top of page


3RPhysiotherapy in compliance with GDPR.

The GDPR includes the following rights for individuals: · the right to be informed; · the right of access; · the right to rectification; · the right to erasure; · the right to restrict processing; · the right to data portability; · the right to object; and · the right not to be subject to automated decision-making including profiling. On the whole, the rights individuals will enjoy under the GDPR are the same as those under the Data Protection Act but with some significant enhancements.

Transparency with 3RPhysiotherapy patients.

We have reviewed our privacy notices and customer consent journeys. This is to make sure that we’re giving our patients the information they need about when and why their information may be shared with third parties (including healthcare professionals treating them), and obtaining any consents needed for this. We have published this updated privacy notice on our website, this explains how we handle personal information.


Where is your personal data held?

Your data is held as a paper copy in a locked filing cabinet.  Email addresses are held on an encrypted computer. Insurance cases are also held by your insurance provider. We will review consents to check that they are still in line with our processing and purposes periodically.

Why is your data held?

Data retention - an individual has three years to bring a personal injury claim (with some exceptions) and six years if they wish to bring a claim under contract law. Therefore, records must be retained at least until the limitation period has expired.

Data is held for many reasons. To contact current patients, contact old patients for follow up enquiries and special offers. Data about treatments are held in accordance with physiotherapy guidelines of 7 years.

Where did your data come from?

Your data has come from yourself as a patient and written down on the new patient forms. We may also obtain medical notes/contact from your doctor (or other healthcare practitioners) if we have an agreement to be in correspondence with them as part of your treatment.  This will only happen if orally agreed by yourself. Data will only have come from a third party if 3RPhysiotherapy has received you from an insurance company (all of which conform to new GDPR laws). 

Who do we share your data with?

Your data is only shared with employers of 3RPhysiotherapy on a need-to-know basis. Third parties will only include your GP or Consultant who may contact us for your medical information.  No other third parties will come in to contact with your data if you are a self-funding patient.  If you have become a patient through an insurance company, data will only be shared through secure emails with that specific company.

Having your personal data deleted.

An individual to able request the deletion or removal of personal data where there is no compelling reason for its continued processing.  Data about a condition that has been treated has to comply with guidelines and be held for 7 years.  Data for advertising via post and email can be deleted upon request with immediate request. We will act upon withdrawals of consent as soon as we can and will not penalise any clients for wanting to do so.

May it be noted that:

Records shall be kept for at least 7 years following the last occasion on which treatment was given. In the case of treatment to minors, it is advisable that records should be kept or at least 7 years after they reach the age of majority (18).

Record Keeping - Condition 14 c, on page 35

Fairness of collecting data.

The main elements of fairness include:

  • using information in a way that people would reasonably expect. This may involve undertaking research to understand people’s expectations about how their data will be used;

  • thinking about the impact of our processing. Will not have unjustified adverse effects on our clients

  • being transparent and ensuring that you know how your information will be used. This means providing privacy notices or making them available, using the most appropriate mechanisms. In a digital context this can include all the online platforms used to deliver services.


How WIX is covered by GDPR.

3RPhysiotherapy website has been created using Wix. Please see Wix Policy sections 8, 12 & 13 0n their Privacy Policy on information regarding visitors to our site and how the website gathers, uses, discloses, and manages our site visitors' data.  Our website is HTTPS secure.

Lawful Basis - Consent.

We have documented our decision in which lawful basis applies to help us demonstrate compliance.

Processing special category data. – Special category data of Health.

Special category data is personal data which the GDPR says is more sensitive, and so needs more protection.The conditions below are appropriate to 3RPhysiotherapy and are listed in Article 9(2) of the GDPR:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. Being for treatment and for contact in the future.  Where insurance companies are involved, appropriate data will be sent to them.

(b)  processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(c) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.

bottom of page