Privacy policy

  1.  Subject-matter and purpose of the privacy policy

 

Right to data portability: The data subject has the right to transfer personal data to another controller without objection by the controller to whom the personal data were provided when: (a) the processing is based on consent or a contract; and (b) the processing is carried out by automated means.

Right to object: The data subject is entitled to object at any time to the processing of personal data concerning him or her when the processing is necessary for the purposes of the legitimate interests of our company and for the purposes of direct marketing and profiling.

Right to withdraw consent: The data subject has the right to withdraw consent at any time, to the extent that it was obtained for the purpose of the processing, without prejudice to the lawfulness of the processing based on consent prior to withdrawal.

For more information, please contact the Data Protection Officer (DPO) of UK CLINICS GLASGOW LTD by e-mail at gdpr@dhiscotland.com or by telephone on +44 141 332 1745.

 

Any natural person whose data is processed by the company enjoys the following rights:

 

Right to be informed and access: The data subject has the right to be informed about and to access the data, and to receive additional information about the processing.

Right to rectification: The data subject has the right to request the correction of inaccurate data or the completion of incomplete data concerning him / her.

Right to erasure (“right to be forgotten”): The data subject has the right to request the deletion of his or her personal data, and the controller is obliged to delete it if:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;

(c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services.

Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

 

1 Personal data collected from potential customers or candidates i.e. pre-sales leads

The company collects and processes personal data from potential customers and candidates. In particular, the company collects identification data, contact information, location and health data. For example, it collects the first name and surname, age, region, phone, email address, reason for contacting UK CLINICS GLASGOW LTD, background about the candidate’s hair and a photo of the candidate’s hair. It should be noted that, for the processing of the abovementioned data collected from the website, Facebook and Instagram, DHI Thessaloniki is a joint controller.

 

1.1 Purpose of processing

The above information is collected to enable DHI to create a file record of the candidate, make appointments, contact the candidate with respect to his/her appointment, and send out marketing information such as newsletters and direct marketing by email and phone calls. Each item of data collected is used for the purpose for which it is needed.

 

1.2 Legal basis for processing

Data collected for the abovementioned purposes is processed on the legal basis of consent. This means that, for each item of data collected, our company obtains the potential customer’s or candidate’s consent. In particular, consent is received when a person completes the contact form while visiting our website, after confirming that he or she has received information about the personal data collected and the purposes and means of processing, as set out in the Data Protection Privacy Policy, and consents to it. Also, during a telephone conversation, the consent of the prospective client is obtained by means of a recorded message informing him or her that personal data is collected by our company for the purposes described above; when information is requested from the prospective client via e-mail following the telephone communication, the prospective client is informed of the collection of his or her data and his or her consent is obtained. The prospective client can also make an appointment with us through social media (Facebook, Skype, Instagram, Viber, DHI Hair Loss APP). In such cases, the data subject's explicit consent is obtained for the purpose of creating a customer candidate card and for marketing and newsletter purposes.

 

1.3 Transfer of data

Data is not transmitted to EU countries or third countries. However, it is forwarded to the following service providers, which are used by our company as processors: Skype, Viber, Host Europe, Salesforce.com, Inc. (CRM), Salesforce Technical Support, Relevance, Instagram, DHI Hair Loss APP and Facebook Messenger. Please note that these service providers comply with the data protection rules under the GDPR.

 

1.4 Retention period

Personal data shall be retained in a form which permits the identification of data subjects only for the time required for the processing of personal data. In particular, the data collected for the purpose of creating a candidate card and for marketing purposes is kept for 20 years and deleted immediately if the data subject withdraws his or her consent.

 

 

2 Personal data collected from prospective clients during diagnosis

For the purpose of diagnosing the disease of its prospective clients, the company collects and processes personal data as well as special categories of personal data. Specifically, it collects and processes identification data, communication data, location data, health data and photos. In particular, the prospective client provides the following information: first name and surname, date of birth and age, phone details (landline and mobile), full address, email address, background about the client’s hair, photos of the client’s hair, history of any previous treatments and results, medical history, existing ailments and hereditary ailments. It should be noted that, for the processing of the abovementioned data collected from the website, Facebook and Instagram, DHI Thessaloniki is a joint controller.

 

2.1 Purpose of processing

The above data is collected in order to be able to provide services to the client, for advertising and direct marketing purposes, for registration to the newsletter, for use of the photographs in advertising and marketing, for future customer contact and for sharing data with DHI Thessaloniki.

 

2.2 Legal basis for processing

The legal basis for the first purpose, providing service to the client, is the performance of the contract between the client and DHI. Thus, the collection and processing of specific data categories (health data) for the first purpose is legitimate, as processing is necessary for the purposes of medical diagnosis and health care or treatment. In addition, the explicit consent of the data subject is always required to collect and process personal data for advertising and direct marketing, use of photographs for marketing purposes, future customer contact, subscribing to the newsletter and sharing data with DHI Thessaloniki. Also, during a telephone conversation, the consent of the prospective client is obtained by means of a recorded message notifying him or her that personal data is collected by our company for the abovementioned purposes. Finally, the consent of the prospective client is given electronically when communication takes place through social media.

 

2.3 Transfer of data

Data are not transmitted to EU countries or third countries. However, data are processed by the following service providers used by the controller as processors: Skype, Viber, Host Europe, Salesforce.com (CRM), Salesforce Technical Support, Relevance, Instagram, DHI Hair Loss APP, Facebook Messenger, Social Media Platforms and DHI Thessaloniki, which carry out their duties in compliance with the GDPR.

 

2.4 Retention period

Any information about the client’s medical history, existing ailments and hereditary ailments, and any newly generated medical records, are stored for a minimum of 6 years. In addition, any photographs corresponding to a particular patient are treated as part of his/her health record and are retained for the same period as the medical record, i.e. for a minimum period of 6 years from the date of last entry. When data is collected for advertising and direct marketing purposes, subscribing to the newsletter, future customer contact and sharing data with DHI Thessaloniki, it is held for 20 years or until the data subject withdraws consent. Also, the photos collected for advertising purposes are kept for 20 years or deleted immediately after the client's consent has been withdrawn.

 

3 Personal data collected from clients who received services

The company collects and processes personal data from clients who have received services, such as identification data, contact information, location data, health data, photos and videos. The health and medical data include any existing ailments, hereditary information, medical history including any surgeries, existence of hypertension, ulcers, allergies, wounds, diseases, medicines received in the recent past, presence of diabetes, special dietary needs, exercise regimen, etc. Every clinic of DHI Medical Group is a joint controller in terms of the collection of videos and photos for marketing reasons.

 

3.1 Purpose of processing

The above data is collected for the following purposes: providing service to the client, i.e. providing the client with the best hair treatment available; advertising and promotional purposes, including presenting photographs and videos in DHI seminars, DHI meetings, the DHI forum, the DHI website and DHI social media, and for presentation to scientific magazines and newsletters; and marketing (customer communication with potential customers).

 

3.2 Legal basis for processing

The Company lawfully collects and processes personal data of its customers in order to provide services to them, as processing is necessary for the performance of the contract between the company and the customer. In addition, the company collects and processes special categories of data such as health data because processing is necessary for the purposes of medical diagnosis and health care or treatment. Furthermore, prior to the collection and processing of its customers' personal data, DHI obtains their explicit consent for each of the advertising and marketing purposes, after first informing them of the type of personal data collected and the purpose of the processing.

 

3.3 Transfer of data

Personal data is transmitted to EU countries or third countries, on the basis of the adequacy decision by the Commission, to the joint-controller clinics of DHI Medical Group. However, data are processed by the following service providers used by the controller as processors: Skype, Host Europe, Salesforce.com (CRM), Salesforce Technical Support, DHI Hair Loss APP, Yuboto, Camera Technical, Relevance, Social Media Platforms, We Transfer and the potential client who requests contact with the client who has received services. The abovementioned processors process the personal data in compliance with the GDPR.

 

3.4 Retention period

Personal data (medical records) collected for the purpose of providing services to clients are kept for 6 years from the date of the last patient visit. In addition, any photographs corresponding to a particular patient are treated as part of his/her health record and are retained for the same period as the medical record, i.e. for a minimum period of 6 years from the date of last entry. With regard to the collection and processing of photographs and videos for advertising and promotional purposes and those collected for marketing, the data is retained for 20 years and deleted immediately upon withdrawal of consent by the client.

 

4 Personal data collected from employees

The company collects and processes the employee’s identification data, contact information and financial data, such as name and surname, passport details, criminal records, address, phone number, email, bank account details, national insurance number, CV, payroll data, employee number and card details, and time of entry and exit.

 

4.1 Purpose of processing

The purpose of collecting the above data is to maintain the relationship between DHI and the employee. This includes creating an employee record, upkeep of employee’s work details, payment of salary, criminal record checks, etc.

 

4.2 Legal basis for processing

Data is collected by the company (DHI) on the legal basis of executing a contract between the company and the employee. In addition, our company informs employees, through a privacy policy, of what data is collected about them and for what purpose, how we process it, where it is transferred and the rights that the employee has.

 

4.3 Transfer of data

Data is transferred to Skype, Host Europe and KM Steward and Co, which process data on behalf of our company and have taken all the appropriate measures to comply with the GDPR.

 

4.4 Retention period

Tax records are kept for 3 years from the end of the tax year, maternity and paternity records are kept for a period of 3 years from the end of the tax year in which the leave ends, salary records are kept for a minimum of 6 years from the end of the tax year, working time data are kept for a period of 2 years, pension benefit data are kept for 12 years from the year ending of any benefit payable and all personnel files and training records are kept for a period of 6 years from the end of employment. In addition, sickness absence records are kept for a minimum of 3 months but up to 6 years after employment ends.

 

5 Personal data collected from prospective employees

The prospective employee’s identification data, contact information and CV are obtained by our company. This includes name and surname, phone details, email and CV.

 

5.1 Purpose of processing

The purpose of collecting the data is to contact the candidate, arrange for interviews and proceed with the recruitment process.

 

5.2 Legal basis for processing

The purpose of collecting the data is covered under the legal basis of executing a “Contract” between the company and the candidate.

 

5.3 Transfer of data

Data is transferred to Host Europe and DHI Thessaloniki, which ensure that they comply with the obligations set by the GDPR.

 

 

5.4 Retention period

Candidate information is deleted after a period of one year.

 

6 Personal data collected from external associates and partners

Our company collects and processes identification data, contact information and financial details from external associates and partners, such as name and surname of the contact person, company name, email, billing information and contract details.

 

6.1 Purpose of processing

The purpose of obtaining the above data is to ensure the processing of the contract between DHI and the partner/associate. This also ensures that any financial transactions between the companies can be successfully carried out.

 

6.2 Legal basis for processing

The legal basis for the collection of the above information is the execution of a ‘Contract’.

 

6.3 Transfer of data

Data is transferred to Host Europe and KM Steward and Co, which ensure that they comply with the obligations set by the GDPR.

 

6.4 Retention period

DHI retains the above data for a minimum period of 6 years after which it deletes the data.

 

7 Personal data collected from clients regarding their accounting information

Our company collects and processes the client’s identification data, contact information and financial details. This includes details such as name and surname, treatment received, amount owed and financial data such as account number, sort code and credit card details.

 

7.1 Purpose of processing

The purpose of obtaining the above data is to ensure the processing of the contract between DHI and the client. This also ensures that the client has paid for the services that have been provided.

 

7.2 Legal basis for processing

The legal basis for the collection of this information is the execution of a ‘Contract’.

 

7.3 Transfer of data

Data is transferred to Host Europe and KM Steward and Co, which ensure that they comply with the obligations set by the GDPR.

 

7.4 Retention period

DHI retains the above data for a minimum period of 6 years after which it deletes the data.

 

8 Personal data collected during the recorded call

When customer/potential customer calls are recorded, the company collects and processes data such as identification, communication, location data, and health data.

 

8.1 Purpose of processing

The company collects and processes the above data in order to provide evidence of a commercial transaction or other business communication.

 

8.2 Legal basis for processing

The collection and processing of our customers' personal data during call recording is lawful, as the data subject's explicit consent is obtained through an audio prompt before the call is recorded.

 

8.3 Transfer of data

Data is not transmitted to EU countries or third countries. However, the data is stored on the telephone devices with a logger and on the server.

 

8.4 Retention period

These data are kept for six months.

 

Rights of data subject

The data controller is UK CLINICS GLASGOW LTD, which is based in Scotland, 15 Royal Crescent, Glasgow, G3 7SL, E-mail: info@dhiscotland.com, Tel. 0141 332 1745. The company is the legal entity that collects and processes personal data and determines the manner and purpose for which it collects the personal data.

 

Information about the collection and processing of personal data

The Clinic DHI SCOTLAND (UK CLINICS GLASGOW LTD) collects and processes personal data according to the General Data Protection Regulation 679/2016 of the European Parliament and of the Council (hereinafter GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. It also commits to applying national and European privacy law. This policy is provided by UK CLINICS GLASGOW LTD in order to define and announce the terms and conditions that the company applies for the protection of the personal data it processes. In particular, the privacy policy specifies the personal data subjects, the categories of personal data collected, the purpose for which they are collected, the legal basis of the processing, the transfer of personal data to third countries, other recipients or processors, and the storage period/limitation of such data. The purpose of this policy is to inform data subjects about their rights regarding the processing of their personal data. The company takes all the necessary technical and organizational measures required for the security of the personal data collected.

UK CLINICS GLASGOW LTD reserves the right to modify or update this policy without prior notice if this is required by applicable national or European law or is deemed necessary as a consequence of our ongoing efforts to improve the protection of personal data. For this reason, a regular review of this policy by stakeholders is needed.

 

Data Controller
