Adonia Data Policy 20/08/2021

This Data Policy concerns personal information captured, stored and/or processed by Adonia Boutique Hammam Spa in the course of our business and demonstrates compliance with the UK General Data Protection Regulation (GDPR).

Compliance with the UK GDPR shall be evidenced by reference to a data protection compliance folder in the Adonia filing system. This shall include this policy and any supporting information.


Data Protection Officer: Mrs Najat Campbell


Data Types:


Client Data - Essential:

These data allow Adonia to provide a safe and optimal experience to our clients and are essential for the business to conduct its transactions with them.

Names

Addresses

Medical health consultation records

Telephone numbers and texts

Email addresses and content

Treatments undertaken

Client notes


Client Data - Optional:

These data are optional and are provided entirely at client discretion.

Customer feedback

Approval to opt-in to mailing list (email)


Client Data – Incidental:

Enquiries, background information, etc. in the form of emails or letters will be destroyed after the matter has been closed.


Data about employees and contractors engaged, or potentially engaged at Adonia:

These data are essential in order to operate the business using staff and contractors.

Names

Addresses

Email addresses

Telephone numbers

Bank sort codes and account numbers

Qualification Certificates (if applicable)

National Insurance details (if applicable)

Insurance certificates (if applicable)

Proof of right to work in the UK

Information on disciplinary, grievances, or awards

CVs and application forms/letters


Data about services and suppliers engaged at or with Adonia:

These data are essential to engage services and suppliers for maintenance, repair, or specialist services.

Contact details

Transaction records

Contracts


CCTV Records:

CCTV recording to hard disk operates in the premises 24 hours a day. Visible signage indicates that CCTV recording is in operation.



Data Storage, Retention, and Destruction:

Adonia operates a paper-based filing system for most data. The exceptions are CCTV video, the opt-in feedback and mailing list, emails, texts, and the card payment system.

Paper records are kept in a locked cabinet with access limited to Adonia management and its delegates.

Essential Client Data is reviewed at least annually for relevance and can be kept for up to 10 years before being destroyed unless a request is made to erase the data earlier.

Employee or contractor data will be retained throughout their time working with Adonia but will be destroyed if they leave the business. CVs, forms and letters relating to unsuccessful applicants for work will be retained for 3 months and then destroyed.

Optional Client Data shall be reviewed annually but retained as long as the relationship with the client continues. The client can request to opt-out at any time.

The CCTV recording system over-writes the recorded video after approximately 15 days, so no long-term records are kept. The CCTV recording system is remote and within a locked cabinet; viewing of CCTV imagery is provided only to Adonia management or delegates. An exception to the above may occur if the recorded video is used as evidence in relation to any criminal act and a copy is required by the relevant authorities.

The Card Payment system includes the use of a tablet computer and a card reader. These are kept in a locked cabinet when not being used under the direct supervision of Adonia management or a delegate. Personal data interaction between the cardholder and the GDPR-compliant card reader provider SumUp does not involve Adonia directly, and SumUp assures that its data management system is GDPR compliant.

Copies of data (photocopy, scan, electronic storage media such as USB and disks) may be necessary to transfer data from one location to another. These copies shall be kept in a locked cabinet when not in use. Such copies (other than where the copy forms permitted data as per this policy) shall be destroyed or erased immediately after the transfer has taken place.

Destruction of paper-based records will be undertaken by cross-cut shredder and disposal of the paper fragments, or incineration.

Destruction of any electronic records shall be undertaken by formatting, over-writing, or physical destruction.


Data Access, Erasure, or Correction Requests:

These shall be addressed to the Data Protection Officer at Adonia in accordance with GDPR requirements.


Risk Mitigation/Compliance:

Adonia will maintain this data policy, taking into account any arising risks highlighted by staff, contractors, or clients and the subsequent actions required to mitigate them, thus ensuring that compliance with the GDPR is maintained. Any breaches shall be logged.


Website and Social Media:

Access is controlled via a password system managed by the Data Protection Officer. Adonia does not store personal client data in these systems and there is no on-line booking system. Terms and conditions for clients accessing and inputting data to their own social media are beyond the scope of Adonia.


Card Payment System

Our current card payment provider, SumUp, is UK GDPR compliant. Transfer of personal data relating to payments is between the client and SumUp and is beyond the scope of our Data Policy. Their privacy policy can be found here: https://sumup.co.uk/privacy/
Prevention of Sharing, Sale, or Leaking of Data to Third Parties

Any personal data provided to Adonia will be used only for the purposes, and with the permissions, described above and will not be passed in any way to third parties other than if the business is sold and continues with a new owner. Rigorous controls are in place to prevent leakage and dissemination of client data. Adonia will follow the guidance provided by the Information Commissioner’s Office (ICO) when and if the business is sold as follows:


The ICO requirements:

• The seller must make it clear that the buyer can only use the data for the purposes for which it was originally collected. The database should therefore only be sold to a business that will make the same or similar use of it.

• The buyer must obtain the consent of the individuals referred to on the database if it wishes to use the data for a new purpose.

• The buyer should tell the individuals referred to on the database about the change of ownership.

• The buyer can only use the database for unsolicited marketing if the individuals referred to in it have agreed to receive such marketing, or receipt of such marketing is “likely to be within their reasonable expectations”.

• Where this is the case, the buyer can only market products and services similar to those that have been advertised through the database before.

• The buyer must delete any unnecessary personal information held on the database.



Inadvertent leakage of client data

In the unlikely event of leakage of client data, immediate steps will be taken to stem the leakage, a full assessment of the cause will be made by Adonia management, and the relevant authorities in the Information Commissioner’s Office (ICO) will be informed.


Privacy Policy

This Adonia Data Policy should be read in conjunction with the Adonia Privacy Policy.