Privacy Policy
1. About Us
harleypharmacy.co.uk (the “Website”) is operated by Harley Pharmacy (“we”, “us”, “our”), a company incorporated in England and Wales.
This Privacy Policy explains what information we collect about you, how we use it, and the steps we take to ensure that it is kept secure. We also explain your rights and how to contact us.
We are only responsible for the privacy practices and security of this Website. Please note, our Website may contain links to other websites which are provided for your convenience. We do not control these third-party websites and are not responsible for their privacy statements. We recommend that you check the privacy and security policies and procedures of each and every other website that you visit.
If you have any questions about this Privacy Policy, please contact our Data Protection Officer using the contact details provided in Section 14.
2. Changes to this Privacy Policy
We may amend this Privacy Policy at any time. Any changes we may make will be posted on this page, so please check back frequently for updates. Please be assured that, if there is a substantial change in the way we use your personal data, we will contact you directly.
3. What is Personal and Special Category Data?
Personal data means any information relating to a person who can be identified, either directly or indirectly, by that information. It may include, but is not restricted to, name, address, email address, phone number, credit or debit card number, IP address, location data and purchase history.
Special category data is personal data that may be more sensitive. In practice, this is likely to mean things like health data, ethnicity, religious or political views and trade union membership details. We may process some health information about you, but this is only ever provided directly by you and for a specific purpose.
Wherever special category data is used, there are additional legal safeguards we must adhere to, which include:
- Establishing a legal basis to use this information, as well as an additional condition for our use
- Depending on the condition selected to use this data, we may also be required to establish a further condition for use
- Adhering to a specific ‘Appropriate Policy Document’, which governs our compliance
- Completing a data protection impact assessment to measure any risks to you, the data subject, as a result of the use of your data
This is in addition to all other internal safeguards we take to protect your personal data.
4. The Personal Data We Collect
We process personal data either directly or indirectly taken from you. The sections below provide some examples of situations where we directly and indirectly process your personal data, alongside the type of personal data this is likely to be.
Information you directly provide to us
In order to provide the services you require you may provide us with:
- Health information related to a prescription or service we deliver in our pharmacy
- Written or verbal information by creating an account with us
- Answering questions
- Filling in forms on our Website
- Using applications
- By corresponding with us by email, telephone or otherwise
- Information you provide when you purchase products and/or services from us
- Replying to an email
- Entering a competition, promotion or survey
- Reporting a problem with our Website
This personal information may include:
- Your name
- Gender
- Date of birth
- Billing and delivery address
- Orders, receipts
- Email address
- Telephone number
- NHS number
- GP details
- Medical history and medication history
- Financial and billing information (including your payment card information if you pay for any order by credit or debit card)
For your security, we will also keep an encrypted record of your login password.
Information you indirectly provide to us
We may collect your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.
We will also collect details of your interactions with us through our contact centres, online and when you use any of our mobile applications.
All personal information, including where carts are abandoned and where personal information is obtained about you and/or any other person whose details you provide, will be recorded, used, and protected by us in accordance with current data protection legislation, our Terms and Conditions and this Privacy Policy.
To deliver the best possible web experience, we collect technical information about your computer or device, internet connection and browser, as well as the country where your computer or device is located, your IP address, the pages viewed during your visit, the advertisements you clicked on, any search terms you may enter on our Website and other information about your visit and how you used our Website.
Information we receive from other sources
We also work closely with third parties (including, for example, business partners, service providers, advertising networks, analytics providers, and search information providers) and may receive information about you from them. This may be combined with other information you provide to us, in order to carry out a requested service, or to analyse how we might better deliver services to our customers.
We may also receive information from:
- Your GP surgery or hospital (for prescription services)
- NHS Business Services Authority
- Identity verification partners
- Delivery service providers
Information about other people
If you provide information to us about any person other than yourself, you confirm that you have made that person aware of how we may collect, use and disclose their information, the reason you have provided it, how they can contact us, the terms of this notice and that they have consented to such collection, use and disclosure.
5. How We Will Use Your Information
We use your personal data for the following purposes:
- To fulfil a prescription – we capture your name, address, date of birth, NHS number and the medication required (this includes the name of the medication and the dosage instructions) as detailed on the prescription. Capturing this information is necessary to provide the service to you. Additionally we would also capture the prescriber’s details
- To deliver our health services – we may need to understand wider information about your health & wellbeing, including any family history of medical conditions
- To create and maintain your customer account – once you become a registered customer
- To process and fulfil any orders – that you place with us (through our Website or mobile applications). If we don’t collect your personal data during checkout, we won’t be able to process your order
- To fulfil our contractual requirements – with the NHS, we may need to share your personal data with your GP and others in the wider NHS, such as the NHS Business Services Authority, and sometimes Local Authorities to provide you with NHS or Local Authority funded services
- To deliver medications – we will share your personal data with delivery service providers to ensure the safe delivery of any medication. We may also share your mobile number so they can keep you updated via SMS on the status of your delivery
- To respond to your queries, refund requests and complaints – Handling the information you submit to us enables us to respond effectively. We may also keep a record of these queries to inform any future communications between us
- For marketing purposes – (where you consent) we may use your personal data, preferences and details of your transactions to keep you informed by email, web, text, telephone about relevant products and services including tailored special offers, discounts, promotions, events, competitions and so on. You are free to opt out of hearing from us at any time
- To allow you to participate in interactive features – of our services, when you choose to do so
- To process your booking and/or appointment requests
- To communicate with you – in the event that any services requested are unavailable or if there is a query or problem with your order
- To notify you about changes to our services – and to send you service emails relating to the activities you have asked us to undertake on your behalf
- As part of our efforts to keep our Website safe and secure
- To comply with applicable law – for example, in response to a request from a court or regulatory body, where such request is made in accordance with the law
6. Lawful Basis to Process Personal Data
To process your data lawfully we need to rely on one or more valid legal grounds. The grounds we may rely upon for the processing of your personal data include:
- Your consent – to processing activities. For example, where you have consented to us using your information for electronic marketing purposes
- Contract performance – your request for content, products or services necessitating steps including processing of your personal data to be taken prior to entering into contract with you and any processing that is necessary for the performance of such contract
- Legal obligation – compliance with any legal obligation to which we are subject, for example, the processing for the purposes of complying with applicable law and regulatory requirements
- Public interest – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (such as dispensing NHS prescriptions)
- Vital interests – protecting your vital interests, for example, where the processing of your personal data is absolutely necessary to protect your life
- Legitimate interests – we pursue as a business, except where such interests are overridden by your interests and fundamental rights
For special category data (health information), we rely on:
- Explicit consent where you have provided clear consent for us to process your health data for specific purposes
- Healthcare provision under Article 9(2)(h) of UK GDPR for the provision of health or social care or treatment
- Vital interests where necessary to protect your life or that of another person
7. Disclosure of Your Personal Data
There are circumstances where we wish to disclose, or are compelled by law to disclose, your personal data to third parties. This will only take place in accordance with the applicable law and for the purposes listed above. These scenarios may include:
- Healthcare providers – Your GP surgery, hospitals, NHS Business Services Authority, and other healthcare professionals involved in your care
- Delivery service providers – Royal Mail, courier services and other delivery partners to facilitate the delivery of your medications and products
- Identity verification partners – to verify your identity against public databases, where there is a regulatory need to do so
- Payment processors – to process your payments securely
- Our outsourced service providers or suppliers – to facilitate the provision of our products and/or services to you
- Analytics and search engine providers – that assist us in the improvement and optimisation of our Website
- Third party service providers and consultants – in order to protect the security or integrity of our business
- Regulatory bodies – General Pharmaceutical Council (GPhC), Medicines and Healthcare products Regulatory Agency (MHRA), Care Quality Commission (CQC)
- Public authorities – where we are required by law to do so
- Legal advisors – if required, in order to receive legal advice
- Any other third party – where you have provided your consent
8. Offers and Opportunities – Direct Marketing
We would like to contact you to tell you about offers and opportunities that are available and about a range of other initiatives by post, telephone, text/picture/video message or by email.
Details of how to opt-in to receiving details of offers are on relevant pages of our Website. You can change your mind at any time (see Section 14 “How to Contact Us”).
9. Security
We take the security of personal information very seriously. We employ security technology, including:
- Firewalls
- Secure Sockets Layer (SSL) encryption
- Secure data storage systems
- Access controls and authentication procedures
- Regular security audits and assessments
We have procedures in place to ensure that our paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage.
All staff members receive data security training and are required to maintain confidentiality of patient information in accordance with professional standards and UK GDPR requirements.
10. International Transfers of Personal Data
We primarily store and process your data within the United Kingdom. However, we may need to transfer your information outside the UK to service providers, agents, and subcontractors in countries where data protection laws may not provide the same level of protection.
Where this happens, we:
- Agree specific safeguards and assurances in our contracts with those providers
- Ensure there are appropriate controls in place to protect your data
- Conduct full Transfer Risk Assessments alongside any necessary contractual obligations
- Implement International Data Transfer Agreements where required
11. Retention of Personal Data
We will retain your personal data for as long as we are legally or contractually required to do so, or for a period which is justifiable to meet our business needs.
Specific retention periods:
- Medical records and prescription data: 10 years after the last interaction (in accordance with NHS and healthcare standards)
- Account information: For the duration of your account plus 2 years
- Marketing consent records: Until you withdraw consent, plus 3 years
- Financial transaction records: 7 years (in accordance with tax and accounting requirements)
- General correspondence: 3 years
We may keep an anonymised form of your personal data, which will no longer refer to you, for statistical purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.
12. Your Information Rights
Under UK GDPR and data protection laws, you have the following rights:
Right of Access (Subject Access Request or “SAR”)
You have the right to know how we process your personal data (as explained in this notice) and also a right to receive a free copy of your personal data.
Right to Rectification
You can ask us to change or complete any inaccurate or incomplete personal data held about you.
Right to Object
You have the right to object, in certain circumstances, to us processing your personal data. For example, you can object to us sending you marketing material, or using your personal data to create a profile about you that is related to direct marketing.
Right to Erasure
In certain circumstances, you can ask us to delete your personal data. For example, where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis to keep it.
Note: We may be legally required to retain certain medical and prescription data for specified periods and cannot delete this data upon request during the retention period.
Right to Portability
You have the right to ask us to send a copy of certain elements of your personal data (predominantly information you have shared directly with us) to another company.
Right to Restrict Processing
You can ask us to restrict the personal data we use about you where you have asked for it to be erased (and the erasure has not taken place, or we were unable to erase the data when we should have) or where you have objected to our use of it.
Right to Withdraw Consent
Where we process your data based on consent, you have the right to withdraw that consent at any time.
Exercising Your Rights
It is free to exercise your privacy rights and we will respond to any request as quickly as we can. Under current data protection law, we have 30 days to respond to any request, unless an exemption applies. We will contact you as soon as we can where we are applying an exemption, which may extend the time we have to process your request.
National Data Opt-Out
You may choose to opt out of the NHS using your data for planning and research purposes. This is referred to as the ‘National Data Opt-Out’. You can find more information and opt out online by visiting the NHS website.
13. Cookies
In common with many other website operators, we use standard technology called ‘cookies’ on this site. Cookies are small pieces of information that are stored by your browser on your computer’s hard drive and they are used to record how you navigate this website on each visit.
Our cookies help us to:
- Remember your preferences and settings
- Keep you signed in
- Understand how you use our website
- Improve website performance
You can control and/or delete cookies as you wish. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. However, if you do this, you may have to manually adjust some preferences every time you visit our website and some services and functionalities may not work.
For detailed information about cookies and how to manage them, please visit www.allaboutcookies.org.
14. How to Contact Us
You can make a complaint about how we have used your personal data, exercise your data protection rights, or ask us a general question by contacting:
Data Protection Officer
Harley Pharmacy
18-22 Queen Anne Street
London
W1G 8HU
Email: dpo@harleypharmacy.co.uk
Phone: +44 (0)20 4513 2244
Complaints to the ICO
You are entitled to complain to the UK’s data protection supervisory authority – which is the Information Commissioner’s Office (“ICO”). You can find out more information about how to contact the ICO using the following link: https://ico.org.uk/global/contact-us/
Alternatively, the ICO can be reached here:
Tel: 0303 123 1113
Address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF