Effective date: 04/05/2020
Information about Sonoscope Ltd.
Company Name: Sonoscope Limited
Place of registration: England and Wales
Companies House Number: 9942025
31 Talbot Street
London SG13 7BX
Principal activities: Healthcare services
Sonoscope Ltd. is committed to protecting your privacy and legal rights when dealing with your personal information. This privacy notice intends to provide details about the information we collect about you (or anyone you have provided us with information about, e.g. your child), how we use and protect it. It also provides information about your rights that relate to the data we process.
If you have any queries about this privacy notice, if you are not sure what something means, or if you wish to contact us about personal information we hold, please email us at: email@example.com
The right to object
Please contact us in the first instance if you wish to object.
Definitions of terms within this Privacy Notice
Data Controller, Data Processor, Data Subject and Personal Data all have the meaning given to them in the Act and GDPR.
Website or site means the Company’s website at: www.sonoscope.co.uk
‘patient’ or ‘patients’ means people who attend or intend to use our services
‘patient or patient’s data’ means either Personal Data or Special Category data, as defined by the GDPR.
‘personal information’ means either Personal Data or Special Category data, as defined by the GDPR.
This Privacy Notice will apply to any person (also known as a ‘data subject’) who enquires about, uses or purchases our services. Please see the section ‘Scope of Healthcare Services’ for more information.
It also applies if you communicate with us in any manner, for the purpose of discussing current or past use of our services.
Scope of Health Care Services
Sonoscope Limited provides the following health care services:
Securing your personal information
Data protection laws require us to take appropriate technical and organisational measures to prevent unlawful access to, or processing of, personal information. The Data Controller for Sonoscope Limited is responsible for implementing these measures.
The level of technical safeguarding of data should be appropriate to the nature of information in question, and the harm that might result from its improper use, or from its accidental deletion or destruction.
The following list shows some of the technical and organisational measures we put in place to ensure the safety and integrity of your data.
• Our clinicians and administrative staff are trained in the appropriate handling of personal information and how to respond to a data breach
• We practice common sense cyber security requirements, such as locking screens when away, ensuring Windows / Mac OS updates are installed on release
• We ensure passwords are changed regularly on our systems
• We don’t use systems aimed purely at consumers, such as Gmail personal, Dropbox personal and Hotmail
• We ensure we encrypt all our hardware that will store personal information, using industry standard encryption methods
• We use Microsoft Azure Information Protection Premium P1, which is an industry leading encryption technology, to communicate with you and other clinicians directly involved in your health care
• This technology enables us to manage any potential data breaches in a fast and efficient manner
• Our third-party providers of systems used to process your personal data are compliant with data protection laws and requirements, and also have effective data restore capabilities to ensure your data can be recovered
Personal information collection
We collect personal information from you or any third parties that are acting on your behalf.
• We will collect personal and special category information from you, or other third parties. We will collect the information from the following sources:
o Your parent or guardian, if you are under 18 years of age
o A family member, or someone else acting on your behalf
o Your interpreter, acting on your behalf
o From yourself, either in face to face consultations, or via electronic communications such as email, via the telephone, or via postal communications
o When you have given explicit consent to subscribe to educational or marketing email correspondence
o Manually, when you fill in referral, assessment and other forms
o Via postal communications, via electronic or postal communications, or records completed by clinicians involved in your care, and their administrators
o When given directly by social services, carers, relatives and friends – over the phone or in person
o From providers of medical imaging and diagnostic testing involved in your care
o From your private medical insurance provider or referring Embassy
o In emergency situations by the social services, police or ambulance service staff
Categories of personal information that we process
Standard Personal information
which can include (but is not limited to):
date of birth
next of kin or similar contact details
details of any complaints or grievances raised that relate to the provision of our services
financial details that relate to payments for our services
account details relating to your private medical insurance provider
Special Category personal information
This is personal information specifically relating to your:
- health, both physical and mental
- sex life
What we use your personal information for
We will process your personal information for reasons set out in this privacy notice. By law, we need to have a lawful basis or bases for processing your Standard personal information and a lawful basis or bases for processing your Special Category personal information. Additionally, for ‘Special Category’ personal information, we are required to identify a condition for processing this data (as well as a lawful basis).
These two types of information are discussed above in the section “Categories of personal information that we process”
For ‘Special Category’ information:
As we are a provider of health care services to you, we have several reasons for processing your Special Category personal information. We would not be able to provide health care services to you unless we can process this information.
We undertake to process this information in line with Data Protection Laws as defined in the section “Definitions of terms within this privacy notice” within this document.
We process Standard Personal information about you if it is determined:
• It is in our Legitimate Interests. Details of what constitutes legitimate interests are detailed below.
• It is a Legal Obligation – this means we are required to process your standard personal information in order for us to comply with the law. Details of the Legal Obligation are detailed below.
• We have your Explicit Consent – this only applies when you’ve subscribed and opted in to receive our email newsletters, blogs and marketing offers, or you’ve provided consent to receive email newsletters, blog and marketing offers via our marketing consent form via an opt in checkbox.
We process Special Category information about you if it is determined:
• It is a Legal Obligation – this means we are required to process your standard personal information in order for us to comply with the law. Details of the Legal Obligation are detailed below. We also are required to define an additional condition or conditions to process your Special Category personal information.
The conditions under which we need to process your Special Category personal information are:
• Processing is necessary for the purposes of preventive or occupational medicine, for medical diagnosis or the provision of health care or treatment, including for the purposes of preventive or occupational medicine, on the basis of Union or Member State law or pursuant to contract with a health professional
• Processing is necessary for the establishment, exercise or defence of legal claims (for example, to process a legal claim against us, including your personal information provided to our regulatory body if lawfully requested)
Interpretation and Definitions
The words of which the initial letter is capitalized have meanings defined under the following conditions.
The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Standard personal information – Legitimate Interests
The law requires us to balance the processing of your Standard personal data against your interests, rights and freedoms. We conduct a legitimate interests assessment to ensure the Standard personal data we process does not override your interests, rights or freedoms.
The legitimate interests we have identified that allow us to process your standard personal data are:
• To enable us to take sufficient information in order to record who you are when booking appointments
• To ensure we can email you with basic information about your appointments
• To manage our personal relationship with you, with respect to discussing invoices, requesting insurer authorisation codes
• To communicate with you if we need to cancel or rearrange appointments
If you book into our clinic as a potential patient and we hold no previous clinical records that relate to your direct care, and then you cancel the booking, we will no longer have a legitimate interest in processing your data. In most instances, we would delete any personal information that was used to make the booking.
Standard personal information – Legal Obligation
We process standard personal information to fulfil our legal obligation, which requires us to maintain complete records relating to the health care services we supply to you. Maintaining these records will require that we process a subset of your standard personal information, with the lawful basis being a Legal Obligation, as follows:
date of birth;
contact details (such as an email address or telephone number)
Please note, that whilst we initially use Legitimate Interests as a lawful basis for processing your data, once you attend clinic and we take any notes relating to your clinical care, we will then process your Standard personal information on the lawful basis of our Legal Obligation.
Special Category information – provision of health care or treatment on the basis of UK law
People directly involved in your healthcare that are designated by the Health Act 1999 or the Health Professionals Order 2001 are legally required by our regulatory body to record information about you that relates to preventive or occupational medicine, for medical diagnosis or the provision of health care or treatment.
We are required to demonstrate we follow the legal requirements as listed in:
The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014
PART 3, Section 2, Regulation 17 (c);
(c) maintain securely an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided;
You as the patient are the “service user”
Sharing your personal information
We sometimes need to share your information with other people or organisations for the purposes set out in this privacy notice. We will, where required, share the minimal amount of your personal data as appropriate to the other people or organisations we are communicating with.
• Doctors, surgeons, clinicians and other health-care professionals, hospitals, clinics and other health-care providers
• People or organisations that we are required by law or our regulatory body to share your personal information with
• The police or other law enforcement agencies, where we are either required by law or a court order
• A parent or legal guardian if you are a minor
• Any person that you have authorised us to share information with.
Transferring information outside the boundaries of the EEA (European Economic Area)
Generally, we store your personal information on secure systems that reside within the EEA. Where we store information on systems that are outside of the EEA, we will ensure that there are suitable contractual or other safeguards in place to protect your data.
These measures may include contracts between the data controller (us) and data processors who we have checked have the required data protection law compliance, or ensuring your data is transmitted from the EEA to other global areas in a highly encrypted format and then stored on secure systems using “zero knowledge” encryption. This means your data cannot be decrypted by a data processor.
How long we keep your personal information for
As we are mainly processing your personal information for provision of health care services, we have a legal obligation to process this data.
There are also industry standard guidelines (the UK NHS) that we follow, in accordance with our regulatory body guidelines; see link HERE.
Normally we will process or store your personal information for eight (8) years if you are an adult, but this can increase if there are specific circumstances. If you have any queries about how long we are processing your data for, please contact us.
We will also store information to ensure we can deal with any legal claims that arise from you using our services, and the data will be stored for as long as is required and advised by our legal counsel.
Your rights on us processing your personal information versus us storing your personal information are discussed in the section ‘Your rights’, below.
Any personal information that is used for marketing purposes, that has been provided using consent, will be erased in accordance with your rights if requested.
You have the following rights, however please note, that the rights are not absolute. The only absolute right you have is to request that we do not use your personal information for direct marketing.
Please do contact us if you are unsure about your rights as detailed below. We will always endeavour to help explain how your rights apply to the personal information we process, for our specified lawful reasons.
The right to be informed
We need to inform you of the name and contact details of our organisation, which are at the top of this document.
You have the right to be informed about how we collect and use your personal data. We are obliged to provide this right to be informed in a clear and concise manner.
This privacy notice you are reading is designed to inform you how we collect and use your personal data.
The right of access
You have the right to confirmation that your information is being processed, and the right to view this information. This is known as a Subject Access Request or ‘SAR’, but you do not have to specify this term when requesting your personal information from us. You also have the right to request a copy of your personal data that we process.
We will need to identify you using reasonable means before we will start the process of collating your personal information.
Once we have identified you, we will reply to any requests for your personal information (SARs) within 30 days, unless we deem the request to be complex, or repetitive, where we will notify you that we may take an additional two months to provide your personal information.
We will not charge you to request information from us. However, we will charge a reasonable fee if the request for information is repetitive. If we’ve provided information to you and you wish to request it again, we ask that you contact us beforehand to discuss what our reasonable fee is.
If the request is manifestly unfounded or excessive, in particular because it is repetitive, we might decide to:
• charge a reasonable fee taking into account the administrative costs of providing the information; or
• refuse to respond
Where we refuse to respond to a request, we will explain why to you, informing you of your right to complain to the ICO without undue delay and at the latest within one month of our refusal.
The right to rectification
You have the right to request rectification of your personal information. However, we only consider requests to correct factual information. Any clinical opinions will remain valid as they were the opinion at the time of being recorded. If it is later determined that a clinical opinion or diagnosis was then found to have changed, we will update your personal information to reflect this, but we will not change or remove the original clinical opinion.
The right to erasure
You have the right to request erasure of personal information.
If you have subscribed to any of our email educational or marketing correspondence, you have the right to request erasure from our email list, or you can click on the ‘unsubscribe’ link that appears in all emails we send. We will only use your personal information to send you marketing or educational material if you have given us your explicit permission.
We will consider all requests in conjunction with our legal obligation to retain information relating to your health care provided by us, as well as data protection law which clearly states when the right to erasure does not apply. Normally, this means we will not erase any information, unless it was not required for legal reasons. If we determine we cannot delete data, you still have the right to ask us to restrict processing of your personal data.
The right to restrict processing
You can request that we restrict processing of personal information. This means that we will stop actively processing it, and it will just be stored. Stopping processing will mean that we will not add any additional information to your existing information.
The right to data portability
You have the right to data portability for personal information that is processed using a lawful basis of consent.
Where we process data using the lawful basis of ‘legitimate interests’, or ‘legal obligation’, the right to data portability is not applicable. You still have the right to request this, however.
The right to object
You have the right to object if processing is based on legitimate interests, or if processing is being used for direct marketing.
Rights in relation to automated decision making and profiling
We do not make any kinds of automated decisions or perform any profiling with your personal information.
- You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.
- Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Sonoscope Ltd, 31 Talbot Street. For the purpose of the GDPR, the Company is the Data Controller.
- Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
- Account means a unique account created for You to access our Service or parts of our Service.
- Website refers to www.sonoscope.co.uk, accessible from www.sonoscope.co.uk
- Service refers to the Website.
- Country refers to: United Kingdom
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used. For the purpose of the GDPR, Service Providers are considered Data Processors.
- Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
- Facebook Fan Page is a public profile named Robert Mast specifically created by the Company on the Facebook social network, accessible from https://www.facebook.com/robert.mast.338
- Personal Data is any information that relates to an identified or identifiable individual. For the purposes of GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
- Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- Data Controller, for the purposes of the GDPR (General Data Protection Regulation), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
Collecting and Using Your Personal Data
Types of Data Collected
While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Phone number
- Address, State, Province, ZIP/Postal code, City
- Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.
Tracking Technologies and Cookies
You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service.
Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser.
We use both session and persistent Cookies for the purposes set out below:
- Necessary / Essential Cookies
  Type: Session Cookies
  Administered by: Us
  Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.
- Functionality Cookies
  Type: Persistent Cookies
  Administered by: Us
  Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.
- Tracking and Performance Cookies
  Type: Persistent Cookies
  Administered by: Third-Parties
  Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new advertisements, pages, features or new functionality of the Website to see how our users react to them.
For more information about the cookies we use and your choices regarding cookies, please visit our Cookies Policy.
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
- To provide and maintain our Service, including to monitor the usage of our Service.
- To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
- For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
- To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
- To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.
- To manage Your requests: To attend and manage Your requests to Us.
We may share your personal information in the following situations:
- With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, to contact You.
- For Business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
- With Business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
- With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If You interact with other users or register through a Third-Party Social Media Service, Your contacts on the Third-Party Social Media Service may see Your name, profile, pictures and description of Your activity. Similarly, other users will be able to view descriptions of Your activity, communicate with You and view Your profile.
Retention of Your Personal Data
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of Your jurisdiction.
Disclosure of Your Personal Data
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the Company
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of Users of the Service or the public
- Protect against legal liability
Security of Your Personal Data
The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.
Detailed Information on the Processing of Your Personal Data
Service Providers have access to Your Personal Data only to perform their tasks on Our behalf and are obligated not to disclose or use it for any other purpose.
We may use third-party Service providers to monitor and analyze the use of our Service.
We may use Your Personal Data to contact You with newsletters, marketing or promotional materials and other information that may be of interest to You. You may opt-out of receiving any, or all, of these communications from Us by following the unsubscribe link or instructions provided in any email We send or by contacting Us.
We may use Email Marketing Service Providers to manage and send emails to You.
Legal Basis for Processing Personal Data under GDPR
We may process Personal Data under the following conditions:
- Consent: You have given Your consent for processing Personal Data for one or more specific purposes.
- Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof.
- Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.
- Vital interests: Processing Personal Data is necessary in order to protect Your vital interests or of another natural person.
- Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.
- Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.
In any case, the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Your Rights under the GDPR
The Company undertakes to respect the confidentiality of Your Personal Data and to guarantee You can exercise Your rights.
- Request access to Your Personal Data. The right to access, update or delete the information We have on You. Whenever made possible, you can access, update or request deletion of Your Personal Data directly within Your account settings section. If you are unable to perform these actions yourself, please contact Us to assist You. This also enables You to receive a copy of the Personal Data We hold about You.
- Request correction of the Personal Data that We hold about You. You have the right to have any incomplete or inaccurate information We hold about You corrected.
- Object to processing of Your Personal Data. This right exists where We are relying on a legitimate interest as the legal basis for Our processing and there is something about Your particular situation, which makes You want to object to our processing of Your Personal Data on this ground. You also have the right to object where We are processing Your Personal Data for direct marketing purposes.
- Request erasure of Your Personal Data. You have the right to ask Us to delete or remove Personal Data when there is no good reason for Us to continue processing it.
- Request the transfer of Your Personal Data. We will provide to You, or to a third-party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You.
- Withdraw Your consent. You have the right to withdraw Your consent on using your Personal Data. If You withdraw Your consent, We may not be able to provide You with access to certain specific functionalities of the Service.
Exercising of Your GDPR Data Protection Rights
You may exercise Your rights of access, rectification, cancellation and opposition by contacting Us. Please note that we may ask You to verify Your identity before responding to such requests. If You make a request, We will try our best to respond to You as soon as possible.
You have the right to complain to a Data Protection Authority about Our collection and use of Your Personal Data. For more information, if You are in the European Economic Area (EEA), please contact Your local data protection authority in the EEA.
Facebook Fan Page
Data Controller for the Facebook Fan Page
The Company is the Data Controller of Your Personal Data collected while using the Service. As operator of the Facebook Fan Page (https://www.facebook.com/robert.mast.338), the Company and the operator of the social network Facebook are Joint Controllers.
The Company has entered into agreements with Facebook that define the terms for use of the Facebook Fan Page, among other things. These terms are mostly based on the Facebook Terms of Service: https://www.facebook.com/terms.php
We use the Facebook Insights function in connection with the operation of the Facebook Fan Page and on the basis of the GDPR, in order to obtain anonymized statistical data about Our users.
For this purpose, Facebook places a Cookie on the device of the user visiting Our Facebook Fan Page. Each Cookie contains a unique identifier code and remains active for a period of two years, except when it is deleted before the end of this period.
Facebook receives, records and processes the information stored in the Cookie, especially when the user visits the Facebook services, services that are provided by other members of the Facebook Fan Page and services by other companies that use Facebook services.
Links to Other Websites
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
- By email: firstname.lastname@example.org