this is for our legitimate interests or other legal obligations. Using your personal data and the legal basis for processing We will process your personal data under Article 6 (1); Article 9 (2) of the General Data Protection Regulations: To support the provision of your healthcare To decide how best to provide treatment to you As necessary to support the healthcare contract with you and to allow us to receive the correct payment for those services To take steps at your request during the course of your treatment To keep your records up to date We will process your personal data under Article 6 (1) f of the General Data Protection Regulations: As necessary for our own legitimate interests or those of other persons and organisations, e.g. For good governance, accounting, and managing and auditing our clinical and business operations To monitor emails, calls, other communications, and activities on Flower Associates networks and systems To monitor emails, calls, other communications, and activities on Flower Associates networks and systems As necessary to comply with a legal obligation: When you exercise your rights under data protection law and make requests For compliance with legal and regulatory requirements and related disclosures For establishment and defence of legal rights For activities relating to the prevention, detection and investigation of crime To verify your identity, make credit fraud prevention and anti-money laundering checks To investigate complaints, legal claims and data protection or clinical incidents Based on your consent: If you ask us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf; social services or otherwise agree to disclosures. You are free at any time to change your mind and withdraw your consent. The consequence might be that we cannot continue to provide full healthcare services to you. Sharing of your personal data  Subject to applicable data protection laws we may share your personal data with: Consultants/Doctors and other healthcare professionals who provide treatment to you at our Facilities Other healthcare providers where we feel this will enhance the quality of your care Sub-contractors and other persons who help us to provide healthcare products and services to you Our legal and other professional advisors, including our auditors Fraud prevention agencies, credit reference agencies, and debt collection agencies Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators, the Information Commissioner's Office. Courts, to comply with legal requirements, and for the administration of justice In an emergency or to otherwise protect your or your child’s vital interests To protect the security or integrity of our business operations and other patients Payment systems and providers Anyone else where we have your consent or as required by law  If you subsequently change your mind please contact the facility where you were treated. Contact details are available on this website. Sharing of your personal data for research purposes Subject to applicable data protection laws and your explicit written consent we may share your personal data for the purpose of scientific research. Sharing of your personal data for marketing purposes Subject to obtaining your written consent and communications preferences we may use your contact details to send you newsletters and other information on new Facilities, services and treatments which we think may be of interest to you. We will not sell your personal data to a third party without your written consent. You are free at any time to change your mind and withdraw your consent. Please contact [insert email address]. This will not affect the healthcare services we provide to you. How long do we keep your data? Information will be kept in in accordance with the retention periods outlined in the Information Governance Alliance (IGA) Records Management Code of Practice for Health and Social Care (2016). Information may be held for longer periods where the following apply:   Retention in case of queries. We will retain your personal data as long as necessary to deal with any queries you may have. Retention in case of claims We will retain your personal data for as long as you might legally bring claims against us. Retention in accordance with legal and regulatory requirements. We will retain your personal data after you have received healthcare services at our Facilities based on our legal and regulatory requirements. Your rights under applicable data protection law.  Your rights are as follows (noting that these rights do not apply in all circumstances): The right to be informed about processing of your personal data The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed The right to object to processing of your personal data The right to restrict processing of your personal data The right to have your personal data erased (the 'right to be forgotten') The right to request access to your personal data and information about how we process it The right to move, copy or transfer your personal data ("data portability") Rights in relation to automated decision making including profiling You may exercise these rights by contacting us at admin@flowerassociates.co.uk  You have the right to complain to the Information Commissioner's Office. It has enforcement powers and can investigate compliance with data protection law ico.org.uk  For more details on all the above you can downloading a copy from our Website or contact our Data Protection Officer to request a paper copy of the 'Using My Personal Data' booklet. What happens in the event of a data breach? The data protection lead is responsible for responding to personal data breaches. He or she notifies the ICO as necessary and also data subjects where the risk to them is high. Breaches which carry any risk to data subjects must be reported to the ICO within 72 hours, together with a summary of the nature of the breach, the steps taken to reduce the risk to data subjects, and measures to prevent the breach from happening again. All personal data breaches, however minor, and whether reportable or not are recorded. Complaints or queries If you are not satisfied with our response to complaints or queries you can raise a complaint with the Information Commissioner’s Office (ICO) Contact information ICO: Website: https://ico.org.uk/concerns Email: casework@ico.org.uk Telephone: 0303 1231113 ================================================================