Data Protection & GDPR Compliance Policy

Last updated: April 2026  |  Version 1.0  |  Document Ref: AMS-DP-001

Document Title: Data Protection & GDPR Compliance Policy
Document Reference: AMS-DP-001
Version: 1.0
Date Issued: April 2026
Next Review Date: April 2027
Document Owner: Artensia Medical Services
Classification: Confidential – authorised recipients only

Purpose and Scope

This policy sets out how Artensia Medical Services meets its obligations under UK GDPR and the Data Protection Act 2018. It applies to all personal data processed by us in connection with our occupational health services, including data relating to clients, employees, referrers, and workers whose health is assessed.

Data Controller

Artensia Medical Services is the data controller for all personal data processed in connection with our business activities.

Email: admin@artensiamedical.com
Website: www.artensiamedical.com

Data Protection Principles

We are committed to processing personal data in accordance with the six principles of UK GDPR. Personal data must be:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes
  • Adequate, relevant, and limited to what is necessary (data minimisation)
  • Accurate and kept up to date
  • Retained for no longer than necessary (storage limitation)
  • Processed in a manner that ensures appropriate security (integrity and confidentiality)

Categories of Personal Data Processed

General Personal Data

We process name, contact details, employer information, and correspondence data for the purposes of delivering and administering our occupational health services.

Special Category Health Data

As an occupational health provider, we process health data. This is special category data under Article 9 UK GDPR and is handled with the highest level of confidentiality and security. It is processed solely under Article 9(2)(h) – provision of health or occupational medicine services by a health professional subject to a professional secrecy obligation.

Lawful Basis for Processing

We rely on the following lawful bases:

  • Legitimate interests (Article 6(1)(f)) – for delivering and administering occupational health services
  • Legal obligation (Article 6(1)(c)) – for compliance with professional and regulatory requirements
  • Article 9(2)(h) – for processing health data in the context of occupational medicine

Data Minimisation

We collect only the personal data necessary for the specific purpose of each service or interaction. We do not collect data speculatively or for undefined future use. Clinical data is collected only where a formal referral or assessment is in progress.

Data Subject Rights

We respect and facilitate the rights of data subjects under UK GDPR, including:

  • Right of access (Subject Access Requests responded to within one calendar month)
  • Right to rectification
  • Right to erasure (where lawfully applicable – noting that clinical records may need to be retained for legal or professional reasons)
  • Right to restriction of processing
  • Right to object
  • Right to data portability

Requests should be directed to admin@artensiamedical.com and will be acknowledged promptly and responded to within the statutory timeframe.

Third Parties and Data Processors

We use the following data processors, with whom appropriate Data Processing Agreements (DPAs) in accordance with Article 28 UK GDPR are maintained:

  • Microsoft 365 – email, document management, and business communications (UK data residency)
  • Orchid Live – clinical management system for occupational health records (UK-hosted)

We do not transfer personal data outside the United Kingdom. We do not sell personal data.

Information Security

We apply appropriate technical and organisational measures to protect personal data, including:

  • Microsoft 365 enterprise security controls and UK-based data hosting
  • Orchid Live secure clinical system with access controls
  • Encrypted communication for external data transfer
  • Role-based access controls restricting data to authorised personnel only
  • Regular review of information security practices

Whilst we do not currently hold ISO 27001 or SOC 2 certification, our platforms (Microsoft 365 and Orchid Live) operate under recognised security frameworks, and we are subject to regulatory oversight as an occupational health provider.

Data Breach Management

In the event of a suspected or confirmed personal data breach:

  • We will investigate and contain the breach without undue delay
  • We will notify the ICO within 72 hours where the breach is likely to result in a risk to individuals’ rights and freedoms (Article 33 UK GDPR)
  • We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 UK GDPR)
  • We will document all breaches, whether or not notification is required

Data Retention

Personal data is retained in accordance with applicable professional and legal requirements:

  • Occupational health clinical records: minimum 8 years from the end of the professional relationship, in line with Faculty of Occupational Medicine guidance
  • General business correspondence and enquiry data: retained for no longer than reasonably necessary for the purpose collected
  • Financial records: retained in accordance with HMRC requirements (typically 6 years)

Data is securely deleted or anonymised at the end of the applicable retention period.

Complaints

Any individual who believes their personal data has not been handled in accordance with this policy or UK GDPR may raise a complaint with us at admin@artensiamedical.com. They also have the right to complain directly to the ICO at ico.org.uk or by calling 0303 123 1113.

Policy Review

This policy will be reviewed at least annually and updated as required to reflect changes in law, regulation, or our business practices. The next scheduled review date is April 2027.

Contact

Artensia Medical Services
Email: admin@artensiamedical.com
Website: www.artensiamedical.com

Version History

Version | Date | Author | Summary of Changes
1.0 | April 2026 | Artensia Medical Services | Initial version – policy created