In this notice, the “Company” means Laura Kay London Limited or Laura Kay London Academy Limited being the entities processing or managing your data in the date that you receive this document.The Company is registered in the UK and its registered address is at 5 Beaumont Gate, Radlett, WD7 7AR.The Company collects, controls and processes personal and sensitive personal data relating to its clients and customers in the day to day management of the business and this privacy notice sets out the basis on which any personal and sensitive personal data about you will be processed by the Company. The Company is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.This privacy notice applies if you are a client or customer of the Company. Please take the time to read and understand this privacy notice.What information does the Company collect?
The Company collects and processes a range of information about you. The Company may obtain this information in a variety of ways: you may provide this information to the Company directly; the Company may collect or generate this information in connection with your custom; or the Company may obtain information from other sources or third parties.Information that you provide to the Company or that the Company collects about you includes:
- your name, address and contact details, including email address and telephone numbers, date of birth and gender;
- the terms and conditions of any treatments or training that you have;
- your medical history including whether or not you have a disability or contra-indication for which the Company needs to make reasonable adjustments during any treatment or training;
- information about next of kin, dependants and emergency contacts;
- your picture for before and after treatment purposes;
This information might be collected through application forms or treatment forms or from correspondence with you; or through meetings or other assessments.Information that the Company obtains from other sources includes:
- Medical information provided by doctors or consultants to confirm that you are eligible for particular treatments if you have certain medical conditions.
Why does the Company process personal data and sensitive personal data?The Company processes your personal and sensitive personal data for the following purposes, to:
- maintain accurate and up-to-date client records (including medical history) and contact details (including details of who to contact in the event of an emergency);
- to ensure your safety for treatment purposes;
- to be able to keep you up to date on the latest offerings, including treatments, discounts and products;
- for the purposes of ensuring that purchases made via the Company websites are sent to you.
The Company is entitled to use your personal and sensitive personal data in these ways because:
- the Company needs to meet its obligations under your purchase or training contract and particularly where there is a treatment contract, for your safety;
- the Company needs to process data to ensure compliance with its legal obligations; and
- the Company may need to establish, exercise or defend its legal rights or for the purpose of legal proceedings.
Currently the Company does not process other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief.Who has access to data?
The Company shares your data with a minimal number of third parties, mainly for the purposes of storing customer and client data and with consultants who work with the Company in the course of carrying out its core activities.The Company may share your data with third parties to the extent required by law, for example if the Company is under a duty to disclose your personal data in order to comply with any legal obligation, establish, exercise or defend our legal rights.It is not envisaged that your data will be exported outside the European Economic Area (EEA).Where the Company transfers your personal data outside the EEA, the Company will ensure that it is protected in a manner that is consistent with how your personal data will be protected by the Company in the EEA. This can be done in a number of ways, for instance:
- the country that the Company send the data to might be approved by the European Commission as offering a sufficient level of protection;
- the recipient might have signed up to a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your personal data; or
- where the recipient is located in the US, it might be a certified member of the EU-US Privacy Shield scheme.
In other circumstances the law may permit the Company to otherwise transfer your personal data outside the EEA. In all cases, however, the Company will ensure that any transfer of your personal data is compliant with data protection law.How does the Company protect data?
The Company takes the security of your personal data seriously. There are internal policies and controls in place to ensure that your data is protected.Where the Company engages third parties to process personal data on its behalf, the Company will ensure they do so on the basis of written instructions, and that the third party is under a duty of confidentiality and that it is obliged to implement appropriate technical and organisational measures to ensure the security of data.For how long does the Company keep data?
The Company’s intention from May 2018, is to limit the retention of data.The retention period which applies in relation to different categories of our personal or sensitive personal data will be determined by the following criteria:
- the purpose for which the Company is using your personal or sensitive personal data – the Company will need to keep the data for as long as is necessary for that purpose; and
- legal obligations – laws or regulation may set a minimum period for which the Company have to keep your personal data.
As a data subject, you have a number of legal rights in relation to the personal data that the Company holds about you. You have the right:
- to obtain information regarding the processing of your personal data and to access a copy of your personal data;
- to withdraw your consent to our processing of your personal data at any time. Please note, however, that the Company may still be entitled to process your personal data if the Company has another legitimate reason (other than consent) for doing so;
- to request that the Company rectifies your personal data where it is incorrect or incomplete;
- in some circumstances, to receive some personal data in a structured, commonly used and machine-readable format and/or request that the Company transmit those data to a third party where this is technically feasible. Please note that this right only applies to personal data which you have provided to the Company;
- in some circumstances, to request that the Company delete your personal data;
- the right to object to, and the right to request that the Company restrict processing of your personal data in certain circumstances. Again, there may be circumstances where you object to, or ask the Company to restrict, our processing of your personal data but the Company is legally entitled to continue processing your personal data and / or to refuse that request; and
- the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by the Company.If you would like to exercise any of these rights, please contact firstname.lastname@example.org.
You can find out more information about your rights by contacting the Information Commissioner’s Office, contact details for which can be found at www.ico.org.uk.