Privacy Policy

**CoVid Privacy Notice**

(This Privacy Notice is to run alongside our standard Practice Privacy Notice)

Due to the unprecedented challenges that the NHS and we, Fenny Compton & Shenington face due to the worldwide COVID-19 pandemic, there is a greater need for public bodies to require additional collection and sharing of personal data to protect against serious threats to public health. 

Please click on the link for the full Covid 19 privacy notice COVID19 Privacy Notice v2.0 extended to 31 October 2022

Privacy Notice

Privacy Policy Statement (GDPR Compliant)

Introduction

This Privacy Policy Statement explains what personal or company data we may collect and how we might use your data. It also explains reasons we may need to disclose your personal or company data to others and how we store your data securely.

Our website may contain links to other websites, which are provided for your convenience. We are only responsible for the privacy practices and security of this website and not external websites. You should therefore check any other linked website’s privacy policies.

This policy may be subject to change, so you are advised to check our website regularly for any further changes.

You can access our home page and browse our site without disclosing any personal or company data except for information automatically collected by cookies that we use.

Cookies on this website

We may send a small file to your computer when you visit our website. This will enable us to identify you on future visits and to track your movement within it for ‘user-friendly’ development purposes. We may use cookies to collect and store data and to link information stored by them with the personal or company data you supply to us.

Except for the use of cookies, we only collect information you specifically provide to us. You can set your computer browser to reject cookies, but this may impede your use of certain parts of this website.

Who are we?

We are SurgeryWeb, our core business is providing customised websites for medical centres and doctor’s surgeries, primarily within an NHS framework.

How the Law Protects You

Data protection laws (GDPR) state that we are only able to process personal or company data if we have valid reasons to do so. The basis for processing your personal or company data includes, but is not limited to, your consent, performance of a contract, to enable billing and to contact you for customer service purposes.

How Do We Collect Personal or Company Data From You?

We receive information about you, when you use our website, complete registration forms on our website and if you contact us by phone, email or otherwise in respect of any of our services.

Secure Hosting Facilities

This website is provided by SurgeryWeb and hosted by either TMZVPS within a UK data centre located in Maidstone, Kent, UK or a cloud based server provided by Amazon Web Servers (AWS).

Some of the data centre’s more notable security features are as follows:

• Security: on-site officers, CCTV, key card controls
• Pre-action fire suppression systems
• 24-hour data centre monitoring
• 24-hour Operations Support Centre
• Diesel back-up generators
• Full details of TMZVPS’s data centre can be found here.
• All traffic (including transferral of files) between our website and your browser is encrypted and delivered over HTTPS.

Your personal or company data may automatically be collected when you use our website, including but not limited to, your IP address, device-specific information, server logs, device event information and location information.

What Type of Data Might We Collect From You?

The personal or company data that we may collect from you may include your name, address, email address, phone numbers and medical information submitted by online forms.

• IP address (automatically collected)
• Web browser type and version (automatically collected)
• Operating system (automatically collected)
• A list of URLs starting with a referring Site, your activity on this Site, and the Site you exit to (automatically collected)
• Personal or company data submitted via a contact form or email link is emailed to the Practice and stored in a Content Management System (CMS) database or on the server that this website is hosted upon. This information is only accessible by authorised employees of the Practice or SurgeryWeb developers, and will auto-delete after 30 days.

We may also retain records of your enquiries and correspondence, in the event you contact us.

How Do We Use Your Data?

We may use information about you in the following ways:

• To provide you with access to our services.
• To comply with our contractual obligations we have with you.
• To help us identify you and any accounts you might hold with us.
• To enable us to review, develop and improve our website and services.
• To provide customer care, including responding to your requests if you contact us.
• To notify you about any changes to our website and services.
• To provide you with information about services that you request from us, or where you have consented to be contacted for such purposes.
• To inform you of any new service or price changes.

Retention Periods

We shall retain your data only for as long as necessary in accordance with applicable laws. Third party information, relating to patients, may be retained for up to 30 days only.

We assure you that your data shall only be used for the purposes stated herein.

Who Has Access to Your Personal or Company Data?

We process your data for administration, billing, support and the provision of services. Management and officers of SurgeryWeb may have access to your data for the process of conducting business related activities only.

Third Parties

We do not sell, rent or share your personal or company data to third parties for marketing, advertising or any other purposes.

We will only ever share information about you that is necessary to provide the service and we have specific contracts in place, which ensure your personal or company data is secure and will not be used for any marketing purposes by any third parties.

We may need to share your information if we are acquired by a third party and therefore your data will be deemed an asset of the business. In these circumstances, we may disclose your personal or company data to the prospective buyer of our business, subject to both parties entering into appropriate confidentiality undertakings.

Similarly, we may share your personal or company data if we are under a duty to disclose data in order to comply with any legal obligation or to protect the rights, property, or safety of SurgeryWeb, or others.

Your Rights

Under data protection legislation (GDPR), you have several rights regarding the use of your personal or company data, as follows:

The Right of Confirmation and Access

You have the right to obtain confirmation from the data controller appointed by SurgeryWeb, as to whether or not personal or company data concerning you is being processed or stored. You also have the right to request a copy of this information. You have the right to be informed of the appropriate safeguards relating to any transfer of your data to any international company.

Right to Rectification and Erasure (Right to be Forgotten)

You have the right to ask us to correct any inaccurate data or to complete any incomplete personal or company data that we may hold. You have the right to request that we erase your personal or company data without delay where one of the statutory grounds applies, so long as the processing is not necessary. If you request us to erase your personal or company data, then this means that our business relationship with you will end as we cannot provide our service without processing your data.

Right of Restriction of Processing/Right to Object

You have the right to object, on grounds relating to your particular situation, at any time, to the processing of personal or company data concerning you. You also have the right to restrict the processing of your personal or company data under certain circumstances, including if you have contested its accuracy and while this is being verified by us, or if you have objected to its processing and while we are considering whether we have legitimate grounds to continue to do so.

Right of Data Portability

You have the right for certain data you have given us to be provided to you in a structured and commonly used electronic format (for example, a MS document, XLS file), so that you can move, copy or transfer this data easily to another data controller. You may also request that we transmit this data directly to another organisation where it is practical for us to do so.

Automated Individual Decision-Making, Including Profiling

You have the right not to be subjected to a decision, based solely on automated processing, including profiling. We do not process any personal or company data in this way.

How to Exercise Your Rights

If you wish to contact us in respect of any of your rights as described above, please contact the Practice – We will respond to your request free of charge and usually within 30 days.

How to Complain About the Use of Your Data

If you wish to complain about how we have handled your personal or company data, including any of the rights outlined above, please contact the Practice.

Accessing and Updating Your Data

You must ensure all your details, including but not limited to, name, address, phone number and email address are kept up to date at all times. All changes should be notified to us directly.

Where We Store Your Personal or Company Data

All information you provide to us is stored on our secured, GDPR compliant system, which is protected by firewalls and anti-virus software programs. From time to time, your information may be transferred to and stored on other storage media and kept securely at our business premises. By providing your data to us, you agree to this transfer and storage.

Please note: As the transmission of information via the internet and email is not completely secure, we cannot guarantee the security of your data during transmission, therefore any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.

All sensitive data are encrypted and fully protected.

Liability

We agree to take all reasonable measures to protect your data in accordance with applicable laws and in accordance with our General Terms and Conditions.

Data Breaches

In the event of a data breach, we shall ensure that our obligations under applicable GDPR data protection and UK Privacy laws are complied with, which may include, and is not limited to, notifying the Relevant Supervisory Authority.

Contact Us

Please contact us with any questions or comments you have about privacy issues.

Data Protection Officer
We have appointed a Data Protection Officer to ensure that we continuously process your personal or company data in an open, accurate and legal manner. If you have any questions about the processing of your personal or company data, please contact our Data Protection Officer at the Practice.

Your Right to Make a Complaint

You have the right to make a complaint about how we process your personal or company data to: https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en

This notice was last updated on 20/09/2022. Should any information provided within this policy be subject to change then this page will be updated to reflect any changes in the law or our privacy practices. However, we will not use your personal or company data in any new ways without your prior consent.

All requests for information relating to your personal or company data and how we use and process this data will be provided free of charge.