Privacy Notice


Phil Elliott Chiropractic is committed to protecting and respecting your privacy. The basis on which we collect and process any of your personal data and your rights under The General Data Protection Regulations (GDPR) regarding that, are set out in this policy. For full definitions of terms and more information about GDPR please refer to the Information Commissioner's Office (ICO): website
The Data Controller and your data.
Philip Elliott is the data controller. This means how your personal data is processed and for what purposes is controlled by him. Contact details are: 'Ty Nant', Tower View, Monmouth, NP25 5FD. || Tel: 07840733275 ||

We collect and process the following categories of your personal data:
   Personal data: such as Name, Date of Birth, Address, Phones, Email, Occupation, IP address
   Special categories of data: such as Health Data: e.g. medical history, diagnostic & treatment info
You may provide us with personal data when you contact us via telephone, text, email, web-form or writing and where we use paper-based forms we complete in conjunction with you. We collect your IP address, and use cookies when you visit our website. (See Cookie Policy) With your additional explicit consent we may also obtain specific relevant medical information from your GP or other Healthcare Professionals and communicate relevant info to them regarding your assessment and treatment.
Why we collect and process your personal data - our purposes and lawful bases for processing.

The purposes of processing your personal data, and corresponding lawful bases, are:

  • For the performance of a contract for the provision of health services as a chiropractor (e.g. recording contact details, health history, assessment and treatment data), or necessary for taking steps prior to entry into such a contract e.g. preliminary discussions of a health condition and spinal checks. The lawful bases for this include, "performance of a contract" and as it involves special category data the additional condition for processing under GDPR article 9 is, "Processing necessary for "the provision of health.. care or treatment or the management of and services …pursuant to contract with a health professional." Another lawful basis is "compliance with legal obligations", see 3 below

  • To maintain two-way communication with you about appointments, and treatment as part of the delivery of our services e.g. via phone, text, web-form, email and writing. The legal basis is, "performance of a contract"

  • To comply with legal obligations e.g. under the Chiropractic Act and Professional regulation we must process sufficient history and examination data  to provide, & review, appropriate treatment and meet requirements in maintaining Insurance. The lawful basis is, "compliance with legal obligations".

  • To communicate with your GP or other Healthcare Professionals if we need to obtain specific relevant information from them or provide them with information on referral. This will only occur with your additional explicit consent and so the lawful basis is "consent" - unless there is a need to protect "vital interests" or sufficient "legitimate interests".

  • To administer and monitor the performance of our website and improve user experience via cookies and IP logging. As we ask for cookie consent, the lawful basis is "consent".

  • For any establishment, exercise or defence any legal claims whether in court proceedings or in an administrative or out-of-court procedure. The legal basis is our "legitimate interests" namely the protection and assertion of our legal rights, your legal rights and the legal rights of others. The article 9 condition is "the establishment, exercise or defence of legal claims"

  • To protect the vital interests of the data subject/individual or another person, e.g. in emergency situations where the individual is physically or legally incapable of giving consent & paramedics need the information. The legal basis and article 9 condition is "vital interests"

Is it really necessary to collect and process your data?
We need to collect and process your personal data as it is a contractual requirement, or necessary to take steps prior to entry into a contract for provision of a health service. If you do not give it you will not be able to receive chiropractic assessment and care.

Do we share your personal data?
Your personal data will be treated as strictly confidential. Only with your additional explicit consent will we share personal data (and special category personal data-health info) with your GP, or other Healthcare Professionals.
We may also have to disclose personal data if required to do so by law enforcement agencies, statutory regulators and insurers and in order to establish, exercise or defend our legal rights. Minimal initial contact data: e.g. name, telephone number is shared where necessary with the independent, separate Data Controllers Monmouth natural health centre, Abergavenny natural therapy centre or Morgan Chiropractic ,as appropriate, so that they can coordinate appointment/room scheduling across the centre. They might also independently request your explicit consent to email you news of centre services and events.
How long your data will be retained.
We keep your data for a minimum period of 8 years after your: last appointment, or attaining the age of majority (18); to comply with Professional regulatory legal guidance and Insurance legal obligations. Some records may be kept indefinitely, for the protection of patients & the practitioner, to show a history of the healthcare received. 
Your individual rights under GDPR regarding your personal data.
Regarding your personal data, unless subject to an exemption under the GDPR, you have various rights. The right to be informed is the purpose of this privacy notice, other rights are listed below:
To exercise these rights please make requests in writing or by email to Philip Elliott, (contact details above) providing your name, address, telephone number and email address. Before modifying or conveying data we will need to verify your Identity so may ask for a copy/scan of your Passport, Driving License and/or a recent utility bill.
The right to request that we correct personal data if it is found to be incorrect or incomplete- please let us know if any of your information needs to be updated as this is your responsibility.
If consent was the lawful basis for processing data, the right to withdraw consent at any time.
Where there is a dispute regarding the accuracy or processing of your personal data, the right to request a restriction is placed on further processing.
The right, where applicable, to request data is erased if it is no longer necessary for us to retain it. There are general exclusions to this right including where processing is necessary for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.

Where applicable, the right to object to processing of data for certain purposes e.g. marketing.
The right to make a Subject Access Request - requesting a copy of your personal data.
Applicable only where the data controller processes data by automated means, the right to request that the data is transmitted directly to another data controller (the right to data portability).

Transfer of personal data outside the EU.
The secure email service we use for sensitive communications is based in Germany so within the EU. Any cloud based services used in future with servers based outside the EU, will be certified under the EU-Swiss-US Privacy Shield and thus compatible with GDPR.
What happens if we want to use your data for a new purpose?
We will give you a new notice explaining any new use of your personal data, not mentioned in this Privacy Notice, before commencing processing and describing the relevant purposes and conditions.
Data Security and what happens if there is a problem.
We have implemented processes, procedures & technical measures to guard against loss, disclosure and abuse of your data. No transmission of data via the internet is 100% secure - for this we cannot accept liability but, for any sensitive info an EU-based email service using end-to-end encryption which does not store data can be used.
Should your personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedoms, we will contact you without delay. We will contact you to explain to you the nature of the breach and the steps we are taking to deal with it.
Any future changes to our privacy policy.
Any changes we may make to our privacy policy in the future will be posted on this page. Please check back frequently to see any updates or changes to our privacy policy.
How to make a query or complaint about the way your data is processed.
To exercise all relevant rights, for queries or complaints please in the first instance contact Philip Elliott on 07840733275 || || 'Ty Nant', Tower View, Monmouth, NP25 5FD.If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) .You can contact ICO via their website