Naas Cardiology and Endocrinology Clinic takes the privacy and security of your personal and health information seriously. This page explains in plain language how we protect your data, how long we keep it, and how you can exercise your rights under the General Data Protection Regulation (GDPR) and the Health Service Executive guidelines.
Data Controller: Dr Syed Kashif Hussain Kazmi & Dr Imtiaz Ali Kalyar, Naas Cardiology and Endocrinology Clinic, Suite 5, Vista Primary Care, Ballymore Road, Naas, Co. Kildare W91 E6H2. Contact: Syed.Kazmi@healthmail.ie | 089 656 7597.
Why we process your data & our lawful basis
As a medical clinic, we process personal data — including special category health data — for specific, lawful purposes. The legal bases under GDPR are:
- Art. 9(2)(h) GDPR — Processing necessary for the provision of medical care, treatment, and management of health systems. This covers clinical records, referral letters, investigation results, and correspondence related to your care.
- Art. 6(1)(b) GDPR — Performance of a contract (your appointment booking and clinical services agreement).
- Art. 6(1)(c) GDPR — Compliance with legal obligations (e.g. medical record retention under Irish health regulations).
- Art. 6(1)(a) / Art. 9(2)(a) GDPR — Consent (e.g. for website analytics cookies, or where we need your express agreement before sharing data with third parties outside your care team).
We do not use your health data for marketing, profiling, or any purpose unrelated to your direct clinical care.
What data we hold and why
Clinical records
We maintain a clinical record for each patient that may include: your name, date of birth, contact details, GP information, referral letters, consultation notes, investigation results (bloods, ECG, imaging), medication lists, correspondence with other healthcare providers, and follow-up plans. This is necessary to provide safe, evidence-based clinical care.
Appointment booking data
When you submit an appointment enquiry via our website, we collect your name, email, phone number, date of birth, and a brief reason for appointment. This data is used solely to schedule your consultation and is processed through Formspree (our form submission service). It is not sold or shared with third parties outside your care.
Website analytics (with consent)
If you accept analytics cookies, we use Google Analytics 4 to understand how visitors use our website. No health information is passed to Google Analytics. See our Cookie Policy for full details.
How we keep your data safe
- Clinical records are stored in access-controlled, password-protected systems.
- Electronic communications containing patient data use secure, encrypted channels (healthmail addresses for clinical correspondence).
- Only authorised clinical and administrative staff have access to patient records, on a need-to-know basis.
- We do not store clinical records on personal or unsecured devices.
- Paper records are stored securely and disposed of by confidential shredding.
- We review our data security procedures regularly in line with HSE and HIQA guidance.
How long we keep your data
We retain clinical records in accordance with the Health Service Executive National Records Management Policy and Irish Medical Council guidelines. In general:
- Adult patient records: Retained for a minimum of 8 years from the date of last entry, or until the patient's 25th birthday (whichever is later).
- Children's records: Retained until the patient's 25th birthday, or for 8 years after the date of last entry if the patient was aged 17 or older at that time.
- Appointment enquiry data only (no appointment taken): Retained for up to 12 months then deleted securely.
- Website analytics data: Retained for up to 14 months by Google Analytics. We do not store analytics data locally.
Who we may share your data with
Your clinical information may be shared with other healthcare professionals involved in your care (e.g. your GP, referring specialist, or hospital team) as necessary for clinical continuity. We will always use the minimum data necessary.
We do not share your personal data with:
- Insurance companies (without your explicit consent)
- Employers or third parties outside your care team
- Marketing companies or data brokers
Third-party service providers (Formspree for form handling, Google Analytics for website analytics) process data only as described in their own published privacy policies and under Data Processing Agreements where required.
Your rights under GDPR
As a data subject under GDPR, you have the following rights. To exercise any right, contact us at Syed.Kazmi@healthmail.ie. We will respond within one calendar month.
- You can request a copy of the personal data we hold about you, including your clinical record.
- You can ask us to correct inaccurate or incomplete personal data.
- You can request deletion of your data where we no longer have a lawful basis to hold it. Note: clinical records must be retained for the periods described above.
- You may request that we restrict how we process your data in certain circumstances.
- You may request your personal data in a structured, machine-readable format where processing is automated and based on consent or contract.
- You may object to processing based on legitimate interests. This does not apply to processing necessary for your clinical care.
- Where processing is based on consent (e.g. analytics cookies), you may withdraw consent at any time without affecting earlier processing.
- You have the right to lodge a complaint with the Data Protection Commission — see below.
How to make a complaint to the Data Protection Commission
If you believe your data has been processed unlawfully, or if you are unhappy with our response to a data rights request, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC):
- Website: www.dataprotection.ie
- Online complaint form: forms.dataprotection.ie/contact
- Phone: +353 57 868 4800
- Post: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28
We encourage you to contact us directly in the first instance so we can attempt to resolve any concern promptly.
Data breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours, as required under GDPR Art. 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
Contact us about data protection
For all data protection queries, access requests, or complaints, please contact:
Dr Syed Kashif Hussain Kazmi
Naas Cardiology and Endocrinology Clinic
Suite 5, Vista Primary Care, Ballymore Road, Naas, Co. Kildare W91 E6H2
Email: Syed.Kazmi@healthmail.ie
Phone: 089 656 7597
For our full privacy notice, including details of all data we collect and how it is used, please see our Privacy Policy.
Legal disclaimer: This page is provided for informational purposes and does not constitute legal advice. Data protection law is complex. If you have specific concerns about your data rights, you may wish to seek independent legal advice or contact the Data Protection Commission directly.
Last updated: June 2026