- Clinical Services
- Work With Us
- Contact Us
All organisations that process personal data are required to comply with data protection legislation. The General Data Protection Regulations 2018 gives individuals (known as ‘data subjects’) certain rights over their personal data whilst imposing certain obligations on the organisations that process their data.
The Company collects and processes both personal data and sensitive personal data. It is required to do so to comply with legislation and contractual purposes. It is also required to keep this data for different periods depending on the nature of the data.
In this policy the following terms have the following meanings:
‘The Company’ refers to Athona Ltd, Athona Education Limited and Athona Clinical Services Ltd.
‘data controller’ means an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘processing’ means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘sensitive personal data’* means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health, an individual’s sex life or sexual orientation and an individual’s criminal convictions.
* For the purposes of this policy we use the term ‘personal data’ to include ‘sensitive personal data’ except where we specifically need to refer to sensitive personal data.
‘subject access request’ means the rights an Individual has to request access to their personal data on request, free of charge except in certain circumstances.
‘Supervisory authority’ means an independent public authority which is responsible for monitoring the application of data protection. In the UK the supervisory authority is the Information Commissioner’s Office (ICO).
The Company processes personal data in relation to its own staff, work-seekers and individual client contacts and is a data controller for the purposes of the Data Protection Laws.
The Company has registered with the ICO and its registration number is Z8156454
The Company may hold personal data on individuals for the following purposes:
The right to access (‘subject access request’)
Individuals are entitled to obtain access to their personal data on request, free of charge except in certain circumstances.
If the Company transfers the individual’s personal data to a third country or to an international organisation, the individual shall have the right to be informed of the appropriate safeguards in place relating to the transfer.
If the Company processes a large quantity of information concerning the individual making the request, the Company might request that the individual specify the information or processing activities to which the request relates to specifically before the information is delivered. If such a request is required by the Company then it shall be delivered promptly to the individual, taking into consideration the timeframes that subject access requests must be completed.
The individual’s right to access their information shall not adversely affect the rights and freedoms of others and they will not be able to access the personal data of third parties without the explicit consent of that third party or if it is reasonable in all the circumstances to comply with the request without that third party’s consent, taking into consideration any means to redact the personal data of any third party. Persons listed in the Appendix will decide whether it is appropriate to disclose the information to the individual on a case by case basis. This decision will involve balancing the individual’s right of access of their personal data against the third party’s rights in respect of their own personal data.
Data Subjects submitting a request for information must follow this Procedure:
a) Make a request in writing to the Data Protection Officer (DPO) at email@example.com
b) The request should include documents confirming the identity of the Data Subject such as a driving licence, passport or birth certificate. If sufficient ID is not submitted with the original request, the Data Protection Officer will request this identification, and no documentation will be released until identification is confirmed; and
c) The request should provide detail about the information the Data Subject wishes to request such as where and whom the information is believed to be held by. These details allow for efficient location and retrieval of the information requested.
The company reserves the right not to disclose any information about a third party to whom the company owes a duty of confidentiality or privacy. Information given will only be that relating to the Data Subject.
Any queries about requests should be directed to the Data Protection Officer at firstname.lastname@example.org
Once the company receives a request, the Data Protection Officer will issue a response within one month of receipt. If, however, the request is complex or numerous, an extension by a further two months could be made.
Should an extension be required, the Data Subject will be notified of the extension and the reasons as to why it is required, within one month of receipt of the request.
If you have provided enough information in your SAR to collate the personal information held about you, we will gather all documents relating to you and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate your records, we may contact you for further details. This will be done as soon as possible and within the timeframes set out below.
Once we have collated all the personal information held about you, we will send this to you in writing (or in a commonly used electronic form if requested). The information will be in a concise, transparent, intelligible and easily accessible format, using clear and plain language.
The company will provide a copy of the information in response to a request free of charge.
Should a request be manifestly unfounded or excessive, particularly because it is repetitive, a reasonable fee can be charged. A reasonable fee may also be charged for further copies of the same information but not all subsequent requests.
If a request is manifestly unfounded or excessive, particularly where it is repetitive, then the request can be refused.
Should a request be refused, the Data Subject will be informed of the reasons why it is refused and will be informed of their right to complain to the Regulatory Authority within one month of receipt of the request.
Under the GDPR, you have the right to request rectification of any inaccurate data held by us. Where we are notified of inaccurate data, and agree that the data is incorrect, we will amend the details as directed by you and make a note on the system (or record) of the change and reason(s). We will rectify any errors within 30-days and inform you in writing of the correction and where applicable, provide the details of any third-party to whom the data has been disclosed.
If for any reason, we are unable to act in response to a request for rectification and/or data completion, we will always provide a written explanation to you and inform you of your right to complain to the ICO.
In certain circumstances, you may also have the right to request from the company, the erasure of personal data or to restrict the processing of personal data where it concerns your personal information; as well as the right to object to such processing. You can use the contact details below to make such requests.
To submit your subject access request you can write to us at email@example.com or write to the Data Protection Officer at the following address:
The Data Protection Officer
2nd Floor Kingsgate House
1 King Edward Road
To raise a complaint with the Information Commissioner’s Office
You can contact the ICO directly on 0303 123 1113 or at https://ico.org.uk/make-a-complaint/