Cookie Policy for Physiomove London

This is the Cookie Policy for Physiomove London, accessible from www.physiomove.com

What Are Cookies

As is common practice with almost all professional websites this site uses cookies, which are tiny files that are downloaded to your computer, to improve your experience. This page describes what information they gather, how we use it, and why we sometimes need to store these cookies. We will also share how you can prevent these cookies from being stored; however, this may downgrade or 'break' certain elements of the sites functionality.

For more general information on cookies see the Wikipedia article on HTTP Cookies.

How We Use Cookies

We use cookies for a variety of reasons detailed below. Unfortunately, in most cases, there are no industry standard options for disabling cookies without completely disabling the functionality and features they add to this site. It is recommended that you leave on all cookies if you are not sure whether you need them or not in case they are used to provide a service that you use.

Disabling Cookies

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of this site. Therefore it is recommended that you do not disable cookies.

The Cookies We Set

Account related cookies

If you create an account with us, then we will use cookies for the management of the signup process and general administration. These cookies will usually be deleted when you logout however in some cases they may remain afterwards to remember your site preferences when logged out.

Log-in related cookies

We use cookies when you are logged in so that we can remember this fact. This prevents you from having to log in every single time you visit a new page. These cookies are typically removed or cleared when you log out to ensure that you can only access restricted features and areas when logged in.

Email newsletter related cookies

This site offers newsletter or email subscription services and cookies may be used to remember if you are already registered and whether to show certain notifications which might only be valid to subscribed/unsubscribed users.

Surveys related cookies

From time to time, we offer user surveys and questionnaires to provide you with interesting insights, helpful tools, or to understand our user base more accurately. These surveys may use cookies to remember who has already taken part in a survey or to provide you with accurate results after you change pages.

Forms related cookies

When you submit data to through a form such as those found on contact pages or comment forms cookies may be set to remember your user details for future correspondence.

Site preferences cookies

In order to provide you with a great experience on this site, we provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences, we need to set cookies so that this information can be called whenever you interact with a page is affected by your preferences.

Third Party Cookies

In some special cases, we also use cookies provided by trusted third parties. The following section details which third party cookies you might encounter through this site.

This site uses Google Analytics which is one of the most widespread and trusted analytics solution on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content.

For more information on Google Analytics cookies, see the official Google Analytics page.

Third party analytics are used to track and measure usage of this site so that we can continue to produce engaging content. These cookies may track things such as how long you spend on the site or pages you visit which helps us to understand how we can improve the site for you.

From time to time we test new features and make subtle changes to the way that the site is delivered. When we are still testing new features these cookies may be used to ensure that you receive a consistent experience whilst on the site whilst ensuring we understand which optimisations our users appreciate the most.

As we sell products it's important for us to understand statistics about how many of the visitors to our site actually make a purchase and as such this is the kind of data that these cookies will track. This is important to you as it means that we can accurately make business predictions that allow us to monitor our advertising and product costs to ensure the best possible price.

We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work the following social media sites including; Facebook Twitter Instagram Linked In will set cookies through our site, which may be used to enhance your profile on their site or contribute to the data they hold for various purposes outlined in their respective privacy policies.

More Information

However if you are still looking for more information then you can contact us through one of our preferred contact methods: 

Email: Info@physiomove.com

By visiting this link: www.physiomove.com Phone: 0335775663

This privacy notice (“Privacy Notice”) describes how Papastamos Limited trading as Physiomove London and its subsidiaries and affiliates acting in its role as data controller (“Papastamos Limited trading as Physiomove London”, “our,” “us” or “we”) may collect, use and share information relating to you as an identified or identifiable natural person (“personal data”).

Please carefully read this privacy notice in its entirety before using our websites, email notifications, mobile apps, social media apps, widgets, and other online services of Papastamos Limited trading as Physiomove London (the “Services”). This privacy notice will clarify to you what data we collect, how we use and share it, and help you understand your choices with respect to that data.

About Us

Papastamos Limited trading as Physiomove London

07466112

8 Compton Terrace, Hermitage Road, N4 1LS

www.physiomove.com

Contacting us

If you wish to exercise your data privacy rights in line with this notice, or if you have any questions about your data privacy rights our contact information is as follows:

Nominated Data Protection Person

info@physiomove.com

03335775663

For individuals outside the EEA:

info@physiomove.com

Overview

This Privacy Notice only governs the use of Papastamos Limited trading as Physiomove London services that specifically link to this Privacy Notice.

Personal data we collect about you when you use our services

When you use our services we may collect personal data from you including but not limited to:

• Name email username phone number company and address other contact information

We collect personal information from third parties via usage data, including but not limited to:

• Your email address and other personal data collected about you may be forwarded to the Company by a third-party website when you request for us to contact you through such a third-party website
• Your personal data may be forwarded to the Company when you opt in to participate in a third-party offer or application or feature such as live chat or by interacting on one of our social media pages or a similar app or feature on a third-party website
• Additional personal information may be forwarded to the Company from a third party in combination with personal information we collect through your use of our services. This is in order to enhance our services to focus particular content we provide and to offer various offers and opportunities available to purchase products or services that we feel may be of interest to you based upon the analytical information we have collected.
• We will apply the terms of our Privacy Notice and Data Protection Policies to any personal data we receive from third parties unless we have disclosed to you otherwise. the Company is not responsible for third parties' distribution of your personal data.

How we use your personal data

We may use your personal data for the following purposes, as permitted by data protection regulations and legislation:

• Customer Service: We may use your received contact information to respond to any questions you ask us about our products and services and to communicate with you generally about offers competitions surveys or sweepstakes. To adequately respond to any queries we may also request information about your industry and other relevant questions regarding your interest in our product.
• Feedback: We may use information such as your username email address purchases and other relevant user-generated content you provide when you comment on or review our products.
• Website Registration: We may use your contact information when you create an account with us in order to allow us to provide you with a more personalised user experience.
• Analytics: When you use our services we automatically collect and use data for analytical purposes to allow us to improve your experience with us and our services and to target market relevant products for you.
• Marketing: We use personal data to determine what products may be of interest to users provide relevant marketing communications and to carry out market research. We may also use information provided including industry information to generate information of products owned experience with products and other user generated content to allow us to market services effectively.
• We may also use your personal data in different ways that are consistent with the above-described purposes to administer our websites and provide our services to you.

Legal Bases for the Processing and Consequences

Papastamos Limited trading as Physiomove London rely on the following legal bases for the collection, processing, and use of your personal data:

• The processing is necessary to provide our services as requested by you;
• Your consent;
• The processing is necessary for the performance of a contract to which you are a party, or to commence at your request before entering into a contract;
• The processing is necessary for compliance with a legal obligation to which we are a party;
• The processing is necessary for purposes of legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data; such legitimate interests are the fulfilment of the processing purposes set out in this Privacy Notice.

Generally, the provision of your personal data is voluntary. However, in some cases, it is necessary in order to enter into a contract with us or to receive our products or services as explicitly requested by you.

By not providing your personal data may result in disadvantages for you. However, unless otherwise specified, by not providing your personal data will not result in legal consequences for you.

Personal data shared with third parties

We will only ever share personal data with companies, organisations and individuals outside of Papastamos Limited trading as Physiomove London as explained below.

Recipients within Papastamos Limited trading as Physiomove London and Third Parties. We may share your personal data with affiliates of Papastamos Limited trading as Physiomove London and other companies worldwide, including unaffiliated agents, suppliers or manufacturers, in order for these companies to contact you about relevant products, services or other offers that may be of interest to you. We may also share your personal data with relevant business partners.

Subject to the categories of personal data and the reasons for the collection of personal data, your data may be shared with and provided to various entities within our internal departments. For example, IT, marketing and sales departments may have access to your data, depending upon product orders. Other departments, such as finance, auditing, legal and compliance may require access to certain personal data, albeit on a “need to know” basis.

This Privacy Notice does not oversee unaffiliated third-party websites or any other website that does not link back to this Privacy Notice.

Service Providers. We share personal data with both affiliated and unaffiliated companies. These companies perform certain tasks on our behalf related to our business. These service providers include, but not limited to:

• Market campaigns
• Location services
• Website analysis applications
• Data service providers
• Electronic and postal mail services
• Social commerce services for example forums reviews and ratings

Any third-party service providers we use will receive your personal data only as necessary to perform their role and are instructed not to use your personal data for any other purposes.

We will use and disclose your personal data as permitted by data protection laws and regulations as follows:

• To comply with legal processing and responding to requests from legal, public and government authorities.
• To enforce our terms and conditions, including investigating potential violations;
• To detect and prevent fraud, cyber security or other technical issues;
• To protect our business operations or those of our affiliates;
• To protect the rights of our customers, our company our property, and that of our affiliates and others;
• To allow us to pursue remedies or limit any damages that we may sustain.
• Business Transfers

As our business continues to develop, we may at some time sell or buy further products, brands, subsidiaries, stores or business units. In this respect, we may share or transfer personal data we hold about you with third parties as part of transactions including but not limited to company reorganisation, sale, merger, assignment, joint venture, transfer or disposition of any or all of our business, brands, subsidiaries, affiliates, or other company assets.

Customer information normally is a part of a business asset to be transferred but remains subject to any pre-existing applicable Privacy Notice.

We may share aggregated data that has been anonymised (data that is not identified) with third parties – for example, publishers, advertisers or associated websites and, accordingly, this data will be publicly available. An example of when we may do this is when we wish to share information publicly to show trends about the use of our services or products.

Public Forums

Our websites may provide publicly accessible blogs, message boards, and community forums. Any information provided or contributed to in these public areas may be read, commented on, collected and used by others who access them.

Links to Social Networking and other Third-Party Websites
Our services contain links to social networking websites and other third party mobile applications. These are operated and controlled by third parties. While we endeavour to link to reputable websites that equally share our high data privacy standards, we cannot take responsibility for any content or privacy practices deployed by these third party websites. Any personal data you provide to such third party websites will be collected by that third party and not by Papastamos Limited trading as Physiomove London and will be subject to that third party’s privacy policy, rather than Papastamos Limited trading as Physiomove London Privacy Notice. In this situation, Papastamos Limited trading as Physiomove London shall not be responsible, or have any control over that third party’s use of any personal data you provide to them.

Your Rights

If you have declared your consent regarding certain collecting, processing and use of your personal data you can withdraw this consent at any time with immediate effect.

Further, you have the right to object to the use of your personal data for the purposes of marketing.

Please note that the rights mentioned above and below may be subject to modification under the applicable data protection law.

For the avoidance of doubt this Privacy Notice applies only for data subjects located in the EEA:

Right to request access to your personal data

You have a right to request from us confirmation as to whether or not your personal data is being processed and, where that is the case, to request access to the personal data.

The access information includes information regarding the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom your personal data is disclosed.

You have the right to request and receive a copy of any personal data we are processing. In the case of repeated requests however, we may charge a reasonable fee based on administrative costs.

Right to request rectification

You have the right to request that we rectify inaccurate personal data concerning you.

Right to request erasure (Right to be forgotten)

You have the right, in certain circumstances, to request from us the erasure of personal data concerning you and we are obliged to erase such personal data.

Right to request processing restriction

You have the right to request that we restrict processing your personal data. In such cases.

Right to request data portability

You have the right to request and receive all personal data concerning you, which you have provided to us, in a structured, conventionally used, easy to read format. You have the right to transmit this downloaded data to another entity without obstruction from us.

Right to object

You have the right to object at any time to the processing of your personal data by us.

In this case, we can no longer process your personal data.

Such rights to object may especially apply if Papastamos Limited trading as Physiomove London collects and processes your personal data for the purposes of profiling.

You also have to right to object to the use of your data for direct marketing purposes.

If you exercise this right, your personal data will no longer be processed for such purposes by us.

If you wish to exercise this right, please contact us at Yes

Please note that this right to object may not exist if the processing of your personal data is deemed necessary to facilitate the creation of a contract between you and Papastamos Limited trading as Physiomove London or to execute a contract already concluded.

In the case where you have already provided us with your consent for direct marketing purposes, for example, you have completed an online form or actively subscribed to our newsletters, you can withdraw your consent as already explained within this Privacy Notice.

Rights in connection with automated decision-making

With respect to automated individual decision-making, you have the right to

• Request human intervention
• Express your point of view
• Contest the decision.
• You also have a right to lodge a complaint with your local data protection supervisory authority.

Data Retention Periods

We retain personal data for as long as necessary to provide you with the services and products requested.

Once you have terminated your relationship with us, we will either destroy your personal data or anonymise it in line with the GDPR requirements ensuring that data can never again be identified.

There are some exceptions, where statutory retention requirements are in force for example for taxation or legal purposes.

Where you show interest in our products and services and allow us to send you marketing information, we may retain your contact details for a longer period of time.

We may also be obligated to retain your personal data after the termination of the contractual relationship if it is necessary to ensure compliance with applicable laws, or if we need to retain your personal data on the basis of establishing, exercising or defending a legal claim. However, this will be on a need to know basis. To this extent and as far as possible we will restrict any processing of your personal data to such limited purposes as required for the above and in any event, destroy personal data once any legal bases are fulfilled and terminated.

Children

This website and our services are not intended for children and we do not knowingly collect data relating to children.

Alterations to this Privacy Notice

We may amend and update this Privacy Notice from time to time.

We will notify you of any such changes, including when any proposed changes will take place.

This policy document is compliant with the provisions of the EU General Data Protection Regulation 679/2016. 

This policy document sets out the policies and procedures Papastamos Limited trading as Physiomove London will comply with when dealing with personal data.

Personal data must be protected in accordance with the provisions of the General Data Protection Regulation 679/2016. Dependence on personal data for the normal conduct of business necessitates the creation of this policy to set out the procedures and measures to protect personal data.

This policy defines rules, procedures and measure to collect, use and store personal data in a GDPR-compliant manner as well as control and prevent unauthorised access to personal data. A breach of data security can lead to regulatory fines, an inability to provide services, loss of customer confidence, and physical, financial and emotional damage to the affected persons.

This policy therefore discusses:

• Data categories
• Data classification
• Data ownership
• Data collection/generation
• Data usage
• Data storage
• Data disposal
• Data transfer
• Data security

This policy defines the Papastamos Limited trading as Physiomove London overall data protection objectives and procedures that we endorse.

This embodies the principles of data protection as described in Article 5 of the GDPR, namely:

• Lawfulness, fairness and transparency,
• Purpose limitation,
• Data minimisation,
• Accuracy,
• Storage Limitation,
• Integrity and confidentiality

Breach of the policy and its consequences

A breach of this policy could have severe consequences to Papastamos Limited trading as Physiomove London, its ability to provide services, or maintain the integrity, confidentiality, or availability of services.

Intentional misuse of data resulting in a breach of any part of this policy will result in disciplinary action at the discretion of the senior management of Papastamos Limited trading as Physiomove London. Severe, deliberate or repeated breaches of the policy by any employee may be considered grounds for instant dismissal; or in the case of a Papastamos Limited trading as Physiomove London vendor, termination of their contracted services. All employees and vendors are bound by these policies and are responsible for their strict enforcement.

Scope of the Policy

This policy applies to all Papastamos Limited trading as Physiomove London and customer data assets that exist in any processing environment of Papastamos Limited trading as Physiomove London, on any media during any part if its life cycle. The following entities or users are covered by this policy:

• Visitors

This document forms part of our contractual agreements for vendors, suppliers, and third party processor or agents, hereafter referred to as vendors. . All parties must read this policy completely, and confirm that they understand the contents of the policy and agree to abide by it.

Data Life Cycle

The security of data can be understood through the use of a data life cycle. The typical life cycle of data is: collection/generation, use, storage and disposal. The following sections provide guidance as to the application of this policy through the different life cycle phases of data.

Users of data assets are personally responsible for complying with this policy. All users will be held accountable for the accuracy, integrity, and confidentiality of the information to which they have access. Data must only be used in a manner consistent with this policy.

Data Protection Policy Statement

Goals 

This policy has been written with the following goals in mind:

• To ensure the security integrity and availability of all the company and customer data
• To establish the company baseline data security stance and classification schema
• that it should enable the firm to meet its own requirements for the management of personal information
• that it should ensure that the firm meets applicable statutory regulatory contractual and/or professional duties;

Processing environment 

Papastamos Limited trading as Physiomove London's processing environment that this policy applies to is comprised of:

1. Data Protection Responsibilities

The Management department is responsible for:

• Defining the security requirements controls and mechanism
• Defining the methods and guidelines used to identify and classify all data assets
• Defining the procedures for identifying data owners for all data assets
• Defining the labeling requirements for all data assets
• Defining procedures for data usage processing transmission storage and disposal
• Defining the procedures necessary to ensure compliance to this policy
• Facilitating the evaluation of new regulatory requirements and best practices

1. Management Responsibilities

Other departments within Papastamos Limited trading as Physiomove London also have various responsibilities for ensuring compliance with this policy, such as:

• All individual department must ensure that staff complies with this policy.
• The Managementmust ensure that adequate logs and audit trails are kept of all data access.
• The Managementmust ensure the activation of all security mechanisms.
• The Management is responsible for communicating business requirement and issues for business processes and the data those include, to ensure their correct data classification.
• The Management is responsible for regularly evaluating the data classification schema for consistent application and use.

1. Other Responsibilities

Other departments and related entities have responsibilities to comply with this policy, such as:

All Papastamos Limited trading as Physiomove London agents, vendors, content providers, and third party providers that process customer data must have a documented data protection policy that clearly identifies those data and other resources and the controls that are being imposed upon them.

All Papastamos Limited trading as Physiomove London agents, vendors, content providers, and third party providers that access the Papastamos Limited trading as Physiomove London processing environment and its data or provide content to it must have a security policy that complies with and does not contradict the Papastamos Limited trading as Physiomove London data protection policy.

All agents, vendors, content providers, and third party providers must agree not to bypass any of our security requirements.

Data Classification

Data classification is necessary to enable the allocation of resources to the protection of data assets, as well as determining the potential loss or damage from the corruption, loss or disclosure of data.

To ensure the security and integrity of all data the default classification for all data not classified by its owner must be Confidential Data Policy

The Management is responsible for the classification of data.

The Management is responsible for evaluating the data classification schema and reconciling it with new data types as they enter usage. It may be necessary, as we enter new business endeavors, to develop additional data classifications.

All data found in the processing environment must fall into one of the following categorie(s):Confidential Customer Data – Confidential customer data is defined as data that only authorized internal “the company” entities or specific authorized external entities can access. The disclosure, use, or destruction of confidential customer data can have adverse effects on Papastamos Limited trading as Physiomove London and their relationship with their customers, and possibly carry significant liability for both. Confidential customer data is entrusted to and may transit or is stored by Papastamos Limited trading as Physiomove London (and others) over which they have custodial responsibility but do not have ownership.

Data Ownership

In order to classify data, it is necessary that an owner be identified for all data assets. The owner of the data is Heba Massri.

The owner of data is responsible for classifying their data according to the classification schema noted in this policy.

The Management is responsible for developing, implementing, and maintaining procedures for identifying all data assets and associated owners.

Data collection/generation

Data will be collected in accordance with the Article 13 and 14 of the GDPR, confirming to the transparency principle and ensuring that the data protection principles are duly observed.

Data may be collected in the following ways:User generated content on the website of Papastamos Limited trading as Physiomove London.

Each mode of data collection should have a specific purpose accompanied by one or more of the legal bases as defined in the GDPR.

Data Usage

All users that access Papastamos Limited trading as Physiomove London or customer data for use must do so only in conformance to this policy. Uniquely identified, authenticated and authorized users must only access and use data.

Data should be used only for the stated purpose of its collection or generation. Any purpose outside the defined scope will be considered “misuse of data” and will entail consequences for the involved parties.

Each user must ensure that Papastamos Limited trading as Physiomove London data assets under their direction or control are properly labelled and safeguarded according to their sensitivity, proprietary nature, and criticality.

Access control mechanisms must also be utilised to ensure that only authorized users can access data to which they have been granted explicit access rights.

Data Storage

The general premise for the data storage period is:

• for a time period necessary to fulfil that purpose.

All users that are responsible for the secure storage of Papastamos Limited trading as Physiomove London or customer data must do so only in accordance with this policy.

Access control mechanisms must also be utilised to ensure that only authorised users can access data to which they have been granted explicit access rights.

Data Transmission

All users that access Papastamos Limited trading as Physiomove London or customer data to enable its transmission must do so only in accordance with this policy.

The media used to distribute data should be classified so that it can be identified as confidential and if the media is sent using courier or other delivery method, it should be accurately tracked.

No data can be distributed in any media from a secured area without proper management approval.

Data Disposal

The Management must develop and implement procedures to ensure the proper disposal of various types of data. These procedures must be made available to all users with access to data that requires special disposal techniques.

Data should be disposed in a secure manner so that it is completely destroyed and no information can be obtained from the waste.

• For electronic data the process of deletion will be carried out by electronic shredding.
• For paper records physical paper shredders will be used.
• All digital storage devices i.e. hard drives or flash drives will be completely destroyed so that no data is recoverable from them.

Policy Review

It is the responsibility of the Management to facilitate the review of this policy on a regular basis. This policy will be reviewed Annually. Senior management should, at a minimum, be included in the Annually review of this policy.

Last updated: 15-10-2019

This document sets out Papastamos Limited trading as Physiomove London Data Consent Policy. It covers the processing and sharing of personal data. If you require advice and assistance around any data protection matter please contact Papastamos Limited trading as Physiomove London Nominated Data Protection Person

The GDPR and Consent

The GDPR sets a high standard for consent. Consent means offering individuals the power to choose and take control of their data.

Genuine consent will put individuals in charge, build customer trust and engagement, and enhance Papastamos Limited trading as Physiomove London's reputation.

The GDPR states that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in).

It specifically bans pre-ticked opt-in boxes. It also requires individual, also known as “granular”. Consent options for distinct processing operations. Consent is kept separate from other terms and conditions and should not be a precondition of signing up to a service.

The GDPR gives a specific right to withdraw consent. Papastamos Limited trading as Physiomove London will inform individuals about their right to withdraw and offer easy ways for customers to withdraw consent at any time.

Papastamos Limited trading as Physiomove London will keep clear records to demonstrate consent and regularly review existing consents and consent mechanisms that we rely upon to ensure they meet the GDPR standards.

Employees of Papastamos Limited trading as Physiomove London must have respect for privacy and people's right to determine what happens to their personal and sensitive information.

If there is any doubt, contact the Nominated Data Protection Person

Papastamos Limited trading as Physiomove London and its employees and third-party providers have been trained, appraised and understand that:

• Individuals have the right to withdraw/withhold consent in most circumstances, and this right must be respected and recorded appropriately
• Consent must be freely given, specific and informed
• All employees must ensure they consider the safety and welfare of the individual when making decisions on whether to share information about them.
• All employees must establish the capacity of the individual's ability to provide consent
• When requesting consent, staff must ensure that information is provided in a suitable, accessible format or language. If necessary, provide large print or Braille versions, accredited interpreters, signers, or other appropriate special communication skills.

Employees must record the decision to share personal information on an appropriate register or specific system which can be readily accessed in line with Papastamos Limited trading as Physiomove London policies and procedures on data protection.

What if there is no consent?

Papastamos Limited trading as Physiomove London acknowledges that obtaining consent is not always possible, or consent may be refused. However, not obtaining consent or the refusal to give consent may not constitute a reason for not processing or sharing information.

There are certain situations where an individual's information can be disclosed without obtaining

Consent, if there is a lawful basis for processing without consent in place.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply. Whenever you process personal data without consent:

1. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
2. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
3. Vital interests: processing is necessary to protect someone’s life.
4. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
5. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Different criteria apply to sensitive personal information (now called “special categories of personal data”). This is now defined as data relating to:

• race;
• ethnic origin;
• politics;
• religion;
• trade union membership;
• genetics;
• biometrics (where used for ID purposes);
• health;
• sex life; or
• sexual orientation.

In order to process special category data legally, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked.

In summary, these are:

1. explicit consent of the person concerned
2. for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection
3. to protect the vital interests of the data subject or of another natural person
4. processing is carried out with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim
5. the processing relates to personal data which are manifestly made public by the data subject
6. processing is necessary for the establishment, exercise or defence of legal claims
7. processing is necessary for reasons of substantial public interest
8. for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment
9. for reasons of public health
10. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Special Case Children 

The duty of confidentiality owed to a child/young person who lacks capacity is the same as that owed to any other person. Occasionally, children/young people will lack the capacity to consent. An explicit request by a child that information should not be disclosed to parents or guardians, or indeed any third party, must be respected except where it puts the child at risk of significant harm, in which case disclosure may take place in the 'public interest' without consent.

Criminal Offences

The GDPR rules for sensitive (special category) data do not apply to information about criminal allegations, criminal proceedings or convictions. Instead, there are separate safeguards for personal data relating to criminal convictions and offences, or related security measures, set out in Article 10 of the GDPR.

To process personal data about criminal convictions or offences, you must have both a lawful basis under Article 6 of the GDPR and either legal authority or official authority for the processing under Article 10.

Article 10 also specifies that you can only keep a comprehensive register of criminal convictions if you are doing so under the control of the official authority.

If you are in any doubt as to how to go about handling special categories of data, such as data concerning children, sensitive data such as race and sexuality, or criminal data see the checklist at the end of this policy statement and consult Papastamos Limited trading as Physiomove London ’s Nominated Data Protection Person for further advice and guidance

Policy Breach Statement

Any breach of this Policy will be investigated and may result in disciplinary action. Serious breaches may be considered gross misconduct and result in dismissal without notice, or legal action being taken against you. Papastamos Limited trading as Physiomove London as well as those individuals affected is also at risk of financial and reputational harm. Fines of up to €20 million may be imposed on organisations for serious data breaches.

Please report any actual or potential data breaches or other concerns relating Data Protection or consent to Papastamos Limited trading as Physiomove London Nominated Data Protection Person as soon as possible, in accordance with Papastamos Limited trading as Physiomove London Data Breach Policy

Checklist

Asking for consent

• We have checked that consent is the most appropriate lawful basis for processing.
• We have made the request for consent prominent and separate from our terms and conditions.
• We don't use pre-ticked boxes or any other type of default consent
• We use clear plain language that is easy to understand.
• We specify why we want the data and what we are going to do with it.
• We name organisations and any third-party controllers who will be relying on the consent.
• We tell individuals they can withdraw their consent.
• We ensure that individuals can refuse to consent without detriment.

Recording consent

• We maintain a record when and how we obtained consent from the individual.
• We maintain a record of exactly what they were told at the time

Managing consent

• We regularly review existing consent to check that the relationship the processing and the purposes have not changed.
• We have processes in place to refresh consent at appropriate intervals including any parental consents.
• We use privacy dashboard or other preference-management tools as a matter of good practice.
• We make it easy for individuals to withdraw their consent at any time and publicise how to do so.
• We act on withdrawals of consent as soon as we can.
• We do not penalise individuals who wish to withdraw consent.