Privacy Policy

At Soma Health we are committed to protecting your personal data and respecting your privacy.  This statement is provided with the intention to comply with your right to be informed, to access, to amend or remove your personal information in accordance with the Data Protection Act 1998 (DPA) and the General Data Protection Regulation (GDPR) 2018.

Soma Health as both the Data Controller and Data Processor is committed to protecting the rights of the individual and acknowledge that any personal data we handle will be processed in accordance with the Data Protection Act 1998 (DPA) and the new General Data Protection Regulations (GDPR) 2018.

What Data will be collected:

The following data maybe collected and shared by Soma Health:

  • Personal information (e.g. Name, Address, Date of Birth)
  • Characteristics (ethnicity, gender)
  • Past and present Job roles
  • Health Records

Who will it be collected from:

  • Human Resources
  • Managers
  • Group Leads
  • Employees
  • Occupational Health Physicians

Who do we process the personal data of:

Soma Health collects and processes personal data on former, current and prospective:

  • customers
  • corporate clients
  • corporate client employees

How will it be collected:

  • Post
  • E mail & OH software system Cohort.
  • Verbal

How will it be stored:

Your records will be stored in accordance with Soma Health’s medical records storage policy following GDPR regulations.

Who will my information be shared with:

We will not share information about ‘you’ with third parties without your consent unless the law allows us to.

Why do we process your personal data?

Soma Health will only process your personal information for the purpose for which we collected it. Please see below for further information.

Soma Health is a provider of occupational health services, designed to support business’s in the management of health issues in the workplace.  Therefore, Soma Health process’s personal data for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee.

To ensure the health and safety of the employees at work and to allow consideration of any adjustments that may be required to support their ability to work.

To provide you with up to date information regarding our range of services and to answer any queries raised from our contact form.

To send you communications which you have requested and that may be of interest to you.

To seek your views and comments on the range of services we provide through surveys and questionairres

Data may also be used for research, audit or statistics but will be anonymised if this is the case.

If we need to use your information for an unrelated purpose, we will contact you and we will explain the legal basis that allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with our obligations in the case of criminal investigation.

Lawful Basis for processing the information:

Lawful basis for processing this sensitive personalised information is for consent.

Additional condition –  Article 9(2)(h) specifically authorises processing of data as Occupational Medicine is a special category thus “processing is necessary for the purposes of Occupational Medicine” and Article 9(3) which states that processing is permitted “When this data is processed by a regulated health professional”.

How long will data be held for:

Management referral information will be held for 6 years after the employee has left their job or 75 years of age (whichever is soonest) as recommended by the British Medical Association (BMA).

Pre-placement medicals/assessments will be discarded after 2 years if the employee doesn’t take up the offer of the job.

Pre-Placement medicals/assessments who accepted the job offer, will be discarded after 3 years.

Health care students & non-health students will be discarded after 6 years, this date commences post the student leaving date of the University programme.

Medical retirement/Deceased employees, to wait until any appeals have lapsed then plus 3 years.

40 years in relation to Health Surveillance as required by the Health and Safety Executive (HSE).

What are your rights?

You have the right to be informed of fair processing information with a view to transparency of data.

You have the right to access the information we hold.  You should make such a request in writing to our Data Protection Officer using the above contact information.  We shall provide the data within 1 month.  In exceptional cases we may extend this to 3 months.  You will be notified within 1 month when we believe this to be an exceptional case requiring a longer period of compliance.  Where a request is manifestly unfounded or excessive we may charge a reasonable fee or refuse the request.  In the event of a fee or refusal, you will be advised of this and your further rights relating to the fee or refusal.

You have the right to request the information we hold is rectified if it is inaccurate or incomplete.  You should contact our Data Protection Officer and provide them with the details of any inaccurate or incomplete data.  We will then ensure that this is amended within one month.  We may, in complex cases, extend this period to two months.

You have the right to erasure in the form of deletion or removal of personal data where there is no compelling reason for its continued processing.  We have the right to refuse to erase data where this is necessary in the right of freedom of expression and information, to comply with a legal obligation for the performance of a public interest task, exercise of an official authority, for public health purposes in the public interest, for archiving purposes in the public interest, scientific research, historical research, statistical purposes or the exercise or defence of legal claims.  You will be advised of the grounds of our refusal should any such request be refused.

You have the right to restrict our processing of your data where you contest the accuracy of the data until the accuracy is verified.  You have the right to restrict our processing of your data where you object to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override your interests.

You have the right to restrict our processing of your data when processing is unlawful and you oppose erasure and request restriction instead.

You have the right to restrict our processing of your data where we no longer need the data and you require the data to establish, exercise or defend a legal claim.  You will be advised when we lift a restriction on processing.

You have the right to data portability in that you may obtain and reuse your data for your own purposes across different services, from one IT environment to another in a safe and secure way, without hindrance to usability.  The exact method will change from time to time.  You will be informed of the mechanism that may be in place should you choose to exercise this right.


You have the right to object to the following:

Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics. The data collected is not anticipated to fall within the above categories.

Do I have the right to withdraw?

You have the right to withdraw your consent at any time.  Once we have received notification that you have withdrawn your consent, we will no longer process your information, unless we have a legitimate basis to do so in law.

How can you contact us about your data or your data rights?

If you wish to contact us about your data, or if you require any further information in addition to what is included in this privacy notice, please contact our Data Protection Officer at – Soma Health, Suite 9A, Malvern Gate Business Park, Bromwich Road, Worcester, WR2 4BN, Email –, Telephone – 01905 422808

How do I make a complaint about the way my data is being processed?

Soma Health is committed to protecting your data. If you are not happy with the way in which we process your data, you may wish to make a complaint. In the first instance, please contact our Data Protection officer in writing, stating your name, date of birth, contact details and the nature of your complaint against Soma Health

If you are not happy with the response you receive you may also wish to contact the UK data protection regulator, the Information Commissioner, whose contact details are available at

Changes to this privacy policy

We reserve the right to update this privacy policy at any time.

Review of this policy

We keep this policy under regular review.  The Privacy policy was last updated in May 2018