If you require this policy in a different format, an alternative language, or you need any help reading this document, please get in touch with our governance department by emailing email@example.com.
As a leading healthcare provider for physical and mental health solutions in the United Kingdom, we at Vita Health Group Limited (VHG) are committed to safeguarding the privacy and fundamental rights of those who use our services.
We are registered with the Information Commissioner’s Officer (ICO) under registration number Z119838X.
This Privacy Notice (this Notice) covers how Vita Health Group collect, use, disclose, transfer and store your personal data when interacting with us through use of this website (this site/our site/our sites). When engaging with us through use of our products and services, we will provide you with a more specified privacy notice related to that product or service.
This Privacy Notice will be reviewed and updated on a yearly basis, or earlier when significant changes to relevant legislation warrants it. It was last updated 22/04/2020
3. Identity of the data controller and scope of this notice
Vita Health Group Limited consists of:
- RehabWorks Ltd
- Right CoreCare Ltd
- WorkplaceWellness Ltd
- Crystal Palace Physio Group Ltd
And including subsidiary companies or trading names.
For the purposes of Data Protection Legislation (including the Regulation (EU) 2016/679, General Data Protection Regulation (GDPR) and The Data Protection Act 2018) the parent company, Vita Health Group Limited acts as the data controller for all personal data processed by us.
We provide healthcare and wellbeing services to the NHS, occupational health providers, employers, insurance companies and other private customers.
This Privacy Notice serves as the basis to enable transparent communication between us and you, as data subjects. It sets out and explains how we collect, process and securely store any of your personal data submitted to us through use of our sites as well as the rights you have over your personal data, with whom we may share your personal data with and how to contact us about your personal data we process should the need arise.
If you have any further questions about the scope of this notice, please contact the Data Protection Officer (DPO), whose details are listed in the relevant section below.
4. Collection, processing and retention of personal data
Categories of Personal Data
We collect the following personal data both directly from you and via third-parties whom you instruct to act on your behalf through forms on our site:
- Full name
- Postal address including postcode
- Email address
- Telephone number
Processing of Personal Data
VHG are responsible for identifying and applying the appropriate lawful basis before processing any of your personal data. All lawful bases are considered equal, and no lawful basis is more valid than another. Below are the following lawful bases we rely upon:
- Consent – In cases where you have offered specific consent to do so for a certain processing operation, we will process your personal data
- Contractual Necessity – We need to process your personal data pursuant to a contract you have entered into, or have taken steps to enter into
- Legal Obligation – We need to process your personal data in order to comply with our overriding legal and regulatory commitments
- Legitimate Interest – We process your personal data when we have a legitimate interest to do so. For example this may be when we need to arrange for your treatment to be referred to a third party such as the NHS or other private practice. When processing on the basis of legitimate interest, we only do so if the processing does not adversly affect your fundamental rights and freedoms as a data subject. For more information please contact our DPO using the details included below.
We will use your personal data you submit via our site in order to effectively operate the functioning of it. Specific uses of your personal data are to:
- Administer our website and business
- Personalise your experience of the website
- Enable you to best use the services offered on our website
- Effectivly handle and deal with enquiries and complaints made by you relating to our site
- Verify compliance with the terms and conditions of use governing our site
- Statistical analysis for improvement of our site
We will only process your personal data for the original purpose for which it was collected. If we do intend to utilise your personal data for further processing, we shall contact you directly with information on the expanded purpose as well as any other relevant information to the nature of the processing.
Sharing of Personal Data
We may share your personal data with third parties when you have either consented for us to do so, or we are under a legal or regulatory duty to do so.
Where permitted, we share your personal data within our group of companies, including the holding company and subsidiaries insofar as reasonably necessary for the purposes set out in this Notice.
Retention and Disposal of Personal Data
Personal data we collect is only retained for as long as it is necessary to fulfil the purpose for which it was originally collected and in order to comply with our legal and regulatory obligations. (For example, we are obliged to retain medical records for a period of 8 years). This is under our duty to the principle of data minimisation. Any retention periods for your personal data are strictly in line with what is required by our regulators or professional bodies of which we are a member of.
At the end of the data lifecycle, any personal data which is no longer necessary is securely disposed of via destruction or anonymisation via our internal policies and procedures for information assets. Anonymised data is outside the scope of Data Protection Legislation.
If you require further information about the retention of any of your personal data, please contact our DPO, whose contact details are listed below.
5. Cookies and our site
This website uses Cookie technology to provide increased functionality and enhance the user experience. Cookies are small text files stored by your internet browser at the request of our site. You may voluntary opt-in to various, non-essential cookies.
Please refer to our specific Cookie Notice for more information on how the Cookies on our site are utilised: https://www.vitahealthgroup.co.uk/our-policies-and-procedures/cookie-policy/
6. International transfer of personal data
We may transfer your personal data to countries outside the European Economic Area (EEA) for the purposes set out in this privacy notice. When making such an international transfer we ensure the that the adequate protection and appropriate safeguards are in place to securely protect your personal data. If we intend to transfer your personal data outside the EEA, we will contact you for your consent to do so.
If you would like any further information about how we transfer personal data outside of the EEA, please contact our DPO whose details are below.
7. Security of your personal data
The inherent nature of the internet means we cannot guarantee that any transmission of your personal data is 100% secure.
However, we have implemented the appropriate technical and organisational measures to ensure any of your personal data either stored or processed by us is protected against loss, misuse or alteration.
8. Rights of data subjects
The General Data Protection Regulation (GDPR) empowers data subjects with a variety of rights giving them control over their personal data processed by organisations. These rights are designed in a way to ensure that the data subject is in the driving seat when it comes to how their personal data is handled.
Please see below for the rights available:
Right of Access
You are entitled to request a copy of the personal data we hold on you as well as the following information:
- The Purpose of processing your personal data
- The categories of personal data concerned
- Any recipients to whom your personal data has been disclosed to
- The retention/envisioned retention period of your personal data
- The source of where we obtained your personal data if it was collected from a third-party
Right to Rectification
If you suspect that any of your personal data that we process is either inaccurate or incomplete, you may request that we correct or complete this data. Typically, this right is used in conjunction with The Right to Restrict Processing in order to ensure that any inaccurate or incomplete personal data is not processed.
Right to Erasure (Right to be Forgotten)
You may request the erasure of any personal data we hold on you where one of the below grounds apply:
- Your personal data is no longer necessary in relation to the original purpose it was collected/processed for
- You withdraw your consent from the processing and no other lawful ground applies
- You exercise your right to object and no other overriding legitimate ground for processing applies
- You believe your personal data has been unlawfully processed
- You believe your personal data has to be erased for compliance with an overriding legal obligation
- You believe your personal data has been collected in relation to the offer of information society services
Please be aware that the right to erasure is not an absolute right. We may retain certain personal data about you under our legal obligations, however we will endeavour to remove as much as we practically can, including from backups of our system.
The Right to Restrict Processing
Alternative to the right of erasure outlined above, you may ask us to temporarily cease processing your personal data, but not erase it entirely from our systems. This is available to you when one of the following grounds apply:
- You contest the accuracy of your personal data
- You believe processing your personal data is unlawful
- You believe that your personal data is no longer required to be processed, but must still be retained as part of a legal process
- There has been a sucessful right to object to the request and the processing has been temporarily halted to reach a decision on the status of the processing.
The Right to Data Portability
The right to data portability is a new right afforded to data subjects under the GDPR. Using this right, you may request for your personal data to be transferred from us to another data controller. This transfer of personal data must be done so in a commonly used, machine-readable format.
The right to data portability can only be exercised when all of the below grounds apply.
The Right to Object
The right to object allows you to request us to cease using your personal data at any time. A right to object can only be exercised if we are processing your personal data for one of the reasons listed below:
- For a task carried out in the public interest
- The exerise of official authority
- Under the “legitimate interest” lawful basis
- For scientific or historical research, or statistical purposes
- For direct marketing purposes
You may request to exercise any of the rights outlined above by contacting firstname.lastname@example.org. Making a request is free of charge, however in cases where it is deemed that such a request is deemed manifestly unfounded, we reserve the right to charge a small administrative fee. You will be informed of any administrative charge before we fulfil your request giving you the chance to decide whether you want to proceed further with the request.
We endeavour to respond to any of these requests within the period of one calendar month, however in cases where numerous or complex requests are made, this time period may be extended by a further two calendar months.
For security purposes, we typically request a form of identification from the data subject making the request, or written instruction from a representative of the data subject. Once identity has been verified any documents provided to us are immediately destroyed.
From time-to-time, we may use your personal data to communicate marketing offers to you by post, by email, by telephone or via our social media channels. We will only undertake marketing activities in instances where you have either given us permission, or when we are pursuing a legitimate interest to do so.
If you no longer wish to receive marketing communication from us, you may click on the ‘unsubscribe’ link included with email communications. Alternatively, you may contact us using the details below to specifically request this.
You have the right to object to any direct marketing communications sent to you. If you wish to exercise this right to object, please see the relevant section about your data protection rights.
10. Data protection officer (DPO) and contact
As VHG engage with the NHS and other public bodies on a regular basis to provide various services which involve the processing of personal data a Data Protection Officer (DPO) has been appointed. The DPO in in charge of addressing and managing data protection matters concerning your personal data within VHG.
The DPO is embedded within VHG to ensure continued compliance with any relevant data protection legislation. If you wish to contact the DPO directly, please send an email to email@example.com.
Alternatively, The DPO is also available for contact at the following postal address:
Vita Health Group
Data Protection Officer
7 Angel Hill
Bury St. Edmunds
If you wish to raise or discuss a complaint about how your personal data has been handled by us, please contact the Compliance Officer at firstname.lastname@example.org who will be happy to assist you.
If you are in any way dissatisfied with the Compliance Officer’s response to any concern raised, under Article 77 of the GDPR you have the right to directly lodge a complaint with the Information Commissioner’s Officer (ICO). Under Article 80, you may also authorise certain third parties (such as legal representatives) to make such a complaint on your behalf.