The Nail Club Client Privacy Notice
What is the purpose of this document?
The Nail Club is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. This privacy notice makes you aware of how and why your personal data will be used and how long it will usually be retained for. It provides you with certain information that must be provided under the General Data Protection Regulation ((EU) 2016/679) (GDPR).
Data protection principles
We will comply with data protection law and principles, which means that your data will be:
* Used lawfully, fairly and in a transparent way.
* Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
* Relevant to the purposes we have told you about and limited only to those purposes.
* Accurate and kept up to date.
* Kept only as long as necessary for the purposes we have told you about.
* Kept securely.
Your personal information is collected by us when you and your technician complete our client record card. This includes identity data, contact data and information about your health. Information about your health is a special category of personal data which has enhanced data protection rights.
How we will use information about you
We will use the personal information we collect about you to:
* perform the contract we are about to enter into or have entered into with you;
* comply with legal or regulatory requirements; and
* where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We also need to process your personal information to decide whether to enter into a contract with you.
How we use particularly sensitive personal information
We will use your medical information to determine whether a particular treatment or product is suitable for you.
We may also process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests).
We will only disclose your personal data to third parties where required by law or to our employees or third-party service providers who require such information to assist us with administering the relationship with you. Third-party service providers may include, but are not limited to, data storage or hosting providers. These third-party service providers may be located outside of the UK. We require all third-party service providers to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will you use my information for?
We will not usually retain your personal information for more than 7 years from the date of your treatment. We have a legitimate business interest to retain your data for this period. After this period, we will securely destroy your personal information in accordance with applicable laws and regulations.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
* Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
* Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
* Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
* Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
* Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
* Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact Clare Woodcock at email@example.com in writing.
Right to withdraw consent
You have the right to withdraw your consent to us processing your personal data at any time. To withdraw your consent, please contact firstname.lastname@example.org. Once we have received notification that you have withdrawn your consent we will dispose of your personal data securely.