Trust Centre UK GDPR Article 6
Lawful basis
The lawful basis Cogent relies on for each category of processing, and how that basis is reflected in the privacy notices.
This page maps Cogent Clinic's core processing activities to the lawful basis under which each one is carried out, with the processor-side activities set out separately and the special-category-data position named explicitly.

Controller processing
| Processing activity | Data subjects | Data categories | Lawful basis |
|---|---|---|---|
| Website enquiry handling | Prospects, website visitors | Name, email, enquiry details, phone if supplied | Article 6(1)(b) for pre-contract steps, or Article 6(1)(f) legitimate interests for general business enquiries |
| Waitlist management | Prospects | Name, email, organisation, interest notes | Article 6(1)(f) legitimate interests, or Article 6(1)(a) consent where framed as marketing signup |
| Marketing emails | Prospects, customers | Email, preferences, engagement data | Article 6(1)(a) consent, with PECR compliance where applicable |
| Customer onboarding and account setup | Clinician customers, authorised users | Name, work email, credentials, MFA, account data | Article 6(1)(b) contract |
| Billing and financial administration | Clinician customers | Billing details, invoices, payment identifiers | Article 6(1)(b) contract and Article 6(1)(c) legal obligation |
| Support and service communications | Clinician customers, authorised users | Contact details, support messages, service context | Article 6(1)(b) contract and Article 6(1)(f) legitimate interests |
| Security logging and fraud prevention | Customers, users, some visitors | IP, user IDs, timestamps, audit metadata | Article 6(1)(f) legitimate interests, with Article 6(1)(c) where legal accountability applies |
| Cookie or analytics processing | Visitors | Cookie identifiers, analytics data, IP-derived metrics | Consent for non-essential cookies, in line with the cookie policy |

Processor processing
| Processing activity | Controller | Data categories | UK GDPR position |
|---|---|---|---|
| Draft generation from clinician-submitted content | Clinician customer | De-identified or tokenised clinical content by design, with residual-risk personal data only if tokenisation fails | Cogent Clinic acts as processor under Article 28 terms |
| Optional saved drafts | Clinician customer | Draft text, metadata, timestamps | Cogent Clinic acts as processor |

Special category data
Where special category health data is involved, the clinician customer is generally responsible for the applicable Article 9 condition (likely Article 9(2)(h)) in their role as a healthcare professional, and Cogent Clinic's design intent is to reduce the likelihood that identifiable special category data ever reaches the platform.