Well Gel Nails General Data Protection Regulation Policy
The name and contact details of the data processor:
Well Gel Nails
Ellenor Smith
3 Roosevelt Way
I am both the controller and processor. At present our data is held on paper based records. A screen shot of your data will be stored as back up in the event of breach, on a secure encrypted cloud database.
Data may also be stored on an on line booking system, but only with explicit, opt in,signed for consent. This data will not be shared with any third parties, but will be used for appointment making, reminders, promotions and product information.

The purpose of the processing:
Personal data at Well Gel Nails is processed in order to comply with business insurance policy, to ensure a responsive appointment booking system and to keep track of any medical conditions that may affect or change a treatment.

A Description of the categories of data subjects and of the type of personal data related to them that the organisation holds:
Well Gel Nails hold personal data relating to our customers. We store the following information in order to comply with requirements of our insurance policy.
Personal Data:
Name, Address, Email, Telephone number, Date of birth, Doctors name and address

Sensitive Data:
Medically history, health details and medication.
The type of recipients that the organisation have or will disclose the data to particularly

those based in third parties:
The data is only disclosed to insurance companies in the result of a claim being made against Well Gel Nails. The data is also disclosed to working colleague Elizabeth Harold for purposes listed above.
With opt in, signed for consent the data may be stored on an on line booking system. This data will not be shared with any third parties, but will be used for appointment making, reminders, promotions and product information.
In the event of using photographs on social media consent will be obtained prior to use.

Individual Rights:
A client can make a written request to access the information/data being held on them. Well Gel Nails will fulfil this within 30 days from the date of the receipt of the request.
As a data subject (client)  can withdraw that consent at any time by contacting the data processor, Ellenor Smith 07886774431, 3 Roosevelt Way, Colchester, Essex, CO2 8SX or via email to ellenorsherman@hotmail.co.uk

If the data subject chooses to opt out, Well Gel Nails will have to keep the details for 7 years in compliance with insurance. If the data subject decides to opt out, Well Gel Nails will no longer be able to perform treatments on said data subject.  Well Gel Nails will cease all future contact with the data subject and destroy the data once the legal term for insurance purposes has finished.

 When the organisation intends to erase the data (where possible):
Well Gel Nails will destroy client records through a shredding and secure disposal.
All data files stored on a cloud will be deleted effectively and securely.
The data will be erased when the client has not purchased services for a period of 7 years, at this point they are deemed to be no longer a client of the company.

 A description of the security measures taken to keep data:
All records that are kept in paper format are stored in alphabetical order in a locked, fire proof cabinet. The key is held by Ellenor Smith.
When the salon is closed the cabinet remains locked within the locked salon and keys are stored in a key cabinet.
A copy of this data will also be held in a remote secure cloud, as back up in the event of a breach.
Data held by on line booking systems such as “Shedul” follow their own GDPR Policy which can be obtained by contacting them directly. Shedul store data which is backed up on encrypted cloud database. Shedul uses SSL security and hardware has firewalls.
All programmes, on line booking systems are password protected.
All data processors and controllers will have a knowledge of Well Gel Nails GDPR Policy.

Breach Reporting:
Individual data subjects (clients) will be notified if a breach is likely to result in high risk to the rights and freedoms of the data subject.
A breach that is likely to result in a risk to the rights and freedom of the data subject, will be reported to the ICO (The Information Commissioners Office) no later than 72 hours of becoming aware of the breach.pe your paragraph here.