booking@pinewave.ie

Privacy Statement - Pinewave Clinical Supervision

Effective Date: [26/02/2026]
Last Updated: [23/02/2026]

1. Introduction

Pinewave Clinical Supervision is committed to protecting your personal data and respecting your privacy.

This Privacy Statement explains how we collect, use, store, and protect your personal data when you:

  • Visit our website
  • Contact us
  • Engage in clinical supervision services

We process personal data in accordance with:

  • The General Data Protection Regulation (EU) 2016/679 (GDPR)
  • The Data Protection Act 2018 (Ireland)

Pinewave Clinical Supervision acts as a Data Controller in respect of the personal data you provide.

2. Personal Data We Collect

a) Information You Provide Directly

We may collect:

  • Full name
  • Email address
  • Telephone number
  • Professional registration details
  • Employer or practice details
  • Billing and payment information
  • Correspondence submitted via website forms
  • Information disclosed within supervision sessions

b) Special Category Data

During supervision, personal data relating to health, client work, or other sensitive matters may be discussed. Where such information constitutes Special Category Data under GDPR, it will be processed in accordance with Article 9 GDPR and applicable professional ethical standards.

Supervisees must ensure that all client information discussed is anonymised wherever possible.

c) Automatically Collected Data

When you visit our website, we may automatically collect:

  • IP address
  • Browser type
  • Device information
  • Pages visited
  • Date and time of visit

This information is collected through cookies and analytics tools.

3. Legal Bases for Processing

Under Article 6 GDPR, we process personal data on the following lawful bases:

  • Contractual necessity – to provide supervision services
  • Legal obligation – to comply with Irish law and professional requirements
  • Legitimate interests – to manage and improve our services
  • Consent – where required (e.g., marketing communications)

Where Special Category Data is processed, this is done under:

  • Article 9(2)(a) – Explicit consent, and/or
  • Article 9(2)(f) – Establishment, exercise or defence of legal claims, where applicable

You may withdraw consent at any time where consent is the legal basis.

4. How We Use Your Personal Data

We use personal data to:

  • Respond to enquiries
  • Provide and manage clinical supervision
  • Maintain supervision records
  • Issue invoices and process payments
  • Comply with professional, regulatory, and legal obligations
  • Improve website functionality

We do not sell or share your personal data for commercial marketing purposes.

5. Confidentiality and Professional Records

Information shared within supervision is treated as confidential and managed in accordance with professional ethical guidelines.

However, confidentiality may be limited where:

  • There is risk of serious harm
  • There is a legal requirement to disclose information
  • Disclosure is required by a court or regulatory authority

Supervision records are maintained in line with professional and legal record-keeping requirements in Ireland.

6. Data Sharing

We may share personal data with:

  • Professional advisors (e.g., accountant, legal advisors)
  • IT service providers (e.g., hosting, secure storage, email services)
  • Payment processors
  • Regulatory authorities where legally required

All third-party service providers are required to process personal data in accordance with GDPR.

We do not transfer personal data outside the European Economic Area (EEA) unless appropriate safeguards are in place.

7. Data Retention

We retain personal data only for as long as necessary for:

  • Provision of services
  • Compliance with legal and professional obligations
  • Insurance and indemnity requirements

When data is no longer required, it is securely deleted or destroyed.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Secure password-protected systems
  • Encrypted communications where available
  • Restricted access to authorised individuals
  • Secure storage of records

While we take reasonable steps to protect data, no online system is completely secure.

9. Your Rights Under GDPR

Under GDPR, you have the right to:

  • Access your personal data
  • Request rectification of inaccurate data
  • Request erasure ("right to be forgotten")
  • Request restriction of processing
  • Object to processing
  • Data portability
  • Withdraw consent (where applicable)

To exercise your rights, please contact us using the details below.

You also have the right to lodge a complaint with:

Data Protection Commission (Ireland)
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Website: https://www.dataprotection.ie
Email: info@dataprotection.ie

10. Cookies

Our website uses cookies to enhance user experience and collect analytics data.

You can manage cookie preferences via your browser settings. A separate Cookie Policy may be provided where required.

11. Children's Data

Our services are intended for qualified professionals. We do not knowingly collect personal data from individuals under 18 years of age.

12. Updates to This Privacy Statement

We may update this Privacy Statement from time to time. Any changes will be published on this website with an updated effective date.

13. Contact Details

If you have any questions about this Privacy Statement or how your data is processed, please contact:
Pinewave Ltd – Trading as Pinewave Clinical Supervision
Email: denis@pinewave.ie
Phone: [Insert Phone Number]
Business Address: Clonard House, Clonteen, Cappamore, Co. Limerick

14. Data Processing and Data Processor Arrangements

14.1 Role of the Parties

Pinewave Clinical Supervision acts as a Data Controller in relation to personal data collected directly from supervisees for the purpose of providing clinical supervision services.

Where Pinewave processes anonymised or pseudonymised client information discussed during supervision, the supervisee remains the Data Controller of their client data. Pinewave processes such information solely for the purpose of delivering supervision services and does not determine the purposes or means of processing that underlying client data.

Where Pinewave engages third-party service providers (e.g., cloud storage providers, online booking systems, video conferencing platforms, payment processors), those providers act as Data Processors on behalf of Pinewave.

14.2 Processing by Third-Party Data Processors

Where Pinewave engages a Data Processor, we ensure that:

  • The processor provides sufficient guarantees to implement appropriate technical and organisational measures in compliance with GDPR (Article 28).
  • A written contract or Data Processing Agreement is in place.
  • The processor acts only on documented instructions from Pinewave.
  • Confidentiality obligations apply to all persons authorised to process the data.
  • Appropriate security measures are implemented in accordance with Article 32 GDPR.
  • Sub-processors are not appointed without appropriate safeguards.

14.3 Nature and Purpose of Processing

Personal data is processed for the following purposes:

  • Provision of clinical supervision services
  • Maintenance of professional records
  • Appointment scheduling and communication
  • Billing and financial administration
  • Compliance with legal and regulatory obligations

The types of personal data processed may include:

  • Identification and contact details
  • Professional registration information
  • Supervision records and notes
  • Financial information
  • Special Category Data where relevant to supervision discussions

14.4 Duration of Processing

Personal data will be processed only for as long as necessary to fulfil the purposes outlined in this Privacy Statement, including compliance with professional indemnity insurance requirements, regulatory guidance, and Irish legal obligations.

14.5 Security of Processing

In accordance with Article 32 GDPR, Pinewave implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Secure password-protected digital systems
  • Encrypted platforms where available
  • Secure physical storage of paper records
  • Restricted access to authorised individuals only

14.6 International Data Transfers

Where third-party service providers process personal data outside the European Economic Area (EEA), Pinewave ensures that appropriate safeguards are in place, such as:

  • EU Standard Contractual Clauses
  • Adequacy Decisions by the European Commission
  • Other lawful transfer mechanisms under GDPR

14.7 Data Breach Procedures

In the event of a personal data breach, Pinewave will:

  • Assess the risk to affected individuals
  • Notify the Irish Data Protection Commission without undue delay and, where feasible, within 72 hours where required under Article 33 GDPR
  • Notify affected individuals where required under Article 34 GDPR

15. Data Breach Policy

Pinewave Clinical Supervision is committed to responding promptly and effectively to any personal data breach in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (Ireland).

15.1 Definition of a Personal Data Breach

A personal data breach means a breach of security leading to the accidental or unlawful:

  • Destruction
  • Loss
  • Alteration
  • Unauthorised disclosure of
  • Or access to

personal data transmitted, stored or otherwise processed.

Breaches may include (but are not limited to):

  • Loss or theft of devices containing personal data
  • Email sent to the wrong recipient
  • Unauthorised access to supervision records
  • Hacking or cyber-attack
  • Accidental deletion of records

15.2 Reporting a Breach

Any suspected or actual data breach must be reported immediately to:

Pinewave Clinical Supervision
Email: [Insert Email Address]
Phone: [Insert Phone Number]

All breaches will be documented internally, including:

  • Nature of the breach
  • Categories and approximate number of data subjects concerned
  • Likely consequences
  • Measures taken or proposed to address the breach

15.3 Assessment and Risk Evaluation

Upon becoming aware of a breach, Pinewave will:

  1. Contain and recover the data where possible
  2. Assess the nature and sensitivity of the data involved
  3. Evaluate the risk to the rights and freedoms of affected individuals

15.4 Notification to the Data Protection Commission

Where a breach is likely to result in a risk to the rights and freedoms of individuals, Pinewave will notify the:

Data Protection Commission (Ireland)

without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.

If notification is not made within 72 hours, reasons for delay will be documented.

15.5 Notification to Affected Individuals

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, Pinewave will notify affected individuals without undue delay, in accordance with Article 34 GDPR.

Notification will include:

  • A clear description of the breach
  • Likely consequences
  • Steps taken to address the breach
  • Advice on protective measures

15.6 Record Keeping

All personal data breaches, regardless of whether they require notification, will be documented in a Breach Register maintained by Pinewave Clinical Supervision.

16. Supervisee Data Protection Responsibilities

Pinewave Clinical Supervision recognises that supervisees act as independent Data Controllers in respect of their own clients' personal data.

Accordingly, supervisees are responsible for ensuring that their client data is processed in compliance with:

  • The General Data Protection Regulation (EU) 2016/679 (GDPR)
  • The Data Protection Act 2018 (Ireland)
  • Relevant professional ethical codes

16.1 Anonymisation of Client Information

Supervisees must ensure that all client information discussed in supervision:

  • Is anonymised wherever possible
  • Does not contain identifying details unless strictly necessary
  • Is shared securely

Where identifiable data is disclosed, the supervisee confirms that they have an appropriate lawful basis for doing so.

16.2 Lawful Basis and Transparency

Supervisees must ensure:

  • Clients are informed that supervision forms part of professional practice
  • A lawful basis exists for discussing client material in supervision
  • Privacy notices provided to clients reflect this practice

16.3 Security Obligations

Supervisees are responsible for:

  • Secure storage of client records
  • Secure transmission of documents
  • Ensuring confidentiality during online supervision sessions
  • Using secure devices and password protection

16.4 Responsibility for Client Data Breaches

Where a data breach relates to a supervisee's client data, the supervisee remains responsible for:

  • Assessing the breach
  • Notifying the Data Protection Commission where required
  • Informing affected clients

Pinewave Clinical Supervision will cooperate where reasonably necessary but does not assume Data Controller responsibility for supervisees' client data.

16.5 Professional and Ethical Compliance

Supervisees are responsible for compliance with any applicable professional regulatory or accreditation bodies and their respective data protection and confidentiality requirements.