Privacy Policy Cookie Policy

Privacy Policy and Data Protection

Pro Comfort Counselling

Last updated: June 2026

ICO registration number: ZC095162

1. Legal Framework and Fundamental Principles

Pro Comfort Counselling processes personal data in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Official guidance issued by the Information Commissioner's Office (ICO)
  • British Psychological Society (BPS) Code of Ethics and Conduct

In accordance with Art. 5(2) UK GDPR (Accountability Principle), the controller is responsible for, and able to demonstrate compliance with, the following principles:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality

2. Data Controller (Art. 24 UK GDPR)

Controller: Pro Comfort Counselling

Operated by: Marian Claudiu Ciuhan, MBPsS

Address: 61 Grosvenor Road, Dagenham, London, RM8 1NJ

Email: procomfortcounselling@gmail.com

Telephone: +44 7480 789942

ICO Registration: ZC095162

In accordance with Art. 24 UK GDPR, the controller implements appropriate technical and organisational measures to ensure and demonstrate compliance.

The practice operates as an individual practice / sole practitioner structure, with direct control over data flows.

3. Nature and Purposes of Processing

Data is processed for:

  •  providing counselling and psychological support services
  •  psychological assessment, psychological formulation and non-medical psychological intervention
  •  risk management and compliance with professional obligations
  •  administrative and financial records
  •  professional communication with the client
  •  website operation
  •  interactions through WhatsApp Business, when the client chooses this communication channel
  •  sending information or newsletters, only on the basis of consent
  •  future development of automated informational support systems, including AI tools, without automated decision-making producing legal or significant effects on the person

No automated decision-making processes with legal or significant effects on the person are used, in accordance with Art. 22 UK GDPR.

4. Categories of Data Processed

4.1 Standard data

  • Name
  • Contact details
  • Administrative information

4.2 Special category data (Art. 9 UK GDPR)

  • Health-related data
  • Psychological history
  • Clinical notes
  • Risk assessments

The processing of special category data, including information relating to psychological health, is carried out only when necessary for the provision of counselling, psychological support or psychological assessment services, within the limits of professional competence. The applicable condition under Art. 9 UK GDPR is determined according to the specific purpose of processing and documented internally.

5. Legal Bases

Data processing is carried out on the basis of the relevant legal grounds, depending on the specific purpose of processing.

For ordinary personal data, the legal bases may include:

  •  performance of a contract or pre-contractual steps, when the data is necessary for the provision of the requested services
  •  compliance with legal obligations, including tax, administrative or record-keeping obligations
  •  legitimate interest, when processing is necessary for risk management, protection of rights, administration of services or maintaining a safe professional framework
  •  consent, where this is necessary, for example for newsletters or certain optional forms of communication

For special category data, including information relating to psychological health, Pro Comfort Counselling identifies and documents separately the applicable condition under Art. 9 UK GDPR, depending on the purpose of processing.

Psychological health data may be processed, where applicable, under the relevant conditions of Art. 9 UK GDPR, including when processing is necessary for the provision of psychological support, counselling or psychological assessment services, within the limits of professional competence.

The exact applicable legal bases are established according to the purpose of processing and documented internally.

6. Security of Processing (Art. 32 UK GDPR)

In accordance with Art. 32, measures proportionate to the risk are implemented.

Technical measures:

  • Encrypted devices
  • Strong password authentication
  • Antivirus and firewall protection
  • Secure backup
  • Limited system access

Organisational measures:

  • Direct access control
  • Internal confidentiality policies
  • Periodic review of procedures
  • Active professional insurance

Given the limited volume of data and individual control over the data, the residual risk is assessed as moderate.

7. Data Protection Impact Assessment (Art. 35 UK GDPR)

Taking into account:

  • processing of health-related data
  • the sensitive nature of the therapeutic relationship

A proportionate risk assessment has been carried out internally, as a logical DPIA, which concluded:

  • the need for enhanced security measures
  • strict access control
  • limiting processing to the minimum necessary

There is no large-scale processing or systematic monitoring of public areas.

8. Record of Processing Activities (Art. 30 UK GDPR)

The controller maintains internal documentation which includes:

  • purposes of processing
  • description of the categories of data subjects
  • categories of data
  • recipients
  • international transfers
  • retention periods
  • security measures

The ROPA is available for ICO inspection upon request.

9. International Transfers (Art. 44–49 UK GDPR)

Certain digital providers, including Google LLC and Meta Platforms Inc., may involve transfers outside the UK.

  • Appropriate legal mechanisms are used:
  • Adequacy decisions
  • Standard Contractual Clauses
  • UK Addendum

Technical details are available in the policy generated through iubenda.

10. Retention

Clinical records: 7 years

Financial data: in accordance with HMRC requirements

Newsletter data: until consent is withdrawn

After expiry: secure destruction.

11. Security Breaches

In accordance with Art. 33–34 UK GDPR:

  • immediate assessment
  • ICO notification within 72 hours, where applicable
  • notification of affected individuals where there is a high risk
  • complete internal documentation

12. Rights of the Data Subject

In accordance with Art. 15–21 UK GDPR:

  • access
  • rectification
  • erasure
  • restriction
  • objection
  • portability
  • withdrawal of consent

Response within 30 days.

ICO: https://www.ico.org.uk

13. Relationship with the Website Policy

This policy regulates the professional, administrative and data protection framework within which Pro Comfort Counselling services are provided.

For technical details regarding digital services and trackers used on the website, the official documentation automatically generated through iubenda applies.

https://www.iubenda.com/privacy-policy/73590951

14. Ethical Governance

Data processing is aligned with:

  • BPS ethical principles
  • Professional confidentiality standards
  • Professional liability insurance requirements

Do you have questions about confidentiality or data protection?