Last updated July 01, 2022
The General Data Protection Regulation (GDPR) is a new law that will replace the DPA (Data Protection Act 1998) in the UK in May 2018. It is largely an evolution of the current DPA legislation but increases the rights of individuals considerably.
It is there to protect Personal Data (data about or relating to a living, identifiable individual). It relates to a Natural Person, not a legal identity like a company.
GDPR makes it mandatory to adopt a Data Protection-by-Design approach, and the data capture must be fair, lawful and fulfil a condition (refer below).
The Privacy and Electronic Communications Regulations (PECR) will sit alongside the GDPR. There are specific rules on:
Both the GDPR and PECR aim to protect people’s privacy but PECR apply even if the data is not Personal Data – many of the rules protect companies as well as individuals, and the marketing rules apply even if the person being contacted cannot be identified.
It’s important to understand that we must comply with both GDPR and PECR – one concerns the data being held and processed (which includes the reasons why we are holding the data – eg to maintain contact with the person) whilst the other covers how we communicate with the individual.
There are 6 conditions noted in GDPR, fulfilling any one of which will allow the processing of someone’s personal data.
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.
It is being interpreted that organisations can lawfully send direct marketing by post or call people by telephone provided that they have not objected and are not registered with the TPS.
Consent is “Any freely given specific and informed indication of wishes by which the data subject signifies their agreement to personal data relating to them being processed”
To obtain Consent it will be necessary to explain to the individual – the ‘data subject’ – what we are doing with their data.
Consent has to be ‘Opt In’ – There is no consent unless it is asked for specifically, and there is no consent unless the person gives it.
There are 3 further important matters to consider for any type of data processing.
Privacy and Electronic Communications Regulations 2003 applies to marketing and to those they ‘instigate’ to send marketing material.
Any information sent between particular parties over a phone line or internet connection. It includes phone calls, faxes, text messages, video messages, emails and internet messaging.
The communication (by whatever means) of any advertising or marketing material which is directed to particular, specific individuals.
All advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations – for example, it covers a charity campaigning for support or funds.
The marketing must be directed to particular individuals. In practice, all relevant electronic messages (eg calls, faxes, texts and emails) are directed to someone, so they fall within this definition.
Routine customer service messages do not count as direct marketing – correspondence with customers to provide information they need about a current contract or past purchase (eg delivery arrangements, product safety, changes to terms and conditions).
General branding, logos or straplines in messages do not count as marketing. However, any significant promotional material in the message means that the message includes marketing material and the rules apply.
Most of the rules in PECR only apply to unsolicited marketing messages. A solicited message is one that is actively requested. So if someone specifically asks to be sent some information, then this does not fall under PECR.
An unsolicited message is any message that has not been ‘specifically requested’. So even if the customer has ‘opted in’ to receiving marketing, it still counts as unsolicited marketing.
The TPS (Telephone Preference Service)
The TPS is the Telephone Preference Service. It is a central register of individuals who have opted out of receiving live marketing calls.
The CTPS is the Corporate TPS. It works in the same way as the TPS, but for companies and other corporate bodies (limited liability partnerships, Scottish partnerships and government bodies).
Summary – GDPR & PECR Communication Rules
Individuals - includes sole traders and partnerships
Business to business - companies and corporate bodies
Who we are and what we do
We are The Limes Dental Practice. We have been providing the highest quality Gloucester dental care for over 60 years. We offer a full range of restorative, preventive and cosmetic dental treatments.
We collect data about patients who use our services that is relevant to their healthcare and that allows The Limes Dental Practice to deliver its services to our patients. We process personal information about our patients, customers, suppliers and employees.
The types of data we may collect are listed below and we will only use that data in ways relevant to carrying out our legitimate purposes and functions and in a way that is not detrimental to the interests of our patients or employees. The Limes Dental Practice will take particular care in the collection and storage of any personal sensitive data. Everyone working within Limes Dental Practice has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.
Collection of data:
The dental professionals caring for you keep records about your health and any treatment and care you receive from our practices. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer. These records may include:
It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.
How your personal information is used:
Your records are used to direct, manage and deliver the care you receive to ensure that:
We may collect technical data about the type of Internet browser and computer operating system that you use. This information does not identify you as an individual and is used only for tracking of site use.
The Limes Dental Practice may disclose your personal information to third parties:
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data or unsubscribing via our email communications. You can also exercise the right at any time by contacting us at:
The Limes Dental Practice
168 Stroud Road
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Access to information:
The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee of £10 for computerised records and up to £50 for any non-digital x-ray copies that are required to provide you with details of the information you have requested.
When you visit this site we may send “cookies” to your computer primarily to enhance your on-line experience. “Cookies” are files which can identify you as a unique viewer and store your personal preferences as well as technical information. On their own, cookies do not contain or reveal any personal information. However, if you choose to furnish the site with personal information, this information may be linked to the data stored in the cookies.
We may also collect certain anonymous technical information when you visit many of our web pages such as the type of browser you are using, the type of operating system you are using and the domain name of your Internet service provider.
We may use your personal information to:
(a) enable your use of the services available on the website;
(b) send you general (non-marketing) communications;
(c) send you email notifications;
(d) provide third parties with statistical information about our users – but this information will not be used to identify any individual user;
(e) deal with enquiries and complaints made by or about you relating to the website; and
We will not without your express consent provide your personal information to any third parties for the purpose of direct marketing.
In addition, we may disclose information about you:
(a) to the extent that we are required to do so by law;
(b) in connection with any legal proceedings or prospective legal proceedings;
(c) in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.
We will store all the personal information you provide on our secure (password- and firewall-protected) servers. All electronic transactions you make to or receive from us will be encrypted [using SSL technology].
Of course, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
You may instruct us to provide you with any personal information we hold about you.
The website may contain links to other websites. We are not responsible for the privacy policies or practices of third party websites.
Please let us know if the personal information which we hold about you needs to be corrected or updated.