The following Privacy Notice outlines how k:SPA gathers, processes and protects your personal data.
It is likely that we will need to update this Privacy Notice from time to time. In these instances, we will notify you of any significant changes. The updated Privacy Notice will appear on our Website, be advertised in the Salon and may also be sent to your email address if we hold that information on our records.
The Data Owner for the organisation is KELLY SHAW. You can contact the k:SPA Data Owner by sending an email to: firstname.lastname@example.org
PURPOSE AND LAWFUL BASIS FOR PROCESSING YOUR DATA
k:SPA’s Lawful Basis for processing personal data is CONSENT.
“The individual has given clear consent for you to process their personal data for a specific purpose.”
Processing your personal information comes with significant responsibilities on our part and we want you to know that we take these responsibilities very seriously.
k:SPA will never sell or rent your personal data to any Third-Party. Sharing of your data and direct marketing activities are only carried out with your express consent, which you are free to withdraw at any time.
We need to obtain and process your personal data in order to:-
- Enter into a contract with you;
- Provide you with our products, services and treatments;
- Fulfil our business and legal obligations;
- Engage in communication with you including confirmation and reminders of appointments, and requests to cancel or change bookings;
- Collect Health information to perform the agreed services appropriately, and potentially highlight areas where products and services may cause issues for clients because of their health;
- Ensure a safe service and provide industry standard advice;
- Select relevant offers, promotions and information for you;
- Estimate the number of Clients we have and store Client records;
- Hold personal data that is required by law or to respond to legal process;
- Hold for insurance purposes.
Where we request sensitive personal data from you (i.e. health or medical data), the reason(s) for the request will be clearly given along with the purposes of the processing. Explicit consent through a signature will always be required for us to obtain and process your health information.
We will never collect any personal information from you that we do not need or retain any data that is no longer necessary for the purposes specified in this Notice.
PERSONAL DATA COLLECTED
The personal data that we collect is:
- First Name/Last Name
- Mobile/Landline Number(s)
- Email Address
- Date of Birth
- Health information
- Appointment data and associated notes
- Photographs – if applicable (prior consent dependent)
- Marketing preferences
SPECIAL CATEGORIES OF PERSONAL DATA COLLECTED
Health questions are asked in our Digital Consultation Cards to potentially highlight treatments that may have a negative effect on your health due to medication you are taking or a condition you have. k:SPA asks for consent prior to gathering and processing this information. At any time after giving consent, you can withdraw your consent, subject to legal, insurance and contractual restrictions (see more on ‘your rights as an individual’).
k:SPA does not collect the personal data of children under the age of 16 without parental or guardian consent. The k:SPA website or k:SPA App are not directed at children. k:SPA does not knowingly collect any personal information from children. If you are a child, please do not attempt to become a registered user of our website or App or provide us with any personal information. If we learn that we have inadvertently obtained personal information from a child, we will delete that information as soon as possible.
If you are aware of a child who has provided their personal information to us, please contact the k:SPA Data Owner immediately by sending an email to email@example.com.
CONSEQUENCES OF NOT PROVIDING YOUR PERSONAL INFORMATION TO k:SPA
In the event that you want to purchase a product or service from k:SPA, certain personal information is required to enter into a contract with you. k:SPA will not be able to enter into a contract with you to fulfil an attempt to purchase a product or service if you do not provide your personal information. As noted in this Privacy Notice, we are processing your personal data to comply with legal and statutory obligations and in the performance of a contract. You can always choose not to provide personal information; however, we will be unable to provide certain products, services and treatments in these instances.
YOUR RIGHTS AS THE INDIVIDUAL
If your personal data is held by k:SPA you hold particular rights over it.
k:SPA have no involvement with any Marketing Third Parties.
Where you have provided consent for us to contact you as part of our marketing services, you have the right to modify or withdraw your consent at any time by the following options:-
- Using the unsubscribe option included within our direct marketing communications;
- Updating your Digital Consultation Card marketing settings the next time you visit the Salon;
- Contacting the k:SPA Data Owner by sending an email to firstname.lastname@example.org
When you provide consent to k:SPA to process your personal data you have the following additional rights:-
- The right to be informed
- The right to access your data
- The right to ask who we have shared the data with
- The right to rectify your data
- The right to question how long we intend to keep hold of your data
- The right to be forgotten* (withdraw consent/request data deletion)
- The right to move your data elsewhere
- The right to object to processing your data
- The right to request all the information we hold about you
- The right to be notified of a breach in data security
*subject to legal, insurance and contractual restrictions.
Requests concerning any of the above rights should be sent by email to the k:SPA Data Owner at email@example.com.
PROCESS OF COLLECTION
Your personal data is collected when you provide it to us through the data processing software we use on our website/k:SPA Client App, over the phone, in salon, by email, social media, at k:SPA events, in writing or any other means by which you provide it to us.
DATA PROCESSING AND SHARING
k:SPA is the Data Controller who collects and processes your personal information for the purposes laid out in this Privacy Notice.
Data Processors are Third Parties who rely on the consent you give k:SPA in order to provide some elements of our business service.
k:SPA shares your personal information with specific Third Party service providers. They only have access to the personal information they need to perform those services. They are required to keep your personal information Confidential and must process the personal information in accordance with this Privacy Notice and as permitted by applicable Data Protection Laws.
PHOREST – is the Data Processor. k:SPA use software provided by Phorest to manage its business of collecting, processing and storing Client data including appointments, treatments and payments. Phorest representatives have access to personal information in case of k:SPA Client support or troubleshooting.
DIGITOOLBOX – Acts as the Host for k:SPA’s website to provide k:SPA Clients with the capability of purchasing gift vouchers & gift cards. DigiToolBox representatives only have access to Client personal data supplied via the online purchase request. Payment is submitted via PayPal, and DigiToolBox see no payment details.
DR. HAYLEY – is Self Employed and offers Botox/Filler treatments upon the request of a k:SPA Client for an appointment. Only the Client’s name is passed by k:SPA to Dr. Hayley. Beyond that, Dr. Hayley keeps her own records concerning Client personal information.
Additionally, any personal information we collect and share on Social Media (e.g. photos of treatments or Client name) is strictly uploaded with prior verbal or written consent from the Client. Social Media includes: Facebook, Twitter and Instagram.
SAFEGUARDING YOUR PERSONAL DATA
Appropriate measures are taken to protect your personal data from access by unauthorised persons or inappropriate access. All k:SPA staff are given training on how to handle data carefully and with respect. k:SPA Staff are assigned specific access rights and can only access the Phorest software with the PIN assigned to them by the management of the salon.
Phorest software used by k:SPA is fully encrypted and secure. Please refer to Phorest’s Privacy Notice for further details on the levels of security used.
HOW LONG DO WE KEEP YOUR DATA?
k:SPA retains your personal data for as long as necessary to provide you with our services as our client. k:SPA are required under Insurance Laws to keep your personal data for a minimum of 7 years. Health and Safety records will be retained for 10 years and where we have your consent for marketing purposes, we will retain the minimum required data until you notify us that you no longer wish to receive such information.
The criteria under which we would continue to process your personal information include:
- Where there is a legal basis, obligation or legitimate interest
- Where processing is necessary for the establishment, exercise or defence of legal claims
TRANSFER OF PERSONAL DATA
Should the k:SPA Data Owner wish to sell the k:SPA business, the new owners of k:SPA will automatically take ownership of all Client data. k:SPA will stipulate that they have used the data for the reasons detailed in this Privacy Notice and that they must do the same. If the new owners wish to use the data for anything other than what is specified in this notice then they have to physically ask all Clients to re-opt in and issue an amended Privacy Notice.
In the event that you want to make a complaint about how your personal data was gathered, how it is being processed by k:SPA or third parties used by k:SPA, or you are not satisfied with how a complaint has been handled, you retain the right to lodge a complaint directly with the Supervisory Authority and the k:SPA Data Owner. k:SPA would appreciate the opportunity to assist you with your query before you raise a complaint directly with the Data Protection Authorities.
Data Protection Commissioner
Information Commissioner’s Office
+44 (0) 303 123 1113