Your data rights

Access, rectification, erasure, portability, restriction, and objection, with the steps for exercising each one set out plainly.

Under UK GDPR you have a set of rights over personal data Cogent Clinic holds about you, and this page sets out what those rights are, how Cogent acts on them, and how to make a request.

The rights you have

  • Access, including a copy of the personal data Cogent holds about you.
  • Rectification, where data is inaccurate or out of date.
  • Erasure, where the data is no longer needed for the purpose it was collected for or where you have validly withdrawn consent.
  • Restriction, where you want processing paused while a question is resolved.
  • Objection, where you object to specific processing.
  • Portability, for data held under contract or consent.
  • Withdrawal of consent, where consent was the lawful basis for the processing.
  • Complaint to the ICO, if Cogent has handled your request poorly.

How to make a request

Email [email protected] with the request and enough information for Cogent to identify the data concerned. Cogent acknowledges receipt promptly and responds within one calendar month, with an extension only where it is lawfully justified.

Cogent verifies identity where it is necessary and proportionate to do so, and asks for no more information than is needed to make that check.

Controller and processor: what that means for you

For some of your data Cogent acts as the controller; for some, Cogent acts as a processor on behalf of a clinician customer. The distinction changes how a request is handled.

  • Where Cogent is the controller (account data, billing, support, marketing, website enquiries, and operational metadata under Cogent's own purposes), Cogent assesses and responds to your request directly.
  • Where Cogent is a processor (clinician-submitted content and drafts processed on behalf of a clinician customer), Cogent refers the request to that clinician customer without undue delay, provides reasonable assistance under the DPA, and does not respond substantively unless instructed or legally required.

If you are a patient of a clinician using Cogent

If you contact Cogent directly about data processed through your clinician's use of the service, Cogent will explain that your clinician is usually the controller of your clinical data and will direct you to contact them in the first instance. Cogent does not imply that it holds identifiable patient data unless that is verified, and any request that suggests identifiable patient data has reached Cogent unexpectedly is escalated internally and assessed under the incident response plan.

What Cogent does in response

  • Access: Cogent identifies the relevant systems, confirms whether data is held, compiles the response with the required supplementary information, and redacts third-party data where necessary.
  • Rectification: Cogent verifies the correction, updates the relevant system, and confirms completion.
  • Erasure: Cogent assesses whether deletion is required or whether an exemption applies, deletes controller-held data where appropriate, liaises with the clinician controller where the data is processor-held, and confirms the outcome.
  • Restriction or objection: Cogent assesses the lawful basis, determines whether processing must stop or can continue, and records the reasoning.
  • Portability: Cogent provides the relevant controller-held data in a structured and commonly used format where the right applies.

Records

Cogent keeps a record of each request including the date received, the request type, identity-verification steps taken, the controller-or-processor analysis, the systems checked, the decision, the response date, and any exemption relied on. The record is kept so that Cogent can show, on request, how the right was handled.