top of page




Your personal data is data which by itself or with other data available to The Endometriosis Clinic Ltd can be used to identify you as an individual. Peter Barton-Smith is the data controller. This Privacy Notice sets out how we will use your personal data. You can contact the data controller if you have any questions.


Types of personal data we collect and use


We will use your personal data for the reasons set out below. We will collect most of this directly during the registration and/or admission process but there may be sources of personal data collected indirectly as set out later in this policy. The personal data we use may include:


Your name, address and contact details, including email address and home and mobile telephone numbers, date of birth and gender. Your previous and current medical health records, whether provided by yourself to us or other via third parties. Your financial information (your bank account and national insurance number) if you are a ‘self pay’ patient, or the financial information of the company or individual who is responsible for the payment of invoices or bills relating to your care (e.g. insurer or sponsor).

We may also hold data on:

Information about your marital status, next of kin, dependants nominated and/or emergency contacts

Information about your nationality and entitlement to treatment in the UK

Information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments

Information about medical or health conditions of your family

Information received in response to any surveys or complaints claims

Equal opportunity monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief

Information about how you use our website.


This data may also include visual images. This data may be collected at the start of your treatment; from correspondence with you; through the Admission and Registration process or through interviews, meetings or other assessments. In some cases, we may collect personal data about you from third parties, such as insurer providers, referral agencies, sponsors and checks permitted by law.


Providing your personal data


We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide care and treatment and receive payment for these services.


Monitoring of communication


Subject to applicable laws, we may monitor and record staff calls, emails, text messages, social media messages and other communications in relation to our dealings with you. We will do this to ensure an appropriate standard of care, for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications networks and systems, to check for unlawful content, obscene or profane content, for quality control and staff training, and when we need to see a record of what has been said. We may also monitor activities on our network and systems where necessary for these reasons and this is for our legitimate interests or other legal obligations.


Using your personal data and the legal basis for processing


We will process your personal data under Article 6 (1) and Article 9 (2) of the General Data Protection Regulations:


To support the provision of your healthcare

To decide how best to provide treatment to you

As necessary to support the healthcare contract with you and to allow us to receive [full] payment for those services

To take steps at your request during the course of your treatment

To keep your records up to date


We will process your personal data under Article 6 (1) f of the General Data Protection Regulations:


As necessary for our own legitimate interests or those of other persons and organisations, e.g.:


For good governance, accounting, and managing and auditing our clinical and business operations

To monitor emails, calls, other communications, and activities on HCA UK networks and systems

For market research, analysis and developing statistics for improving clinical performance


As necessary to comply with a legal obligation:


When you exercise your rights under Data Protection Laws and make requests

For compliance with legal and regulatory requirements and related disclosures

For establishment and defence of legal rights

For activities relating to the prevention, detection and investigation of crime

To verify your identity, make credit fraud prevention and anti-money laundering checks; and to investigate complaints, legal claims and data protection or clinical incidents.

Based on your consent:

If you ask us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf; or otherwise agree to disclosures

When we process any special categories of personal data about you at your request (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation).

You are free at any time to change your mind and withdraw your consent. The consequence might be that we cannot continue to provide full healthcare services to you.


Sharing of your personal data


Subject to applicable Data Protection Laws we may share your personal data with:


Consultants, doctors and other healthcare professionals who provide treatment to you at our facilities

Other healthcare providers where we feel this will enhance the quality of your care

Sub-contractors and other persons who help us to provide healthcare products and services to you

Companies and other persons providing services to you as part of your extended care

Our legal and other professional advisors, including our auditors

Fraud prevention agencies, credit reference agencies and debt collection agencies

Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators and the Information Commissioner’s Office (ICO), Courts, to comply with legal requirements, and for the administration of justice

Third parties in an emergency or to otherwise protect your vital interests.

Third Parties to protect the security or integrity of our business operations and other patients.

Third parties when we restructure or sell our business or its assets or have a merger or re-organisation

Payment systems and providers

Anyone else where we have your consent or as required by law


Sharing of your personal data for research purposes


Subject to applicable Data Protection Laws and your explicit written consent we may share your personal data for the purpose of scientific research.


Sharing of your personal data for marketing purposes


Your contact details may be used to send you newsletters and other information about new facilities, services and treatments which we think may be of interest to you. We will not sell your personal data to a third party without your written consent.

You are free at any time to change your mind and withdraw your consent.

This will not affect the healthcare services we provide to you.


International transfers


Your personal data may be transferred outside the UK and the European Economic Area. While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it. These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certified with an ‘international framework’ of protection.


How long do we keep your data?


Information will be kept in in accordance with the retention periods outlined in the Information Governance Alliance (IGA) Records Management Code of Practice


for Health and Social Care (2016). Information may be held for longer periods where the following apply:


Retention in case of queries:


We will retain your personal data as long as necessary to deal with any queries you may have


Retention in case of claims:


We will retain your personal data for as long as you may legally bring claims against us


Retention in accordance with legal and regulatory requirements:


We will retain your personal data after you have received healthcare services at our facilities based on our legal and regulatory requirements.


Your rights under applicable data protection law


Your rights are as follows (noting that these rights do not apply in all circumstances):

The right to be informed about processing of your personal data

The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed

The right to object to processing of your personal data

The right to restrict processing of your personal data

The right to have your personal data erased (the ‘right to be forgotten’)

The right to request access to your personal data and information about how we process it

The right to move, copy or transfer your personal data (‘data portability’)

Rights in relation to automated decision making including profiling

You may exercise these rights by contacting the Data Controller

You have the right to complain to the Information Commissioner’s Office (ICO). It has enforcement powers and can investigate compliance with Data Protection Laws. Visit for more information.


For more details on all the above you can contact our Data Protection Officer.

The Endometriosis flowers logo
bottom of page