1. Who We Are
Data Controller: Dr George Zoltan Simon, General Practitioner
Practice Location: Vithas Xanit Gibraltar, Gibraltar
Contact: simongeo@drgeorgesimon.org · +350 54 003 573
Website: drgeorgesimon.org
Dr George Zoltan Simon is a registered General Practitioner practising in Gibraltar, registered with both the Gibraltar Medical Registration Board (GMRB) and the General Medical Council (GMC) of the United Kingdom. As a healthcare provider, Dr Simon is a Data Controller under applicable Gibraltar data protection legislation and is responsible for how your personal data is collected, used, and protected.
2. Legal Framework
This Privacy Policy is governed by the following legislation applicable in Gibraltar:
- Gibraltar Data Protection Act 2004 (DPA 2004) — the primary data protection legislation in Gibraltar
- UK General Data Protection Regulation (UK GDPR) — applied in Gibraltar by virtue of the Gibraltar Constitution and arrangements with the United Kingdom
- Gibraltar eCommerce Act 2001 — in relation to electronic communications and website use
- Health and Social Care (Safety and Quality) Act 2015 (UK, as applicable) — relating to confidentiality obligations in healthcare settings
Important Note
As a medical practice, we are also bound by professional medical confidentiality obligations under the GMC's Confidentiality guidelines and the ethical standards of the Gibraltar Medical Registration Board. These obligations are in addition to, and consistent with, the legal requirements set out in this policy.
3. Personal Data We Collect
We collect and process the following categories of personal data:
Identity & Contact Data
- Full name, date of birth, gender
- Address, telephone number, email address
- Gibraltar Identity Card number or passport number (where required for registration)
- Next of kin and emergency contact details
Appointment & Administrative Data
- Appointment booking information (via Calendly or telephone)
- Consultation dates, times, and attendance records
- Billing and payment information (where applicable)
- Insurance details and GHA (Gibraltar Health Authority) status
- Communications you send us by email, WhatsApp, or telephone
Website Usage Data
- IP address and browser type
- Pages visited and time spent on the website
- Referring website or search engine
- Device type and operating system
Please Note
We do not collect or process medical or health information through this website. All clinical information is collected and managed through secure clinical systems within the practice only.
4. Special Category Data — Medical Information
Medical Records — Special Category Data
Health and medical information is classified as Special Category Data under the DPA 2004 and UK GDPR and is afforded the highest level of legal protection. All medical records and clinical information are held and managed securely within the practice, subject to strict medical confidentiality.
As your General Practitioner, Dr Simon will collect and process the following within the clinical setting:
- Medical history, diagnoses, and clinical notes
- Medication records and prescriptions
- Laboratory and investigation results
- Referral letters and specialist correspondence
- Surgical history and procedural records
- Weight management and dietary records (where applicable)
- Any other information relevant to your healthcare
This information is processed under the legal basis of provision of healthcare (Article 9(2)(h) UK GDPR / Schedule 3 DPA 2004) and is subject to the duty of medical confidentiality. It will not be disclosed to third parties without your consent, except where legally required or to facilitate your direct care (e.g. referrals to specialists).
5. How We Use Your Personal Data
We use personal data collected through this website and the practice for the following purposes:
Healthcare Purposes
- To provide you with general medical care, consultations, and treatment
- To manage appointments and follow-up care
- To refer you to specialist services where appropriate
- To maintain accurate and complete medical records
- To comply with our professional regulatory obligations (GMC, GMRB)
Administrative Purposes
- To respond to enquiries made via email, telephone, or WhatsApp
- To manage appointment bookings made through Calendly or directly
- To process payments and manage accounts where applicable
- To send appointment reminders and relevant health communications
Website & Legal Purposes
- To ensure the website functions correctly and securely
- To comply with legal obligations under Gibraltar and UK law
- To protect against fraud, unlawful activity, or safety risks
6. Legal Basis for Processing
Under the DPA 2004 and UK GDPR, we rely on the following legal bases to process your personal data:
- Contract performance — processing necessary to provide medical services you have requested
- Legal obligation — where processing is required by Gibraltar or UK law (e.g. mandatory reporting obligations)
- Vital interests — where processing is necessary to protect your life or that of another person
- Provision of health or social care (Article 9(2)(h) UK GDPR) — the primary basis for processing special category health data in a clinical context
- Legitimate interests — for administrative and operational purposes where these do not override your rights
- Consent — where we have obtained your explicit consent, for example for certain communications or non-essential cookies. You may withdraw consent at any time.
7. Sharing Your Personal Data
We will not sell, rent, or trade your personal data to any third party. We may share your data in the following limited circumstances:
With Your Consent — Clinical Referrals
With your knowledge and consent, your clinical information may be shared with other healthcare professionals involved in your care, such as specialists, hospitals, or diagnostic laboratories, in order to facilitate the best possible treatment for you.
Legal & Regulatory Requirements
We may disclose personal data where required to do so by law, including in response to lawful requests from the Gibraltar Health Authority, courts, law enforcement authorities, or other regulatory bodies.
Third-Party Service Providers
We use the following third-party tools which may process limited personal data on our behalf:
- Calendly — online appointment booking (name, email, telephone). Calendly's own privacy policy applies. Data is hosted on servers subject to appropriate safeguards.
- WhatsApp Business (Meta Platforms) — for appointment communications. Please be aware that WhatsApp communications are subject to Meta's privacy policy.
- Google (Gmail) — for email communications. Data may be processed on Google servers subject to their privacy policy and applicable data transfer safeguards.
- Hostinger — web hosting provider. Website server logs may be retained for security purposes.
International Transfers
Some third-party providers may process data outside Gibraltar or the UK. Where this occurs, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements, including Standard Contractual Clauses or adequacy decisions where applicable.
8. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with legal requirements:
- Medical records — retained for a minimum of 8 years from the date of last treatment (or until the patient's 25th birthday if later), in accordance with NHS/UK guidance adopted by Gibraltar medical practitioners
- Appointment and administrative records — retained for 7 years following last contact, for accounting and medico-legal purposes
- Email and written communications — retained for 3 years unless forming part of the clinical record
- Website usage data / server logs — retained for up to 12 months
- Cookie consent records — retained for 12 months
On expiry of the applicable retention period, data is securely destroyed or anonymised.
9. Your Rights
Under the Gibraltar DPA 2004 and UK GDPR, you have the following rights in relation to your personal data:
- Right of Access — to request a copy of the personal data we hold about you (Subject Access Request)
- Right to Rectification — to request correction of inaccurate or incomplete data
- Right to Erasure — to request deletion of your data, subject to legal and professional retention obligations
- Right to Restriction — to request that we restrict processing of your data in certain circumstances
- Right to Portability — to receive your data in a structured, commonly used format and transfer it to another provider
- Right to Object — to object to processing based on legitimate interests
- Right to Withdraw Consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
How to Exercise Your Rights
To exercise any of these rights, please contact us at simongeo@drgeorgesimon.org or by telephone on +350 54 003 573. We will respond within 30 days. We may need to verify your identity before processing your request. There is no charge for exercising your rights in most circumstances.
10. Website, Cookies & Online Services
Cookies
Our website uses cookies — small text files placed on your device. We use only the following categories of cookies:
- Strictly necessary cookies — essential for the website to function (e.g. cookie consent preference). These do not require your consent.
- Analytics cookies — if enabled in future, these help us understand how visitors use the website. We will seek your consent before placing these.
We do not use advertising, tracking, or profiling cookies. You can manage your cookie preferences at any time using the consent banner on this website, or by adjusting your browser settings.
Appointment Booking via Calendly
Our booking system is provided by Calendly LLC. When you book an appointment, Calendly collects your name, email address, and telephone number. Calendly acts as a data processor on our behalf. Please refer to Calendly's Privacy Policy for full details.
WhatsApp Communications
If you contact us via WhatsApp, your message content and contact details will be received by us through WhatsApp Business (Meta Platforms Inc.). Please be aware that WhatsApp messages are subject to Meta's privacy practices. We recommend not sending sensitive medical information via WhatsApp.
Links to Third-Party Websites
Our website may contain links to external websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies.
11. Security
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration, including:
- SSL/TLS encryption on all website connections (https)
- Password-protected access to all clinical and administrative systems
- Regular review of access rights and security practices
- Physical security measures at the practice premises
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify you directly.
12. Patients Under 18
Dr Simon's practice accepts patients aged 10 years and over. Where patients are under 18 years of age, additional considerations apply:
- For patients aged 10–15, parental or guardian consent will generally be required for registration and treatment, except where the patient is deemed to have sufficient understanding to consent to their own care (Gillick competence)
- For patients aged 16–17, the patient may consent in their own right in most circumstances
- Medical records for patients who were minors at the time of treatment are retained until their 25th birthday or for 8 years from last treatment, whichever is later
We do not knowingly collect data from children under 10 years of age through this website.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. The current version will always be available on this website, with the date of last update shown at the top of this page.
For significant changes affecting how we use your health data, we will take reasonable steps to notify you directly.
14. Contact Us & How to Complain
How to Make a Complaint
If you have concerns about how we have handled your personal data, please contact us in the first instance at the details above and we will endeavour to resolve the matter promptly.
If you remain dissatisfied, you have the right to lodge a complaint with the relevant supervisory authority:
Gibraltar Supervisory Authority
Gibraltar Regulatory Authority (GRA)
2nd Floor, Eurotowers 4, 1 Europort Road, Gibraltar
Email: info@gra.gi
Website: www.gra.gi
Tel: +350 200 74636
UK Supervisory Authority (if applicable)
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113