Privacy Policy Cookie Policy
Open daily — flexible hours available
procomfortcounselling@gmail.com
+44 7480 789942
en
 Different cultures, one science.

Privacy Policy & Institutional Data Protection Framework

Pro Comfort Counselling
Last updated: January 2026
ICO Registration Number: ZC095162

1. Legal Framework and Fundamental Principles

Pro Comfort Counselling processes personal data in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Official guidance issued by the Information Commissioner's Office (ICO)
  • British Psychological Society (BPS) Code of Ethics and Conduct

In accordance with Article 5(2) UK GDPR (Accountability Principle), the Controller is responsible for and able to demonstrate compliance with the principles of:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality

2. Data Controller (Article 24 UK GDPR)

Controller: Pro Comfort Counselling
Operated by: Marian Claudiu Ciuhan, MBPsS
Address: 61 Grosvenor Road, Dagenham, London, RM8 1NJ
Email: procomfortcounselling@gmail.com
Telephone: +44 7480 789942
ICO Registration: ZC095162

In accordance with Article 24 UK GDPR, the Controller implements appropriate technical and organisational measures to ensure and demonstrate compliance.

The practice operates as a sole practitioner entity, with direct control over data flows.

3. Nature and Purposes of Processing

Personal data is processed for:

  • the provision of psychological services
  • clinical assessment and therapeutic intervention
  • risk management
  • administrative and financial records
  • professional communication
  • website functionality
  • WhatsApp Business interactions
  • newsletter implementation (based on consent)
  • future development of automated support systems (including informational AI, without automated clinical decision-making)

No automated decision-making processes with legal or similarly significant effects on the individual are used (Article 22 UK GDPR).

4. Categories of Personal Data Processed

4.1 Standard Data

  • name
  • contact details
  • administrative information

4.2 Special Categories (Article 9 UK GDPR)

  • health-related data
  • psychological history
  • clinical notes
  • risk assessments

The processing of these data is based on Article 9(2)(h) – provision of health services.

5. Lawful Bases

Purpose Article 6 Article 9
Therapeutic services 6(1)(b) 9(2)(h)
Legal obligations 6(1)(c) 9(2)(h)
Legitimate interest (risk management) 6(1)(f) 9(2)(h)
Newsletter 6(1)(a) —
Website analytics 6(1)(a) —

6. Security of Processing (Article 32 UK GDPR)

In accordance with Article 32, measures proportionate to the risk are implemented.

Technical measures:

  • encrypted devices
  • robust password authentication
  • anti-virus and firewall protection
  • secure backup
  • limited system access

Organisational measures:

  • direct access control
  • internal confidentiality policies
  • periodic review of procedures
  • active professional insurance

Given the limited volume of data and the individual control over processing, the residual risk is assessed as moderate.

7. Data Protection Impact Assessment (Article 35 UK GDPR)

Given:

  • the processing of health-related data
  • the sensitive nature of the therapeutic relationship

a proportionate risk assessment has been carried out (internal logical DPIA), which concluded:

  • the need for enhanced security measures
  • strict access control
  • limitation of processing to the minimum necessary

There is no large-scale processing or systematic monitoring of public spaces.

8. Records of Processing Activities (Article 30 UK GDPR)

The Controller maintains internal documentation including:

  • the purposes of processing
  • a description of the categories of data subjects
  • the categories of data
  • recipients
  • international transfers
  • retention periods
  • security measures

ROPA is available for ICO inspection upon request.

9. International Transfers (Articles 44–49 UK GDPR)

Certain digital providers (Google LLC, Meta Platforms Inc.) may involve transfers outside the United Kingdom.

Appropriate legal mechanisms are used:

  • Adequacy Decisions
  • Standard Contractual Clauses
  • UK Addendum

Technical details are available in the policy generated through iubenda.

10. Retention

  • Clinical records: 7 years
  • Financial data: in accordance with HMRC requirements
  • Newsletter data: until consent is withdrawn

After expiry: secure destruction.

11. Personal Data Breaches

In accordance with Articles 33–34 UK GDPR:

  • immediate assessment
  • ICO notification within 72 hours where applicable
  • notification of affected individuals where high risk exists
  • full internal documentation

12. Data Subject Rights

In accordance with Articles 15–21 UK GDPR:

  • access
  • rectification
  • erasure
  • restriction
  • objection
  • portability
  • withdrawal of consent

Response time: 30 days.

ICO: https://www.ico.org.uk

13. Relationship with the Website Policy

This policy regulates the professional and clinical framework.

For technical details regarding digital services and trackers used on the website, the official documentation generated automatically through iubenda applies.

https://www.iubenda.com/privacy-policy/73590951

14. Ethical Governance

Data processing is aligned with:

  • BPS ethical principles
  • professional confidentiality standards
  • professional indemnity insurance requirements