Introduction and summary of our Privacy Policy

Welcome to Concierge Choice UK LLP’s privacy policy in relation to the functions which we undertake to support participating GPs and their Concierge programs.

Concierge Choice UK LLP’s goals are:

  • To provide information to enquirers about the Concierge program and participating GPs who operate the program (referred to as “participating GPs”)
  • To support GPs who operate a Concierge program and members of the GP’s Concierge program (referred to as “members”) in their relationship.
  • To facilitate the registration process for members
  • To provide accounting and billing support for participating GPs
  • To comply with legal and regulatory requirements

We process the personal data of enquirers and members in support of those aims. We respect the confidentiality of your personal data. We share your personal data in a limited number of ways permitted or required by law.

This privacy policy will tell you about:

  1. how we look after and use your personal data provided to us in connection with the functions which we undertake; and
  2. your privacy rights under the data protection law including, the General Data Protection Regulation (and data protection law made under that regulation) and how that law protects you.

In addition to the above, where we use personal data for purposes other than core functions (for example human resources) we have separate privacy policies which describe what personal data we collect for those purposes and what we do with such personal data.

As we are collecting personal data about you, relevant laws protect your personal data and give you rights in relation to your data. Your ‘legal rights’ mean you can:

  • Request access to your personal data
  • Ask us to correct your personal data
  • Ask us to delete your personal data
  • Object to the processing of your personal data
  • Request restriction of processing of your personal data
  • Request the transfer of your personal data
  • Withdraw consent at any time

Each of these ‘legal rights’ is explained in more detail in the next sections.


Details of our privacy policy


This privacy policy is provided in accordance with the requirements of the GDPR. It is divided into sections outlined below and you can click through to the specific section. Please also use the Glossary to understand the meaning of some of the terms used in this privacy policy.

  1. [IMPORTANT INFORMATION AND WHO WE ARE]
  2. [THE DATA WE COLLECT ABOUT YOU]
  3. [HOW IS YOUR PERSONAL DATA COLLECTED]
  4. [HOW WE USE YOUR PERSONAL DATA]
  5. [DISCLOSURES OF YOUR PERSONAL DATA]
  6. [INTERNATIONAL TRANSFERS]
  7. [DATA RETENTION]
  8. [YOUR LEGAL RIGHTS]
  9. [GLOSSARY]



  1. Important information and who we are purpose of this privacy policy

  2. This privacy policy aims to give you information on how Concierge Choice UK LLP collects and processes personal data in connection with the functions which it performs for GPs providing services through the Concierge program.

    It is important that you read this privacy policy together with any other privacy policy or fair processing notice, and other communications we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements the other notices and is not intended to override them.

    Controller

    Concierge Choice UK LLP (referred to as Concierge Choice UK LLP, "we", "us" or "our" in this privacy policy) is a limited liability partnership with registration number OC420716. Concierge Choice UK LLP is data controller of the personal data to which this privacy policy relates.

    We have appointed a data protection lead (“DPL”) whose role includes overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise [your legal rights], please contact our DPO using the details set out below.

    Contact details

    Our contact details are:

    Our full name: Concierge Choice UK LLP
    DPL contact name: Wayne Lipton

    Email and postal address for contacting us and our Data Protection Lead:

    Email address: dplead@choicegp.co.uk
    Postal address: Ramsey House, 18 Vera Avenue, Grange Park, London, N21 1RA

    You have the right to make a complaint at any time to the Information Commissioner's Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

    Changes to this privacy policy

    This version was last updated on 8 October 2018 and historic versions can be obtained by contacting us

    The need for you to inform us of changes to personal data about you or others

    It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by contacting us. Please use the contact details in the previous section.

    Similarly, it is important that the personal data we hold about others is accurate and current. Please keep us informed if others’ personal data that you have given us changes during your relationship with us.

  3. The data we collect about you
  4. Personal data means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

    We may collect, use, store and transfer different kinds of personal data about you and in any given case the kind of personal data we collect, use, store and transfer will be influenced by the nature of your interaction with us e.g. as an enquirer or as a member of a participating GP’s program. Whilst the personal data which we collect, and process relates principally to you it may include personal data which relates to others including family members, carers and other healthcare professionals.

    We have grouped together kinds of personal data as follows:

    Personal Identifiers including name, date of birth, address, NHS number

    Financial Information including information necessary for invoicing, payment and accounting purposes.

    Special Categories of Personal: Enquirers/members should not provide Concierge Choice UK LLP with any details of their medical conditions. That information will be collected by participating GPs where necessary.

    Sources of Personal Data

    We may collect personal data from a number of different sources including, but not limited to:

    Organisations or professionals involved in the enquirer' or member’s care, including:
    • Their GPs
    • Participating GPs contracting with us
    • The information which we collect in relation to our clients may include information about a variety of third parties including the client’s relatives, friends or carers.


    Directly from enquirers or members

    Data may be collected directly from you when:

    • You submit information via forms on our website, or by telephone
    • You submit a query to us
    • You correspond with us by letter, email, telephone or social media
    • You take part in our marketing activities


    Directly from enquirer’s relatives, friends or carers Data may be collected directly from enquirer’s or member’s relatives, friends or carers when they:

    • submit information via forms on our website, or by telephone
    • submit a query to us
    • correspond with us by letter, email, telephone or social media
    • take part in our marketing activities


    From other third parties

    We may also collect data about enquirers or members from third parties when:

    • We liaise with client’s insurance policy provider in relation to our private services
    • We deal with NHS health service bodies about services you have received or are receiving from us which they have commissioned
    • We liaise with Government agencies or public bodies, including HMRC, and social services


    If you fail to provide personal data

    Where we need to collect personal data by law, or to undertake the functions which we perform for participating GPs or for your benefit, and you fail to provide that data when requested, we may not be able to perform our functions in your case. This may lead to cancellation by the GP whose program you are participating in of the services provided to you but they will notify you if this is the case at the time.

  5. How is your personal data processed?
  6. We may 'process' your personal data for a number of different purposes. Each time we use your data we must have a legal basis to do so. The particular justification will depend on the purpose for which the data is processed and the nature of our relationship with you e.g whether you are an enquirer or a member. When the data that we process is classed as “special category of personal data”, we must have a specific additional legal justification in order to use it as proposed.

    In most instances, we will rely on the following legal justifications, or 'grounds':

    • Taking steps at your request so that you can enter into a contract with a GP to provide services through their Concierge programme.
    • We have, or a third party has, a Legitimate Interest in processing the personal data and those interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Note that where the enquirer/member is not the data subject we may rely on the enquirer’s or member’s legitimate interest in receiving healthcare. For example, we may process some information about an enquirer’s/member’s next of kin as the enquirer/member has a legitimate interest in the next of kin being contactable and the processing will not adversely affect the next of kin. We will rely on legitimate interests for activities such as quality assurance, maintaining our business records, developing and improving our products and services and monitoring outcomes.
    • It is necessary to comply with a legal or regulatory obligation.
    • We, or participating GPs who have provided services to you, need to use such personal data to establish, exercise or defend legal rights.
    • You have provided your consent to our use of your personal data.


    Generally, we do not rely on consent as a legal basis for processing your personal data in connection with the functions which we undertake for you or others. This does not affect the role which informed consent plays in the context of your decisions about your care and treatment.

    Note that we may process your personal data on more than one lawful ground depending on the specific purpose, or purposes, for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out below.

    Purpose 1: Where you have made an enquiry and we are responding to your enquiry

    Purpose 2: Where we you are taking steps to enter a contract with a participating GP, to set you up on our IT systems

    As is common with most business, we may have to carry out necessary checks in order for you to become a member. These include suitability checks for our services, which we cannot perform without using your personal data.

    Legal ground:

    • Taking the necessary steps so that you can enter into a contract with a participating GP for the delivery of services.

    Additional legal ground for special categories of personal data:

    • The use is necessary for reasons of substantial public interest under UK law.

    Purpose 3: To assist in managing the relationship between participating GP’s and patient’s who are members of their Concierge program

    Legal grounds:

    • For the GP to provide you with services on the basis of a contract with you.
    • Our member’s legitimate interests in obtaining services from participating GPs.
    • Participating GP’s legitimate interests in managing their relationship with their members.

    Purpose 4: For account settlement purposes

    In respect of member’s, we will use your personal data in order to maintain account and billing information which is accurate and up-to-date.

    Legal grounds:

    • Fulfilling our contract with participating GPs to support the operation of their Concierge programs.
    • Our having a legitimate interest in using your personal data.


    Additional legal grounds for special categories of personal data:

    • The use is necessary in order for us to establish, exercise or defend our legal rights.
    • We need to use the personal data for reasons of substantial public interest such as fraud prevention.


    Purpose 5: Communicating with you and resolving any queries or complaints that you might have.

    From time to time, members may raise queries, or even complaints, with us. It is important that we resolve such matters fully and properly, and so we will need to use your personal data in order to do so.

    Legal grounds:

    • Our having a legitimate interest in addressing your queries or complaints for the purpose of maintaining the standard of performance.


    Additional legal grounds for special categories of personal data:

    • The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.
    • The use is necessary for reasons of substantial public interest under UK law.


    Purpose 6: Complying with our legal or regulatory obligations, and defending or exercising our legal rights

    We are required to keep records in respect of the processing of personal data including records of any relevant consents and objections.

    From time to time, we or clinicians who deliver care to members of their program may be the subject of legal actions, regulatory proceedings or complaints. In order to fully investigate and respond to those actions, it may be necessary to access your personal data (although only to the extent that it is necessary and relevant to the subject-matter). We may be required to disclose your personal data in response to a court order.

    Legal grounds:

    • The use is necessary in order for us to comply with our legal obligations.
    • The use is necessary for the Legitimate Interest of Concierge Choice UK LLP or participating GPs in responding to their regulator or in dealing with legal proceedings or otherwise complying with their professional obligations.


    Additional legal ground for special categories of personal data:

    • The use is necessary for establishing, exercising or defending legal claims
    • The use is necessary for reasons of substantial public interest under UK law


    Purpose 7: Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (eg tax or legal advice), the sale, transfer or restructuring (or prospective sale, transfer or restructuring) of our business or its assets whether in whole or in part.

    Legal grounds:

    • Our legitimate interest in running our business
    Additional legal ground for special categories of personal data:

    • The use is necessary for establishing, exercising or defending legal claims.
    Purpose 8: Provide information in relation to new offerings by Concierge Choice UK LLP or to invite you to participate in business development activities

    Legal grounds:

    • Our legitimate interest in running our business


    Change of purpose

    Except as noted below, we will only use your personal data for the purposes for which we collected it, or have previously notified to you, except where further processing is compatible with those purposes. If you wish to get an explanation as to how the processing for the new purpose is compatible with the previous purpose(s), please contact us.

    Except as noted below, if we propose to use your personal data for a purpose which is not compatible with those previously notified, we will notify you and we will explain the legal basis which allows us to do so.

    Please note that, as exceptions to the two previous paragraphs, we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

  7. Disclosures of your personal data


  8. We may share your personal data with the parties set out below for the purposes set out above.

    From time to time, we may share your personal data with third parties.

    Disclosures to third parties:

    We may disclose personal data to the third parties listed below for the purposes described in this Privacy Notice where that disclosure is required or permitted by law. This might include:

    • Participating GPs in respect of members of their Concierge program or prospective members of their program.
    • Members of our support staff
    • Anyone that you ask us to communicate with
    • Third parties who assist Concierge Choice UK LLP in the administration of our business
    • Government bodies and public authorities
    • Our insurers
    • Our third-party advisers including actuaries, lawyers


    We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.


  9. International transfers


  10. In most cases we do not transfer personal data outside of the EEA. On occasion personal data may be transferred outside of the EEA for example at the request of the data subject. On such occasions we will consider the necessity of any transfer and the adequacy or protections for the personal data in the country to which the data is transferred.

    How long will you use my personal data for?

    We will only retain your personal data for as long as necessary to fulfil the purposes we collected it and/or processed it for, including for the purposes of satisfying any legal, accounting, regulatory or reporting requirements.

    To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal and regulatory requirements, including requirements on participating GPs.

    In some circumstances you can ask us to delete your data: see [Request erasure] below for further information.

    In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

  11. Your legal rights


  12. Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:

    • [Request access to your personal data].
    • [Request correction of your personal data].
    • [Request erasure of your personal data].
    • [Object to processing of your personal data].
    • [Request restriction of processing your personal data]
    • [Request transfer of your personal data].
    • [Right to withdraw consent].


    If you wish to exercise any of the rights set out above, please contact us.

    No fee usually required

    Except as described below, you will not have to pay a fee to access your personal data (or to exercise any of the other rights).

    As exceptions to the previous sentence, if your request is clearly unfounded, repetitive or excessive:

    1. we may charge a reasonable fee; or
    2. alternatively, we may refuse to comply with your request in those circumstances.


    What we may need from you

    We may need to request specific information from you to help us confirm your identity and verify your right to access the requested personal data (or to exercise any of your other rights). This is a security measure to reduce the risk of disclosure of personal data to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

    Time limit to respond

    We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.


  13. Glossary


  14. LAWFUL BASIS

    Legitimate Interest means the interest in conducting and managing our business or a third party’s interest. For example, a client’s interest in receiving our services. We make sure we consider and balance any potential impact on you (both positive and negative) and the data subject’s rights before we process personal data for Legitimate Interests. We will not rely on the “Legitimate Interests” ground for processing personal data where our, or the third party’s, interests are overridden by the impact on the data subject, but we may still process it if we have your consent or are otherwise required or permitted to by law. You can obtain further information about how we assess the relevant Legitimate Interests against any potential impact on you in respect of specific activities by contacting us.

    Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

    Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to (which, amongst other legal obligations, includes any regulatory obligation where there is a statutory basis underpinning the regulatory regime and which requires regulated controllers to comply).

    THIRD PARTIES

    External Third Parties

    • Service providers acting as controllers, joint controllers or processors based in the UK, other European Economic Area (“EEA”) countries who provide IT (including, but not only, website) and system administration services and services in relation to emails, including the following:

      Concierge Choice Physicians LLC

      Those organisations publish their own privacy policies which are available on-line. The processing which they undertake on our behalf is subject to the requirements for compliance with the General Data Protection Regulation.
    • The following, who may be based inside or outside the European Economic Area (“EEA”), acting as controllers, joint controllers or processors: participating GPs who contract with Concierge Choice UK LLP, other professionals and service suppliers we use or who are involved in matters we are working on, banks and other financial or investment providers or advisers, and public authorities in the UK and elsewhere;
    • HM Revenue & Customs, regulators and other authorities acting as controllers, joint controllers or processors, based inside or outside the European Economic Area (“EEA”) who require reporting of processing activities in certain circumstances or otherwise for the purposes of, or in connection with the healthcare services and other services we provide.


    YOUR LEGAL RIGHTS

    Please note that Concierge Choice UK LLP is not the Data Controller in respect of any clinical records. Patients wishing to exercise their rights in relation to their clinical records should see the relevant clinician’s privacy notice for contact details.


    In certain circumstances you have the right to:

    Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are processing it lawfully. This is not an absolute right and is subject to specific limitations in the GDPR.

    Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you, or your agent or someone else acting on your behalf, provide to us.

    Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we have processed your data unlawfully or where we are required to erase your personal data to comply with law. Note, however, that the right to erasure is not an absolute right and that we will not always be required to comply with your request for erasure because of specific legal reasons which will be notified to you, if applicable, at the time of your request.

    Object to processing:

    The right to object to other uses of your personal data

    You have a range of rights in respect of your personal data, as set out in detail in the section entitled "Your rights". This includes the right to object to us using your personal data in a particular way (such as sharing that data with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing treatment.

    1. you have the right to object to processing of your personal data where we are relying on
    • our Legitimate Interests (or those of a third party); or
    • the ground that the processing is necessary for the performance of a task carried out in the public interest


    and there is something about your particular situation which makes you want to object to processing on this ground because you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that there are compelling legitimate grounds to process your personal data which override your rights and freedoms.

    Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

    1. where you contest the accuracy of your personal data, such suspension to be for a period enabling us to verify the accuracy of the personal data;
    2. where our processing of your personal data is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
    3. where we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
    4. you have objected to processing pursuant to the right described in the paragraph (a) of the description of your right to “Object to Processing” described above, pending the verification whether there are compelling legitimate grounds to process your personal data which override your rights and freedoms.


    Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to personal data which you provided to us and that is processed by automated means which you, or your agent or someone else acting on your behalf, initially provided consent for us to use or that we used to perform a contract with you.

    Withdraw consent at any time where we are relying on consent as the lawful ground to process your personal data under the GDPR. However, this will not affect the lawfulness of any processing carried out before you withdraw yyour consent. If you withdraw your consent, we may not be able to provide certain services to you.



2018 © All Rights Reserved.