Privacy Policy

Coastal Cardiology – Privacy Notice

Effective date: 31 October 2025

Last updated: 31 October 2025

1) Who we are

Coastal Cardiology (Dr Chris Critoph and his medical secretarial team) provides private cardiology services at venues including Nuffield Health Hospital Bournemouth and Dorset Heart Clinic. In this notice, “we/us/our” means Coastal Cardiology.

Data Protection Lead: Dr Chris Critoph

Email: info@coastalcardiology.co.uk Tel: 01202 084550

We are a Data Controller for the personal data we handle about you for the purposes set out below. Where your care takes place at a partner hospital, that provider will also be a Data Controller for records they create. See their privacy notices for details:

• Nuffield Health: see their website privacy notice

• Dorset Heart Clinic: see their website privacy notice

2) The data we collect

Personal/contact details: name, address, email, phone, date of birth, next of kin/emergency contact, GP details, referral information, insurance details, and billing information.

Special category data: your health information (history, examinations, investigations, imaging, results, diagnoses, treatments, medications), genetic/biometric data where relevant, and other sensitive data you disclose (e.g., ethnicity/religion where clinically relevant).

Communications: emails, letters, messages, appointment records, and (if applicable) call recordings (see Section 8).

Website/Cookies: see Section 11 and our separate Cookie Policy.

3) How we get your data

Directly from you (online forms, email/phone, in consultation, Coastal Cardiology Members site).

From other healthcare providers (GPs, NHS/private hospitals, dentists, allied health professionals), and diagnostic services.

From insurers, referring clinicians, or your authorised representatives.

3A) Members of the Coastal Cardiology Membership Site

The Coastal Cardiology Membership site provides educational content, articles, and lifestyle information relating to cardiovascular health and wellbeing. Some members are also clinical patients, but others join purely for general health education and are not under medical care.

For these non-patient members:

• Personal data collected may include your name, contact details, login credentials, subscription information, and payment details (if applicable).

• No medical information is collected or processed unless you explicitly provide it (for example, in a voluntary message or feedback form).

• Your data is used to manage your membership account, send updates about new posts or member content, and respond to enquiries.

• The lawful basis for this processing is contract (Article 6(1)(b)) for membership administration, and consent (Article 6(1)(a)) for any optional marketing communications.

• Member data is stored separately from patient clinical records.

• You can request deletion of your membership account or update your preferences at any time by emailing info@coastalcardiology.co.uk.

If you later become a clinical patient, a separate clinical record will be created and governed by the relevant sections of this Privacy Notice.

Understanding “contract” as a lawful basis

When we refer to “contract” as a lawful basis for using your personal data, this means that we need to process your information in order to deliver a service you have requested from us. For example, when you book a consultation, join our membership site, or ask us to arrange tests or reports, we must use certain personal details to organise appointments, manage payments, and provide those agreed services. Without this information, we would not be able to fulfil our professional or administrative obligations to you. This basis applies only to the personal data needed to perform the agreed service — not to unrelated uses such as marketing, which rely on your separate consent.

4) Why we use your data (purposes) and our legal bases

We only use your data when we have a lawful basis under the UK GDPR and Data Protection Act 2018. This includes providing healthcare, managing billing, audit/research, communications, complaints handling, and fulfilling legal obligations.

5) Sharing your data

We share data only when necessary and with appropriate safeguards with GPs, hospitals, insurers, and service providers. Processors operate under contract. Feedback via Doctify/TopDoctors is optional and anonymised unless you consent.

6) International transfers

Where data is transferred outside the UK (e.g. secure email or cloud providers), we use approved safeguards such as the UK International Data Transfer Agreement (IDTA) or UK adequacy decisions.

7) How long we keep your data

Records are kept in line with clinical best practice — usually 8 years after treatment for adults, or until age 25/26 for young people. Longer where legally required.

8) Communications, email, SMS/WhatsApp & call recording

We use email as the default for correspondence. SMS/WhatsApp may be used for reminders. If calls are recorded, you will be informed at the start. Recordings are stored securely and deleted after a set period.

9) Use of AI transcription tools

We may use AI transcription (e.g. ChatGPT) to assist in drafting letters. No identifiable information is included. This is done under legitimate interests for administrative efficiency, with strict safeguards and a DPIA in place.

10) Your rights

You can request access, correction, deletion, restriction, or transfer of your data. You may object to certain uses or withdraw consent. Contact info@coastalcardiology.co.uk or 01202 084550. If unresolved, contact the ICO (ico.org.uk / 0303 123 1113).

11) Cookies & online identifiers

We use cookies for essential functionality and, with your consent, for analytics or advertising. Preferences can be updated at any time via our cookie banner. See our Cookie Policy for details.

12) Updates

We may update this notice to reflect legal or operational changes. The latest version is always available on our website.