GDPR Compliance
Your data protection rights under UK GDPR
Our Commitment to Data Protection
Circuit Muse is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise the importance of protecting your personal information and maintaining your trust.
This page provides specific information about how we meet our obligations under GDPR and how you can exercise your data protection rights.
Data Controller Information
For the purposes of UK GDPR, the data controller is:
Circuit Muse
42 Highbury Grove
London N5 2EA
United Kingdom
Email: [email protected]
Legal Basis for Processing Personal Data
We process personal data only when we have a lawful basis to do so. The legal bases we rely on include:
Consent
In some cases, we process personal data based on your explicit consent. When we rely on consent, you have the right to withdraw it at any time. This includes:
- Marketing communications (if applicable)
- Non-essential cookies and tracking
- Sharing information beyond what is contractually necessary
Performance of Contract
We process your data when necessary to fulfil our contract with you, including:
- Delivering the services you've requested
- Managing appointments and sessions
- Processing payments
- Communicating about your service
Legal Obligation
We process data when required to comply with legal requirements, such as:
- Maintaining records for tax purposes
- Responding to lawful requests from authorities
- Complying with professional regulatory requirements
Legitimate Interests
In certain situations, we process data based on legitimate interests, provided these don't override your fundamental rights. This includes:
- Improving our services and website
- Ensuring security and preventing fraud
- Internal administrative purposes
Your Rights Under GDPR
UK GDPR grants you specific rights regarding your personal information. We respect these rights and have processes in place to facilitate their exercise.
Right to Access (Subject Access Request)
You have the right to request a copy of the personal information we hold about you. This includes:
- Confirmation that we are processing your data
- A copy of your personal data
- Information about how we use your data
- Details of who has access to your data
We will respond to access requests within one month, free of charge. In complex cases, we may extend this by up to two months and will inform you if this is necessary.
Right to Rectification
If personal information we hold about you is inaccurate or incomplete, you have the right to have it corrected. We encourage you to keep your information up to date and will amend our records promptly when you notify us of changes.
Right to Erasure (Right to be Forgotten)
In certain circumstances, you can request deletion of your personal data. However, this right is not absolute and may be limited by:
- Legal obligations to retain records (such as financial records for tax purposes)
- Professional obligations to maintain clinical records for specified periods
- Legitimate interests that override the right to erasure
We will assess each request on a case-by-case basis and explain our decision.
Right to Restriction of Processing
You can request that we limit how we process your data in specific situations, such as:
- When you contest the accuracy of the data
- When processing is unlawful but you don't want data erased
- When we no longer need the data but you need it for legal claims
- When you've objected to processing and we're verifying legitimate grounds
Right to Data Portability
Where technically feasible, you have the right to receive your personal data in a structured, commonly used format and to transmit it to another controller. This applies to data you've provided to us where processing is based on consent or contract and is carried out by automated means.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. We do not currently engage in automated decision-making of this nature.
How to Exercise Your Rights
To exercise any of your data protection rights, please contact us in writing:
- Email: [email protected]
- Post: Circuit Muse, 42 Highbury Grove, London N5 2EA, United Kingdom
When submitting a request, please include:
- Your full name and contact details
- Details of your request and which right you're exercising
- Any relevant reference numbers or dates
- Proof of identity (we may request this to protect your data)
Data Protection Measures
We implement appropriate technical and organisational measures to ensure data protection by design and by default:
Technical Measures
- Encryption of sensitive data both in transit and at rest
- Regular security assessments and penetration testing
- Secure backup procedures with encryption
- Access controls and authentication requirements
- Regular software updates and security patches
Organisational Measures
- Data protection policies and procedures
- Staff training on data protection and confidentiality
- Confidentiality agreements with all staff and contractors
- Regular review and audit of data processing activities
- Incident response procedures for data breaches
Data Breach Procedures
In the unlikely event of a personal data breach, we have procedures in place to:
- Detect and contain the breach promptly
- Assess the risk to individuals' rights and freedoms
- Notify the Information Commissioner's Office within 72 hours if required
- Notify affected individuals without undue delay if there is a high risk to their rights
- Document the breach and our response
International Data Transfers
We primarily store and process data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions recognising equivalent data protection
- Standard contractual clauses approved by the ICO
- Other legally approved transfer mechanisms
Data Protection Impact Assessments
For processing activities that may result in high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate risks before processing begins.
Third-Party Processors
When we engage third parties to process data on our behalf, we:
- Conduct due diligence on their data protection practices
- Ensure written contracts are in place with appropriate data protection clauses
- Verify they provide sufficient guarantees of GDPR compliance
- Monitor their compliance on an ongoing basis
Record Retention
We maintain documented retention schedules specifying how long different types of personal data are kept:
- Client clinical records: 7 years from end of service
- Financial records: 6 years as required by law
- Correspondence and communications: Varies by purpose
- Website analytics: Maximum 26 months
Data is securely destroyed or anonymised when the retention period expires and there is no legal reason to retain it.
Complaints and Concerns
If you have concerns about how we handle your personal data, please contact us first so we can address your concerns directly. If you remain unsatisfied, you have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Updates to This Information
We review our GDPR compliance regularly and update this page as necessary to reflect changes in our practices or legal requirements. Please check back periodically for updates.
Further Information
For comprehensive information about how we handle your data, please also review our Privacy Policy.
For questions specific to GDPR or to exercise your rights, contact us at [email protected].