General Data Protection Regulation (GDPR) & Privacy Policy

Your privacy is very important to me and you can be confident that your personal information will be kept safe and secure and will only be used for the purpose it was given to me. I adhere to current data protection legislation, including the General Data Protection Regulation (EU/2016/679) (the GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.


This privacy notice tells you what I will do with your personal information from initial point of contact through to after your therapy has ended, including:


  • Why I am able to process your information and what purpose I am processing it for
  • Whether you have to provide it to me
  • How long I store it for
  • Whether there are other recipients of your personal information
  • Whether I intend to transfer it to another country
  • Whether I do automated decision-making or profiling, and
  • Your data protection rights.


I am happy to chat through any questions you might have about my data protection policy and you can contact me by phone or email.


Data controller is the term used to describe the person or organisation that collects and stores and has responsibility for people’s personal data. In this instance, the data controller is me.


I am registered with the Information Commissioner’s Office, Registration Number ZA674468.

My lawful basis for holding and using your personal information

The GDPR states that I must have a lawful basis for processing your personal data. There are different lawful bases depending on the stage at which I am processing your data and these are explained below.


If you have had therapy with me and it has now ended… I will use legitimate interest as my lawful basis for holding and using your personal information.


If you are currently having therapy or if you are in contact with me to consider therapy… I will process your personal data where it is necessary for the performance of our agreement.


The GDPR also makes sure that I look after any sensitive personal information that you may disclose to me appropriately. This type of information is called:


Special Category Personal Information... that is, the lawful basis for me processing any special categories of personal information is that it is for provision of health treatment (in this case counselling) and necessary for a contract with a health professional (in this case, a contract between me and you).

How I keep, store and use your Information

Data Security:

I take the security of the data I hold very seriously and as such I take every effort to make sure it is kept behind password protected electronic devices (i.e. my laptop, remote servers and mobile phone) and/or in a locked filing cabinet.


Storage of information will be:


  • Paper… contact sheets, agreements and assessment notes.
  • Computer/Mobile phone… I will store brief session notes, signed agreements & correspondence between us on my laptop and remote servers (recordings in phone Apps by prior agreement only). Backed up information is to a standalone encrypted secure hard drive held in a locked cabinet.
  • Emails/SMS… your email address will be stored in my email account, currently Gmail and Protonmail and SMS details on my mobile phone. Your telephone number may be stored by Gmail and Protonmail or mobile SMS or Contact App, should we exchange messages this way.
  • Website… none of your personal information is stored on my website.

Initial contact

When you contact me with an enquiry about my counselling services I will collect information to help me satisfy your enquiry. This will include:


  • Name.
  • Gender (or preferred identity).
  • Age.
  • Date of Birth.
  • Relationships & Progeny.
  • Occupation.
  • Address.
  • Telephone/SMS number (plus permission to send SMS & leave voice message).
  • Email address.
  • Counselling History.
  • Medical conditions/drug & alcohol use relevant to counselling.
  • Prescribed medication.
  • Reasons for counselling now.


If you decide not to proceed I will ensure all your personal data is deleted within 1 calendar month. If you would like me to delete this information sooner, just let me know.

While you are accessing counselling

Everything you discuss with me is confidential, however:


I have a professional arrangement with a supervisor and your case may be discussed. No names or identifying information is given, and he/she too is also bound by a framework of professional ethics.


In exceptional circumstances I might be put in a position where I feel it necessary to break confidentiality. These situations would be where:


  • I believe you may be at risk of harming yourself or others. The break in confidentiality would be to prevent harm, by contacting your GP for example.
  • If you make a disclosure where we identify that a vulnerable adult or young person or child is in danger of harm or abuse.
  • If I am obliged to do so by a court of law.


I would always try to speak to you about these situations first, unless there are safeguarding issues that prevent this.


In the event of my sudden death, my therapeutic executor will have access to your contact details so you can be informed of the event.

After counselling has ended

Once counselling has ended your records will be kept for up to 7 years from the end of our contact with each other, in case you wish to return to counselling or have consented to case study work and will then be securely destroyed.


If you want me to delete your information sooner than this, please inform me.

Your Rights...

Where I do hold information, I will inform you by giving /sending to you a paper/ electronic version of this statement following our first meeting and if we continue to work together.


I will be as open as I can be in terms of giving you access to your personal information. You have a right to ask me to:


  • delete your personal information
  • (though I can decline whilst this information is needed for me to practice lawfully & competently),
  • to limit how I use your personal information; or,
  • to stop processing your personal information.


You also have a right to ask for a copy of any information that I hold about you and to object to the use of your personal data in some circumstances. You can read more about your rights at ico.org.uk/your-data-matters.


You can also ask me at any time to correct any mistakes there may be in the personal information I hold about you.


You can make a request for any personal information I may hold about you, please put the request in writing or make the request by email.


If you have any complaint about how I handle your personal data please do not hesitate to get in touch with me in writing or by email.


If you need to make a formal complaint about the way I have processed your personal information you can contact the ICO which is the statutory body that oversees data protection law in the UK. For more information go to ico.org.uk/make-a-complaint.

Should you wish to make a complaint about how I have used your data…

The complaints procedure below provides a clear, step-by step guide to how concerns about data use are managed, ensuring fairness, security, and compliance with the Data Use and Access Act 2025. This procedure ensures your complaints about data use are handled transparently, fairly, and securely. It outlines clear steps from raising a concern to investigation, response, correction, and escalation options, all while maintaining strict data protection and audit standards.

Here…I explain clearly what I will do, step by step, so you know exactly how your concern will be handled.

You can raise your complaint in whatever way feels easiest for you.

1. You can contact me by email, secure form, post, or by speaking to me directly. I will only ask for the minimum information I need to understand your concern. You can complain about anything related to how I have used, accessed, stored, shared, or protected your data.

2. I will acknowledge your complaint and within 5 working days I will send you a written confirmation that I've received your complaint. I will give you a reference number so you can follow up or ask for updates. I will log your complaint securely on my system, which keeps a full audit trail of who accesses it and when.

3. I will investigate your concern carefully and fairly. I will review what happened by checking:

• who accessed your data

• how your data was used

• whether consent or authorization was in place

• whether my security and privacy measures were followed

I will keep a complete record of the investigation in a secure, tamperproof audit trail, as required by the Data Use and Access Act 2025. If I discover that something has gone wrong, I will immediately activate my data breach process.

4. I will give you a full response within 30 working days. I will write to you with:

• a clear summary of what you told me

• what I found during the investigation

• any actions I have taken to put things right

• what changes I'm making to prevent similar issues in future

If I need more time because the issue is complex, I will Iet you know and give you a revised timeline.

5. If something needs correcting, I will put it right. This may include:

• correcting inaccurate data

• restricting access to your information

• improving my internal processes

• reviewing how long I keep certain data

I will record all corrective actions in my DUAA compliance log.

6. You have the right to escalate your complaint If you're not satisfied with my response, you can escalate your complaint to:

• an independent reviewer (if applicable)

• the national Data Protection Regulator under the DUAA 2025

I will give you the contact details and explain what each route involves.

7. I will store your complaint securely. I will keep complaint records for at least six years. They will be stored with strict access controls, encryption, and full audit trails. Only authorised staff will be able to view them.

8. I review complaints annually and look for patterns, risks, and areas where I can improve. This helps me strengthen my data protection practices and ensure I continue to meet DUAA 2025 standards.

The next step forward & services offered

Visiting my website may already mean you have made the decision to take the next step forward... so I would be very pleased to hear from you by phone or email and would be very happy to have an initial conversation or meet with you to explore whether we can work together and if I can offer the support and help you’re looking for.


My counselling service is on an individual basis for adults (18+) and can be: on a personal face to face basis at either Chilton or Wantage (including walk and talk therapy sessions from my home location); or by, video link, mobile or landline phone by mutual agreement.


©GFC Counselling & Therapy is powered by WebHealer

Privacy PolicyAdmin Login