GDPR Policy | CureAll Pharmacy

CureAll Pharmacy is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines our obligations and approach to data protection.

1. Data Protection Principles

All personal data we process must be:

Lawfully, fairly, and transparently processed — we are clear about how and why we use data.
Collected for specified, explicit, and legitimate purposes — we do not use data in ways incompatible with the original purpose.
Adequate, relevant, and limited — we only collect what is necessary.
Accurate and kept up to date — we correct inaccurate data promptly.
Retained only as long as necessary — we follow defined retention schedules.
Processed securely — we apply appropriate technical and organisational safeguards.

2. Lawful Basis for Processing

We identify and document the lawful basis for all data processing activities. For pharmacy services, our primary lawful bases are:

Article 6(1)(b) — Performance of a contract (dispensing your prescription)
Article 6(1)(c) — Legal obligation (GPhC, MHRA, NHS requirements)
Article 9(2)(h) — Healthcare provision (processing health data for treatment)
Article 6(1)(a) — Consent (for marketing communications)

3. Special Category Data

Health data is a special category under Article 9 of UK GDPR. CureAll Pharmacy processes health data only for the purpose of providing healthcare services, under Schedule 1 of the Data Protection Act 2018 and our professional obligations as a registered pharmacy.

4. Data Subject Rights

We respect all data subject rights under UK GDPR, including the right to:

Be informed about data processing (this policy)
Access personal data (Subject Access Request)
Rectification of inaccurate data
Erasure ("right to be forgotten"), where applicable
Restriction of processing
Data portability
Object to certain processing
Not be subject to solely automated decision-making

Submit requests to: seva@pdluk.com. We will respond within one calendar month.

5. Data Breach Procedure

In the event of a personal data breach, we will:

Contain and assess the breach immediately
Notify the ICO within 72 hours if the breach poses a risk to individuals
Notify affected individuals without undue delay if there is a high risk to their rights
Document all breaches, regardless of whether they require notification

6. Data Protection Officer

Our Data Protection Officer (DPO) oversees all GDPR compliance. Contact the DPO at seva@pdluk.com.

7. International Transfers

We do not routinely transfer personal data outside the UK. Where any such transfer is necessary, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V.

8. Privacy by Design

We implement data protection principles from the outset of any new process, system, or service — not as an afterthought. This includes data minimisation, pseudonymisation where appropriate, and regular privacy impact assessments.

9. Staff Training

All staff who handle personal data receive regular GDPR training. We maintain records of all training undertaken.

10. ICO Registration

CureAll Pharmacy is registered with the Information Commissioner's Office (ICO). You can lodge a complaint with the ICO at ico.org.uk or call 0303 123 1113.

Data Controller: CureAll Pharmacy, AMBE House, Commerce Way, Edenbridge TN8 6ED | seva@pdluk.com