Patient and Medical Practitioner Privacy Policy

(Last updated 13th May 2021)


Data subjects whose personal data is collected (whether they are users of the Company’s services or contracted with the Company as the provider of medical advice to users of the Company’s services) in line with the requirements of the GDPR.


The GDPR Owner is responsible for ensuring that this notice is made available to data subjects prior to Medstars collecting/processing their personal data.
All employees of Medstars who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and their consent to the processing of their data is secured.


In this statement We have used certain terms which are set out in the EU’s General Data Protection Regulation (GDPR or the Regulation):
  • personal data means: any information relating to an identified or identifiable natural person (data subject)
  • an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
  • controller means: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • processor means: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
  • processing means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
  • sensitive personal data means: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation


Who are we?

We are Medstars Limited, a company registered in England and Wales under company number 08982663 whose registered office is situated at The Oakley, Kidderminster Road, Droitwich, Worcestershire, England WR9 9AY.

For the purpose of the Data Protection Act 1998 and the General Data Protection Regulation 16/679, the data controller is Medstars, which has ICO registration number ZB047428.

What we do

We offer an online service under which prospective patients can contact Medical Doctors with a view to receiving medical advice and treatment.

Our Status under GDPR

As we determine the purposes and means of the processing of your personal data, we are a controller under GDPR. In certain circumstances, such as where we are subject to the instructions of the Medical Doctors who we introduce to you, we are a processor.

Contacting Us

Our GDPR Owner can be contacted directly here:

  • Tel: 00 44 330 088 9279
  • Email:

The Personal Data We Collect

Upon registration as a prospective patient, we collect personal data from you. The personal data we would like to collect from you and process is listed below. For each personal data type, the source is given (where Medstars obtained the personal data from if it has not been collected directly from you, the data subject. Note if the personal data has been accessed from publicly accessible sources):

  • Personal data type: Name and address of the registrant or adviser. Source: Direct Contact
  • Personal data type: Summary details of the reason for the call; interaction. Source: Direct Contact
  • Personal data type: Additional data requested in online interaction relating to the data subject’s requirement for the Company services. Source: Direct Contact
  • Personal data type: Adviser only: extensive liaison with regard to the adviser’s academic and work qualifications, including third party verification such as DBS checks. Source: Direct contact and third party verification

The Purpose of Collecting Personal Data

The personal data we collect will be used for the following purposes:

  1. To establish the suitability of our service for the data subject
  2. To connect the data subject with a Medical Doctor qualified to provide tailored medical advice and as necessary, diagnosis

Recipients of the Personal Data We Collect

Personal data will be shared with Medical Doctors with whom Medstars has a commercial relationship, in addition to third party service providers for the purposes of secure retention of personal data under the terms of a data processing agreement.

The Legal Basis Under Which We collect Personal Data

The two lawful reasons Medstars uses to process personal data are set out in Article 6 of the Regulation. Processing will only be lawful if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) (Consent)).
  2. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6 (1) (f) (Legitimate Interest)).


Where We process personal data as a result of data subject consent, We ensure that consent is freely given, specific and informed, and established by a clear affirmative act. Where consent is withdrawn, we have set out (below) how this may be undertaken by the data subject.

Legitimate Interest

Where We process personal data as it is necessary for the purpose of our legitimate interests, We do so on the basis of a balanced evaluation of our interests and the rights and freedoms of the data subject which require protection. Presently, We have concluded that the way We manage the processing of personal data results in a cumulation of data subject protections which show that the balance is in favour of Medstars being able to rely on Article 6.1(f) of the Regulation as a lawful reason to process personal data.

Our Legitimate Interests

In providing our services to you, Medstars offers prospective patients the option of obtaining medical advice and treatment with suitably qualified Medical Doctors. On balance, given that this is a service that is both necessary and of general utility, and that Medstars does not process personal data for any reason other than facilitating the provision of medical advice and treatment, Medstars deems the legitimate interest lawful reason for processing personal data to be appropriate.

Sensitive Personal Data

Where you provide us with sensitive personal data, we may only process this under an exception to the general prohibition set out in Article 9 of GDPR. Under Article 9(2)(h) GDPR, processing of personal data for, inter alia, the purposes of medical diagnosis is a lawful reason for the processing of personal data.


By consenting to our processing personal data as set out in this privacy notice you are giving us permission to process your personal data specifically for the purposes identified. Consent is required for Medstars to process your personal data, and it must be freely given, specific and informed and established by a clear affirmative act. Where we are asking you for Sensitive Personal Data we will always tell you why and how the information will be used.

Withdrawing Consent

You may withdraw consent at any time by emailing us at the following address: with the following statement:


I [STATE YOUR NAME] hereby withdraw my consent for Medstars Limited to process my personal data. Signed by data subject: [STATE YOUR NAME]


Medstars will periodically disclose your personal data to third parties. The recipients of your personal data are as follows:

  1. Service providers to you, being Medical Doctors with whom the Company has contracted to provide medical services
  2. Data storage businesses, with whom we have entered into data processing agreements pursuant to the terms of Article 28 GDPR
  3. Businesses and organisations which provide email and business efficiency tools, such as Google, with whom we have entered into data processing agreements pursuant to Article 28 GDPR
  4. Businesses which specialise in marketing, such as Mailchimp, with whom we have entered into data processing agreements pursuant to Article 28 GDPR
  5. Occasional access, which is limited to the specific needs of the Company, subject at all times to the provisions of Article 5 GDPR

Retention period

The Company will process personal data in accordance with the principles set out in Article 5 GDPR, namely that personal data will only be stored for as long as necessary. Where personal data is not required, it is deleted; where it is not required but may be subject to legal proceedings in the future, personal data is kept pursuant to the appropriate limitation period, namely 6 years. Tax-related data is kept for 7 years. In each case, such personal data will be archived with restricted access.

Your rights as a data subject

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

  1. Right of access: you have the right to request a copy of the information that we hold about you.
  2. Right of rectification: you have a right to correct data that we hold about you that is inaccurate or incomplete.
  3. Right to be forgotten: in certain circumstances you can ask for the data we hold about you to be erased from our records.
  4. Right to restriction of processing: where certain conditions apply, you have a right to restrict the processing.
  5. Right of portability: you have the right to have the data we hold about you transferred to another organisation.
  6. Right to object: you have the right to object to certain types of processing such as direct marketing.
  7. Right to object to automated processing, including profiling: you also have the right to be subject to the legal effects of automated processing or profiling.
  8. Right to judicial review: in the event that Medstars refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 4.16 below.

All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.


In the event that you wish to make a complaint about how your personal data is being processed by Medstars, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and with Medstars’ data protection representative, the GDPR Owner. The details for each of these contacts are:

Supervisory authority contact details

  • Contact Name: Information Commissioner
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane
  • Tel: 0303 123 1113 (local rate), or 01625 545 745 if you prefer to use a national rate number
  • Fax: 01625 524 510

GDPR Owner contact details

  • Contact Name: Director, Medstars Limited
  • Address: The Oakley, Kidderminster Road
  • Email us:
  • Call us: +44 330 088 9279

Document Owner and Approval

The GDPR Owner is the owner of this document.