The GDPR and the Data Protection Act in Ireland

The European Union’s General Data Protection Regulation (GDPR) and the Data Protection Act 2018 guarantees individuals’ rights regarding the processing of their personal data in Ireland. Both laws work to protect citizens’ rights to privacy and ensure that personal data is not being used without proper authority. These laws enhance consumer protection and create additional obligations for physiotherapists when collecting and storing patient data.

West Coast Physio is committed to protecting your rights under the GDPR and the Data Protection Act in Ireland. The purpose of this Privacy Statement is to inform you of the reasons we collect your data, how your information is stored and retained, and your rights with respect to us processing your data. 

Purposes and Use of Personal Data

We collect personal and medical data as necessary for the provision of physiotherapy services, massage therapy, and rehabilitation strategies. We keep this information so that we can diagnose and assess your current condition as well as improve our understanding and treat future or recurring injuries you may later present with. The legal bases on which we process your personal data are that individual patient consent was given, to meet our contractual obligations for physiotherapy treatment, and this is necessary for our legitimate interests in conducting our physiotherapy business.

We ask for information regarding your current and past health so that a detailed and accurate physiotherapy assessment may take place and an appropriate treatment plan put into action. We ask for your occupation and hobbies as both occupational and physical factors can contribute to musculoskeletal problems. 

We use your mobile number and email address to contact you with your booking confirmations, appointment reminders, invoices, receipts, and home exercise plans. We also use this in order to follow up with you in relation to the management of your pain or injury. Your date of birth and gender are used to uniquely identify you for our records. We ask whether you are a student or have an HSE medical card because we provide a discount for the same.

Data Storage and Protection

Your personal information and treatment notes are securely hosted on a practice management software package called TM3. TM3 is GDPR-compliant and has advanced security in storing sensitive data and preventing unlawful access or disclosure of personal data.

All staff members at West Coast Physio have access to client records. All staff members are bound by the Irish Chartered Society of Physiotherapy (ICSP) and the CORU standards of conduct, performance and ethics.

We may share your personal information with third parties such as a virtual administrator for telephone reception and an accountant for tax and audit purposes. If we need to talk with your General Practitioner or another healthcare provider on your behalf, we will obtain your consent before doing so. Other than set out above, no personal data will be released to a third party without your express authorization except when required by law or in the public interest to prevent harm to others. 

Data Retention

West Coast Physio will retain your personal information for as long as is deemed necessary for the purposes of this Privacy Statement and to comply with our obligations under applicable laws and regulations. We will typically retain patient data for a minimum of eight years. For children’s records, the period of eight years begins at the time they reach 18 years old.

Your Data Rights

Under data protection regulation, and subject to certain circumstances and restrictions, you have the following rights in relation to your personal data: 

  • The right to access your personal data1;
  • The right to rectification and/or amendment of your personal data2;
  • The right to erasure and deletion of your personal data3;
  • The right to restrict processing of your personal data in order to verify the way we are using it4;
  • The right to object to the collection, use and storage of your personal data if it is being used for direct marketing or automated decision-making5;
  • The right to data portability meaning the right to receive your personal data you provided to us in a structured, commonly used and machine-readable format. You also have the right to request that we transmit your data to another controller6; and
  • Where the processing of your personal data is based on you having provided consent, you have the right to withdraw your consent at any time7.

If you think that West Coast Physio has not processed your data in accordance with data protection legislation, you have a right to lodge a complaint with the Data Protection Commissioner (DPC). In the unlikely event of a data breach, you and the DPC will be notified.

If you have any questions or wish to exercise any of the rights set out above, please contact us at westcoastphysioireland@gmail.com


(1) GDPR art 15.

(2) GDPR art 16.

(3) GDPR art 17.

(4) GDPR art 18.

(5) GDPR art 21.

(6) GDPR art 20.

(7) GDPR art 7.