Privacy Policy

1. Introduction
At DPRC Physiotherapy & Rehabilitation Clinic, we are committed to protecting and
respecting your personal data. This privacy policy explains how we collect, use, store, share, and protect your personal and health information, in line with the General Data Protection Regulation (EU 2016/679) (“GDPR”) and relevant Irish data protection laws.

​

2. What personal data we collect
We collect personal data that is necessary to provide physiotherapy and rehabilitation
services. This may include:
• Identity and contact details: name, date of birth, address, telephone, email.
• Health and medical information: current and past medical history, diagnoses,
treatment plans, referrals, medications, imaging reports.
• Appointment and visit details: dates, notes from sessions, any home visits.
• Payment and billing information: insurance details, receipts, invoices.
• Other relevant information: occupation, hobbies (where relevant to treatment), next
of kin/emergency contact details.
Some of this data is special category data (health data) under GDPR, which requires extra
protection.

​

3. Legal basis for processing
We process your personal data under one or more of the following lawful bases:
• Contract: to deliver the services you have requested (physiotherapy / rehabilitation).
• Legal obligation: to comply with professional, regulatory, or statutory obligations.
• Consent: in some cases, particularly for sharing data with other professionals,
marketing, or non-essential services.
• Legitimate interest: for example, for management, internal record-keeping, or
improving our services - provided that this does not override your rights and
freedoms.

​

4. How we use your data
We use your personal data for the following purposes:

• To assess, diagnose, treat and monitor your rehabilitation / physiotherapy.
• To manage appointments (booking, reminders, cancellations).
• To prepare referrals to / communicate with other healthcare providers (GPs,
consultants, specialists), with your consent.
• To produce invoices, receipts, accounts, insurance claims.
• To provide exercise programs, treatment plans, updates.
• To communicate with you via email, telephone or SMS for clinic updates,
appointment reminders.
• Occasionally, to send you clinic news, events or other information, but only if you
have opted in.

​

5. Who has access to your data / Data sharing
We maintain confidentiality of your information. Data may be shared with:
• Our staff who need access to your records to provide your care.
• Other healthcare professionals (e.g. GP, consultant) with your consent or as required.
• Third-party service providers (e.g. IT systems, software for appointment management,
billing, backups) who act as data processors and are contractually obligated to protect
your data.
• Regulatory or legal bodies if required by law.
We will not share your data for marketing to third parties without your explicit consent.

​

6. How we store and protect your data
• Records may be paper-based and/or electronic.
• Paper records are stored securely in locked cabinets.
• Electronic records are stored in secure systems, password-protected, encrypted where
appropriate.
• Access to electronic systems is restricted to authorised personnel only.
• Backups are done regularly and stored securely.
• Old records are destroyed securely once they are no longer needed, in accordance
with retention policies.

​

7. Data retention
• Medical records and treatment notes will be retained for 7 years following the date of
your last visit or treatment, or longer if legally required.
• In the case of minors, records may be kept according to specific legal requirements
(often until a period after they reach majority).
• Old paper records will be securely destroyed (e.g. shredding) when retention period
ends.

​

8. Your rights
Under GDPR you have the following rights in relation to your personal data:
• The right to access the data we hold about you.
• The right to rectification of inaccurate or incomplete data.
• The right to erasure (“right to be forgotten”) in certain circumstances.
• The right to restrict processing.
• The right to object to processing (e.g. for direct marketing).
• The right to data portability (where applicable).
• The right to withdraw consent where we rely on consent.
If you wish to exercise these rights, please contact us at [insert contact details].

9. Cookies and website
If we operate a website:
• We may collect technical and usage data via cookies (e.g. IP address, browser type),
analytics, log files.
• Necessary cookies (for website functioning) only. Optional cookies (e.g. analytics,
marketing) will require your consent.
• You can decline or disable cookies via your browser settings, though some features
may not work if you do.

​

10. Data breaches
We have procedures in place to detect, report and investigate a personal data breach. In the
unlikely event of a breach involving your personal data, we will notify both you and the Data
Protection Commissioner where required by law.

​

11. Changes to this Policy
We may update this policy from time to time. When we do, we will publish the updated
version, and notify you in an appropriate manner (for example on our website or in-clinic).

​

12. Contact & Complaints
If you have any questions about this policy or how your data is handled, or if you have a
complaint, please contact:
• Practice Manager
• Email: manager@dprc.ie
You also have the right to lodge a complaint with the Irish Data Protection Commission if
you believe your data protection rights have been breached.