Privacy Policy Purpose

This privacy policy sets out how The Cardiff Clinic uses and protects any personal information provided when patients contact us through our website or attend the clinic. The policy will identify the lawful basis for processing personal information. This policy has been updated to comply with the EU General Data Protection Regulations applicable from 25th May 2018.

Policy Statement

The Cardiff Clinic is committed to respecting patient privacy and personal information. You can be assured that your personal information will only be used in accordance with the EU and General Data Protection Regulations.

The Cardiff Clinic may change this policy in the future by updating the details on the website.


This policy applies to all potential patients, current patients and staff members engaged in the treatments provided in The Cardiff Clinic.

Controller of Personal Information

Any personal information processed by The Cardiff Clinic in connection with this Privacy Policy is controlled by the “data controller”, namely The Cardiff Clinic. A data controller is recognised in law as the organisation that processes and takes the responsibility for the information collected and determines the purpose for which the data is collected.

If website links on The Cardiff Clinic website are accessed, then the other sites should also be considered separately as a “data controller.”

What do we mean by Personal Information?

Personal information means details which identify you or could be used to identify you.

Examples of personal data:

  • Name and contact details.
  • Financial details to complete transactions for consultations, treatments and products purchased.
  • Personal details collected during consultations and provision of treatment.
  • Information about how potential and current patients use our website and mobile applications.
  • Photographs taken with your permission to monitor your response to treatment.
  • CCTV images taken within the reception and private boundaries of the clinic.
  • Audio recordings from within the reception area of The Cardiff Clinic.

When does this Privacy Policy apply?

This Privacy Policy applies to potential patients and current patients who provide personal information in order to obtain information about treatments, or arrange and attend a consultation in The Cardiff Clinic. The information may be acquired through verbal or written communication in person or through our website.

It may sometimes be necessary to share personal information with organisations allied to the health care of the patient or to marketing organisations. Patients should consult with the data controller in the organisations involved and refer to the information provided under “Controller of Personal Data.”

How can we keep your personal information secure?

We value your personal data and we are committed to protecting the information entrusted to us. We do this by:

  • Ensuring staff employed by The Cardiff Clinic (“processors”) are well informed and understand the importance of maintaining security of personal information.
  • Processing information as discreetly as possible to avoid any inadvertent lapse of security.
  • Providing security protected computer systems, regularly backed up to retain information.
  • Storing hard copies of personal data in a locked storage environment.
  • Avoiding sharing any personal information entrusted to us with any unauthorised individuals.
  • Ensuring security of The Cardiff Clinic premises is appropriate.

When do we collect personal information about you?

We collect personal information about potential patients who contact us in person or through our website. We also collect more detailed personal information about those patients who choose to register in The Cardiff Clinic in order to receive a consultation. We use some of this personal data to provide relevant information about treatments of possible interest to patients.

What types of personal information do we collect and retain?

Certain categories of information are classed as “sensitive personal data” under the new EU and UK data protection laws. Generally we try to limit the collection of this type of data; however, in order to provide the service of The Cardiff Clinic, it is essential that we collect this type of data.

We collect the following categories of information; some of this data is classed as “Sensitive Personal Data”:

  • Personal and financial information to complete and manage a booking in preparation for a consultation.
  • Information relating to sexual orientation, ethnicity, pregnancy, medical history, medical consultation, treatment plan and care provided.
  • Photographs of patients sent in via the website for the purpose of supporting the diagnosis and allowing comparison and monitoring of a medical condition.
  • Information provided for the purpose of managing a diagnosed medical condition, including the processing of a prescription.
  • Information about potential patients and current patients who use our website or mobile devices.
  • Your opinions about the treatment you received in The Cardiff Clinic.

The main purposes for which we use your personal information are:

  • To manage your request for a consultation and deliver the treatment you require.
  • To communicate with you regarding future appointments.
  • To document your plan of care and response to treatment.
  • To retain your documentation in the event of any possible litigation.
  • To comply with the General Medical Council and the Nursing and Midwifery Council regulatory organisations.
  • To document the outcome of clinical assessments, diagnosis, treatments administered and response to care.
  • To maintain a record of prescriptions provided to comply with the Royal Pharmaceutical Society regulations.
  • To maintain a record of all financial transactions to comply with the regulatory requirements of a Limited Company.
  • To monitor any concerns and complaints to provide information to improve the delivery of the service we provide.
  • To comply with the regulatory requirements of the Health Inspectorate Wales and the Laser Protection Advisor.
  • To provide appropriate marketing to individuals attending the clinic and using our website.
  • To maintain security within the clinic to safeguard members of the public and clinic staff.

When will we send you marketing materials?

We will request your permission to send you marketing materials. We will give you the opportunity to opt-out of any marketing materials we offer and respect your choice as to what communications you wish to receive and how these are sent.

How can you change what marketing materials you receive?

You can decide to stop receiving any marketing materials we may send at any time.

  • You can unsubscribe from our newsletter communications by clicking the unsubscribe option.
  • You can communicate your request directly in person, by telephone or in writing. The contact details and address are available on the website.
  • If you ask us to stop sending marketing materials, please note we will retain your personal information indicating you do not wish to receive marketing communications.

What is our legal basis for using your personal information?

The Cardiff Clinic will only process your personal information where we have a legal basis to do so. The legal basis will depend on the reasons The Cardiff Clinic collected and needs your information. Under EU and UK data protection laws the legal basis will be:

  • To facilitate the booking process.
  • To provide and document medical assessment and treatment.
  • To comply with legal obligations of the regulatory organisations.
  • To protect your vital interests.
  • To maintain a legitimate interest in your information in order to provide a safe service for the benefit of current and future patients.
  • To process your consent for specific procedures and treatments.

How long do we keep your information?

It may be necessary to keep your information for as long as we need it, in order to:

  • Process your visits to The Cardiff Clinic; for example, the retention of your information will be required during your initial contact right through to any subsequent visits to the clinic.
  • Respond to any concerns or complaints that may occur at a later date.
  • Provide statistical information on the treatments we provide and how we can use that information to improve the experience of future patients.

If your data is no longer required?

  • We will review the information we hold and delete it securely, if it is no longer a legal requirement to retain the data.


We may collect and use your personal information after you have given your specific consent for us to do so. This may include your opinion of the service you received when attending The Cardiff Clinic. These reviews may be used on the website to inform potential patients of your experience.

We may also request your permission to use photographs or testimonials of the type of treatment you have experienced. This information may be used to market specific treatments.

If the reason for processing your data is marketing, you can withdraw your consent to such processing at any time.

Who do we share your personal data with?

Your personal data may be shared with professionals allied to your health care. We share information with them to assist us in providing seamless health care for you.

We may also be required to share your personal information with credit and charge companies and anti-fraud screening service providers to process payments and (where necessary) to carry out fraud screening.

We may respond to a valid legal request for the purpose of evidence to support litigation.

We may provide usage information to our marketing company to inform you of specific treatments that may be of interest to you.

What countries will your personal information be sent to?

We do not share your data with any company outside the United Kingdom unless you have requested that information is sent to professionals allied to your health care in the country where you reside.

What are your legal rights regarding the personal information we hold about you?

We recognise that under the UK and EU data protection regulations, you have certain rights in relation to the data we hold about you. We will be receptive to a request for your personal data and aim to offer an initial response within one month. There will be no fee for a copy of your medical management; however, there will be a fee for any medical reports requested.

We will respond to your request as efficiently as possible and in compliance with applicable law. There may on occasions be legal reasons why we are unable to provide all the information you request. We will inform you if we are unable to provide the information you require.

The complexity and nature of your request may require up to three months to collate. If this is the situation we will keep you informed of the progress of your request.

What type of information can I request to be removed from The Cardiff Clinic database?

You may request us to stop sending you newsletters and marketing information. You can use the unsubscribe option on the email or contact us by telephone on 02920 256498 to no longer receive this type of marketing material.

You may request that we do not contact you by email or text for the purpose of reminding you about a forthcoming appointment; however, failure to attend your appointment may incur a charge.

You may request us to stop using your personal information where we are doing so under the legal reason section of this document. We will comply with your request unless there are more compelling reasons that would prevent us meeting your requirements.

We aim to hold accurate personal information on potential patients and patients who attend The Cardiff Clinic. If you suspect that the personal information we hold is incorrect you may wish to contact the clinic to amend the information.

You cannot remove your personal information from The Cardiff Clinic. Information in relation to the medical management and treatment you received may be removed from the Private Practice Software. A copy of the information will be kept to meet our legal and professional regulatory requirements for 7 years.

How to request your personal data and change how we use any personal data?

Your request should be in writing and contain the following information:

  • The date of your request.
  • Your name and postal address.
  • Details of your request.
  • Any specific details that may help us to establish the date of your visit to the clinic.
  • Telephone number and when it is suitable to contact you, and whether you give permission for us to leave a message if you are not available.
  • A copy of your passport or driving licence so that we can verify your identity.
  • If you have requested someone to act on your behalf, please include a signed letter of permission.

Please send your request to:
Hayley Redway at The Cardiff Clinic