Data Processing Agreement
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the agreement between PsyMentalHealth Ltd ("Data Controller") and clients ("Data Subjects") for the provision of therapeutic services. This DPA supplements our Privacy Policy and outlines how we process personal data in compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
This agreement applies to all personal data processing activities undertaken by PsyMentalHealth Ltd in connection with providing therapeutic services, managing appointments, and operating our website.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion
- "Data Controller" means PsyMentalHealth Ltd, which determines the purposes and means of processing personal data
- "Data Processor" means any third party that processes personal data on behalf of PsyMentalHealth Ltd
- "Data Subject" means the individual whose personal data is being processed
- "Special Categories of Data" means sensitive personal data including health information, racial or ethnic origin, religious beliefs, etc.
- "Sub-processor" means any processor engaged by a data processor
3. Roles and Responsibilities
3.1 PsyMentalHealth Ltd as Data Controller
PsyMentalHealth Ltd acts as Data Controller for:
- Contact information collected through appointment requests
- Website usage data and analytics
- Email communications and correspondence
- Marketing preferences (where applicable)
- Administrative records and billing information
3.2 Independent Practitioners as Data Controllers
Individual therapists associated with PsyMentalHealth operate as independent practitioners and act as separate Data Controllers for:
- Clinical notes and therapy session records
- Assessment results and clinical observations
- Treatment plans and therapeutic correspondence
- Clinical supervision records
Each practitioner is responsible for their own data protection compliance and maintains a separate therapeutic contract with clients.
4. Categories of Personal Data
4.1 Standard Personal Data:
- Name, email address, phone number
- Postal address
- Date of birth and age
- Appointment preferences and history
- Communication records
- Payment and billing information
4.2 Special Categories of Personal Data:
- Mental health information
- Medical history and current health status
- Psychological assessment results
- Therapy session notes and clinical observations
- Information about children (processed with parental consent)
5. Purposes of Processing
We process personal data for the following purposes:
- Service Delivery: Providing therapeutic services, managing appointments, and facilitating communication between clients and practitioners
- Clinical Care: Maintaining clinical records, conducting assessments, and supporting ongoing treatment
- Administrative Functions: Managing bookings, processing payments, and handling inquiries
- Legal Compliance: Meeting professional standards, responding to legal requirements, and maintaining required records
- Service Improvement: Analyzing service usage to improve quality and user experience
- Communication: Sending appointment confirmations, reminders, and service-related updates
6. Legal Basis for Processing
6.1 Contract Performance (Article 6(1)(b) GDPR):
Processing necessary to provide therapeutic services you have requested.
6.2 Explicit Consent (Article 9(2)(a) GDPR):
For processing special categories of data (health information), we obtain your explicit written consent. You have the right to withdraw this consent at any time.
6.3 Legal Obligation (Article 6(1)(c) GDPR):
Processing required to comply with legal obligations, including:
- Professional body requirements
- Safeguarding obligations
- Tax and financial regulations
- Court orders or legal proceedings
6.4 Vital Interests (Article 6(1)(d) and 9(2)(c) GDPR):
Processing necessary to protect life or physical safety in emergency situations.
6.5 Legitimate Interests (Article 6(1)(f) GDPR):
For administrative purposes, fraud prevention, and service improvement, where not overridden by your rights and interests.
7. Data Processing Operations
7.1 Collection:
- Directly from you via appointment forms and intake questionnaires
- During phone calls and email correspondence
- Through therapeutic sessions and assessments
- Automatically via website cookies and analytics
7.2 Storage:
- Secure servers located within the European Economic Area (EEA)
- Encrypted databases with access controls
- Individual practitioner record systems (compliant with professional standards)
- Regular backups with secure storage
7.3 Use:
- Accessing records to provide ongoing care
- Sharing information with your assigned practitioner
- Processing payments and managing accounts
- Analyzing anonymized data for service improvement
7.4 Disclosure:
- To independent practitioners for service delivery
- To authorized service providers (IT support, hosting)
- As required by law or professional obligations
- With your explicit consent for referrals or insurance claims
7.5 Deletion:
- Upon request (subject to legal retention requirements)
- When data is no longer necessary for stated purposes
- After applicable retention periods expire
- Secure deletion methods ensuring data cannot be recovered
8. Data Retention Periods
Appointment Requests (not progressing to therapy): 12 months
Clinical Records (Adults): 7 years after last contact
Clinical Records (Children): Until age 25 or 7 years after last contact, whichever is later
Financial Records: 6 years (Irish tax law requirement)
Assessment Reports: Indefinitely (with client consent) or as per professional guidelines
Email Communications: Duration of therapeutic relationship plus 7 years
Website Analytics: 26 months (anonymized)
9. Security Measures
9.1 Technical Measures:
- SSL/TLS encryption for data transmission
- Database encryption at rest
- Multi-factor authentication for administrative access
- Regular security updates and patches
- Firewall and intrusion detection systems
- Secure backup procedures with encryption
- Regular security audits and vulnerability assessments
9.2 Organizational Measures:
- Staff training on data protection and confidentiality
- Access controls and role-based permissions
- Confidentiality agreements with all staff and contractors
- Clear data handling procedures and policies
- Incident response and breach notification procedures
- Regular review of security practices
- Secure disposal of physical records
10. Sub-processors and Third Parties
We engage the following categories of sub-processors to assist with data processing:
Website Hosting and Infrastructure
Purpose: Hosting website and storing data
Location: European Economic Area
Security: ISO 27001 certified, GDPR compliant
Email Services
Purpose: Sending appointment confirmations and communications
Location: European Economic Area
Security: Encrypted transmission, GDPR compliant
Analytics Services
Purpose: Website usage analysis (anonymized data)
Location: Google Analytics (with data processing agreement)
Security: IP anonymization enabled, data retention limits
All sub-processors are carefully selected and bound by data processing agreements that ensure GDPR compliance. We conduct due diligence on their security practices and monitor their performance.
11. International Data Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the European Commission
- Transfers to countries with adequacy decisions under GDPR
- Binding Corporate Rules for multinational processors
- Explicit consent for specific transfers where necessary
You have the right to request information about any international transfers and the safeguards in place.
12. Data Subject Rights
Under GDPR, you have the following rights regarding your personal data:
12.1 Right of Access (Article 15): Request a copy of your personal data and information about how it is processed.
12.2 Right to Rectification (Article 16): Request correction of inaccurate or incomplete data.
12.3 Right to Erasure (Article 17): Request deletion of your data, subject to legal retention requirements and legitimate grounds for retention.
12.4 Right to Restrict Processing (Article 18): Request limitation of processing in certain circumstances.
12.5 Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
12.6 Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
12.7 Rights Related to Automated Decision-Making (Article 22): We do not use automated decision-making or profiling.
12.8 Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
12.9 Right to Lodge a Complaint: File a complaint with the Data Protection Commission (Ireland) if you believe your rights have been violated.
To exercise any of these rights, contact us at info@psymentalhealth.ie. We will respond within one month of receiving your request.
13. Data Breach Procedures
In the event of a personal data breach, we will:
- Assess the breach and contain it immediately
- Document the breach, including facts, effects, and remedial action
- Notify the Data Protection Commission within 72 hours if the breach poses a risk to rights and freedoms
- Notify affected individuals without undue delay if the breach poses a high risk
- Implement measures to prevent future breaches
- Review and update security procedures as necessary
14. Professional and Legal Obligations
Processing may be required or permitted by professional and legal obligations, including:
- Safeguarding: Disclosure may be necessary to protect children or vulnerable adults from harm
- Court Orders: We may be required to disclose information in legal proceedings
- Professional Standards: Maintaining records as required by accreditation bodies (IACP, ICP, PSI, etc.)
- Clinical Supervision: Anonymized case discussions for professional development
- Insurance: Providing information to support insurance claims (with your consent)
15. Children's Data
When processing data about children and adolescents:
- We obtain parental or guardian consent before processing
- We recognize that children may have a right to confidentiality in therapeutic contexts
- We balance child protection with therapeutic confidentiality
- We retain records for extended periods (until age 25 or 7 years after last contact)
- We follow professional guidelines on sharing information with parents/guardians
16. Updates to This Agreement
We may update this Data Processing Agreement to reflect changes in:
- Legal or regulatory requirements
- Our data processing practices
- Technology or security measures
- Professional standards and guidelines
Significant changes will be communicated via email or website notice. The "Last Updated" date indicates the most recent revision.
17. Contact and Complaints
For questions about data processing or to exercise your rights, contact:
PsyMentalHealth Ltd
Data Protection Officer / Practice Manager
1st Floor, 3 Dublin Road, Naas, Co. Kildare, W91 XC5Y
Email: info@psymentalhealth.ie
Phone: +353 89 483 7514
You have the right to lodge a complaint with the supervisory authority:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Phone: +353 (0)761 104 800
Email: info@dataprotection.ie
Website: www.dataprotection.ie
18. Governing Law
This Data Processing Agreement is governed by Irish law and the General Data Protection Regulation (EU) 2016/679. Any disputes arising from data processing shall be subject to the jurisdiction of the Irish courts.