As a client (or a potential client) of The Carvalho Consultancy Limited (“The Carvalho Consultancy”, “we”, “us” and “our”) or a visitor to our website, you understand that we will process your personal data on the basis described in this notice.
1. The type of personal data we collect
We currently collect and process the following types of personal data.
- Personal identifiers, contacts and characteristics (for example, name and contact details).
- Health data (for example concerning your state of mind, general health, medication and any relevant medical or psychological conditions).
- Information concerning your use of our website and/or services.
2. How we get your personal data and why we have it
Most of the personal data we process is provided to us directly by you.
We may also receive personal data, from the following sources in the following scenarios:
- Your employer (e.g. where our relationship is based upon a contract between The Carvalho Consultancy and your employer).
- Your GP or other medical practitioner with whom you have an existing relationship (for example, to obtain a report on your current state of health or any medication or other treatment you may be receiving). We would check with you before requesting such information.
Please let us know if any of your personal data you have provided, or that you believe we may have received from a third party, needs to be corrected or updated.
3. Why we process your personal data
Principal uses of your personal data
We will use your personal data to provide you with counselling, therapy or coaching services.
Other uses of your personal data
We will also use your personal data for the following purposes.
- To communicate with you about our services, including services you have requested from us and other information which we feel may interest you or be relevant to you.
- To notify you about changes to our services.
- To administer all aspects of our relationship with you, including to keep business and accounting records, to carry out office administration, to administer and process payments you make, to verify your identity where required to use any of our services, and as otherwise required or permitted by law or in connection with running our business.
- To comply with applicable laws and regulations and requests from statutory agencies / authorities including for such purposes as: health and safety; the detection and prevention of crime; safeguarding.
- To analyse and understand how people use our website and services.
Sharing your personal data with others
We do not, and never will, sell or share your information to a third party for commercial purposes.
We may share your personal data, always on a limited basis and only to the extent necessary, with some or all of the following.
- The Carvalho Consultancy’s administrative support team.
- law enforcement officials, health professionals or others for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.
- organisations that store and process information on our behalf.
- our insurers and/or professional advisers (such as lawyers and accountants) insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice.
- IT service providers, website and IT/database server providers.
- Professional supervisors for the purposes of our own therapeutic and coaching supervision.
- With your employer/place of business (where your relationship with us is conducted on the basis of your employment/partnership with one of our corporate clients – i.e. you do not have an independent, personal contract with us). We will always obtain your consent before doing so.
- Payment services providers to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds.
- We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
4. Lawful bases for processing your personal data
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing your personal data are:
- Contractual necessity: It is necessary for the performance of our contract with you (applicable to clients or potential clients and others with whom we enter into contracts – such as suppliers, consultants etc.) or a contract we have with your employer or a member of its group.
- Legal obligations: It is necessary so that we can comply with our legal obligations.
- Vital interests: It is necessary to protect your vital interests or those of another person (e.g. if we consider you are at risk of harming yourself or someone else).
- Legitimate interests: It is necessary in connection with our legitimate interests and those interests are not overridden by your interests or your fundamental rights and freedoms.
- Consent: When we seek your consent, we will try to ensure the process by which we obtain it means your consent is freely given, specific, informed and unambiguous. You are able to withdraw your consent at any time. You can do this by emailing us at email@example.com.
Where we process health etc. personal data, which constitutes a special category of personal data (as described in article 9 of UK GDPR), we will routinely seek your explicit consent to that processing. The processing may also be necessary in connection with the performance of our contract with you and / or to allow us to comply with our legal obligations. Where we have not sought your consent, those are the bases on which we will process such personal data. Where we do seek your consent, you understand that such consent is a condition of our providing the services to you and that if you withhold or withdraw your consent, we will not be able to provide you with the services.
5. How we store your personal data
Your personal data is securely stored on our servers which are located in the USA.
We keep client records for the duration of our relationship and for up to six years following the end of their sessions. Following that, client records are destroyed. If you would like your records to be destroyed sooner than that, please let us know in writing.
We will then dispose of your personal data by shredding hard copy notes and permanently deleting all electronic records from our devices.
You understand that once we destroy your records, we cannot restore them.
6. Your data protection rights
Under data protection law, you have rights including:
- Access – you can ask for copies of your personal data.
- Rectification – you can ask us to rectify inaccurate personal data and to complete incomplete personal data.
- Erasure – you can ask us to erase your personal data in certain circumstances.
- Restriction of processing – you can ask us to restrict the processing of your personal data in certain circumstances.
- Object to processing – you can object to the processing of your personal data in certain circumstances. This applies, in particular, where the lawful basis on which we process your personal data is our legitimate interests.
- Data portability – you can ask that we transfer your personal data to another organisation, or to you, in certain circumstances.
- Make a complaint – you can complain to a supervisory authority (in the UK, this is the ICO – see below) about our processing of your personal data.
- Withdraw consent – to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent at any time. You can do this by emailing us on firstname.lastname@example.org.
You are not required to pay any charge to us for exercising your rights. If you make a request, we will endeavour to respond promptly and within any legally prescribed timeframes.
These rights are subject to certain limitations and exceptions. You can learn more about these rights by visiting https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
Please contact us using the data controller details set out below if you wish to exercise any of your data protection rights.
7. Data Controller
The Carvalho Consultancy is registered with the Information Commissioner’s Office (ICO) as a data controller for the personal data that it processes. The Carvalho Consultancy’s registered address for these purposes is:
c/o Sobell Rhodes LLP
The Kinetic Centre
Our phone number is: 07779 039235
You can contact us by email at: email@example.com
Our registration number with the ICO is ZB078284
8. How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at firstname.lastname@example.org.
You can also complain to the ICO if you are unhappy with how we have used your personal data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk