Lyra Spain

Home
How We Work
Channel Partners and Brokers Sales Affiliates Global Footprint
What We Do
Global EAP Wellness Coaching Crisis Management Learning and Development
Company
About Us Privacy Policy Our Policies
Work with Us
EN
English Spanish
Contact Us
Home
How We Work
Channel Partners and Brokers Sales Affiliates Global Footprint
What We Do
Global EAP Wellness Coaching Crisis Management Learning and Development
Company
About Us Privacy Policy Our Policy
Work with Us
EN
English Spanish
Contact Us

Lyra International Global Privacy Policy

Last Updated: 24 September 2025

Introduction

Lyra Health International Ltd and its subsidiary companies and branches (referred to as Lyra International going forward) is a wholly owned subsidiary of Lyra Health, Inc. Lyra International supports organisations through the promotion of the health and wellbeing of their employees, while at the same time improving productivity and reducing absence. We have been an Employee Assistance Programme (“EAP”) provider since 1987 and today, we are one of the major global players in the sector. We are committed to ensuring your privacy and Personal Information is protected.

What is Data Protection Law?

Data Protection law gives individuals certain rights about the way in which their Personal Information is processed. If organisations do not comply with data protection law, they may be subject to penalties imposed by the data protection authorities and the courts. When Lyra International processes Personal Information, this activity and the Personal Information in question are covered and regulated by applicable data protection law, specifically the UK Data Protection Act 2018 and the UK GDPR – as the principal regulations in the Policy – and the EU’s General Data Protection Regulation (GDPR) which covers all EU countries plus Norway, Iceland, and Liechtenstein. For countries outside these regions where we – or our subsidiaries – gather and process data, additional conditions may apply, where this is the case, you will find these in our ‘Jurisdictional Clauses’ at the bottom of this Policy.

Data Privacy Policy

This Data Privacy Policy (Global) (“Policy”) establishes Lyra International’s approach to global compliance and the lawful processing of Personal Information. As a UK company, the UK Data Protection Act 2018, the UK e-Privacy Regulations (‘PECR’), and the UK-adopted version of the EU GDPR (‘UK GDPR’) apply directly to all our UK processing, as such, for the purposes of this Policy, we use ‘GDPR’ to refer to both the UK and EU versions due to their similarities, except when we refer to International Data Transfers for example.

 

We always seek to comply with the applicable data protection laws relevant to our processing of Personal Information, as such where local laws and regulations mandate additional restrictions on the collection, use and disclosure of Personal Information that exceed those contained in this Policy, the local laws and regulations will prevail. These Addendums can be found at the bottom of this Policy under the ‘Jurisdiction Specific Terms’ tab.

 

This Policy describes how Personal Information must be processed to meet Lyra International’s data protection standards and to comply with privacy laws and regulations. Additional instructions and/or guidelines regarding Personal Information processing activities at Lyra International are provided to employees in internal policies.

What does this mean for Lyra International?

Lyra International must take proper steps to ensure that it processes Personal Information on an international basis in a safe and lawful manner. Lyra International has therefore developed policies and procedures to ensure appropriate governance and compliance with such data privacy laws. This framework will apply to all Personal Information processing activities conducted by Lyra International globally subject to our jurisdictional legal requirements.

Data Protection Principles​

Below is the summary of basic data protection principles that Lyra International must observe when it processes Personal Information.

Principle 1 – Lawfulness of processing, fairness and transparency

  • Lyra International will ensure that all processing is carried out in accordance with applicable laws.
  • Lyra International will inform and explain to individuals, at the time when their Personal Information is collected, how their Personal Information will be processed.

Principle 2 – Purpose limitation

  • Lyra International will only obtain and process Personal Information for those purposes which are known to the individual or which are within their expectations and are relevant to Lyra International.
  • Lyra International will only process your data for the express purposes for which it was given, for example out of contractual obligation, because you’ve given your express consent, or where there is a legal basis for doing so. Where we consider ‘Legitimate Interest’ a legal basis, we will balance this against the potential risks to the rights and freedoms of the individual — for example, limiting what we keep, who we send your data to, how long we keep it for, what we do with it and the technical measures we use to protect your information.

How do we collect your Personal Information?

We collect Personal Information directly from you:

  • when you use our Employee Assistance Program (EAP) services generally and which may be by phone, via e-mail through the web, mobile or web applications, any other internet-based application or in person;
  • when you contract with Lyra International to provide services on our behalf or where we agree to provide services on your behalf.
  • via cookies. You can find out more about this in our Cookie Policy;
  • through feedback forms;
  • via our telephone calls with you, which may be recorded;
  • when you provide your details to us either online or offline;
  • when you respond to any job advertisement or are employed by Lyra International;

 

We also collect your Personal Information from many different sources including third parties such as:

  • your employer
  • medical professionals.

Principle 3 – Data minimisation

Lyra International will ensure that data collected and processed is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

What Personal Information do we collect?

As the Data Controller and/or joint Data Controller Lyra International may collect and process the following information about you:

  • Personal information
    • gender, contact details such as name, email address, postal address and telephone number;
    • factors specific to physical, physiological, economic, cultural or social identity;
    • call recordings;
    • information obtained through our use of cookies. You can find out more about this in our Cookie Policy.
  • Sensitive Personal Information
    • details of your current or former physical or mental health;
    • details regarding criminal offences, including alleged offences, criminal proceedings, court judgments, outcomes and sentences;
    • marital status
    • details concerning sexual life or sexual orientation.

Principle 4 – Accuracy

  • Lyra International will keep Personal Information accurate and, where necessary, kept up to date.
  • Take every reasonable step to ensure that Personal Information that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’).

Principle 5 – Limited retention of personal information

  • Lyra International will only keep Personal Information for as long as is necessary for the purposes for which it is collected, and to comply with our legal and regulatory obligations. The time we retain your Personal Information for, will differ depending on the nature of the Personal Information and what we do with it. In some cases, such as if there is a dispute or a legal action, we may keep Personal Information for longer.

  • Lyra International will retain call recordings for a period of 6 months after your last interaction with us or as required for operational needs. However, please note that certain local or national laws may require us to keep your data for a longer period. In such cases, we will hold your information in accordance with those legal requirements.

  • Your personal information will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal information are processed; personal information may be stored for longer periods insofar as the personal information will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by data protection law in order to safeguard the rights and freedoms of individuals.

  • We may retain anonymised or aggregated data to help evaluate and improve our services. This data cannot be used to identify any individual.

Principle 6 – Integrity and confidentiality (security)

Lyra International has a dedicated security team who maintain stringent controls over the Personal Information we collect, maintaining it in firewalled and secured systems and databases with strictly limited and controlled access rights, to ensure it is secure. If you would like to know more about how we secure your data you can contact us by emailing globalprivacy@lyrahealth.com.

  • Where processing is necessary for us to provide you with the services you require, such as assessing your needs, setting you up as a user, communicating with you, and assisting you with technical support, for example on our LYRA Hub App, your data will be processed and stored within the EU. Please be aware that if you reside outside of the EEA, your data may also be processed at one of our regional servers, depending on the technical and operational requirements of the service provided. All processing will be in line with the relevant data protection regulations, details of which can be found in Principle 8 (below), as well as in the Jurisdiction Specific Terms at the bottom of this Policy.
  • Lyra International will implement appropriate technical and organisational measures to ensure a level of security of Personal Information that is appropriate to the risk for the rights and freedoms of the individuals.
  • Lyra International will ensure that providers of services to us also adopt appropriate and equivalent security measures.
  • Lyra International will comply with data security breach notification requirements as required under applicable law.
  • Lyra International will ensure that information is processed in a manner that ensures appropriate security of the Personal Information, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

How do we use your Personal Information?

We use your Personal Information to provide you with the services you require based on your situation. So, if you have a problem, we make sure the right network of providers and specialists are in place. However, there are other reasons why we use your Personal Information.

 

Under UK and EU data protection laws we need a reason to use and process your Personal Information and this is called a legal basis. Generally speaking, most countries we operate in require a legal basis for us to process user data, where this is the case, you can view our Jurisdictionally specific sections at the bottom of this Policy however as the GDPR sets such a high bar, we refer to this as a reliable benchmark.

 

We have set out below the main reasons why we process your Personal Information and the applicable circumstances when we will do so. When the Personal Information we process about you is classed as sensitive Personal Information (such as details about your health, sexual orientation, or criminal offences) we must have an additional legal ground for such processing. Legal grounds are as follows:

 

  • Processing is necessary for us to provide you with the services you require, such as assessing your needs and setting you up as a user of the services and communicating with you.
  • We have a legal or regulatory obligation to use such Personal Information, for example, when the relevant data protection regulator requires us to maintain certain records of any dealings with you.
  • We need to use your Personal Information to establish, exercise or defend our legal rights, for example when we are faced with any legal claims or where we want to pursue any legal claims ourselves.
  • We need to use your Personal Information for reasons of substantial public interest, such as investigating fraudulent or criminal activities.
  • In certain instances, you may elect to use our EAP services anonymously. However, where necessary we will ask for your consent in relation to processing your sensitive Personal Information (such as health data) such as where you are in a safety-critical role. This will be made clear when you provide your Personal Information. We will ask for your consent and explain why it is necessary. Without your consent in these circumstances, we may not be able to provide you with some of our services. Where you provide sensitive Personal Information about a third party, we will ask you to confirm that the third party has provided his or her consent.
  • We have appropriate legitimate business need to use your Personal Information (such as call recordings if applicable) to maintain our business records, developing and improving our products and services (when expressly permitted), to train our staff and complaints handling all while ensuring that such business need does not interfere with your rights and freedoms and does not cause you any harm.
  • We need to use your sensitive Personal Information such as health data because it is necessary for your vital interests, this being a life-or-death matter, or where there is a risk to others.

Principle 7 – rights of individuals​

  • Lyra International will adhere to the data subject rights procedure under the GDPR, and where we operate in a country outside of the EU, UK or the broader EEA, your rights will be based on our obligations in that country, as such, we will respond to any requests from individuals to access their Personal Information in accordance with applicable law.
  • Lyra International will also deal with requests to rectify or erase inaccurate or incomplete Personal Information, or to cease processing Personal Information in accordance with the data subject rights procedure. Please see below the contact details for each of our regional offices where you can exercise these rights.

The right to access your personal information

You are entitled to a copy of the personal information we hold about you and certain details of how we use it. In Europe, there will not usually be a charge for dealing with these requests. Your personal information will usually be provided to you in writing, unless otherwise requested, or where you have made the request by electronic means, in which case the information will be provided to you by electronic means where possible. For requests to access medical records, we will provide a summary of clinical interactions.

The right to rectification

We take reasonable steps to ensure that the Personal Information we hold about you is accurate and complete. However, if you do not believe this is the case, please contact us and you can ask us to update or amend it.

The right to erasure

In certain circumstances, you have the right to ask us to erase your Personal Information, for example where the Personal Information we collected is no longer necessary for the original purpose or where you withdraw your consent. However, this will need to be balanced against other factors, for example according to the type of Personal Information we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request. Please note that if you withdraw your consent, we may not be able to provide you with the services you have requested.

The right to restriction of processing

In certain circumstances, you are entitled to ask us to stop using your Personal Information, for example where you think that the Personal Information we hold about you may be inaccurate or where you think that we no longer need to process your Personal Information.

The right to data portability

In certain circumstances, you have the right to ask that we transfer any Personal Information that you have provided to us to another third party of your choice. Once transferred, the other party will be responsible for looking after your Personal Information.

The right to object

Direct Marketing: You can ask us to stop sending you marketing messages at any time.

 

Legitimate Interest: You have the right to object at any time to our processing of your personal data when the processing is based on legitimate interests pursued by us or a third party, including profiling based on these provisions.

The right not to be subject to automatic decision making

None of our decisions are made automatically.

The right to withdraw consent

For certain uses of your Personal Information, we will ask for your consent, as the legal basis for processing. Where we do this, you have the right to withdraw your consent to further use of your Personal Information. Please note that, in some cases, we may not be able to deliver the services you require if you withdraw your consent. Please also note that withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal, and we may continue to process your Personal Information where we have another lawful basis to do so.

The right to make a complaint

You have a right to complain to the relevant regulator at any time if you object to the way in which we use your Personal Information. More information can be found below on the appropriate regulator for the regions covered.

Principle 8 – Ensuring adequate protection for cross-border transfers

  • Lyra International is a global business. To offer our services, we may need to transfer your Personal Information to companies within the Lyra Group of companies and with third parties in other countries.
  • Lyra International will not transfer Personal Information that is subject to the GDPR to parties outside the UK or the EEA without ensuring adequate protection.
  • With the exception of those countries that benefit from an adequacy decision under the GDPR, where data is transferred outside the United Kingdom, EEA or Switzerland – for example to the US where the parent company, Lyra Health, Inc. is registered – the EU Standard Contractual Clauses, and the associated UK and Swiss Addendums will apply to Personal Information that is transferred. This will also apply where Personal Information is either directly, or via onward transfer, transferred to any country or recipient outside the UK, EEA or Switzerland, that is not recognised by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland).
  • When we send your Personal Information from the EEA, UK, or Switzerland to the United States, Lyra International also uses trusted processes to keep your information safe. We follow the EU-US Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework when the US recipient receiving your data is approved under these programs. These frameworks meet strict EEA, UK, and Swiss data protection rules to ensure your data is handled securely.
  • We use “cookies” and other web technologies to collect information and to support certain features of our websites, this will include the transfer of identifiable cookie data to countries outside the UK, EEA and Switzerland that have different privacy laws and requirements, and some provide less legal protection for your Personal Information than others. For more information see our Cookie Policy.

Who do we share your Personal Information with?

We might share your Personal Information with two types of organisations – companies within the Lyra Health, Inc. group of companies, i.e. group companies, subsidiary and affiliated (sister companies) (“Group”), and other third parties outside the Group – for example our broad independent counsellor network.

 

We will not share any of your Personal Information other than for the purposes described in this Privacy Policy and if we share anything outside the Group, it will be subject to strict confidentiality obligations, and will only be used for specific reasons that we have communicated to you agreed in advance, where required.

Principle 9 – Safeguarding the use of sensitive personal information

  • Owing to the services that we offer, Lyra International sometimes needs to process sensitive Personal Information (known as special category data) about you, in order to fulfil our contractual requirements – referred to as a ‘Legal Basis’. Where we collect such information, we will only request and process the minimum necessary for the specified purpose and identify a compliant legal basis for doing so based on your jurisdiction.
  • Where we rely on your consent for processing special category data, we will obtain your informed and explicit consent. You can modify or withdraw consent at any time, which we will act on immediately, unless there is a legitimate or legal reason for not doing so.
  • Additional security measures and safeguards will be implemented to ensure that this sensitive Personal Information remains confidential and is deleted as soon as reasonably possible.

Principle 10 – Accountability

  • Lyra International takes responsibility for compliance with the other data protection principles.
  • Lyra International implements appropriate technical and organisational measures – including maintaining accurate records of processing activities, conducting regular assessments, and applying data protection by design and by default – in order to be able to demonstrate compliance with data protection obligations.

Legally Binding Effect of This Policy

Lyra International and its employees (including new hires, individual contractors, and temporary staff) that process Personal Information worldwide must comply with, and respect, this Policy when processing Personal Information, irrespective of the country in which they are located.

Lyra International reserves the right to change, modify or update this Policy, including changes to the Jurisdictional specific sections below at any time. Please review it frequently for any updates.

Contact Details and Your Rights to Complain

If you have any questions regarding the provisions of this Policy, your rights under this Policy or any other data protection issues, you can contact the Lyra International Data Privacy Officer at the address below who will either deal with the matter or forward it to the appropriate person or department at Lyra International.

 

Our Data Protection Officer is available to facilitate requests for access or correction to users own Personal Information and to describe how you can file a complaint with the applicable regulator regarding our handling of your Personal Information where required by law:

 

To log a data subject access request or exercise any other rights under applicable data privacy law, please e-mail globalprivacy@lyrahealth.com.

 

If you wish to comment, or make a complaint about the way we process your data or to find out more about your rights, you can contact our Data Protection Officer using the details below:

 

Attention: The Data Protection Officer

Email: globalprivacy@lyrahealth.com

Address: Lyra Health International Ltd, 85 Gresham Street, London, EC2V 7NQ

 

Please note that in some cases we may not be able to comply with a request relating to your rights under this Policy for reasons such as our own obligations to comply with other legal or regulatory requirements. However, we will always respond to any request you make within one month or whatever the requirement is under your regional legislation and if we are unable to comply with your request, we will tell you why. In some circumstances exercising some of these rights (including the right to erasure, the right to restriction of processing and the right to withdraw consent) will mean we are unable to continue providing you the services you have selected and may therefore result in the cancellation thereof.

Regional enquiries

Lyra International operates in over 150 territories worldwide, and some business operations are independent ‘non-Lyra’ subsidiaries which will process, maintain, and store service user data locally, and as such, will be solely responsible, and wholly accountable, under applicable law in their own countries laws for how they manage this data. Where this is not the case, and where data is potentially processed outside of its borders by Lyra International or its parent company, we provide a non-exhaustive list of regional offices below who you can contact for data related queries. If you do not see your country listed below, please contact globalprivacy@lyrahealth.com.

Group Entity

Jurisdictions covered

Lyra group contact for data related enquires, including Access Requests

The regulatory authority

ICAS Belgium BV

Belgium

globalprivacy@lyrahealth.com

Data Protection Authority

Lyra Health Canada ULC

Canada

globalprivacy@lyrahealth.com

Office of the Privacy Commissioner of Canada (PIPEDA)‎
Office of the Information and Privacy Commissioner of Alberta (PIPA Alberta)‎
Office of the Information and Privacy Commissioner for British Columbia (PIPA ‎BC), and
Commission d’accès à l’information du Québec (the “CAI”) (‘Quebec Privacy Act’)

Lyra Health Hungary Kft

Hungary

globalprivacy@lyrahealth.com

Hungarian National Authority for Data Protection and Freedom of Information

Lyra Mental Health India Private Ltd

India

globalprivacy@lyrahealth.com

Ministry of Electronics and Information Technology

Lyra Health Malaysia Sdn Bhd

Malaysia

dpomy@lyrahealth.com

Department of Protection of Personal Data 

Lyra Health International Ltd (DMCC) 

Algeria
Bahrain
Egypt
Iraq
Jordan
Kuwait
Lebanon
Libya
Mauritania
Morocco
Oman
Pakistan
Palestine
Qatar
Saudi Arabia
Senegal
Tunisia
UAE
Yemen

globalprivacy@lyrahealth.com

The Commissioner of Data Protection, Dubai International Financial Centre Authority

Lyra Mexico and Central America S. de R.L. de C.V.

Mexico

Costa Rica

República Dominicana

El Salvador

Honduras

Venezuela

Panamá

Guatemala

Nicaragua

globalprivacy@lyrahealth.com

Secretaría Anticorrupción y Buen Gobierno

Lyra Netherlands BV

Netherlands

globalprivacy@lyrahealth.com

Dutch Data Protection Authority

Lyra Health Singapore Pte Ltd

Singapore

globalprivacy@lyrahealth.com

Personal Data Protection Commission

Lyra Health Spain SLU

Spain

globalprivacy@lyrahealth.com

Agencia Española de Protección de Datos (AEPD)

Lyra Southern Africa Pty Ltd

South Africa

paia@icas.co.za

Information Regulator

Lyra Schweiz GmBH

Switzerland

dpo.eu@lyrahealth.com

Federal Data Protection and Information Commissioner (FDPIC)

Lyra France SASU

France

dpo.eu@lyrahealth.com

Commission Nationale de l’Informatique et des Libertés (CNIL)

Lyra Deutschland GmbH

Germany

dpo.eu@lyrahealth.com

Bundesbeauftragter für Datenschutz und Informationsfreiheit (BfDI)

Lyra Italy SRL

Italy

dpo.eu@lyrahealth.com

Garante per la protezione dei dati personali (Garante)

Lyra International Luxembourg SARL

Luxembourg

dpo.eu@lyrahealth.com

Commission Nationale pour la Protection des Données (CNPD)

ICAS Austria GmBH

Austria

dpo.eu@lyrahealth.com

Österreichische Datenschutzbehörde

Lyra UK & Ireland Ltd

United Kingdom
Ireland

globalprivacy@lyrahealth.com

Information Commissioners Office (ICO)

Lyra Health Israel Ltd

Israel

globalprivacy@lyrahealth.com

Privacy Protection Authority (PPA)

ADDENDUM

Addendum Mexico

Applicable Law and Jurisdiction

This Mexico Jurisdictional Addendum (“Addendum”) is incorporated into and forms an integral part of the Privacy Policy of Lyra International and is applicable to all Personal Information collected or processed by us from Data Subjects located in Mexico.  If there is any conflict between this Addendum and the rest of the Privacy Policy, the provisions of this Addendum will prevail for the protection of Personal Information of Data Subjects residing in Mexico.

 

Mexico’s data protection framework is governed by the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (“LFPDPPP”) enacted on March 21, 2025. The law applies to all private-sector individuals and entities that process personal data in connection with individuals located in Mexico, regardless of where the data processor is based.

 

The competent authority for oversight and enforcement is the Secretaría Anticorrupción y Buen Gobierno, acting through the Unidad de Protección de Datos Personales.

Key Definitions

  • Personal Data: Any information relating to an identified or identifiable person. A person is considered identifiable when their identity can be determined, directly or indirectly, through any information.
  • Sensitive Personal Data: Those personal data that affect the most intimate sphere of the data subject, or whose improper use may lead to discrimination or entail a serious risk for them. By way of example, but not limited to, sensitive personal data includes information revealing racial or ethnic origin, current or future health status, genetic information, religious, philosophical, and moral beliefs, political opinions, and sexual preference.
  • Controller: A controller is any private-sector individual or legal entity that processes personal data, including determining the purposes and means of such processing.
  • Processor: A processor is a natural or legal person who, alone or jointly with others, processes personal data on behalf of the controller.

Data Processing Principles

Data must be processed in accordance with the following principles:

 

  • Lawfulness: Processing must be based on a legitimate legal basis.

 

  • Consent: Must be free, specific, informed, and unambiguous.

 

  • Purpose limitation: Data must be collected for clearly defined, lawful purposes.

 

  • Data minimisation: Only data strictly necessary for the stated purpose should be processed.

 

  • Transparency: Individuals must be properly informed via a clear and accessible privacy notice.

 

  • Accountability: Controllers and processors must implement appropriate policies, procedures, and safeguards.

Data Transfers

Transfers of personal data to third parties, whether national or international, require the data subject’s express consent, unless a statutory exception applies (e.g. legal obligation, contract performance, public interest).

 

Controllers must ensure that recipients provide equivalent levels of protection, typically through contractual or other binding mechanisms.

Data Breach

Controllers and processors are required to:

 

  • Implement robust technical and organisational measures to protect data.

 

  • Notify affected individuals without undue delay when a security breach poses a material risk to their rights or freedoms.

 

  • Maintain incident response protocols and cooperate with the supervisory authority if required.

Data Subject Rights

Data subjects have the right to:

 

  • Access their personal data and understand how it is used.

 

  • Rectify inaccurate or incomplete data.

 

  • Cancel or delete data that is no longer necessary or is processed unlawfully.

 

  • Object to certain types of processing, including profiling or automated decision-making that significantly affects them.

 

Controllers must respond to rights requests within 20 business days, with a possible 10-day extension where justified.

Contact

If you have any additional questions about how Lyra International handles other Personal Information, please contact globalprivacy@lyrahealth.com.

 

This email address can also be used if we are processing your personal data and you are located in:

  • Costa Rica
  • Dominical Republic
  • El Salvador
  • Honduras
  • Venezuela
  • Panama
  • Guatemala
  • Nicaragua
  1. “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  2. “Personal information” / “Personal information” means any information relating to an identified or identifiable natural person (“Data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  3. “Sensitive Personal Information” means “special categories of Personal Information” as set out in the GDPR as well as Article 6 in the UK GDPR, which must be treated with extra security. These categories include health information and also genetic data and biometric data where processed to uniquely identify an individual. Personal information relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
  4. For the purpose of this Policy, reference to Europe means the EEA which incorporates Norway, Iceland, Lichtenstein as well as Switzerland.