background image
16th December 2018 

DATA PROTECTION Respecting and protecting your personal information

DATA PROTECTION POLICIES AND PRIVACY NOTICES

We at Britta Schuessler Therapies are pleased to see the General Data Protection Regulation 2018 setting clear guidelines that all companies should similarly respect personal information. We have embraced the principles of GDPR and used this as an opportunity to further strengthen our practices. We have a comprehensive suite of Data Protection Policies and Privacy Notices which are available below. We have also voluntarily become a member of ICO, the Information Comissioner's Office.


Privacy Notice

1. Who we are
Britta Schuessler Therapies, Stirling Business Centre, Wellgreen Place Room 23, Stirling FK8 2DZ

2. Why we need to process your data
We need to process your personal data in order to fulfil our contractual obligations to you. We consider that we are not able to carry out the steps outlined above without processing your data. We would like to hold your data for three years after our work with you has finished in order to handle any dispute which may arise during the eligible statutory period.
3. Your rights
-You have the right to ask us to rectify any data we hold about you if that data is incorrect or incomplete. More detailed guidance on your rights may be found in our Individual Rights Policy.
-You also have the right to obtain and re-use the data which we hold for your own purposes. This is known as “data portability”. More detailed guidance on your rights may be found in our Individual Rights Policy.
-You also have the right of erasure where there is no compelling reason for us to continue holding your data. More detailed guidance on your rights may be found in our Individual Rights Policy.
-You also have the right to complain if you are not happy about the way we have used your personal data. More detailed guidance on your rights may be found in our Individual Rights Policy.
-You also have the right to object to our use of your data for the purposes outlined in this privacy notice. If you wish to object, please refer to our more detailed guidance on your rights which may be found in our Individual Rights Policy.

In order to be able to process your data in the legitimate interests of our business, we must satisfy a number of criteria and must complete a legitimate interests assessment (LIA) to help us demonstrate compliance. If you exercise your right to object to us processing your data for this purpose or if you exercise your right to complain (both of which are set out in more detail below) we may (but need not) share with you the LIA when dealing with your objection or complaint.


Individual Rights Policy

This policy forms part of the company’s suit of data protection policies. It is drafted so as to comply with the GDPR (General Data Protection Regulation) which comes into force in England on the 25th of May 2018 and which replaces the Data Protection Act 1998.
This policy sets out the individual rights of data subjects, including company employees/workers. This policy will be made public to data subjects.

Legal Framework
The law sets out certain rights of data subjects. Some of those rights only arise in specific circumstances, whereas others apply in all cases.
The table below sets out individual rights. The general rights are as follows:-
1. The right to be informed
2. The right of access
3. The right of rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
Some of these rights will only arise in relation to certain specific bases for processing. They are as follows:-
If you are unsure about which basis for processing has been used in any given case, you should refer to the Privacy Notice which will state the basis of processing and will also summarise which rights are open to you.

The Rights in Detail

1. The right to be informed
Where we have obtained data directly from you, you have the right to be informed of the following:-
(a) Our identity and contact details.
(b) The identity of our Data Protection Officer (DPO)
(c) Why we are seeking to process your data.
(d) The lawful basis which applies to the processing of your data.
(e) Details of any third parties who will receive your personal data.
(f) Details of any transfers to third party countries and safeguards we have put in place to protect your data.
(g) Details of how long we retain data for.
(h) The fact that you have certain rights in relation to your personal data.
(i) The fact that you have a right to complain to a supervisory authority.
In addition, you have certain specific rights depending on the lawful basis for processing which we are relying upon. For example, if we are processing data on the “Legitimate Interests” basis, you are entitled to know what those interests are. Where we are processing data on the “Consent” basis, you are entitled to know that you have the right to withdraw your consent.
Most of this information will have been supplied to you through the Privacy Notice which relates to the processing in question.
If you wish to complain about any matter related to the processing of your personal data, you may complain either to us or to the supervisory authority.
If you wish to make an internal complaint, you should contact the Managing Director - Britta Schuessler.
If you wish to make an external complaint, you should contact the Information Commissioner’s Office,
whose details are Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF tel: 0303 123 1113.

2. The right of access
This is very similar to the old subject access regime and allows individuals to have the right to obtain:-
(a) Confirmation that their data is being processed.
(b) Access to their personal data.
(c) Other supplementary information (largely the information that should be provided in a privacy notice).
If we obtain your data from a third party, we must also tell you what categories of personal data we hold and must provide the information referred to above at the earliest of:
(a) One month of us obtaining the data
(b) The point at which we first contact you using that data
(c) If we propose to transfer the data to a third party, prior to disclosure of the data

The right to charge 10.00 has been removed and (subject to the below) all subject access requests must be dealt with for free.
The time lapse for compliance with a subject access request has dropped from 40 days to 1 month.
Where a request for information is made electronically, the information should be provided in commonly used electronic format (typical emails with pdf or other attachments).
Where requests are manifestly unfounded or excessive (especially if they are repetitive) we can charge a reasonable fee to take account of the administrative costs of providing the information or may refuse to respond.
Where we refuse to comply with a subject access request, we must explain why we are refusing and inform the data subject of their right to complain to a supervisory authority and/or for a judicial remedy. That information must be provided within one month.
The larger the amount of data requested, the easier it might be to argue that a request is manifestly unfounded or excessive.
Before complying with the subject access request, we must verify your identity using “reasonable means”. This is to ensure that we do not send your data to the wrong person.
If we hold a large quantity of information about an individual, we may be permitted to ask you to specify what information you have requested pursuant to your subject access request. This will help us target your request.

3. The right of rectification
You have the right to have data held about your rectified if, for any reason, it is inaccurate or incomplete.
Where we have disclosed your data to third parties, we must notify them of any rectification action which we take.
You may make a request for rectification by e-mail to [email protected] Your request for rectification should contain sufficient information for us to understand what data which we hold is inaccurate or incomplete and what the correct data is. It would also assist if you could explain why the data we hold is not correct, although this is not absolutely necessary.
We may have to contact you if there is anything we do not understand in your request for rectification.
We must respond to a request for rectification within one month, although this can be extended to two months where your request is complicated.
If you are not happy with our decision about rectification, you may complain to the Information Commissioner’s Office using the contact details set out above or you may apply to the Courts for a judicial remedy.

4. The right to erasure
Depending on which basis we use for processing your data, you may have a right to erasure of that data. This is also known as the “right to be forgotten” and allows you to request the deletion or removal of your personal data when there is no longer any compelling reason for us to continue processing it.
The right to erasure applies in any of the following circumstances:-
(a) Where the personal data held is no longer necessary in relation to the purpose for which it was originally collected and processed.
(b) If you have provided consent to us processing your data and wish to withdraw that consent.
(c) Where you object to us processing the data and there is no overriding legitimate interest allowing us to continue processing.
(d) Where we have processed your data in breach of the law.
(e) Where your data must be erased in order to comply with a legal obligation.
(f) Where we are entitled to processing data pursuant to a right of freedom of expression or freedom of information.
(g) Where the personal data is processed in relation to the offer of information and society services to a child. This is unlikely to apply in relation to the company.
We may refuse to comply with a request for erasure in certain limited circumstances, which include bringing or defending legal claims or for archiving purposes which are in the public interest or which for the purposes of scientific or historical research or statistical purposes.
Where we accept a request for erasure, we must tell any third party to whom we have disclosed the data.

5. The right to restrict processing
We will be obliged to restrict the processing of your personal data in any of the following circumstances:-
(a) You have disputed the accuracy of data which we hold. In that situation, processing of the data will be restricted until such a time as we have established whether or not the data is accurate.
(b) Where you have objected to the processing of data for the purposes of legitimate interests and we are considering whether our legitimate interests override your interests. Again, the restriction of processing will only last for so long as it takes for us to make that decision, although if we find information is in your favour, we will cease processing the data altogether on that ground.
(c) Where we are processing your data contrary to the law and for whatever reason you do not request erasure of your data.
(d) If we no longer need the data but you require it in order to bring or defend a legal claim.
During a period of restriction, we may still store your data, but we may not use it.
Where we have disclosed your data to third parties, we must notify them of any restriction that is in force.
If you wish to restrict the processing of your data, you may make a request by email to [email protected]

6. Data portability
The right to data portability is a new right which allows you to re-use data we hold about you for obtaining services elsewhere or for your own purposes. It is designed to allow easy transfer of your data from one IT system to another.
The right to data portability will only apply in limited circumstances (where we are processing your data with your consent or pursuant to an obligation under contract) and also when the processing has been carried out by automated means.
You can request data portability by emailing [email protected]
We must provide the personal data in a structured, commonly used and machine readable form. We must provide the data free of charge. We will send the data to you or direct to a third party organisation if you request it.
We must comply with a request for data portability without undue delay and in any event within one month. However, this can be extended to two months where the request is complex or we receive more than one request. If we need more than one month, we will write to you to tell you why the extension is necessary.
If we refuse your request for data portability, we must explain why and if you are not happy with our decision, you may complain to the Information Commissioner’s Office using the contact details set out above or you may apply to the Courts for a judicial remedy.

7. The right to object
You have the right to object to us processing your data if we are processing on the grounds of legitimate interests. The right also applies in certain other circumstances, but these do not apply to the company.
You also have the right to object to the processing of your data for direct marketing (including profiling) and the processing of your data for the purposes of gathering statistics or for scientific/historical research.
Your right to object must be sent to [email protected] by e-mail. You must set out the grounds for your objection which must relate to your own particular situation.
Upon receipt of your objection, we must stop processing your data unless either of the following criteria applies:-
(a) We can demonstrate compelling legitimate grounds for processing which override your interests.
(b) We are processing the data pursuant to a legal claim.
If you object to the processing of your personal data for direct marketing purposes, we must cease that processing immediately. There are no grounds for us to refuse.
Where we carry out processing of data online, you must be able to raise an objection online.


DATA PROTECTION POLICY

This policy forms part of the company’s suite of data protection policy. It is drafted so as to comply with the GDPR (General Data Protection Regulation) which comes into force in England on the 25th of May 2018 and which replaces the Data Protection Act 1998. This policy applies to all company employees/workers.
In the event of any query about any aspect of the company’s data protection regime, you should contact the Data Protection Officer (DPO).

The Data Protection Officer is Britta Schuessler

The Company holds and processes information about individuals. This means that the Company is a ‘Data Controller’ for the purposes of data protection legislation (“the Legislation”). Any breach of the Legislation could have serious legal consequences.
Failure to comply with this policy or to the other policies comprised in the company’s data protection regime will be treated as a disciplinary matter.

Key Concepts
The Legislation relates to personal data. In broad terms, personal data is any information about living, identifiable individuals which is held by the company.
Personal data must be obtained only for specified, lawfully and transparent purposes and must not be processed in any way which is incompatible with those purposes. Processing data covers just about anything you can do with information, including collecting it, storing it, using it, passing it to third parties and destroying it.
The personal data that we keep must be accurate, must be limited to what is necessary for the purpose for which the data is being processed and must not be kept for any longer than is necessary. Personal data must also be kept secure. Certain types of data are known as “special category data”. Special category data is any data which would identify a living person and which relates to information about their:

Race
Ethnic origin
Sex life
Politics
Religion
Trade union membership
Genetics
Biometrics (where that information is used for ID purposes)
Health

Processing Data Lawfully
If the company wishes to process personal data, it must be able to demonstrate that at least one of the following six lawful bases for processing applies:

- Consent (that the individual has agreed to the processing of their data for a specific purpose)
- Contract (the processing of the data is necessary pursuant to a contract the company has with the individual)
- Legal Obligation (the processing is necessary to satisfy a legal requirement)
- Legitimate Interests (that there is a good reason for processing the data which outweighs the potential impact on the individual)
- Vital Interests
- Public Tasks
The last two bases (vital interests and public tasks) are extremely unlikely to apply to anything which the company does.

Every processing activity which the company carries out is covered by a Privacy Notice. The Privacy Notice confirms the lawful basis for processing and provides the individual whose data is being processed with requisite information about the processing activities and their rights.
Only the DPO and other employees/workers who have been specifically authorised by the company may complete or issue Privacy Notices. These documents all form part of the company’s suite of data protection policies.
In the event that a company is processing special category data, then in addition to identifying a lawful basis for processing (from the list set out above), we must also be able to satisfy one of the following additional criteria:

- The data subject has given explicit consent
- Employment/social security/social protection
- Data has been made public by data subject
- The processing is necessary for a legal claim
- The processing is necessary to assess the working capacity of an employee/worker
- The processing is necessary in the vital interests of the data subject
- Legitimate activities of political /philosophical/religious or trade union body
- The processing is in the substantial public interest
- Processing is in the public interest in the area of public health
- The processing is necessary for archiving purposes

The Rights of Data Subjects
Individuals have certain rights in relation to data which the company holds about them. The company must notify individuals of the information held about them and this is done through the Privacy Notice system. The rights of data subjects are set out in more detail in the Data Protection – Individual Rights Policy.
Specifically, individuals have the right of access to data held about them. Again, this right extends to you as company employee/worker.
Data subjects have the right to obtain the following:-
- Confirmation that their data has been processed
- Access to their personal data
- Other relevant information (which will normally be included in Privacy Notices)

Any request for disclosure of data held about a data subject is known as a “subject access request”. Companies are no longer allowed to make any charge for complying with a subject access request although we can still charge a reasonable fee where a subject access request is manifestly unfounded or excessive, particularly when such requests have been made on more than one occasion. A fee may also be charged for provision of information which has already been provided. Any fees charged must be limited to the reasonable cost of providing the information.
Information must be provided without delay and in any event within one month of the subject access request. Where a subject access request is complicated or where there is more than one request, the deadline for complying with the request may be extended by up to two months.

Data about Criminal Offences
There are further restrictions when it comes to processing data regarding an individual’s history of criminal offending. Britta Schyuessler Therapies does not process or hold data relating to Criminal Offences.

Security and Non-disclosure
All employees/workers are responsible for making sure that any personal data that the company holds, is kept securely and is not disclosed, either orally or in writing, to any third party other than pursuant to the provisions of a Privacy Notice. To ensure that data is adequately protected, the company has a data security policy which forms part of the company’s suite of data protection policies. If you become aware that messages have been sent to third parties using your e-mail address, you should notify the DPO.
All personal data is kept in a safe place and is not accessible to anyone apart from the DPO. The information is not left unattended, where it can be accessed by a third party. No personal data is permitted to be removed from the work environment without the express permission of the company.


Breach Reporting
All employees/workers are subject to the company’s Breach Reporting Policy.


Data Security Policy

This policy forms part of the Company’s suite of data protection policies. It is drafted so as to comply with the GDPR (General Data Protection Regulation) which comes into force in England on the 25th of May 2018 and which replaces the Data Protection Act 1998.
This policy sets out the Company’s position on data security including (but not limited to) security of personal data as defined by Data Protection legislation. For the purposes of this policy, “data” includes “personal data” as defined in the Data Protection Policy but also all information belonging to the Company or in the possession of the Company which is of a sensitive or confidential nature.
This policy may be made public to data subjects, including employees/workers and others engaged in providing services to the Company.
This policy has contractual effect within the organisation and all employees/workers and others engaged in providing services to the Company are expected to abide by it.

Legal Framework
Data protection legislation requires that organisations process personal data in a manner that ensures its security. This includes ensuring protection against unauthorised or unlawful processing and against loss, destruction or damage.
Organisations must put in place policies to ensure that only authorised people can access, alter, disclose or destroy personal data, that everyone acts within the scope of their authority and that so far as possible, breaches are drawn to the attention of the organisation and steps are taken to minimise the effect of any breaches and to recover any lost data so as to prevent damage or distress to affected data subjects.
The more sensitive the data an organisation holds the greater measures that the organisation should take to protect it.
Outside the sphere of data protection, organisations are entitled to protect confidential information and trade secrets and may also be bound to protect formation provided by third parties which is of a sensitive or personal nature.

Data Security Measures – Employees/Workers and Contractors
All employees/workers and those engaged in providing services to the Company are expected to abide by the following data security measures:-
a) Data may be transmitted only over secure networks. Transmission over unsecured networks is not permitted in any circumstances. The Company’s computer network is a secure network but employees/workers should not send data from their own e-mail accounts or from other networks including public access computers without seeking the advance permission of their manager and (where the information to be sent includes personal data) the data protection officer.
b) Incoming and outgoing e-mails will be stored on the Company’s e-mail system. E-mails will be deleted from time to time. Any data contained in the body of an e-mail (whether sent or received) which needs to be kept for any period of time should be stored securely. Where that data is personal data, it should only be copied and stored where it is necessary to do so for one or more purposes outlined in the Company’s privacy notices.
c) Where data is to be transferred in hard copy form it should be passed directly to the recipient or sent using the recipient’s name and marked “private & confidential – for addressee only”.
d) No data may be shared informally and if an employee/worker, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to and/or are not entitled to access in the normal course of performing their duties, such access should be formally requested from the data protection officer.
e) Hard copies of personal data may only be made with the permission of the data protection officer. Any handwritten notes containing personal data must be for temporary purposes only and shredded after use or similarly destroyed. No hard copies should remain at the end of the working day.
f) All personal data resides on the Company server in a secure data centre. Copies may only be stored locally for brief temporary purposes such as printing customer invoices or attaching PDF documents to emails. Once used all local copies must be immediately deleted.
g) No data may be transferred other than in the normal course of business to any person, whether such parties are working on behalf of the Company or not, without the advance authorisation of the data protection officer.
h) Data must be handled with care at all times and should not be left unattended or on view to unauthorised employees/workers, agents, sub-contractors or other parties at any time;
i) If a computer accessing the Company system is to be left unattended for any period of time, the user must log out by closing the browser.
j) Data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with this policy, with Data Protection legislation and with confidentiality more widely, which may include demonstrating to the Company that all suitable technical and organisational measures have been taken.
k) All data stored electronically should be backed up and the Company shall put in place such measures as are necessary to ensure the regular backing up of data. Wherever possible, all backups will be encrypted.
l) All passwords used to protect data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols.
m) If any data is found to be out of date or otherwise inaccurate, it should be updated and/or corrected immediately where possible. If any data is no longer required by the Company, it should be securely deleted and disposed of.
n) Where data held by the Company is used for marketing purposes, only authorised employees/workers may carry out marketing activities. No other employee/worker is authorised to carry out such activities.
o) Any request for references must be handled by the director of the company. Personal references may be given provided they are first approved by the director of the Company.

Data Security Measure – Company Obligations
The Company shall ensure that:
a) All employees/workers, agents, contractors, or other parties working on behalf of the Company are made fully aware of both their individual responsibilities and the Company’s responsibilities under data protection legislation and under the Company’s suite of data protection policies, and, where necessary, shall be provided with a copy of the Company’s suite of data protection policies.
b) Only employees/workers, agents, sub-contractors, or other parties working on behalf of the Company that need access to and use of data in order to carry out their assigned duties correctly shall have access to personal data held by the Company.
c) All employees/workers, agents, contractors, or other parties working on behalf of the Company handling data will be appropriately trained to do so.
d) All employees/workers, agents, contractors, or other parties working on behalf of the Company handling data will be appropriately supervised.
e) Methods of collecting, holding and processing data shall be regularly evaluated and reviewed.
f) All employees/workers, agents, contractors, or other parties working on behalf of the Company handling data will be bound to do so in accordance with the principles of data protection legislation and the Company’s data protection policies.
g) All agents, contractors, or other parties working on behalf of the Company handling data must ensure that any and all of their employees who are involved in the processing of data are held to the same conditions as those which apply to employees of the Company.
h) Where any agent, contractor or other party working on behalf of the Company handling data fails in their obligations regarding personal data or confidential information, wherever practicable that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Data Storage and Data Sharing
The Company may store or transfer personal data in countries that are not part of the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). These are known as “third countries” and may not have data protection laws that are as strong as those in the UK and/or the EEA. Where personal data is stored or transferred outside the EEA, the Company will take appropriate steps in order to ensure that personal data is treated just as safely and securely as it would be within the UK and under the GDPR.

Data Sharing
The Company may share personal data with external third parties that are based outside the EEA. If so, the Company will only transfer personal data to countries that the European Commission has deemed to provide an adequate level of data protection. More information is available from the European Commission.]
If the Company transfers personal data to a third party based in the US, the data may be protected if the transferee is part of the EU-US Privacy Shield. This requires that third party to provide data protection to standards similar levels of data protection to those in Europe. More information is available from the European Commission.
Please contact Britta Schuessler, Britta Schuessler Therapies, [email protected] for further information about the particular data protection mechanisms used by the Company when transferring personal data to another country.