GDPR & Data Protection

1. Our Data Protection Commitment

Who We Are

Dalton Pharmacy is a registered pharmacy operating at Valley Health Centre, 1 Saville Street, Dalton, Rotherham, S65 3HD. We are the Data Controller for personal data we process through our website and pharmacy services.

Our Principles

We process personal data in accordance with the following GDPR principles:

Lawfulness: We only collect and process data where we have a legal basis to do so
Fairness & Transparency: We are clear about what data we collect and why
Purpose Limitation: Data is used only for the purpose stated at collection
Data Minimization: We only collect data that is necessary
Accuracy: We take steps to keep data accurate and up-to-date
Storage Limitation: Data is kept only as long as needed
Integrity & Confidentiality: Data is kept secure and protected

2. Legal Bases for Processing

We process personal data under the following lawful bases as set out in GDPR Article 6:

Consent: When you agree to us processing your data (e.g., marketing emails)
Contract: When processing is needed to fulfil a service you request from us
Legal Obligation: When required by law (e.g., NHS regulations, health records retention)
Vital Interests: To protect your health and safety or someone else's
Public Task: When carrying out functions in the public interest
Legitimate Interests: When we have a legitimate business reason that does not override your rights

3. Types of Data We Process

Patient Health Data

We process health data to provide pharmacy services, including:

Prescription information and medication history
Allergy and adverse reaction information
Consultation notes and consultations
NHS and private health records

Website Data

When you visit our website, we may collect:

Your name, email, and contact details
Any messages or enquiries you submit
IP address and browsing information via cookies
Device and browser information

Special Category Data

Health data is treated as special category data under GDPR Article 9. We process this only where you have given explicit consent or where we have a legal basis such as provision of health services.

4. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right of Access

You can request a copy of all personal data we hold about you.

Right to Rectification

You can ask us to correct inaccurate or incomplete data.

Right to Erasure

You can request deletion of your data under certain circumstances (the "right to be forgotten").

Right to Restrict

You can ask us to limit how we use your data in certain situations.

Right to Data Portability

You can receive your data in a structured format and transfer it to another organisation.

Right to Object

You can object to certain types of processing, including marketing.

Rights Related to Automated Decisions

You have rights if we make decisions based solely on automated processing.

Right to Withdraw Consent

You can withdraw consent you have given at any time.

5. How to Exercise Your Rights

Subject Access Requests (SAR)

To request a copy of your personal data, please submit a Subject Access Request. We will respond within 30 calendar days. In most cases, this is free, though we may charge a reasonable fee for repeat requests.

Other Requests

To exercise any other right, please contact us in writing with your request and evidence of your identity. We will respond within 30 days.

Contact Details for Requests

Please send requests to:

Email: info@daltonpharmacy.co.uk
Post: Valley Health Centre, 1 Saville Street, Dalton, Rotherham, S65 3HD

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected:

Prescription Records: Typically 2 years from the last transaction (subject to NHS requirements)
Consultation Notes: Retained according to pharmacy and health service regulations
Website Enquiries: Retained for a reasonable period to respond to your query, then deleted unless you consent otherwise
Cookies: Retained according to your browser settings and our cookie policy

7. Data Sharing & Third Parties

We may share your personal data with the following types of organizations:

NHS Services: Doctors, hospitals, and healthcare providers for continuity of care
Regulatory Bodies: Pharmacy regulator (GPhC) and health authorities
Payment Processors: For processing payments securely
Website Hosts: To store and maintain our website
Legal Requirements: When required by law or court order

We never sell your data to third parties. Any third parties who process your data on our behalf are contractually obligated to protect your data.

8. Data Security

We take data security seriously and employ appropriate technical and organizational measures:

Secure password protection and access controls
Encryption of data in transit and at rest
Regular security assessments and testing
Staff training on data protection
Physical security of premises and records
Incident response procedures

9. Data Breach Notification

In the event of a personal data breach, we will:

Notify affected individuals within 72 hours where there is high risk to their rights and freedoms
Notify the Information Commissioner's Office (ICO) where legally required
Provide details of the nature of the breach and steps taken to mitigate harm
Make reasonable efforts to assist you in protecting your information

10. International Transfers

We operate within the UK and do not routinely transfer personal data outside the UK/EEA. If any transfer is necessary, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V.

11. Changes to This Policy

We may update this GDPR policy to reflect changes in our practices or legal requirements. We will notify you of any material changes by updating this page and the date below.

Last Updated: May 2026