Privacy Policy
A) Introduction
At Sophistique Beauty Specialists, we may collect and process personal data from individuals with whom we engage in the course of our business. Whether recorded on paper, electronically, or by other means, all personal data must be handled with care, lawfully, and securely.
We consider the proper and lawful treatment of personal data as fundamental to our success and to maintaining trust with our clients and stakeholders. As such, we fully endorse and adhere to the principles set out in the UK General Data Protection Regulation (UK GDPR).
This policy outlines how we process personal data, respond to data breaches, and respect the rights of individuals. It applies to all personal data we hold in both manual and digital formats and covers the data of clients, referred to herein as "relevant individuals."
B) Definitions
Personal data: Any information relating to an identifiable person who can be directly or indirectly identified (e.g. name, ID number, location data, or online identifiers). This includes pseudonymised data.
Data processing: Any operation performed on personal data, such as collection, recording, organisation, structuring, storage, retrieval, use, disclosure, erasure, or destruction.
C) Data Protection Principles
Under GDPR, personal data must be:
a) Processed lawfully, fairly, and transparently
b) Collected for specific, explicit, and legitimate purposes
c) Adequate, relevant, and limited to what is necessary
d) Accurate and kept up to date
e) Retained only as long as necessary
f) Processed securely to prevent unauthorised access, loss, or damage
g) Transferred outside the UK or EEA only in compliance with specific conditions
D) Types of Data Held
We retain various types of client data, including but not limited to:
Full name, address, email, phone number
Medical history (if relevant to treatment)
Bank/payment details (for transaction purposes)
All data collected is essential for client care, treatment planning, and business administration.
E) Client Rights
Clients have the following rights under GDPR:
a) To be informed about how their data is used
b) To access the data we hold on them
c) To correct inaccuracies in their data
d) To request erasure (the right to be forgotten)
e) To restrict processing in certain circumstances
f) To data portability
g) To object to data processing
h) To prevent automated decision-making and profiling
F) Responsibilities
All employees involved in data processing are trained on our data protection policies and are responsible for safeguarding client data. A designated compliance officer oversees regular reviews and updates to our data protection practices.
G) Lawful Basis for Processing
We only process personal data when a lawful basis exists. This may include:
Consent (freely given, specific, informed, and unambiguous)
Contractual necessity
Legal obligations
Legitimate interests
Where consent is required, it will be obtained explicitly, and clients will be informed of their right to withdraw consent at any time.
H) Access to Data
Clients can request access to their personal data by submitting a Subject Access Request. We will respond within one calendar month, or notify the client if an extension is necessary. No charge will be made unless the request is excessive, repetitive, or unfounded.
I) Data Disclosures
Data may be disclosed when:
Required by law (e.g. to law enforcement or HMRC)
Necessary to prevent or detect a crime
Requested by a court order
Such disclosures are made only when strictly necessary and in accordance with GDPR.
J) Data Security
We ensure data security through the following measures:
Hard copy records are stored in locked cabinets
Digital data is encrypted and password-protected
Only authorised personnel have access to client records
No sensitive data is stored on unprotected mobile devices
Staff use screen locks and follow secure login protocols
Failure to comply with our data protection procedures may result in disciplinary action.
K) Third-Party Processors
Where third-party services are used (e.g. booking platforms, payment providers), we ensure they comply with GDPR through Data Processing Agreements (DPAs) to safeguard client data.
L) International Data Transfers
We do not transfer personal data outside the UK or EEA. If this changes, it will be done in full compliance with international transfer safeguards.
M) Data Breach Reporting
All data breaches are logged in our Data Breach Register. If a breach presents a risk to individual rights, we will notify the ICO within 72 hours and inform the affected individual(s) where required.
N) Staff Training
All staff receive data protection training upon induction and on a regular basis thereafter. This includes:
Understanding confidentiality and client rights
Recognising data breaches
Following secure handling and storage procedures
Our compliance officer and other relevant staff are trained in GDPR responsibilities and response procedures.