
Your Data Protection Rights

This page explains your data protection rights under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), and how to exercise those rights with Sapien Medica Limited. This page summarises information that is also contained in our Privacy Policy. Where there is any difference, the Privacy Policy is the authoritative document.

1. Sapien Medica’s Role

Sapien Medica Limited is the data controller for the personal information described in our Privacy Policy. “Data controller” means we are the organisation that decides why and how your personal information is processed.

2. The Principles We Apply

The UK GDPR requires us to handle your personal information in accordance with seven core principles. We have built our processes around them:

  • Lawfulness, fairness, and transparency: we process your information on a recognised legal basis, in a way that is fair to you, and we tell you what we are doing.
  • Purpose limitation: we collect your information for specified, explicit, and legitimate purposes, and we do not use it for incompatible purposes.
  • Data minimisation: we collect only the information necessary for the purposes we have explained.
  • Accuracy: we take reasonable steps to keep your information accurate and up to date, and we correct it when we are told it is wrong.
  • Storage limitation: we keep your information only for as long as necessary.
  • Integrity and confidentiality: we protect your information against unauthorised access, loss, or damage using appropriate technical and organisational measures.
  • Accountability: we are responsible for complying with these principles and we can demonstrate that compliance.

3. Your Rights in Detail

    3.1 The right to be informed
    You have the right to be told, in clear language, what we do with your personal information. We meet this right through our Privacy Policy, this notice, our cookie banner, and the case-specific consent forms we provide before sharing your information with Partner Providers.

    3.2 The right of access
    You can ask us for a copy of the personal information we hold about you. This is sometimes called a “subject access request”. We will respond within one month. There is normally no charge. We may ask you to verify your identity before we release information.

    3.3 The right to rectification
    If any information we hold about you is inaccurate or incomplete, you can ask us to correct or complete it. Where we have shared the information with a Partner Provider, we will, where reasonable and where you ask us to, also notify the Partner Provider of the correction.

    3.4 The right to erasure
    You can ask us to delete your personal information in certain circumstances, including where the information is no longer necessary for the purpose for which we collected it, or where you withdraw the consent on which the processing was based and there is no other lawful basis for it. The right is qualified: we may need to keep clinical, financial, or legal records for the periods set out in our Privacy Policy, even after you ask us to delete other information.

    3.5 The right to restrict processing
    You can ask us to limit the way we use your information, for example, while we investigate the accuracy of information you have asked us to correct, or while we consider an objection you have raised. We will tell you before any restriction is lifted.

    3.6 The right to data portability
    Where we process your personal information by automated means on the basis of your consent or a contract with you, you can ask us to provide it to you, or to another organisation you nominate, in a structured, commonly used, machine-readable format. We will do this where it is technically feasible.

    3.7 The right to object
    You can object to processing that we carry out on the basis of our legitimate interests, and to direct marketing in any case. Where you object to direct marketing we will stop processing your information for that purpose without delay. Where you object to other legitimate-interests processing we will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is required for the establishment, exercise, or defence of legal claims.

    3.8 Rights related to automated decision-making
    We do not make decisions about you that produce legal or similarly significant effects using solely automated means. If we ever introduce such processing, we will tell you in advance and ensure that you have the right to obtain human review.

    3.9 The right to withdraw consent
    Where we process your information on the basis of your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal, and it does not affect processing that is based on a different lawful basis. If you withdraw consent to our cross-border sharing of your health information with a Partner Provider, we may no longer be able to facilitate that part of your care.

4. How to Exercise Your Rights

    To exercise any of these rights, please email us at [privacy@sapienmedica.com] or write to us at the registered office address shown below. Please tell us which right you are exercising and provide enough information for us to identify you and locate the relevant records. We may ask for proof of identity before we respond.

    We will respond within one month of receiving your request. For complex or numerous requests we may extend that period by a further two months, in which case we will tell you within the first month and explain why.

5. Special Considerations for Health Data

    Health information is treated as “special category data” under the UK GDPR and is subject to additional protections. We process your health information in accordance with the conditions described in our Privacy Policy, typically your explicit consent and, where applicable, the provision-of-healthcare condition under Article 9(2)(h).
    Some health records are required by professional standards or by law to be retained for long periods even after you ask us to delete other information. Where the right to erasure is qualified for this reason, we will explain to you why we cannot fully comply with your request and we will limit our use of the retained information to the purposes for which retention is required.

6. Complaints to the ICO

    If you are not satisfied with how we have handled your request or any other data protection matter, you have the right to complain to the Information Commissioner’s Office. The ICO can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom; helpline 0303 123 1113; ico.org.uk.

    Sapien Medica Limited, [Registered office address], London, United Kingdom. Email: [contact@sapienmedica.com]. Company number: [●]. ICO registration: [●].