GDPR and PECR

The General Data Protection Regulation (GDPR) is a new law that will replace the DPA (Data Protection Act 1998) in the UK in May 2018. It is largely an evolution of the current DPA legislation but increases the rights of individuals considerably.

It is there to protect Personal Data (Data about or relating to a living, identifiable, individual). It relates to a Natural Person, not a legal identity like a company.

GDPR makes it mandatory to adopt a Data Protection-by-Design approach, and the data capture must be fair, lawful and fulfil a condition (see below).

The Privacy and Electronic Communications Regulations (PECR) will sit alongside the GDPR. There are specific rules on:

  • marketing telephone calls, emails, texts and faxes;
  • cookies (and similar) to track information about people;
  • keeping communications services secure; and
  • customer privacy as regards traffic and location of data, itemised billing, line identification (eg caller id) and directory listings.

Both the GDPR and PECR aim to protect people’s privacy but PECR apply even if the data is not Personal Data – many of the rules protect companies as well as individuals, and the marketing rules apply even if the person being contacted cannot be identified.

It’s important to understand that we must comply with both GDPR and PECR – one concerns the data being held and processed (which includes the reasons why we are holding the data – eg to maintain contact with the person) whilst the other covers how we communicate with the individual.

Conditions which allow the Processing of Personal Data

There are 6 conditions noted in GDPR, fulfilling any one of which will allow the processing of someone’s personal data.

  • Contracts (employment, sales, agreements)
  • Legal Obligation (need to be able to quote a specific law)
  • Vital Interest (immediate risk of death)
  • Official functions / administration of justice / public interest
  • Legitimate Interest
  • Consent

Legitimate Interest

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.

It is being interpreted that organisations can lawfully send direct marketing by post or call people by telephone provided that they have not objected and are not registered with the TPS.

Consent

Consent is “Any freely given specific and informed indication of wishes by which the data subject signifies their agreement to personal data relating to them being processed”.

To obtain Consent it will be necessary to explain to the individual – the ‘data subject’ – what we are doing with their data.

  • the purpose for processing their data,
  • how their data is to be used,
  • the condition (i.e. legal basis)
  • what their rights are
  • the retention period for the data and
  • the source of the data if obtained from a third party.

Consent has to be ‘Opt In’ – There is no consent unless it is asked for specifically, and there is no consent unless the person gives it.

Other Considerations

There are 3 further important matters to consider for any type of data processing.

  1. There must be a clear ability to unsubscribe
  2. There will need to be a Suppression list: a list of all the people who have said that they do not wish to be contacted.
  3. There is a Right to Be Forgotten: the right to have certain or all of the information relating to a person forgotten (or removed).
  4. Profiling – the use of automated techniques (using a computer or machine) to “evaluate” certain aspects of the individual. Consent or disclosure is required for this.

PECR
Privacy and Electronic Communications Regulations 2003 applies to marketing and to those they ‘instigate’ to send marketing material.

What is Electronic Communication?

Any information sent between particular parties over a phone line or internet connection. It includes phone calls, faxes, text messages, video messages, emails and internet messaging.

What is (Direct) Marketing?

The communication (by whatever means) of any advertising or marketing material which is directed to particular, specific individuals.

All advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations – for example, it covers a charity campaigning for support or funds.

The marketing must be directed to particular individuals. In practice, all relevant electronic messages (eg calls, faxes, texts and emails) are directed to someone, so they fall within this definition.

Routine customer service messages do not count as direct marketing – correspondence with customers to provide information they need about a current contract or past purchase (eg delivery arrangements, product safety, changes to terms and conditions).

General branding, logos or straplines in messages do not count as marketing. However, if the message includes any significant promotional material, then the message includes marketing material and the rules apply.

Solicited and Unsolicited

Most of the rules in PECR only apply to unsolicited marketing messages. A solicited message is one that is actively requested. So if someone specifically asks to be sent some information, then this does not fall under PECR.

An unsolicited message is any message that has not been ‘specifically requested’. So even if the customer has ‘opted in’ to receiving marketing, it still counts as unsolicited marketing.

The TPS (Telephone Preference Service)

The TPS is the Telephone Preference Service. It is a central register of individuals who have opted out of receiving live marketing calls.

The CTPS

The CTPS is the Corporate TPS. It works in the same way as the TPS, but for companies and other corporate bodies (limited liability partnerships, Scottish partnerships and government bodies).

Summary – GDPR & PECR Communication Rules

Telephone Calls
  • Individuals (includes sole traders and partnerships): OK to call provided not registered with the TPS; Or Opt Out
  • Business-to-business (companies and corporate bodies): OK to call provided not registered with the Corporate TPS; Can Opt Out

Email & Texts
  • Individuals (includes sole traders and partnerships): Specific Consent Required; Soft Opt-In
  • Business-to-business (companies and corporate bodies): Can email or text Corporates; Good practice to offer opt out; Individual employees can opt out

Mail
  • Individuals (includes sole traders and partnerships): Can send direct mail provided Name and address obtained fairly; Can Opt out
  • Business-to-business (companies and corporate bodies): Can mail corporate bodies; Individual employees can opt out

Our Privacy Statement

The Limes Dental Practice is committed to protecting your privacy. We ensure that all your personal information is held securely and safely. This privacy policy explains how we collect, use and store information, and what that might mean for you.

Who we are and what we do
We are The Limes Dental Practice. We have been providing the highest quality Gloucester dental care for over 60 years. We offer a full range of restorative, preventive and cosmetic dental treatments.

What information do we collect?

We collect data about patients who use our services that is relevant to their healthcare and that allows The Limes Dental Practice to deliver its services to our patients. We process personal information about our patients, customers, suppliers and employees.
The types of data we may collect are listed below and we will only use that data in ways relevant to carrying out our legitimate purposes and functions and in a way that is not detrimental to the interests of our patients or employees. The Limes Dental Practice will take particular care in the collection and storage of any personal sensitive data. Everyone working within Limes Dental Practice has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.
Collection of data:
The dental professionals caring for you keep records about your health and any treatment and care you receive from our practices. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer. These records may include:
•Basic details about you such as name, address, date of birth, next of kin, etc.
•Contact we have had with you such as appointments.
•Notes and reports about your health, treatment and care.
•Results of x-rays.
•Relevant information from people who care for you and know you well such as health professionals and relatives.
•Financial information for payment of any treatments
It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.
How your personal information is used:
Your records are used to direct, manage and deliver the care you receive to ensure that:
•The dental professionals involved in your care have accurate and up to date information to assess your oral health and decide on the most appropriate care for you.
•Healthcare professionals have the information they need to be able to assess and improve the quality and type of care you receive.
•Your concerns can be properly investigated if a complaint is raised.
•Appropriate information is available if you see another dental professional, or are referred to a specialist.
•From time to time we may use your contact information to send you details of products and services offered in our practices that directly relate to your oral healthcare.
We may collect technical data about the type of Internet browser and computer operating system that you use. This information does not identify you as an individual and is used only for tracking of site use.
The Limes Dental Practice may disclose your personal information to third parties:
•In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
•If The Limes Dental Practice or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
•If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use, and other agreements; or to protect the rights, property, or safety of The Limes Dental Practice, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud prevention and credit risk reduction.
Your rights:
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data or unsubscribing via our email communications. You can also exercise the right at any time by contacting us at:
The Limes Dental Practice
168 Stroud Road
GL15JX
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Access to information:
The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee of £10 for computerised records and up to £50 for any non-digital x-ray copies that are required to provide you with details of the information you have requested.
Changes to our privacy policy:
Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail.

Cookies

When you visit this site we may send “cookies” to your computer primarily to enhance your on-line experience. “Cookies” are files which can identify you as a unique viewer and store your personal preferences as well as technical information. On their own, cookies do not contain or reveal any personal information. However, if you choose to furnish the site with personal information, this information may be linked to the data stored in the cookies.
We may also collect certain anonymous technical information when you visit many of our web pages such as the type of browser you are using, the type of operating system you are using and the domain name of your Internet service provider.
We use cookies and technical information to personalise your visit to our site (e.g., to recognise you by name when you return to our site) and to track customer trends and patterns. This helps us improve the design and content of our Website for visitors and assists us in our communications and marketing initiatives. Although most browsers are initially set up to accept cookies, you can set most browsers at any time to refuse all cookies or indicate when a cookie is being sent. However, please note that some parts of this Website may not function properly if you refuse cookies. For more information on cookies and how to disable them you can consult the information provided by the Interactive Advertising Bureau UK at www.allaboutcookies.org.

Using your personal data

Personal data submitted on this website will be used for the purposes specified in this privacy policy or in relevant parts of the website.
We may use your personal information to:
(a) enable your use of the services available on the website;
(b) send you general (non-marketing) communications;
(c) send you email notifications;
(d) provide third parties with statistical information about our users – but this information will not be used to identify any individual user;
(e) deal with enquiries and complaints made by or about you relating to the website; and
We will not without your express consent provide your personal information to any third parties for the purpose of direct marketing.

Disclosures

We may disclose information about you to any of our employees, officers, agents, suppliers or subcontractors insofar as reasonably necessary for the purposes as set out in this privacy policy.
In addition, we may disclose information about you:
(a) to the extent that we are required to do so by law;
(b) in connection with any legal proceedings or prospective legal proceedings;
(c) in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
Except as provided in this privacy policy, we will not provide your information to third parties.

Security of your personal data

We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.
We will store all the personal information you provide on our secure (password- and firewall- protected) servers. All electronic transactions you make to or receive from us will be encrypted [using SSL technology].
Of course, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.

Policy amendments

We may update this privacy policy from time-to-time by posting a new version on our website. You should check this page occasionally to ensure you are happy with any changes.
We may also notify you of changes to our privacy policy by email.

Your rights

You may instruct us to provide you with any personal information we hold about you.

Third party websites

The website may contain links to other websites. We are not responsible for the privacy policies or practices of third party websites.

Updating information

Please let us know if the personal information which we hold about you needs to be corrected or updated.

Contact

If you have any questions about this privacy policy or our treatment of your personal data, please write to us by email to reception@limesdentalpractice.com