Privacy Policy Cookie Policy
Open daily — flexible hours available
procomfortcounselling@gmail.com
+44 7480 789942
en
 Different cultures, one science.

Privacy Policy & Institutional Data Protection Framework

Pro Comfort Counselling
Last updated: January 2026
ICO Registration Number: ZC095162

1. Legal Framework and Accountability

This Privacy Policy establishes the institutional data protection framework governing the activities of Pro Comfort Counselling.

Personal data is processed in accordance with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Privacy and Electronic Communications Regulations (PECR)

  • Guidance issued by the Information Commissioner's Office (ICO)

  • British Psychological Society (BPS) Code of Ethics and Conduct

In accordance with Article 5(2) UK GDPR (Accountability Principle), the Data Controller is responsible for and able to demonstrate compliance with the principles of:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality

2. Data Controller (Article 24 UK GDPR)

Data Controller: Pro Comfort Counselling
Operated by: Marian Claudiu Ciuhan, MBPsS
Address: 61 Grosvenor Road, Dagenham, London, RM8 1NJ
Email: procomfortcounselling@gmail.com
Telephone: +44 7480 789942
ICO Registration: ZC095162

Pursuant to Article 24 UK GDPR, the Controller implements appropriate technical and organisational measures to ensure and demonstrate that processing is performed in accordance with UK GDPR.

Pro Comfort Counselling operates as a sole practitioner entity. The Controller retains direct and exclusive control over the purposes and means of processing.

3. Nature and Purposes of Processing

Personal data is processed for the following purposes:

  • Delivery of psychological counselling and therapy

  • Clinical assessment and therapeutic intervention

  • Risk management and safeguarding

  • Administrative and financial record keeping

  • Professional communication

  • Website functionality and analytics

  • WhatsApp Business communication

  • Future newsletter distribution (subject to consent)

  • Planned implementation of AI-supported informational tools (non-clinical, non-automated decision-making)

No automated decision-making producing legal or similarly significant effects under Article 22 UK GDPR is carried out.

4. Categories of Personal Data

4.1 Standard Personal Data

  • Full name

  • Contact details

  • Appointment records

  • Administrative correspondence

4.2 Special Category Data (Article 9 UK GDPR)

  • Health-related information

  • Psychological history

  • Clinical notes

  • Risk assessments

  • Assessment outcomes

Special category data is processed under Article 9(2)(h) UK GDPR (provision of health or social care).

5. Lawful Bases for Processing

Purpose Article 6 Basis Article 9 Condition
Provision of therapy 6(1)(b) – Contract 9(2)(h)
Clinical record keeping 6(1)(c) – Legal obligation 9(2)(h)
Risk management 6(1)(f) – Legitimate interest 9(2)(h)
Administrative communication 6(1)(f) —
Newsletter (future) 6(1)(a) – Consent —
Website analytics 6(1)(a) – Consent —

6. Security of Processing (Article 32 UK GDPR)

In accordance with Article 32, the Controller implements measures appropriate to the risk presented by the processing.

Technical Measures:

  • Encrypted devices

  • Strong password authentication

  • Anti-virus and firewall protection

  • Secure cloud storage (where used)

  • Encrypted backup procedures

Organisational Measures:

  • Restricted data access (sole practitioner)

  • Internal confidentiality procedures

  • Periodic data protection review

  • Professional indemnity insurance

Given the volume and structure of processing, residual risk is assessed as moderate and appropriately mitigated.

7. Data Protection Impact Assessment (Article 35 UK GDPR)

Due to the processing of special category health data, a proportional internal DPIA assessment has been conducted.

The assessment considers:

  • Sensitivity of therapeutic data

  • High expectation of confidentiality

  • Potential harm from unauthorised disclosure

Mitigation measures include:

  • Strict access limitation

  • Encryption

  • Storage limitation

  • Ethical governance under BPS standards

Processing does not constitute large-scale systematic monitoring.

8. Records of Processing Activities (Article 30 UK GDPR)

The Controller maintains internal Records of Processing Activities (ROPA), including:

  • Categories of data subjects

  • Categories of personal data

  • Processing purposes

  • Recipients

  • International transfers

  • Retention periods

  • Security measures

ROPA documentation is available to regulatory authorities upon lawful request.

9. International Transfers (Articles 44–49 UK GDPR)

Certain digital service providers (e.g., Google LLC, Meta Platforms Inc.) may involve international data transfers outside the United Kingdom.

Where applicable, transfers are safeguarded through:

  • Adequacy decisions

  • Standard Contractual Clauses

  • UK International Data Transfer Addendum

Technical details relating to website tracking technologies are documented in the iubenda-generated website policy.

10. Retention Periods

Clinical records: 7 years from final session
Financial records: in accordance with HMRC requirements
Newsletter data: until consent withdrawal
Digital communications: retained only as necessary for professional purposes

After expiry, data is securely deleted or destroyed.

11. Personal Data Breaches (Articles 33–34 UK GDPR)

In the event of a personal data breach:

  • Immediate internal assessment is conducted

  • ICO is notified within 72 hours where required

  • Affected individuals are informed where high risk exists

  • Corrective measures are documented and implemented

12. Data Subject Rights (Articles 15–21 UK GDPR)

Individuals have the right to:

  • Access their personal data

  • Rectification

  • Erasure (subject to legal limits)

  • Restriction of processing

  • Objection

  • Data portability

  • Withdrawal of consent (where applicable)

Requests are responded to within one calendar month.

ICO: https://www.ico.org.uk

13. Relationship with Website Policy

This document governs the professional and clinical data protection framework.

Technical information regarding trackers, third-party services and cookies used on the website is provided through the official iubenda-generated Privacy & Cookie Policy.

https://www.iubenda.com/privacy-policy/73590951

14. Professional and Ethical Governance

Data processing is aligned with:

  • British Psychological Society ethical standards

  • Confidentiality principles in psychological practice

  • Professional indemnity insurance requirements