Privacy notice

I, Fen Gerry, hold some of your personal data and act as the data controller and data processor for this information. This privacy notice outlines how that information is used, shared and held. It also states the legal basis on which I hold that data for the purposes of the General Data Protection Regulation (GDPR).

This document does not provide exhaustive detail, but I will try to provide any additional information or explanation you may need. Any requests for this should be sent to me, the data controller, and my contact details are given at the end of this notice.

What I do

I’m a natural healthcare practitioner and provide direct complementary healthcare including Mindfulness-based Massage, Shiatsu, Pregnancy Massage, Pregnancy Yoga and Yoga Therapy to patients and clients.

How I obtain your personal data

You provide me with personal data in the following ways:

  • completing a questionnaire
  • during a consultation
  • through emails and other electronic messages that I may exchange with you
  • through telephone calls I may have with you
  • by taking payment from you using credit cards and online payment methods
  • through contact made via the Nailsworth Natural Health Clinic or Lam Rim, Centre for Whole Health, reception services

This may include the following information:

  • name
  • address
  • email address
  • next of kin details
  • general practitioner details
  • details of appointments and other contacts that I have had with you
  • any communications preferences you may have
  • Health information you have supplied may include details of:
    • previous medical history
    • current and historical medications
    • supplements
    • diet
    • lifestyle
    • results of tests performed by third parties that you have shared with me
    • health improvement plans
    • advice from other practitioners where you have consented
    • personal statements that you have made about yourself and others

Information from other sources

I may obtain sensitive information from other healthcare providers and testing companies, subject to you giving me your express consent. The legal bases for holding your personal data is that of consent and legitimate interest.

How do I use this information?

I use your personal information to provide you with direct healthcare.  The legal basis for holding your personal data and using it is that of a legitimate interest.

How do I store this information?

The personal information that I hold on you is stored as:

  • handwritten notes that are not copied
  • diary information
  • electronic format

How I use your personal data?

I act as a data controller for your personal data to provide direct healthcare. I also act as a controller and processor of your data from third parties. I act as a data controller and processor regarding the processing of credit card and online payments.

I undertake at all times to protect your personal data consistent with our duty of professional confidence and the requirements of the General Data Protection Regulation(GDPR). I also take reasonable security measures to protect your personal data storage.

I may use your personal data where there is an overriding public interesting using the information, e.g. to safeguard an individual order to prevent serious crime or where there is a legal requirement such as a court order. The legal bases for doing so is that of legal obligation, criminal offence or vital interests.

I may use your data to for promotional and marketing purposes but this would be subject to you giving me express consent for content and communication channels. The legal basis for doing so is that of consent.

Sharing your data with third parties

I will keep information about you confidential. I will only disclose your information to other third parties with your express consent except for the following categories of third parties:

  • My registered professional associations, the Shiatsu Society and the International Federation for Professional Aromatherapists, for the processing of any complaint you make.
  • Contractors and advisers that provide a service to me or act as my agents on the understanding that they keep information confidential and that they are GDPR compliant.
  • Anyone to whom I may transfer our rights and duties.
  • Legal or crime prevention agencies or to satisfy any regulatory request if I have a duty to do so or the law allows me to do so

I may share your information with pharmacies as part of providing you with direct healthcare. I will not include any sensitive information.

I will seek your express consent before sharing your information with your GP or other healthcare providers. However, if I believe that your life is in danger then I may pass your information onto an appropriate authority (such as the police, social services in the case of a child or vulnerable adult, or GP in case of self-harm) using the legal basis of vital interests.

I may share your case history in an anonymised form with my peers for professional development purposes. This may be at clinic supervision meetings, conferences, online forums and through publishing in medical journals, trade magazines or online professional sites. I will seek your explicit consent before processing your data in this way.

What are your rights?

You have the right to see, amend, delete and have a copy of data held that can identify you with some exceptions. You do not need to give a reason to see your data. You can exercise these rights free of charge.

If you want to access your data you must make a request in writing to me. Under special circumstances some information may be withheld.  I shall respond within 20 working days of receiving your request. My response will include details of the personal data I hold on you including:

  • sources from which I acquired the information
  • purpose of holding and processing the information
  • third parties with whom I share the information

You have the right, subject to exemptions, to ask to:

  • Have your information deleted
  • Have your information corrected or updated where it is no longer accurate
  • stop processing your personal data, unless I am required to do so by law
  • Receive a copy of your personal data, which you have provided to me, in a structured, commonly used and machine-readable format
  • transmit that data to another controller.

I do not carry out any automated processing which may lead to automated decision based on your personal data.

What safeguards exist to secure your personal data?

I only use the information that may identify you in accordance with the GDPR. This requires me to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

Within the health sector I also must follow the common-law duty of confidence, meaning that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared with third parties for providing direct healthcare. I will protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

How long do I keep this information?

Following the completion of your healthcare I retain your personal data for the period recommended by the appropriate professional association. The legal basis for holding this is contract administration.You do not have the right to delete your data within this period.


If you require further information, wish to exercise your rights over your personal data or have a complaint regarding the use of your personal data, then please contact me (the data controller) at Nailsworth Natural Health Clinic, Smith House, George Street, Nailsworth, GL6 0AG.

If request or complaint is not resolved to your satisfaction, you may make a formal complaint to the information Commissioners Office(ICO), you may contact them on 016255457454 or 0303 123 1113.


21 May 2018