This is the Privacy Notice of Flourish Therapy.

This privacy notice explains how we collect and use personal information about individuals.


All data subjects whose personal data is collected, in line with the requirements of the EU’s General Data Protection Regulation (GDPR). Under the GDPR, personal data is defined as:


any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


Privacy Notice

Who are we?

This is Flourish Therapy. Flourish Therapy is the trading name of Susan Chambers-Downie’s counselling and psychotherapy business.

I, Susan Chambers-Downie, am a registered and accredited member of the BACP (British Association of Counsellors and Psychotherapists). I adhere to the BACP Ethical Framework for Good Practice.

Flourish Therapy (referred to in this Privacy Notice as “I”, “me”, “myself”, “she”, “her”, “we”, “our” or “us”) is the Data Controller under the GDPR. This privacy notice sets out how we process personal data (referred to in this Privacy Notice as “you” or “your”).

Contact details are as follows:

  • Address: Suite 328, Central Chambers, 11 Bothwell Street, Glasgow, G2 6LY
  • Telephone number: 0775 3837992
  • Website:

An online contact form can be found in the Contact page on the aforementioned website.

I am registered as a data controller with the UK Information Commissioner and the reference number is: ZA448722.

How I use your personal data

I process any personal data under the requirements of the General Data Protection Regulation (EU) 2016/679 (the GDPR) and the Data Protection Act 2018 (the DPA).

What is personal data?

Personal data is any information from which a living individual can be identified.
I will hold all personal data securely; I will only use it for the purposes it was collected or acquired for, and I will only pass it on to third parties with your consent or according to a legal obligation.

Further information about the data protection legislation and your rights is available here:

Why do I need your personal information?

The only information I need is for contact details and mutually agreed referral (for example to your GP). Your personal notes are handwritten and, unless otherwise requested earlier by you, will be securely disposed of by shredding after five years.

What types of personal data do I collect and process?

The personal data I may collect and process from you could include:

Name, postal address, email address, telephone number, date of birth, GP and emergency contact details.

How will I use your personal data?

The legal basis for processing personal data:

Data protection law states that I must have a legal basis for handling your personal data. The permitted legal bases can be found in the GDPR and the DPA. Our legal basis for processing your personal data is dependent on the purpose for processing and may vary. In general, we process your personal data under the following legal bases:

Your consent

We process your personal data if you have consented to the processing activity. You may revoke your consent at any time. Doing so will bar us from further processing of your personal data based on your consent but will not impact the lawfulness of processing based on your consent before it was withdrawn.

Legal obligations

We process your personal data as needed to comply with laws and regulations.

Other processing activities

For other activities and functions which involve the processing of personal data, the legal basis for processing may, depending on the circumstances, be:

  • Processing necessary to protect vital interests of individuals.
  • Processing necessary for the performance of a contract.

Categories of processing activities and corresponding legal basis:

Processing of personal data means anything from collecting, storing, using to sharing and deleting (see link above for more information).

I process personal data in the following ways:

Processing activityThe legal basisHow long I retain the data
Receiving, storing and responding to general enquiries by letter, email or in person.Consent. As this data has been received, I shall generally have the consent to store such information.I will store this data for no longer than necessary. Data which is written on or received by paper will be disposed of by a micro-cut shredder, once dealt with. Unless request by you this will be for 5 years.
Receiving, storing and responding to complaints by letter, email or in person.I will store this data until the 1st May (or closest working day before this date), in the year five years after the year the complaint was received. For example, a complaint received in November 2016, will be retained until 1st May 2021, unless still ongoing. Data will be reviewed on the 1st May (or closest working day before this date) from 2021 and each year thereafter. On review, if there is no further action to be taken (e.g. complaints are no longer open, no response from the person whose data is being held), then this data will be securely destroyed.
Receiving and storing data in relation to a personal issue or problem raised by a patient.All data will be disposed of in accordance to our contract; after 5 years unless you indicate otherwise.
Collect and use data for the purpose of sending out newsletters.N/A
Take, store and use photos and videos in connection with my work. N/A

Further information on the types of data collected:

  • Personal data related to which is received as a letter, will be shredded within one month of receipt. Documentation, casework and non-casework (i.e. bills and invitations) is kept in a secure office a door which is locked with a key (and a security door which requires a PIN), and within a locked filing cabinet.
  • E-mails are kept on a secure system.
  • Voicemails are immediately erased after being dealt with, unless kept for a particular purpose. For example, a voicemail left which may be retained to be provided to the police (whilst ensuring DPA and GDPR legislation is adhered to).

Sharing of Personal Data

I may pass your personal data on to third party service providers in the course of dealing with your enquiry, such as, with your explicit consent, referral to an alternative therapist or communication with a medical practitioner. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to provide us with information relating to the specific enquiry you have raised with us.

I sometimes may be required to share the personal information I hold with other individuals or organisations including (non-exhaustive) for example:

  •  healthcare, social and welfare organisations.
  • statutory law enforcement agencies.
  • investigating bodies.
  • elected representatives and other holders of public office.
  • crime prevention agencies and the police.

Depending on the circumstances, the legal basis for sharing data with these organisations may be that:

  • the sharing is necessary for complying with a legal obligation to which I am subject (Art 6(1)(c) GDPR);
  • the sharing is necessary in order to protect the vital interests of the data subject or of another person (Art 6(1)(d)); or
  • the sharing is necessary for the performance of a task carried out in the public interest or substantial public interest (Art 6(1)(e) or Art 9(2)(g) GDPR).

I may seek your prior express consent to share your personal data with any of the following:

  • family, associates and representatives of the person whose personal data I am processing.

The consequences of my not processing personal data are:

Where I am processing personal data for the performance of a contract, the consequence of not processing the personal data is that I may not be able to fulfil my obligations under that contract.

Where I am processing personal data in accordance with a statutory obligation, the consequence of not processing personal data may be that I am liable to regulatory fines for non-compliance with that statutory duty.

Automated data processing

I do not use automated processing techniques to process your data.

Sharing or processing personal data outside the EEA

I do not intend to share or process personal data in locations outside the EEA.

Using my website

My website contains an enquiry form which is directed to my email address. Any information supplied via this form is confidential.

Your rights

The GDPR sets out the rights which individuals have in relation to personal information held about them by data controllers. These rights are listed below, although whether you will be able to exercise each of these rights in a particular case may depend on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place (see the individual privacy notices listed above for further details in relation to specific processing activities).

Access to your information – You have the right to request a copy of the personal information about you that I hold.

Correcting your information – I want to make sure that your personal information is accurate, complete and up to date. Therefore, you may ask me to correct any personal information about you that you believe does not meet these standards.

Deletion of your information –  You have the right to ask me to delete personal information about you where:

  • You consider that I no longer require the information for the purposes for which it was obtained.
  • I am using that information with your consent and you have withdrawn your consent.
  • You have validly objected to my use of your personal information –my use of your personal information is contrary to law or our other legal obligations.

Objecting to how we may use your information – You have the right at any time to require me to stop using your personal information for direct marketing purposes. In addition, where I use your personal information to perform tasks carried out in the public interest or for a legitimate interest then, if you ask me to, I will stop using that personal information unless there are overriding legitimate grounds.

Restricting how we may use your information – in some cases, you may ask me to restrict how I use your personal information. This right might apply, for example, where I am checking the accuracy of personal information about you that I hold or assessing the validity of any objection you have made to my use of your information. The right might also apply where this is no longer a basis for using your personal information, but you don’t want me to delete the data. Where this right is validly exercised, I may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent using your information – Where I use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.

Please contact me using the contact details provided above.

Changes to my privacy statement

I keep this privacy statement under regular review and will place any updates on my website. Paper copies of the privacy statement may also be obtained using my contact information.

This privacy statement was last updated on 5th August 2018.

Contact information and further advice

Please contact me using the contact details provided above.


I seek to resolve directly all complaints about how I handle personal information but you also have the right to lodge a complaint with the Information Commissioner’s Office.

By telephone: 0303 123 1113
By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF