Mayfair Children's Clinic
Mayfair Children’s Clinic Ltd (MCC, the Clinic, we or our) is an independent provider of private healthcare in central London. In order to provide healthcare services and receive payment for those services, MCC needs to collect and process certain information about You, which can identify You as an individual or individuals, what is commonly referred to as ‘personal data’. You, or you and your child or children, or you and the child or children for whom you are the legal guardian and for whom you make decisions about their welfare is hereinbefore and hereinafter referred to as “You” or “Your”. We are, in almost all circumstances, the ‘Data Controller’ for the information that we collect and process about You, and You are the ‘Data Subject’ or ‘Data Subjects’. We are responsible for deciding how we hold and use Your personal data, for taking care of Your personal data and ensuring that anyone we work with, who might need to access Your personal data, also takes care of it and follows our rules. If there is ever a situation where some other organisation or person is the data controller of Your personal data, we will let you know. MCC is committed to protecting and respecting Your privacy and Your personal data in accordance with the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). You are in control of Your personal data. For more information you can contact our Chief Executive Officer at admin@mcc.london. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. We aim to resolve any concern you might have quickly and easily. If you have contacted us about your personal information but are not satisfied with our response, you can contact the UK’s Information Commissioner’s Office for further information or to make a complaint.
Telephone: 020 7493 0707
Email: admin@mcc.london
We collect personal information about You when you contact us about our services, make an appointment with us for treatment or are referred to us by another medical professional, or apply for a job with us.
In order to support Your care, our clinicians maintain records about You. This can include:
We also collect information about You when you complete our patient satisfaction feedback questionnaire or submit your details for a job application. As you interact with our website, we may automatically collect personal data by using cookies; this will however be dictated by the cookies that you allow.
Most of the personal information we process is provided to us directly by you via our Patient Registration Form. We may also receive personal information indirectly, from Your consultant, general practitioner (GP), NHS Trust, independent healthcare provider, insurer, family member or international medical service. We almost never obtain information about You without your prior knowledge; you should know about personal information being sent to us prior to us receiving it.
Your website usage data may be collected and processed if you choose to allow cookies to collect your information.
Under UK GDPR, we are required to show a clear link between types of personal data processed, the purpose of processing, the lawful basis for using personal data, and what exceptions are relied upon for processing special category data. The table below shows what personal data we process, its purpose and lawful basis, and the exceptions we rely upon to process special category data, at the Clinic.
| Purpose of Processing | Types of Personal Data | Lawful Basis for Processing Personal Data | Lawful Basis for Processing Special Categories of Personal Data |
|---|---|---|---|
| Contacting you following an enquiry | Basic contact details, special category data (health, appointments, genetic info) | Contractual obligation, Article 6(1)(b) | Healthcare condition, 9(2)(h); Vital interests, 9(2)(c); Legal defence, 9(2)(f) |
| Disclose info to regulatory bodies | Basic contact + health info | Legal obligation, Article 6(1)(c) | Public interest, 9(2)(g); Public health, 9(2)(i) |
| To provide You with healthcare | Basic contact + health info | Contractual obligation, Article 6(1)(b) | Healthcare condition, 9(2)(h); Vital interests, 9(2)(c) |
| Sharing updates with third-party professionals or insurers | Basic contact + health info | Consent, 6(1)(a); Contractual obligation, 6(1)(b); Legitimate interests, 6(1)(f) | Healthcare condition, 9(2)(h); Public health, 9(2)(i) |
| Account, billing, payments | Contact details, insurance, bank/card info, health data | Contractual obligation, 6(1)(b); Legitimate interests, 6(1)(f) | Healthcare condition, 9(2)(h); Legal defence, 9(2)(f); Vital interests, 9(2)(c) |
| Marketing info | Contact details, marketing preferences | Consent, 6(1)(a) | - |
| Feedback or legal claims | Contact + health data | Consent, 6(1)(a); Legal obligation, 6(1)(c); Legitimate interests, 6(1)(f) | Legal defence, 9(2)(f) |
| Use of CCTV | Still images, video, time & date | Legitimate interests, 6(1)(f) | - |
| Improve website functionality/security | Technical data (IP, browser, OS, plugins) | Consent, 6(1)(a); Legitimate interests, 6(1)(f) | - |
UK GDPR singles out some types of sensitive personal data and gives them extra protection. Special category data is defined at Article 9 of UK GDPR and includes personal data revealing: racial or ethnic origin; genetic data, relating to inherited genetic characteristics of a natural person; biometric data, which allow the unique identification of a natural person; data concerning health; and data concerning a natural person’s sex life or sexual orientation.
Article 9 prohibits the processing of special category data unless it is for one of the ten provided exceptions. We only process special category data where we can meet the condition of Article 9(2)(h) of UK GDPR, where processing is necessary for the purposes of … medical diagnosis, the provision of health care … pursuant to contract with a health professional …”
In most cases, MCC will rely on Article 6(1)(b) and Article 9(2)(h) of the UK GDPR for the processing of your personal data. Contractual obligation, Article 6(1)(b) — “… necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract …”. Healthcare condition, Article 9(2)(h) – “… necessary for the purposes of … medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of … law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 of Article 9”. In addition, MCC may rely on one or more of the following bases including when sharing personal data: Consent, Article 6(1)(a) – “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Legal obligation, Article 6(1)(c) – “processing is necessary for compliance with a legal obligation to which the controller is subject” Vital interest, Article 6(1)(d) – ” processing is necessary in order to protect the vital interests of the data subject or of another natural person” Public interest, Article 6(1)(e) – “processing relates to personal data which are manifestly made public by the data subject” Legitimate interests, Article 6(1)(f) – “… necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”
Vital interests of the Data Subject, Article 9(2)(c) – “… necessary to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent …” Legal defence, Article 9(2)(f) – “… processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity …”; Substantial public interest, Article 9(2)(g) – “… necessary for reasons of substantial public interest …” Public interest in the area of public health, Article 9(2)(i) – “… necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health … “
We will use information about You to enable us to arrange appointments with the appropriate clinician and/or investigations or treatments to ensure that You are receiving care appropriate to Your clinical needs. We will not disclose Your personal data without your permission except in exceptional circumstances (i.e. life or death situations), unless we are required to do so by law. If You have been referred to us for consultation/investigation/treatment by another medical or allied professional, we may disclose details of Your investigations/treatment to them where appropriate. We will discuss any disclosure with You in advance. You can ask for some information not to be shared but this may result in the delivery of Your care being less efficient. We may share Your information with selected third parties including clinical facilities, suppliers and sub-contractors for the performance of any contract we enter into with them or you; credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you. We will share information about Your treatment with us with your insurance company in line with the terms of the policy that you have in place with them. We will use Your information to provide you with details about other services or products that we offer that we think will be relevant to your ongoing care or of may be of interest to you. We may use Your information to respond or investigate any queries or complaint, or to conduct analysis or evaluate our services. We use the personal information that you have given or third-parties have provided to us:
We would like to send you information about products and services of ours and other companies we work with which may be of interest to you. If you have consented to receive marketing, you may opt out at a later date. You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please email admin@mcc.london.
Under the UK GDPR you have a number of rights with regard to how Your personal data is handled. You have the right to request a copy of the information that we hold about You. If you would like a copy of some, or all, of Your personal information please email the Chief Executive Officer at admin@mcc.london or write to us at the following address: Mayfair Children’s Clinic, 15 Chesterfield Street, London W1J 5JN. If Your personal details change, or it comes to your attention that the information we hold about You is inaccurate in any way please let us know and we will make the appropriate corrections.
We use systems, technology and support vendors who may store or have access to physical or cloud storage which resides in the UK or abroad. This includes countries both within the European Economic Area (“EEA”) and, in limited circumstances, those further afield, for example in the United States of America. Where we store or share personal data with a third party in a country outside of the UK or EEA, we will put appropriate safeguards in place to protect that data in accordance with relevant data protection laws and the ICO’s guidance. These range from a contract with the third-party supplier through to technical measures to protect it while it gets there. We may also need to share Your data with a third party in a country outside of the UK if you are a resident of another country and that third party is authorising or providing part of your care.
We avoid sharing Your data with anyone outside of the Clinic. There will however be situations where this is not possible, and a third party will need to access or be given a copy of Your personal data. Examples of who we share data with include:
Where personal data identifying You is not required, we will avoid using it as much as possible and may either anonymise the data or hide your details.
As outlined in the UK Data Protection Act 2018, personal data should be limited to only what is necessary and retained no longer than necessary. The Clinic only keeps Your data for as long as it is required either by English Law, health regulatory best practice, codes of practice or our own legitimate business needs. The range of retentions varies per type of data. We align our retention periods for the storage of patient information and records to the NHS Records Management Code of Practice. You can request a copy of the MCC Data Retention Policy from the reception desk or download a copy from our website.
We protect the personal data we hold from theft, accidental loss, corruption, and other threats that would have a negative impact on our patients, consultants, staff and suppliers. These protective measures include:
MCC is committed to ensuring a high level of protection for Your personal data while it is under our control.
Under data protection legislation, with regard to personal data, you have rights including:
Your right of access – You have the right to ask us for copies of Your personal information.
Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase Your personal information in certain circumstances. (‘Right to be Forgotten’)
Your right to restriction of processing – You have the right to ask us to restrict the processing of Your personal information in certain circumstances.
Your right to object to processing – You have the right to object to the processing of Your personal information in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please contact MCC’s Chief Executive Officer at Mayfair Children’s Clinic, 15 Chesterfield Street, London W1J 5JN, or at admin@mcc.london, if you wish to make a request.
You can withdraw your consent to receive information about our events and news at any time by using the unsubscribe link contained in all relevant communications or by contacting our Chief Executive Officer. You do also have the right to refuse/withdraw consent to information sharing at any time. We will fully explain the possible consequences to you at such a time as withdrawing consent could include delays in you receiving care.
If you have any concerns about our use of Your personal data, you can make a complaint to our Chief Executive Officer at Mayfair Children’s Clinic, 15 Chesterfield Street, London W1J 5JN, or at admin@mcc.london. You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used Your personal data. The ICO’s address: Information Commissioner’s Office Wycliffe House, Water Lane Wilmslow, Cheshire SK9 5AF Helpline number: 0303 123 1113 ICO website: https://www.ico.org.uk
Children have the same rights as adults over their personal data. These are set out in Chapter III and VIII of the UK GDPR. A child may exercise their rights on their own behalf as long as they are competent to do so. In England, competence is assessed depending upon the level of understanding of the child, but it does indicate an approach that will be reasonable in many cases. A child should not be considered to be competent if it is evident that he or she is acting against their own best interests. If we decide that a child is competent to provide their own consent then it will usually be reasonable to assume they are also competent to exercise their own data protection rights. If a child is competent then, just like an adult, they may authorise someone else to act on their behalf. This could be a parent, another adult, or a representative such as a child advocacy service, charity or solicitor. Even if a child is too young to understand the implications of their rights, they are still their rights, rather than anyone else’s such as a parent or guardian. We will therefore only allow parents to exercise these rights on behalf of a child (a) if the child authorises them to do so, (b) when the child does not have sufficient understanding to exercise the rights for him or herself, or (c) when it is evident that this is in the best interests of the child.
We regularly review our Privacy Policy and will update this page when necessary. This Privacy Policy was last updated on 10 April 2025, and is in effect from 11 April 2025.
15 Chesterfield Street, London W1J 5JN
020 7493 0707
admin@mcc.london
© 2025 Mayfair Children’s Clinic Ltd. All rights reserved
