Privacy Policy and Data Protection
Pro Comfort Counselling
Last updated: June 2026
ICO registration number: ZC095162
1. Legal Framework and Fundamental Principles
Pro Comfort Counselling processes personal data in accordance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
- Official guidance issued by the Information Commissioner's Office (ICO)
- British Psychological Society (BPS) Code of Ethics and Conduct
In accordance with Art. 5(2) UK GDPR (Accountability Principle), the controller is responsible for, and able to demonstrate compliance with, the following principles:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality
2. Data Controller (Art. 24 UK GDPR)
Controller: Pro Comfort Counselling
Operated by: Marian Claudiu Ciuhan, MBPsS
Address: 61 Grosvenor Road, Dagenham, London, RM8 1NJ
Email: procomfortcounselling@gmail.com
Telephone: +44 7480 789942
ICO Registration: ZC095162
In accordance with Art. 24 UK GDPR, the controller implements appropriate technical and organisational measures to ensure and demonstrate compliance.
The practice operates as an individual practice / sole practitioner structure, with direct control over data flows.
3. Nature and Purposes of Processing
Data is processed for:
- providing counselling and psychological support services
- psychological assessment, psychological formulation and non-medical psychological intervention
- risk management and compliance with professional obligations
- administrative and financial records
- professional communication with the client
- website operation
- interactions through WhatsApp Business, when the client chooses this communication channel
- sending information or newsletters, only on the basis of consent
- future development of automated informational support systems, including AI tools, without automated decision-making producing legal or significant effects on the person
No automated decision-making processes with legal or significant effects on the person are used, in accordance with Art. 22 UK GDPR.
4. Categories of Data Processed
4.1 Standard data
- Name
- Contact details
- Administrative information
4.2 Special category data (Art. 9 UK GDPR)
- Health-related data
- Psychological history
- Clinical notes
- Risk assessments
The processing of special category data, including information relating to psychological health, is carried out only when necessary for the provision of counselling, psychological support or psychological assessment services, within the limits of professional competence. The applicable condition under Art. 9 UK GDPR is determined according to the specific purpose of processing and documented internally.
5. Legal Bases
Data processing is carried out on the basis of the relevant legal grounds, depending on the specific purpose of processing.
For ordinary personal data, the legal bases may include:
- performance of a contract or pre-contractual steps, when the data is necessary for the provision of the requested services
- compliance with legal obligations, including tax, administrative or record-keeping obligations
- legitimate interest, when processing is necessary for risk management, protection of rights, administration of services or maintaining a safe professional framework
- consent, where this is necessary, for example for newsletters or certain optional forms of communication
For special category data, including information relating to psychological health, Pro Comfort Counselling identifies and documents separately the applicable condition under Art. 9 UK GDPR, depending on the purpose of processing.
Psychological health data may be processed, where applicable, under the relevant conditions of Art. 9 UK GDPR, including when processing is necessary for the provision of psychological support, counselling or psychological assessment services, within the limits of professional competence.
The exact applicable legal bases are established according to the purpose of processing and documented internally.
6. Security of Processing (Art. 32 UK GDPR)
In accordance with Art. 32, measures proportionate to the risk are implemented.
Technical measures:
- Encrypted devices
- Strong password authentication
- Antivirus and firewall protection
- Secure backup
- Limited system access
Organisational measures:
- Direct access control
- Internal confidentiality policies
- Periodic review of procedures
- Active professional insurance
Given the limited volume of data and individual control over the data, the residual risk is assessed as moderate.
7. Data Protection Impact Assessment (Art. 35 UK GDPR)
Taking into account:
- processing of health-related data
- the sensitive nature of the therapeutic relationship
A proportionate risk assessment has been carried out internally, as a logical DPIA, which concluded:
- the need for enhanced security measures
- strict access control
- limiting processing to the minimum necessary
There is no large-scale processing or systematic monitoring of public areas.
8. Record of Processing Activities (Art. 30 UK GDPR)
The controller maintains internal documentation which includes:
- purposes of processing
- description of the categories of data subjects
- categories of data
- recipients
- international transfers
- retention periods
- security measures
The ROPA is available for ICO inspection upon request.
9. International Transfers (Art. 44–49 UK GDPR)
Certain digital providers, including Google LLC and Meta Platforms Inc., may involve transfers outside the UK.
- Appropriate legal mechanisms are used:
- Adequacy decisions
- Standard Contractual Clauses
- UK Addendum
Technical details are available in the policy generated through iubenda.
10. Retention
Clinical records: 7 years
Financial data: in accordance with HMRC requirements
Newsletter data: until consent is withdrawn
After expiry: secure destruction.
11. Security Breaches
In accordance with Art. 33–34 UK GDPR:
- immediate assessment
- ICO notification within 72 hours, where applicable
- notification of affected individuals where there is a high risk
- complete internal documentation
12. Rights of the Data Subject
In accordance with Art. 15–21 UK GDPR:
- access
- rectification
- erasure
- restriction
- objection
- portability
- withdrawal of consent
Response within 30 days.
13. Relationship with the Website Policy
This policy regulates the professional, administrative and data protection framework within which Pro Comfort Counselling services are provided.
For technical details regarding digital services and trackers used on the website, the official documentation automatically generated through iubenda applies.
https://www.iubenda.com/privacy-policy/73590951
14. Ethical Governance
Data processing is aligned with:
- BPS ethical principles
- Professional confidentiality standards
- Professional liability insurance requirements
