Data & GDPR Compliance
1. Terms and Definitions
We, the Company National Centre for Electromagnetic Therapies trading as The National Centre for Electromagnetic Therapies CIC, refer to either company name as well as “Us, We, I, Ourselves, Company” in both singular and plural in reference to the legal entity National Centre for Electromagnetic Therapies CIC.
The following have been agreed upon between Company and its Data Controllers and Data Processors in keeping with the European General Data Protection Regulation:
1.1 Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998;
1.2 “Controller”, “Processor”, “Processing” and “Data Subject” shall have the meanings given to them in the Data Protection Legislation;
1.3 ICO means the Information Commissioner’s Office;
1.4 Personal Data means all such “personal data” as defined in the Data Protection Legislation as is, or is to be, processed by the Processor on behalf of the Controller;
1.5 Services means bioresonance and/or reiki therapy given to the client/patient as well as the Services performed by data controllers and processors (such as web hosts, email programmes, etc.) which are provided by the Processor to the Controller and which the Controller uses for the purpose[s] described in their respective agreements.
1.7 Clause, Schedule and paragraph headings shall not affect the interpretation of this agreement.
1.8 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
1.9 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.10 Non-Binary terminology: Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular. Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
2. Warranties and Indemnities
2.1 Each party warrants to the other that it will process the Personal Data in compliance with this Agreement and in accordance with the Data Protection Legislation.
2.2 The Parties shall each be liable for and shall indemnify (and keep indemnified) each other against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demand incurred by the other which arise directly or in connection with any data processing activities which are subject to this Agreement.
3. Security Measures
3.1 The Processor shall implement appropriate technical and organisational measures as stipulated in Data Protection Legislation and/or measures imposed by the ICO to ensure an appropriate level of security and these are outlined in Section 3 “Security Measures”.
3.2 The Processor shall assess the appropriate level of security and take into account the risks related to the processing, including the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
3.3 All transmissions of Personal Data between the Processor and the Controller or between the Processor and any third party shall be done by means of adequate encryption agreed between the Parties in writing, verbally, or in practice / deed.
3.4 The Processor shall provide the Controller with general descriptions of the Processor’s and its Sub-processors’ (to the extent that the Processor has access to such Sub-processors’ information) technical and organisational measures implemented to ensure an appropriate level of security.
3.5 The Processor shall provide reasonable assistance to the Controller, taking into account relevant information available to the Processor, if the Controller is obliged to perform an impact assessment and/or consult the ICO in connection with the processing of Personal Data. The Controller shall bear any costs accrued by the Processor related to such assistance.
3.6 We store data in electronic, digital, cloud-based and/or hard copy form. Hard copies are always stored in locations that are under lock and key when not supervised by Us. Digital, electronic, and cloud-based copies of data are always password protected, often use 2-step authentication methods, and are often encrypted.
4. Personal Data
Under the GDPR you may request to view the data Company holds about you. Please submit enquiries in electronic or hard copy written form. Please allow up to four (4) weeks for Company’s response.
You may invoke your right to erasure of personal information. Please submit this request in written form, and allow up to six (6) weeks for erasure. Confirmation will be sent in written form.
Please note that financial records will not be erased for up to ten (10) years after the date of transaction.
Our Data Protection Officer in the UK and EU is Kasey J. N. Phifer, contactable at +44 7394 870 156 and firstname.lastname@example.org as well as via post to Badger House, Oldmixon Crescent, Weston-Super-Mare, BS24 9AY.