Privacy Notice for Patients

1. Introduction

Este Medical Group (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store and share your personal data when you interact with us, including when you visit our website, make enquiries, attend consultations, or receive medical treatments.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, together with any other applicable data protection legislation.

2. Personal data we collect

We may collect and process the following categories of personal data:

• Identity data (such as name, date of birth, gender)
• Contact data (such as address, email address, telephone number)
• Medical and health information, including medical history and treatment details
• Appointment and consultation records
• Payment and billing information
• Website usage data (such as IP address, browser type, and pages visited)
• Communications with us (including emails, phone calls, and messages)

3. Lawful basis for processing personal data

Under the UK GDPR, we must have a lawful basis to process your personal data. We rely on the following lawful bases:

Performance of a contract (Article 6(1)(b))

Where processing is necessary to provide consultations, treatments, procedures, aftercare, and other services requested by you.

Legal obligation (Article 6(1)(c))

Where processing is required to comply with legal, regulatory, or professional obligations, including healthcare record-keeping and safeguarding requirements.

Legitimate interests (Article 6(1)(f))

Where processing is necessary for the operation and administration of our business, improving our services, preventing fraud, ensuring system security, and managing complaints, provided that such interests do not override your rights and freedoms.

We do not generally rely on consent as the lawful basis for processing personal data where another lawful basis is more appropriate.

4. Special category data

In the course of providing medical services, we process special category personal data, including information relating to your physical or mental health and medical history.

We process special category data under:

Article 9(2)(h) UK GDPR – where processing is necessary for medical diagnosis, the provision of health care or treatment, or the management of health care systems and services.

Such data is processed by, or under the responsibility of, healthcare professionals who are subject to a duty of confidentiality.

5. Consent

Where we rely on consent to process personal data (for example, for certain marketing communications), consent will be:

• Freely given, specific, informed and unambiguous
• Actively provided (for example, by ticking a box or signing a form)
• Recorded and capable of being withdrawn at any time

You may withdraw consent at any time by contacting us using the details set out below. Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn.

6. How we use personal data

We use personal data to:

• Provide medical consultations, treatments and aftercare
• Communicate with you regarding appointments and services
• Maintain accurate medical and business records
• Process payments and manage billing
• Improve our services and website functionality
• Comply with legal, regulatory and professional obligations

7. Who we share personal data with

We may share personal data where necessary with:

• Medical professionals, surgeons, nurses and clinical staff involved in your care
• Laboratories, diagnostic providers, and pharmacies
• IT and systems providers who support our clinical and administrative operations
• Professional advisers, insurers, and auditors
• Regulatory bodies, authorities, or law enforcement where required by law

All third parties are required to process personal data securely and in accordance with applicable data protection legislation.

8. International data transfers

We do not routinely transfer personal data outside the United Kingdom.

Where personal data is transferred outside the UK (for example, via certain IT service providers), we ensure appropriate safeguards are in place, such as UK adequacy regulations or approved contractual safeguards, to protect your data in accordance with UK GDPR.

9. Data security

We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or alteration. Access to personal data is limited to those who have a legitimate need to know.

10. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to comply with legal, regulatory, and professional obligations. Medical records are retained in accordance with applicable healthcare retention requirements.

11. Your rights

Under the UK GDPR, you have the right to:

• Access your personal data
• Request correction of inaccurate or incomplete data
• Request erasure of your data (where applicable)
• Request restriction of processing
• Object to processing
• Request data portability (where applicable)

To exercise your rights, please contact us using the details below.

12. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters.

Website: www.ico.org.uk

13. Contact us

If you have any questions about this Privacy Policy or how we process your personal data, please contact us at:

Info@estemedicalgroup.uk

14. Updates to this policy

We may update this Privacy Policy from time to time. Any changes will be published on our website.