WHAT IS GDPR?
The GDPR was adopted by the EU Parliament to:
Create consistency within all the member states of the EU as to the rules regarding data protection, implementation of the law, and how the rules are enforced.
Modernise the principles laid out in the 1995 Data Protection Directive (Directive 95/46/EC), which was written before the advent of social media, ‘smart’ mobile devices that now can access things like cameras and geo-location information, and the ubiquity of online services and communications.
Reinforce the rights of individuals to control and protect their personal data.
Strengthen the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.
THE GDPR APPLIES TO:
Organisations located within the EU;
Organisations located outside of the EU if they offer goods or services to (even for free), or monitor the behaviour of, EU residents; and
Organisations processing and holding personal data of EU residents, regardless of the Organisation’s location.
WHAT IS PERSONAL DATA?
GDPR defines personal data broadly as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
A Data Controller is an organisation that determines the purposes, conditions, and means of the processing of personal data. Carter Skin and Massage Clinic is a Data Controller, for the purposes of operating its beauty business in Dublin.
The Data Protection Officer for Carter Skin and Massage Clinic is Barbara Carter who can be contacted at email@example.com
A Data Processor is an organisation that processes personal data on behalf of Controllers. Third party data processors with which Carter Skin and Massage Clinic is associated include (but are not limited to):
Shedul Salon and Spa Management Software, the Mailchimp e-marketing/mailing list platform (and associated external marketing services), SumUp Payments, the Facebook social media platform, and website analytics and contact forms on our website.
Please be assured, we only work with third party data processors who comply with the GDPR and at all times your personal details are secure.
HOW DO WE USE PERSONAL DATA?
Carter Skin and Massage Clinic uses your data for the following legitimate purposes:
To enable our business to respond to your enquiries and booking requests for beauty treatments, and to send text message and email reminders 24 hours prior to booked appointments.
Enquiries include those made in person, by email, text message or telephone, through e-newsletters, or via our website at www.carterskinandmassageclinic.com and our associated Facebook page.
To enable provision of beauty services according to your instructions.
To keep in touch with you during the course of treatment(s) you have asked us to provide.
To contact you occasionally by email newsletter (via our third party platform Mailchimp, and subject to your positive opt-in) about services you have received, or to inform you of similar services and products we offer that are relevant to you. You can update your details or unsubscribe from these contacts at any time.
We will keep your personal data on our secure systems indefinitely as a requirement of insurance cover (unless you request removal according to your rights under the GDPR).
SECURITY OF DATA
We operate a ‘safe file’ system in the salon. This applies to all client files and contacts whether securely stored in physical files or held via desktop/handheld devices. Non-essential paperwork is routinely shredded and recycled and physical records are scanned and shredded afterwards.
When making card payments to Carter Skin and Massage Clinic, your details are input directly into our secure payment terminal provided by SumUp Payments, and we do not keep identifiable credit card details after use. SumUp is responsible for the security of cardholder data which is processed, transmitted and stored within their systems. To this end, SumUp is certified as compliant under the Payment Card Industry Data Security Standard (PCI-DSS). SumUp applies best industry practice to safeguard this sensitive data and to ensure that it operates in line with these requirements, and to this end SumUp undergoes annual audits to ensure that they continue to meet this high standard.
YOUR RIGHTS UNDER THE GDPR
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
The right to request a copy of your personal data which Carter Skin and Massage Clinic holds.
The right to request that Carter Skin and Massage Clinic corrects any personal data if it is found to be inaccurate or out of date.
The right to request your personal data is erased where it is no longer necessary for Carter Skin and Massage Clinic to retain such data.
The right to withdraw your consent to the processing of personal data at any time.
The right to request that Carter Skin and Massage Clinic provides you with your personal data and, where possible, transmits that data directly to another data controller (known as the right to data portability).
The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
The right to object to the processing of personal data.
The right to lodge a complaint with the Information Commissioner's Office.
To exercise any of these rights, or to raise queries or complaints, please in the first instance contact our Data Protection Officer:
Barbara Carter at firstname.lastname@example.org
Or write to: Barbara Carter, Carter Skin and Massage Clinic, 4 Lower Mount Street, Dublin 2