General Data Protection Regulation Policy for




GDPR stands for General Data Protection Regulation and replaces the previous Data Protection

Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on

25th May 2018.


How is your data used?

Security and safety is very important to us at MIND BODY MEDICAL. In line with the new General Data Protection Regulations we have updated our terms of service and how we use and process your data which you can read below.


Your personal data will be handled and processed sensitively by Mind Body Medical and it’s staff.

Personal details are kept only for the purposes of running the practice efficiently. Data will be kept

secure at all times. We will only submit your information to a relevant third party in the event we

have a safeguarding concern and/or we are required by government bodies or law enforcement

agencies to do so. The only other place your data is shared is on our fully compliant GDPR online



GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified,

explicit and legitimate purposes’ and that individuals data is not processed without their knowledge

and are only processed with their ‘explicit’ consent. GDPR covers personal data relating to



The Data Protection Act gives individuals the right to know what information is held about them. It

provides a framework to ensure that personal information is handled properly.


Storage and use of personal information

Your information will be obtained directly via e-mail communication and our secure online

Patient Database, Facebook messaging (if you choose to contact us that way), phone call or in

person, but never through a third party. All data is stored on our software company Pabau and we also keep paper records in a secure facility on site at our clinic.


 We use this data for booking appointments, and relevant reminders and confirmations, invoicing and if you have agreed, marketing.


Staff have access to Pabau on both iphones, Ipads and laptops. All are password protected, and

 all staff are compliant to the regulations of GDPR.


We maintain records for up to 10 years.


Our main point of contact is via email and phone. We also have a Facebook page which you can contact us on and we will reply. Emails may be sent to you in the event of appointment alterations, cancellations, reminders or a last minute update, and we also use SMS messages for appointment reminders and confirmations.


MIND BODY MEDICAL will not store personal data held visually in photographs or video clips or as sound recordings, unless written consent has been obtained. No names are stored with images in photo albums, displays, on the website or on MIND BODY MEDICAL’s social media sites.


In the event you have completed an enquiry or registration form on the MIND BODY MEDICAL website or sent us your personal details by other means and subsequently decide not to proceed with engaging with us, we will delete your details from our database at your request.


Access to all Office computers is password protected. When a member of staff leaves the company

these passwords are changed in line with this policy and our Safeguarding policy. Any portable data

storage used to store personal data, e.g. USB memory stick, are password protected and/or stored in

a locked filing cabinet.


GDPR means that MIND BODY MEDICAL must;

* Manage and process personal data properly

* Protect the individual’s rights to privacy

* Provide an individual with access to all personal information held on them



GDPR includes 7 rights for individuals


1) The right to be informed

MIND BODY MEDICAL is an Ayurvedic practice and Training Academy, registered with the CMA .

We need to know full names, names, addresses, telephone numbers, email addresses, along with a certain amount of medical history to be able to safely and effectively manage your case.

MIND BODY MEDICAL uses Cookies on its website to collect data for Google Analytics, this data is anonymous.


2) The right of access

At any point an individual can make a request relating to their data and MIND BODY MEDICAL will need to provide a response (within 1 month). MIND BODY MEDICAL can refuse a request, if we have a lawful obligation to retain data but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.


3) The right to erasure

You have the right to request the deletion of your data where there is no compelling reason for its

continued use. However MIND BODY MEDICAL has a legal duty to keep records for a minimum of 7 years.


4) The right to restrict processing:

Clients can object to MIND BODY MEDICAL processing their data. This means that records can be stored but must not be used in any way, for example reports or for communications.


5) The right to data portability

MIND BODY MEDICAL requires data to be transferred from one IT system to another; such as from Pabau to another patient software system.


6) The right to object

Patients can object to their data being used for certain activities like marketing or research.

7) The right not to be subject to automated decision-making including profiling.

Automated decisions and profiling are used for marketing based organisations. MIND BODY MEDICAL does not use personal data for such purposes.






This Policy was adopted by MIND BODY MEDICAL in September 2019


Signed on behalf of Mind Body Medical


Holly Watts