ForMotion Clinic Privacy Notice

ForMotion Clinic is made up of different legal entities. This privacy notice is issued on behalf of all our clinics operating under the ForMotion brand so when we mention “ForMotion”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant clinic responsible for processing your data. 

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, or our privacy practices, please contact the DPO at:  

ForMotion 
Grjótháls 5, 110 Reykjavík, Iceland  
[email protected]

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows: 

• Identity Data includes first name, maiden name, last name, username or similar identifier, title, date of birth and gender.  
• Contact Data includes billing address, delivery address, email address and telephone numbers.  
• Financial Data includes bank information and payment card details.  
• Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.  
• Health Data includes information about your physical health, medical history, clinical treatment, and care received, including details of orthotic and prosthetic assessments, prescriptions, device fittings, rehabilitation progress and related healthcare services. 
• Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences. 
• Profile Data includes your username, purchases or orders made by you, your interests, preferences, feedback and survey responses. 
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our websites, applications and services. 
• Usage Data includes information about how you use our website, products, applications and services. 
• Professional Background Data includes information which is usually provided on a resume, such as academic qualifications, degrees, certifications, work history, professional achievements and experiences. 

Where we need to collect personal data by law, or to provide you with clinical care or related services under a contract we have with you, and you do not provide that data when requested, we may not be able to deliver the care, treatment or services you require. In such cases, we may need to postpone or cancel your appointment, treatment or the provision of a device or service. We will inform you if this is the case at the time.  

We use your personal data for the purposes outlined below. We have also included the type of data involved in each case and the lawful basis for using it. Because health data is particularly sensitive, we only use it when it is necessary to provide you with care, to meet our legal responsibilities, or when you have given us clear consent. 

To register you as a new patient 

• Types of data: Identity, Contact 
• Lawful basis: Legitimate interests (to establish and manage your care with us)  

To assess, plan, and deliver clinical care and services, including the provision of orthotic and prosthetic devices 

• Types of data: Identity, Contact, Health, Financial, Transaction 
• Lawful basis: Legal obligation (to comply with healthcare regulations and record-keeping requirements) or in certain cases, legitimate interests (providing products and services outside of healthcare systems) 
• Condition for processing sensitive data: Necessary for the provision of healthcare 

To manage appointments, referrals, and communications related to your care 

• Types of data: Identity, Contact, Health 
• Lawful basis: Legitimate interests (to coordinate your care with us) 
• Condition for processing sensitive data: Necessary for the provision of healthcare 

To communicate with you about your care, respond to enquiries, and manage our relationship with you 

• Types of data: Identity, Contact 
• Lawful basis: Legitimate interests (to provide good patient service and maintain accurate records) 

To conduct clinical audits, quality assurance, and service improvement 

• Types of data: Identity, Contact, Health 
• Lawful basis: Legitimate interests (to monitor and improve the quality and safety of our services) 
• Condition for processing sensitive data: Necessary for the management of health care systems and services 

To carry out research and service development (where applicable) 

• Types of data: Identity, Contact, Health 
• Lawful basis: Consent – we will only use your personal data for research if you have given us your explicit permission 
• Condition for processing sensitive data: Explicit consent 

To process job applications and maintain records of applicants 

• Types of data: Identity, Contact, Professional Background 
• Lawful basis: Consent – when you apply for a role with us 

We only share your personal when it is necessary and appropriate to support your care or to run our services safely and effectively. This may include sharing information with:  

• Healthcare professionals and referring providers involved in your treatment, such as your primary care doctor, hospital consultants or rehabilitation teams.  
• Medical device manufacturers and suppliers who help us provide and maintain orthotic and prosthetic devices.  
• Service providers who support our operations, such as IT support, appointment booking systems, and secure data storage providers.  
• Regulatory bodies or public authorities where we are legally required to do so, for example for health and safety reporting or professional oversight.  

When we share your data with third parties, we ensure that they are contractually required to protect your information, use it only for agreed purposes and comply with data protection laws.  

In general, we store and process your data within the country where you receive care when this is required by local law. In some cases, we may use service providers located outside your country, for example for secure cloud-based systems or technical support. When this happens, we ensure that appropriate safeguards are in place to protect your data, such as approved data transfer agreements and strict confidentiality obligations.  

We have a range of technical and organisational measures in place to protect your personal data from loss, misuse, or unauthorised access. 

Access to our clinics and systems is carefully controlled. Digital systems are protected by role-based access controls, meaning employees can only access the information they need to carry out their work. Medical records are stored in secure, specialised systems, separate from administrative data. 

We also use secure networks, encryption, and regular data backups to protect your information during storage and transmission. Employees receive training on data protection and confidentiality, and we regularly review our security practices to ensure they remain effective. 

We often provide care to children and young people, and we take extra care when handling their personal data. When a patient is a minor, we collect and use their data in line with laws that apply to healthcare for children. This includes involving parents or legal guardians in decisions about care and data use, unless the child is considered capable of making their own healthcare decisions under applicable rules.  

We only collect the personal data needed to provide safe and appropriate care, and we protect children’s data with the same high standards we apply to all personal data. Where consent is required – for example, for certain types of communication or research – we will seek the appropriate person, depending on the child’s age and capacity to understand.  

We keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, such as providing care, managing our relationship with you, and meeting legal or regulatory requirements. In some cases, we may need to retain your data for longer, for example if there is an ongoing complaint, legal claim, or audit.  

When deciding how long to keep your data, we consider factors such as the type and sensitivity of the data, the potential risks of keeping it too long or not long enough, and any legal and professional rules that apply. In some countries, we are required by law to store medical records for a minimum period and to keep them within national borders.  

You may exercise any of the rights described in this section by contacting us at [email protected]. To make sure your information stays secure, we may ask you to prove your identity before we continue. 

You have the right to:  

• Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.  
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.  
• Request erasure of your personal data in certain cases. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Please note that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.   
• Object to processing of your personal data when we are relying on a legitimate interest and you want to object to the processing because you feel it impacts your fundamental rights and freedoms.  
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data if needed. 
• Request the transfer of your personal data to you or to a third party. We will provide you, or a third party you have chosen, with your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to information kept in an electronic form which you initially provided with consent for us to use or where we used the information to fulfil a contract with you. 

You can withdraw your consent at any time where we are relying on consent to process your personal data, including data processing for marketing purposes. Please note that this will not affect the lawfulness of any processing that took place before you withdrew your consent.  

You have the right to make a complaint at any time to your country´s supervisory authority for data protection issues. We would, however, greatly appreciate the chance to deal with your concerns before you approach the supervisory authority, so please reach out to us in the first instance.   

Being that ForMotion Clinic's headquarters are in Iceland, the group’s main supervisory authority for data protection issues is the Icelandic Data Protection Authority (Persónuvernd) -  Data Protection Authority. The Icelandic Data Protection Authority with its seat at Laugavegur 166, 105 Reykjavík, Ísland, can be contacted by e-mail: [email protected]. If you reside in the European Economic Area, you may also lodge a complaint directly with your local supervisory authority.