MBD Website Privacy Statement

 

The Purpose of this privacy statement is to explain how Amal Loring processes personal data to fulfil her data protection responsibilities. This statement will be supplemented by ‘specific to client’ privacy notices when needed. The scope of this statement covers the relevant activities by her whilst operating as a sole trader as it relates to her consultancy company, referred to as MBD for the remainder of this statement. 

 

The Role of MBD in data protection terms is that of a data controller where it determines the purpose and use of personal data being processed. Once received it becomes the responsibility of the MBD privacy manager (PM) to ensure that it is processed in accordance with UK legislationThe PM can be contacted by email using amal@mbd-co.uk

The personal data processed by MBD will be basic contact information for the purposes of responding to general enquiries, business development, preparing contracts and billing. Due the services being offered, it’s often necessary to process health related data as well. If MBD is not given the requested information, a less than complete service may result.

MBD’s duty of confidentiality means that MBD will treat clients’ personal data with due respect and in confidence. It is only disclosed to those that need to know it. MBD uses reasonable organisational and technical measures to ensure personal data is kept secure. MBD also expects the same duty of confidentiality of all third parties with whom it shares personal data. Sharing is kept to a minimum and reviewed regularly.

MBD processes personal data against a lawful basis as described below:

  • We have a legitimate interest to respond to your general enquiries and to keep in touch with you after the conclusion of any services provided

  • To comply with our legal obligations such as keeping records for HMRC purposes

  • To fulfil our contractual obligations to you including the preparation of contracts. When this includes the processing of special category data, it is done so for the purposes of preventive or occupational medicine, for the assessment of the working capacity of employees, and the management of health or social care of individuals

  • To act in the vital interests of clients if confronted with an emergency situation

  • When processing a pre-defined purpose for which your consent has been sought and recorded prior to that processing commencing, but please note that you can withdraw your consent at any time by contacting the PM.

In all cases the processing of personal data by MBD shall be done in accordance with the principles of data protection as set out in the UK data protection legislation.

MBD will share personal data, but only when necessary, with some or all of the following third parties:

  • The Inland Revenue (HMRC)

  • Emergency services

  • Other health professionals but only with prior consent

  • Accountants appointed by MBD, but only for accounting purposes

  • A third-party IT support company that is subject to a data processing agreement

  • Unspecified recipients but only when compelled to do so for legal reasons

MBD will process your personal data in the UK and backed up using a cloud service provider based in the UK & the EU. Email is processed using a reputable web-based provider and mobile phone contacts are stored on both office IT equipment and mobile phones. 

MBD follows a retention schedule to determine the length of time it holds different types of personal data. The retention schedule is shown below:

  • Routine correspondence for casual enquiries that do not lead to service provision, whether in hard copy or in emails, will be retained for one year

  • Contract/ service-related data will be retained throughout the life of the service being provided plus another 3 years thereafter

  • Contact data is stored indefinitely unless a valid request to erasure is received from the interested data subject

  • Financial records and invoices, which may include personal data, will be retained for 6 years after the end of the current tax year of processing

  • By exception, documentation that includes personal data may be retained by MBD beyond the schedule, but only for a specific purpose and only when MBD believes there is a legitimate interest or a legal obligation to do so

At the end of the retention schedule MBD will either return, destroy or delete your personal data and any associated emails or relevant documentation. If it is technically impractical to delete electronic copies of personal data, it will put it beyond operational use. It should be noted that MBD allows up to 3 months after the retention schedule to complete the action.

The MBD website uses cookies but visitors to the website are asked to consent to non-essential cookies before these are dropped – please see the separate cookie notice.  

The MBD website has links to certain social media websites. If these are used, you should be aware that the MBD has no responsibility for the control, content or handling of your personal data by the site owners.

The General Data Protection Regulation defines the rights that you have (although these do not apply in all situations); for convenience, these rights are shown below:

  • Right to be informed as to how your personal data is being processed by MBD – this is done through this statement or specific to customer privacy notices

  • Right to access your personal data held by MBD which is done by making a ‘Data Subject Access Request’ (DSAR) to the privacy manager

  • Right to rectification of your personal data if you believe MBD has collected it incorrectly or it needs to be updated

  • Right to erasure of your personal data for which MBD no longer has a legitimate purpose to process

  • Right to restrict processing under certain circumstances, during which time your personal data but will be out of operational use until the related matter is resolved

  • Right to data portability of your personal data in a machine-readable version, as you have provided but only applicable to data provided with your consent or under contract

  • Right to object to MBD processing your personal data for which it does not have a legal or contractual obligation

  • Rights related to automated decision making and profiling, however MBD does not use these techniques in its decision making

Further details on data subjects’ rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.

Raising concerns, exercising rights or making queries about the processing of your personal data can be done by contacting the privacy manager. Please be aware that MBD will need to verify your identity before responding fully, therefore, you may be asked for proof of your ID. Alternatively, you may contact the ICO directly, using the details provided above, but naturally we would welcome the opportunity to handle any concerns you have first.

December 2021.