Echo Eighty Ltd
12 Sea Kings
Echo Eighty Ltd trading (trading as “Echo Eighty”) is a limited company, registered in England and Wales/Northern Ireland/Scotland. Company Number 11740965. The Data controller and Processor is Timothy Ryan.
The Lawful basis for processing data
The basis on which we keep data is that of ‘Legitimate Interests’. This means that the data is necessary for us to fulfil the objectives of Echo Eighty Ltd and that it is data that would reasonably be expected for us to hold and use.
The data we hold includes client information as provided on the paper forms required for treatment.
Data is shared in the following circumstances:
- With the client, if they request their personal records.
- With our accountant who will see bank, credit card and Paypal records which will contain information that is submitted when making a payment. It asked we will redact identifiable data before sending it to the accountants.
The data is primarily used to enable us to provide the service that we have been engaged to provide. It may also be used for scientific and statistical purposes.
Where the data is held
Any emails are either help on a hard drive or are archived in cloud-based secure storage which in itself is GDPR compliant. Credit card information is shredded as soon as it proceeds. Standing order mandates are deleted as soon as payments commence.
Client data is kept for 7 years. After this time any paper records are shredded and computer records are permanently deleted.
We take all the security of data seriously and as such:
- All data is held securely (as detailed above).
- Any sensitive data transmitted is sent encrypted where possible.
- We are not in control of the data (including emails) that are sent to us.
- If there is any breach of data security, we will give full details to the Commissioner’s Office and any person affected within 72 hours of the breach and take any actions necessary to minimise potential impact.
Clients have rights with regard to the data held:
- The right of access. We will provide all data we hold on you as soon as we can following a request (within 30 days unless impossible due to holiday, illness or pandemic).
- The right to erasure. If a client request all their data is erased we will delete all computer records and shred any paper records.
- The right to restrict processing. Correction of any errors as a stop-gap before erasure.
- The right to data portability. This might apply if a client wants notes sent to another therapist. The easier option would be to grant the right to access, therefore the data would be sent to the client.
- The right to object to. Processing based on legitimate interest or the performance of a task in the public interest/exercise of official authorities (including profiling). We do not engage in these things. Clients can opt out at any time.