Data Protection

Last updated: 9 March 2026

This page provides supplementary information about how Example Weight Loss Clinic meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For our full privacy practices, please read our Privacy Policy.

Data Controller Details

Organisation: Example Weight Loss Clinic (operated by [Clinic Operator Name])
ICO Registration Number: [ICO Registration Number — to be updated]
Registered Address: [Registered Address — to be updated]
Data Protection Contact: [email protected]

We are registered with the Information Commissioner's Office (ICO) as a data controller. Our ICO registration confirms that we process personal data lawfully and transparently. You can verify our registration on the ICO Data Protection Register.

Data Protection Officer / Contact

As a healthcare provider processing special category health data, we have appointed a designated Data Protection Contact to oversee compliance with UK GDPR. If you have any concerns about how your data is handled, or wish to exercise your data subject rights, please contact:

Data Protection Contact
Example Weight Loss Clinic
Email: [email protected]
[Postal address — to be updated]

Lawful Basis for Processing

Under UK GDPR, we must have a valid lawful basis for every processing activity. Where we process special category health data (Article 9), we additionally rely on Article 9(2)(h) — processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care treatment, or the management of health or social care systems. The table below summarises our key processing activities and their lawful bases.

| Processing Activity | Lawful Basis | Special Category? |
|---|---|---|
| Processing your eligibility questionnaire and clinical assessment | Contract (Article 6(1)(b)); Article 9(2)(h) for health data | Yes — health data |
| Providing clinical consultations and prescribing services | Contract (Article 6(1)(b)); Article 9(2)(h) for health data | Yes — health data |
| Managing your patient portal account | Contract (Article 6(1)(b)) | No |
| Processing payments | Contract (Article 6(1)(b)) | No |
| Maintaining clinical records for the required retention period | Legal obligation (Article 6(1)(c)); Article 9(2)(h) for health data | Yes — health data |
| Sending appointment reminders and service communications | Contract (Article 6(1)(b)) | No |
| Analytics cookies and service improvement | Consent (Article 6(1)(a)) | No |
| Marketing communications (if opted in) | Consent (Article 6(1)(a)) | No |
| Fraud prevention and security monitoring | Legitimate interests (Article 6(1)(f)) | No |
| Reporting to regulatory bodies (CQC, MHRA) where required | Legal obligation (Article 6(1)(c)) | May include health data |

Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms. This includes our clinical record management system and any new technology that processes health data. DPIAs are reviewed annually and whenever significant changes are made to our processing activities.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we are legally required to notify the ICO within 72 hours of becoming aware of the breach, in accordance with Article 33 UK GDPR. Where the breach is likely to result in a high risk to individuals, we will also notify affected individuals without undue delay.

We maintain an internal data breach register and have a documented incident response procedure. All staff are trained to recognise and report potential data breaches to our Data Protection Contact immediately.

Data Subject Rights

Under UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month.

  • Right of access (Subject Access Request): to receive a copy of the personal data we hold about you
  • Right to rectification: to have inaccurate data corrected
  • Right to erasure ("right to be forgotten"): to have your data deleted, subject to our legal retention obligations
  • Right to restrict processing: to limit how we use your data in certain circumstances
  • Right to data portability: to receive your data in a structured, machine-readable format
  • Right to object: to processing based on legitimate interests or for direct marketing
  • Rights related to automated decision-making and profiling

Complaints to the ICO

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at [email protected].