Promedica24 – Guidance to ensure data processing is lawful

This guidance relates to initial contact. 

‘Data Subject’ means the persons whose personal data is being provided (so it means the care user and also any person calling on their behalf)

Privacy Portal‘ means www.promedica24.co.uk/gdpr-privacy-notices

Assigned Telephone Number‘ means a number that is specially designated for potential clients or franchise partners and carries the Interactive Voice Response (IVR) message

IVR‘ means a recorded message that asks the caller to confirm consent to the processing of their personal data and provides the caller with the Privacy Portal link above

Basic Personal Data‘ means names and contact details.  It does not include any medical or other health information about the care user

In our operations we draw a distinction between initial contact  where only basic personal data required, and the full assessment where health data is recorded.  

By the time full assessment takes place we must have consent from the data subject or their power of attorney.

(if you have an initial contact scenario that is not covered below please let us know at once)


1. A potential client or franchise partner’s details have been provided by an online form on our website.

The form that captures their personal data also requests their consent and should link* to the Privacy Portal.

*check this is the case from time to time and let me (davidcharity@gdparmour.co.uk) know if it is not!

Provided this is the case we are compliant 🙂

The personal data is processed on the legal basis of consent and GPPR article 13 privacy notice information was provided at the time the personal data was collected.


2. A potential client or franchise partner has come to us through an assigned telephone number.

In this case the data subject will have listened to the IVR and given consent to our processing of their data.

The IVR gives the link to the Privacy Portal*.

*check this is the case from time to time and let me (davidcharity@gdparmour.co.uk) know if it is not!

Again, we are compliant 🙂

The personal data was processed on the legal basis of consent and GDPR article 13 GDPR privacy notice information was provided before the data was collected.

3. A potential client or franchise partner reaches us by some method other than 1 and 2 above.

Here the privacy notices for both franchise partners and customers are wide enough to cover our processing of basic personal data (i.e. names and contact details) on the legal basis of legitimate interest until we have consent in place.  

However, we have the challenge of ensuring that the data subject is provided with the privacy notice information.  To resolve this refer the caller to the Privacy Portal by saying:

‘Please can I refer you to the relevant privacy notice on our website www.promedica24.co.uk/gdpr-privacy-notices’

This covers us where the caller is the data subject. 

If the caller is not the data subject don’t worry.

Article 14 GDPR allows us 30 days to provide the privacy notice information to the data subject.  

So, if the caller is not the data subject we must ensure we provide the data subject with the privacy notice information or a link to the Privacy Portal within 30 days of the call.

4. Whenever the caller is not the data subject (but a relative or friend)

It is important to note that for us to rely on legitimate interest or consent to process personal data, either:

(i) the data subject must be the caller, or

(ii) the caller has power of attorney for the data subject because he/she lacks capacity, or

(iii)  the data subject has capacity and knows that the caller is providing their basic personal data to us*

*We say this because we cannot safely rely on legitimate interest to process a data subject’s personal data if that person does not know that their data is being provided (and if the caller is not the data subject we won’t have their consent yet).

So, to avoid a situation where the caller provides a data subject’s personal data without that person’s knowledge our practice is to ask the caller:

‘Does the person you are calling about know you are contacting us and providing their information?’

If the answer is ‘yes’, the call can proceed and we can record the data subject’s basic personal data only.

If the answer is ‘no’, we must decline to receive any personal data relating to the data subject, but we can still take the caller’s contact details.

We can also provide general information about our services and discuss care in broad principle.

The distinction between ‘basic personal data’ and health related personal data.

Whereas we can process basic personal data on the legal basis of legitimate interest, we require consent to process health related personal data.

 So we must be careful to avoid collecting, recording or otherwise processing anyone’s health related data until we have a consent in place.

As explained above though, this does not mean we cannot discuss types of care requirement and our services in general.  It simply means that we cannot record or otherwise process information about a data subject’s health until we have consent.