How we use your personal information
Identity and contact details of Controller

BASSAGE Body & Mind is a controller of personal information for the purposes of the General Data Protection Regulation (GDPR). Our contact details for data protection purposes are as follows:

Barbara Dziasek

58E Salusbury Road, NW6 6NP, London

07919 487 546

contact@bassage.co.uk

Purpose of this Privacy Policy

This Privacy Policy tells you what to expect when BASSAGE Body & Mind processes personal information. It applies to information collected about our customers that benefit from our massage and wellness services. This Privacy Policy explains the legal basis for which we process personal information.

Why do we collect and store personal information?

BASSAGE Body & Mind needs to process and store personal information about customers in order to arrange meetings and provide massage and wellness services. We will also do this for the purpose of sending commercial information.

Legal basis for processing

There are a few main legal bases for which we are processing your data:

“the data subject has given consent to the processing of his or her personal data for one or more specific purposes” – we rely on consent given by you to process your data. We as the service provider ask for your freely given consent and you as the service user acknowledge that consent can be withdrawn at any time by contacting us at: contact@bassage.co.uk

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child” – we might use legitimate interest to contact or send you information about our services and products based on the services and products you have previously enquired or used. You as the service user acknowledge that we will stop sending you and information at your request. You can request this by contacting us anytime at contact@bassage.co.uk

Other reasons where we might process personal information under GDPR are:

“processing is necessary for compliance with a legal obligation to which the controller is subject” – where we are under a legal obligation or an obligation under a contract to process / disclose the information

“processing is necessary in order to protect the vital interests of the data subject or of another natural person” – where we need to protect the vital interest (your health and safety)

Information we may hold about you and how we use it

The information we hold about you strictly concerns our relationship with you, the process or booking treatments and attending and providing our services.

The information we hold about you may contain:

• Full name
• Address
• Email address
• Phone number
• Age
• Sex

We use this information to identify you as a service requestor, and to be able to attend to your location or the location commonly agreed in order to provide our services.

We might collect information about your medical condition, any medication that you might take and also any allergies you might suffer from, in order to tailor our service to your needs. We rely on consent in order to process these special categories of personal data and we ask for it part of our Medical Consultation Form

How we manage your personal information

We process your personal information in accordance with the principles of GDPR.

We will treat your personal information fairly and lawfully and we will ensure that information is:

• Processed for limited purposes
• Kept up-to-date, accurate, relevant and not excessive
• Not kept longer than it is necessary
• Kept secure

Access to personal information is restricted to authorised individuals on a strictly need to know basis.

We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.

We will not discuss your personal information with anyone other than you, unless you have given us prior written authorisation to do so.

Periods for which we store your information

We will only hold your records during the period of our relationship with you and for a set period afterwards to allow us to meet our legal obligations including resolving any follow up issues between us.

Sharing your personal information

Only BASSAGE Body & Mind therapists will have access to your personal information, however, there may be times when we will share relevant information with third parties for the purposes as outlined, or where we are legally required to do so.

• to comply with the law
• where there is a clear health or safety risk to an individual or members of the public

Your rights under GDPR

As a data subject, you have certain rights under GDPR:

Access to personal information

Under the GDPR, you have a right to ask us what personal information we hold about you,

and to request a copy of your information. This is known as a ‘subject access request’

(SAR). SARs need to be made in writing and we ask that your written request is accompanied by proof of your identity. We have one calendar month within which to provide you with the information you’ve asked for although we will try to provide this to you as promptly as possible.

Rectification

If you need us to correct any mistakes contained in the information, we hold about you, you

can let us know by contacting us at: contact@bassage.co.uk

Erasure (‘right to be forgotten’)

You have the right to ask us to delete personal information we hold about you.

Restriction on processing

You have the right to require us to stop processing your personal information. When

processing is restricted, we are allowed to store the information, but not do anything with it. You can do this where:

• you challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
• you challenge whether we have a legitimate interest in using the information
• if the processing is a breach of the GDPR or otherwise unlawful
• if we no longer need the personal data but you need the information to establish, exercise or defend a legal claim.

If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so.

We must inform you when we decide to remove the restriction giving the reasons why we did this.

Objection to processing

You have the right to object to us processing your personal data, you can do this where:

• you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of GDPR, including profiling based on those provisions.

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

• where personal data is being processed for marketing

Right to data portability

You have the right to ask us to move, copy or transfer your personal data from an IT environment to another in a safe and secured way. The right only applies to personal data you have provided to us where the reason we are relying on to use the information is either your consent or for the performance of a contract. It also only applies when processing is carried out by us using automated means.

Further information

For further information on how to request your personal information and how and why we

process your information, you can contact us at: contact@bassage.co.uk

The Information Commissioner (ICO) is also a source of further information about your data

protection rights. The ICO is an independent official body, and one of their primary functions is to administer the provisions of the GDPR.

You have the right to complain to the ICO if you think we have breached the GDPR. You can

contact the ICO at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire,

SK9 5AF

0303 123 1113 / http://www.ico.org.uk/

You also have the right to withdraw your consent for us to process your personal information at any time. If the basis for which we are processing your information is consent, then we will stop processing your data immediately. If there are other lawful bases through which we can contact you, we might use those reasons.