Privacy Policy
Last Updated: 16-08-2025
Controller / Contact: Karin Cassar, Malta
Email: cassarkarin@gmail.com
1. Introduction
This Privacy Policy explains how we collect, use, disclose and protect personal data when you interact with our psychotherapy services and website. We treat personal data with the highest confidentiality and in accordance with the EU General Data Protection Regulation (GDPR), the Malta Data Protection Act (Cap. 586) and applicable Maltese law.
2. Types of personal data collected
We process:
- Identity and contact data: name, date of birth, postal address, phone, email.
- Health / psychotherapy data (special category data): medical history, mental health details, therapy notes, risk assessments, medication, session summaries, therapy goals. (Health data are special category data under Article 9 GDPR and require additional safeguards / explicit consent unless another permitted condition applies.)
- Administrative data: appointment records, payments, invoicing.
- Technical data: IP address, device and browser data, analytics from the website (cookies — see Cookie Policy).
- Communications: emails, telephone notes, messages via secure portals.
3. Lawful bases for processing
We rely on the following lawful bases:
- Performance of a contract / pre-contractual measures — to provide psychotherapy services and manage appointments.
- Legal obligation — where Maltese law requires us to retain or disclose information (for example, compliance with statutory obligations or court orders).
- Legitimate interests — limited administrative or IT security processing, where those interests are not overridden by your fundamental rights and freedoms (we will document and balance any such interests).
- Consent / explicit consent — for processing health (special category) data, for certain marketing communications, and for non-essential cookies. For health data, explicit consent will usually be obtained prior to intake, or the data will be processed under a clinical necessity / safeguarding exception where lawful.
4. Purpose of processing
We process personal data to:
- Provide psychotherapy and therapeutic care, treatment planning, clinical record keeping and continuity of care.
- Communicate with you about appointments, invoicing and administrative matters.
- Comply with legal obligations (e.g., court orders, reporting obligations).
- Improve our services (analytics, quality assurance), subject to anonymisation where possible.
- Send marketing or newsletters only where you have opted in.
5. Special category (health) data — additional safeguards
Health data are highly sensitive. We will:
- Obtain explicit written consent for the collection and processing of psychotherapy notes and health data, unless another permitted legal basis applies (e.g., to protect life in emergencies or to comply with law).
- Limit access strictly to clinical staff, and to third parties only where necessary (referrals, specialist consultants) and on the basis of a clear lawful basis or your explicit consent.
6. Recipients / disclosures
We may disclose personal data to:
- Clinical supervisors, referral consultants and other healthcare providers (with your consent or as clinically required).
- Payment processors and administrative service providers (under written data processing agreements).
- Law enforcement, regulators or courts where compelled by law.
Where data are shared with providers outside the EEA, we will use appropriate safeguards (standard contractual clauses, adequacy decisions) and document transfers.
7. Retention
We retain clinical records for a period consistent with professional guidance and Maltese practice. Records required by law or the Data Protection Act may be retained longer. We will securely delete or anonymise data when retention periods expire.
8. Your rights
You have the right to:
- Access your personal data and obtain copies.
- Request rectification of inaccurate data.
- Request erasure ("right to be forgotten") where lawful limits allow.
- Restrict processing or object to processing (subject to clinical/contractual/legal limits).
- Withdraw consent at any time for processing based on consent (this does not affect lawful processing carried out prior to withdrawal).
- Data portability (where processing is based on consent or contract and is carried out by automated means).
- Lodge a complaint with the Maltese supervisory authority: Office of the Information and Data Protection Commissioner (IDPC).
9. Security measures
We apply appropriate technical and organisational security measures: secure storage (locked/encrypted files), access controls, secure electronic records, encrypted email where required, staff confidentiality agreements and regular backups. Breaches will be handled under GDPR rules, and the IDPC will be notified where required.
10. Confidentiality vs. legal exceptions
Psychotherapy confidentiality is fundamental. However, confidentiality is not absolute. We may disclose information without consent where required by law or to prevent serious harm: for example, if there is imminent risk to you or others, safeguarding concerns, court orders, or other statutory obligations. Where possible we will inform you unless notification would increase risk.
11. Automated decision-making
We do not use automated decision-making that produces legal or similarly significant effects. If we do in future, we will notify you and obtain consent if required.
12. Children / parental responsibility
We will not normally provide services to children without parental/guardian consent. Special safeguards apply to minors; please consult us for specifics.
13. Changes to this Policy
We may update this Privacy Policy; significant changes will be notified on the website with an updated effective date.
14. How to contact us / make a complaint
Data controller: Karin Cassar. For privacy enquiries or to exercise rights, contact: cassarkarin@gmail.com. To complain to the supervisory authority: Office of the Information and Data Protection Commissioner, Malta (IDPC).