Privacy and GDPR compliance

Security and Data Protection

The General Data Protection Regulation (GDPR), in force since May 2018

GDPR is the legal framework protecting personal information. It governs what personal information therapists may collect, including via their website, and why; it sets out clients' rights; and it requires a lawful basis for holding and using client information.

Special Category Data: the Association of Reflexologists (AoR) advises that sensitive information, such as that relating to a person’s health, is termed “Special Category Data” under GDPR, i.e. it needs greater protection.

Reflexologists must identify a separate condition for holding and using such information. The AoR’s suggestion is that, providing you are an AoR member adhering to the requirements of AoR membership, you can use the following reason for holding and processing special category data:

To fulfil your role as a health care practitioner bound under the AoR Confidentiality as defined in the AoR Code of Practice and Ethics.

This is the AoR’s interpretation of the condition at Article 9(2)(h) GDPR and DPA 2018 Schedule 1 Part 1, following discussion with the Information Commissioner’s Office.

The GDPR sets out what information should be supplied to clients:

  • What information I hold and what I do with it
  • That I need to retain information about client health and that it will only be used for informing reflexology treatments and any advice given as a result of the treatment, namely:
  • Client contact details
  • Medical history and other health-related information
  • Treatment details and related notes from each consultation
  • That client information will not be shared with anyone else, except where required for legal process, without explaining why it is necessary and gaining the client’s consent
  • How long I am legally required to retain client information

Client information is kept for the following periods:

  • ‘Claims occurring’ insurance: I am required to keep client records for 7 years after the last treatment.
  • Law regarding children’s records: I am required to keep records until the child is 25, or, if they were 17 when treated, until they are 26 years old.

Registration with the Complementary and Natural Healthcare Council requires that information is retained for 8 years.

Client data will not be transferred outside the EU without the client’s consent. 

Clients will be contacted, using the contact preferences they have provided, in relation to:

  • Appointment times
  • Reflexology information or information related to client health
  • Special offers and promotions (clients may unsubscribe from these at any time)

Protecting client Personal Data: I am committed to ensuring that personal data is secure. In order to prevent unauthorised access or disclosure, I have in place appropriate technical, physical and managerial procedures to safeguard and secure the information collected from clients.

My Email Provider: Apple (apple.com) has committed to complying with all applicable privacy laws, and details of its commitment can be found at apple.com

My Website provider: mythic-beasts.com

Client Rights under GDPR:

  • The right to be informed: To know how their information will be held and used.
  • The right of access: To see the contact details, treatment records and personal information held about them, and to verify it.
  • The right to rectification: To require the therapist to correct their personal information if it is incorrect or incomplete.
  • The right to erasure (also called “the right to be forgotten”): To request that the therapist erase any information held about them.
  • The right to restrict processing of personal data: To request limits on how the therapist uses their personal information.
  • The right to data portability: Under certain circumstances, to request a copy of personal information held electronically so that it can be reused in other systems.
  • The right to object: To advise the therapist that they do not want certain parts of their information used, or that it may only be used for certain purposes.
  • Rights in relation to automated decision-making and profiling.
  • The right to lodge a complaint with the Information Commissioner’s Office: To complain to the ICO where a client feels their details are not correct, are not being used in the way they have given permission for, or are being stored when they need not be.

Full details of client rights can be found at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.

Therapist rights under GDPR:

  • If clients do not agree to the therapist keeping records of information about them and their treatments, or do not allow the therapist to use the information in the way required for treatments, the therapist may not be able to treat them safely or professionally.
  • Therapists are required to keep client treatment records for the periods already explained, so even if a client asks to have their details erased, the therapist may have to keep those details until that period has passed.
  • Therapists can transfer client records between their own computers and IT systems without client permission, provided the details remain confidential and are protected from being seen by others.

I keep all client contact details and records in written format, stored in a lockable fire-proof filing cabinet in the treatment room. Only the records and details pertaining to the client I am treating are taken out and accessible at that time.

Images on booking micro-site

Images are used under the Unsplash license: https://unsplash.com/license