Last updated: 3 rd November 2025
This Privacy Statement describes our personal data processing practices, including the types of personal data we obtain, how we may use that personal data, with whom we may share it, and how individual data subjects may exercise their rights regarding our processing of their personal data. The Privacy Statement also describes the measures we take to safeguard the personal data we obtain and how you can contact us about our privacy practices.
Who we are
“Obsidian” / “we” / “us”/ “our” means Obsidian Healthcare Group Limited with a registered address: Eastcastle House, 27/28 Eastcastle Street, London, England, W1W 8DH, United Kingdom. Email: dpo@clanwilliam.co.uk.
Obsidian Healthcare Group Limited is part of Lanas Healthcare Technologies Ltd’s group of companies. Lanas Healthcare Technologies Ltd has its registered business address: Suite 17, The Courtyard, Carmanhall Road, Dublin 18, Ireland. Further details on the Lanas’ data privacy statement can be found at www.lanas.com.
Depending on the nature of the personal data processed, we may be a data controller of your personal data or a data processor of your personal data on behalf of our clients, and in that case our client would be the data controller. This Privacy Statement relates to processing where we are the data controller and applies to personal data we obtain through website, marketing and recruitment channels.
Where we are a data processor, we may only process personal data in accordance with the controller (eg our client)’s documented instructions as set out in a specific data processing agreement or other contractual arrangements with the controller. In this context questions relating to client’ privacy practices should be sought from relevant data controller.
This Privacy Statement does not apply to personal data that our employees provide us in connection with their employment, which is covered by separate privacy notice. Any personal data collected by a third party or third-party websites will be subject to the terms of their respective privacy notices.
Legal Basis and Compliance
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), Data (Use and Access) Act 2025 and Privacy and Electronic Communications Regulations 2003 (PECR). Where applicable, we also comply with the EU GDPR for data subjects located in the European Economic Area (EEA).
Personal Data We Collect
When we use the term “personal data” in this Privacy Statement, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual, or as otherwise defined under applicable privacy and data protection laws. The information regarding the type of personal data we may collect and how we process same depends on your interaction with us:
- Basic Information: name, surname, country location, preferred language;
- Contact Information: email, mailing address, contact phone number, or online form, and
- Technical and network activity information – information about your device and your usage of our websites, apps and systems, including your IP address, browser type, operating system, domain name, access times and referring website addresses
For details on personal data collected in the following areas, please consult the relevant privacy notice:
- Website visitors: Please see Website Privacy Notice
- Marketing recipients: Please see Marketing Privacy Notice
- Job applicants: Please see Recruitment Privacy Notice
- Vendors and clients: Please consult the data processing agreement and schedules to the commercial agreement entered into with us.
We collect this information directly from you:
- when you use our websites and systems.
- when you get in touch to provide information, for support or to provide
feedback. - as part of an interview or screening telephone call.
We collect and process information from third parties, including:
- from our third-party service providers.
- Our affiliates
You can choose not to give us personal information when we ask you for it. If you decide not to give us your personal data, it may restrict our relationship with you. For example, we may not be able to provide you with our services or respond to communications from you via our website.
Children’s Personal Data
Our online channels are designed for a general audience and are not directed to children under the age of 13. We do not knowingly collect or solicit personal information from children under the age of 13 through the online channels. If we become aware that we have collected personal information from a child under the age of 13, we will promptly delete the information from our records. If you believe that a child under the age of 13 may have provided us with personal information, please contact us as specified in the How To Contact Us section of this Privacy Statement. If we process children’s data in our role as data processor on behalf of client as data controller, we will do so in line with terms of data processing agreement with data controller and their written instructions with regard to this personal data.
Lawful Bases for Processing
We rely on the following lawful bases:
- Consent: for marketing communications, recruitment, and where required for special category data
- Legitimate interests: responding to queries, improving services, recruitment operations
- Legal obligation: compliance with employment law, fraud prevention, and regulatory reporting
- Contract: fulfilling service agreements with clients or vendors
- Where we process special category data (e.g. health information), we do so under Article 9 UK GDPR and Schedule 1 of the DPA 2018, such as for employment or health and safety obligations or booking travel arrangements.
How We Use Your Data
We use your data only for the purposes described in this notice. We do not sell or trade your personal data. We may use your data to:
- respond to website queries and to deliver the information or services offered by our websites;
- identify and authenticate your rights to access our websites;
- respond to your queries and requests;
- provide support to queries on website or related to our services;
- protect the security of our websites;
- improve our services and website;
- maintain website functionality and analytics, and
- send marketing communications (with consent);
- process job applications and carry out interviews regarding your experience;
- comply with legal obligations
We will not use your personal information for purposes that are incompatible with the above purposes, unless it is required or authorised by law
Who we Share Your Data with
We may disclose personal information we collect about you to other parties. We may share your personal data with these third parties:
- Lanas group companies: We may share your personal information within our group of companies for the purposes described above
- Third party service providers: We may share your personal data with our third party service providers, contractors that provide web hosting services, cloud storage services, and professional services on our behalf.
- Legal and regulatory authorities (where required): we may have to share your personal information in response to authorised requests of government authorities or where required by law.
- In connection with a corporate transaction: As part of any merger, sale, joint venture, transfer, or other disposal of all or any portion of our business (including as part of any bankruptcy or similar proceedings), we may transfer your personal information to other parties involved in these transactions. Under these circumstances, all parties will enter into a confidentiality agreement to protect personal information and must only use personal information for the purpose it was collected for in the first instance.
Data Transfer
We may need to transfer your personal data internationally. We do not share your data outside the EEA and UK unless adequate safeguards are in place, such as standard contractual clauses or adequacy decisions.
Data Retention
We hold data for as long as there is a need by considering (i) the length of our relationship with you, and whether we need to keep your personal information to respond to or process a question or request from you (ii) in light of our legal position (due to statutes of limitations, (iii) whether there is a requirement to keep your personal data for a period required by law and (iv) whether we should keep your personal data in connection with legal action or an investigation involving us.
Your Rights
Under UK GDPR, you have the following rights:
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to object (including to direct marketing)
- Right to data portability
- Right to withdraw consent
- Right not to be subject to automated decision-making (we do not use automated profiling).
You do not usually need to pay a fee to exercise your rights. To exercise your rights, please contact us at dpo@clanwilliam.co.uk to initiate the request.
Security
We implement appropriate technical and organisational measures to protect your personal data. While we take reasonable steps, we cannot guarantee the security of any information that you submit via email or over the Internet. Submission of personal data using such networks is done at your own risk, since no internet transmission is ever 100% secure or error free. You should take special care in deciding what information you send to us via email or when posting on our websites.
Third-party websites
You can choose to access certain third-party websites and services through our website. Obsidian is not responsible for the privacy policies or practices of other websites. You should examine their websites for further information on their privacy policy.
We have a LinkedIn and Glassdoor page relating to some of our services. When you choose to share information with the social media platform, the information you share will be governed by their privacy policies. You can modify your privacy settings with LinkedIn and Glassdoor.
Cookies
We use cookies to improve website functionality and user experience. For details, see our https://www.obsidianhg.com/cookie-policy/. You can manage your cookie preferences via our website.
How to Contact Us
If you have questions, requests or concerns relating to one of our customer’s handling of your personal data, please contact the relevant customer. If you have any questions or comments about our privacy practices, this Privacy Statement, or your privacy rights and preferences, you may contact us at:
Data Privacy Team,
Lanas Healthcare Technologies Ltd
Suite 17, The Courtyard,
Carmanhall Road,
Dublin 18, Ireland
dpo@clanwilliam.co.uk
Complaints
If you are unhappy with how we handle your data, you may contact the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: +44 (0) 303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
Updates to This Privacy Statement
Technology and data privacy best practice are constantly developing. We reserve the right to revise and publish changes on the Privacy Statement page of our website. We review and update this Privacy Statement regularly. We encourage you to review this page periodically to ensure you are aware of what information we collect and how we process it.
Our Website – Privacy Notice
Personal data provided to or collected by us
The following is a non-exhaustive list of the main purposes in summary form for which your personal data may be processed depending on which category of data subject you fall within.
Retention periods vary, and Obsidian shall assess cases according to the processing itself and the risks to you as the data subject. There are some general guidelines set out below. For all other situations, your personal data shall be held for as long as it is necessary, in line with applicable laws, to prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, enforce our Terms of Service, and for other actions permitted by law or strict criteria developed within our Obsidian group data protection programme.
| Type of processing and purpose | Personal data type | Lawful basis | Retention period |
|---|---|---|---|
| General queries received from you via the contact details provided, or you provide information via Obsidian’ website which requires a reply from us | Name, email address, telephone number, detail of the conversation | Legitimate interest | 2 years |
| Technical Usage Data (Server Logs) Automatic logging of visits to the website for security monitoring, fraud prevention, and performance analytics | Online identifiers and technical data: IP address of your device, browser type and version, device type, pages visited and time stamps, referring site or search terms | Legitimate interests in operating, securing, and improving the website’s service | Raw log data is retained only as long as needed for security monitoring and analysis. |
| Cookies Essential Functionality using cookies that are strictly necessary for the website to function correctly | Unique identifiers stored in cookies and local storage (e.g. session ID, preference flag) that may recognize your browser. These cookies generally | Legitimate interests in providing the service requested and ensuring it works securely | Duration of session for most essential cookies (they are removed when you close your browser). |
| Website Analytics through collecting and analysing website usage data (via cookies or similar trackers) to understand visitor interactions and improve | Online identifiers (IP address, cookie IDs), device and browser details, usage logs (page visits, clicks). This data is collected in aggregate and not used to identify individuals | Consent (via cookie consent for analytics) | Analytics cookies and data are retained only temporarily for 12-14 months. |
| Third-Party Integrations (External Links & Services) | Typically just referral information or anything you choose to share. | Legitimate interests in providing ease to reference material on third party site | Not stored by Obsidian |
Where we get personal information from
The data we collect is provided by you and your Internet browser via cookies. To read about the cookies this website uses, please see our cookie policy.
Who we share information with
We may disclose personal information we collect about you to other parties. We may share your personal data with these third parties
- Lanas group companies: We may share your personal information within our group of companies for the purposes described above.
- Third party service providers: We may share your personal data with our third party service providers, contractors that provide web hosting or website development services, cloud storage services, and professional services on our behalf.
Sharing information outside the UK
We do not share your data outside the EEA and UK unless adequate safeguards are in place, such as standard contractual clauses or adequacy decisions
Marketing – Privacy Notice
Personal data provided to or collected by us
The following is a non-exhaustive list of the main purposes in summary form for which your personal data may be processed depending on which category of data subject you fall within.
Retention periods vary, and Obsidian shall assess cases according to the processing itself and the risks to you as the data subject. There are some general guidelines set out below. For all other situations, your personal data shall be held for as long as it is necessary, in line with applicable laws, to prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, enforce our Terms of Service, and for other actions permitted by law or strict criteria developed within our Obsidian group data protection programme.
| Type of processing and purpose | Personal data type | Lawful basis | Retention period |
|---|---|---|---|
| Marketing through mediums such as email, newsletters, websites, promotional material | Email address, name, telephone number, home address | Consent. Legitimate interests may apply for existing business customers under soft opt-in, per PECR) | As set out in the consent form |
| Third-party IT administrators for purpose of maintaining the website functionality | Access to all data on the server | Legitimate interests | As long as it remains on the server |
| Marketing through mediums such as social media platforms | Social profile usernames, associated email addresses and other public profile data | Users consent by following our page or participating, and any use of their data for targeted ads is based on prior consent or the platform’s terms. | Once they are no longer required for the purpose they were placed and up to 2 years maximum |
We do not receive or collect any personal information from you as part of our advertising activities, unless you respond to an advertisement directly using the contact details provided as part of said advertisement.
We also promote our services and events we are supporting through the use of LinkedIn using posts for advertising, promotion, recruitment and business reasons. We do not use the information for any other purposes and only respond to comments or requests for further information. Followers of the company pages may use the unfollow or unfriend features should they no longer wish to have their data connected to, or to be seen by, the company.
We may use this data to communicate with all classes of individual by telephone, email, fax, post and other electronic means about services we are providing or future opportunities that may be of interest to them. An individual data subject can obtain further information on the legitimate interests and balancing of interests of their data, where legitimate interests is the lawful reason for processing the data, by contacting: dpo@clanwilliam.co.uk.
Where we get personal information from
The data we collect is provided by you, via direct interactions with our marketing activities and/or cookies from your Internet browser. To read about the cookies this website uses, please see our cookie policy.
Who we share information with
We may share your personal data with these third parties:
- Lanas group companies: We may share your personal information within our group of companies for the purposes described above
- Third party service providers: We may share your personal data with our third party service providers, contractors that provide web hosting services, cloud storage services, and professional services on our behalf.
Sharing information outside the UK
We may need to transfer your personal data internationally. We do not share your data outside the EEA and UK unless adequate safeguards are in place, such as standard contractual clauses or adequacy decisions
Our Recruitment services – Privacy Notice
Personal data provided to or collected by us
The following is a non-exhaustive list of the main purposes in summary form for which your personal data may be processed depending on which category of data subject you fall within.
Retention periods vary, and Obsidian shall assess cases according to the processing itself and the risks to you as the data subject. There are some general guidelines set out below. For all other situations, your personal data shall be held for as long as it is necessary, in line with applicable laws, to prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, enforce our Terms of Service, and for other actions permitted by law or strict criteria developed within our group data protection programme.
| Type of processing and purpose | Personal data type | Lawful basis | Retention period |
|---|---|---|---|
| Job applicant as part of the application process to assess suitability for job applying for and conduct interviews, meeting during recruitment process | Name, email address, CV, cover letter, emails, test scores and references | Consent | 1 year following application |
| To make travel arrangements for you, where needed. | If it is necessary to collect special categories of data for this purpose, such as health data, we will obtain your explicit consent where required by law. | Legitimate interests | 6 months following meeting |
| To consider you for opportunities we have now, or future ones, with Obsidian and its affiliates, and to let you know about those opportunities. | Name, email and CV | Consent | 1 year following application |
| To keep records in respect of recruitment | Name, role, feedback on process | Legitimate interests | 6 months following recruitment process |
| To check your references and other information you gave us, to the extent allowed by law. We share your personal information with companies who do these pre-employment screening checks for us. | Reference Information and referee information | If required by local law, we will process your personal information for this purpose on the basis of your consent. Where consent is not appropriate, we rely on legitimate interest to ensure we hire qualified and suitable individuals that meet legal requirements and the requirements of our clients. | 1 year following application |
| To prepare an offer of employment | Name, email, address and other information needed for offer letter | This is to take steps before entering an employment contract with you or performing an employment contract with you. | Employment period plus additional 8 years post leaving |
| Transfer of personal data within the Obsidian group required in the general course of business | Business details or relevant details depending on the nature of the query | Legitimate interests | Depending on the nature of the query but usually one year unless other time is required |
| Third-party IT administrators for purpose of maintaining the server operations | Access to all data on the server(s) | Legitimate interests | As long as it remains on the server |
| To comply with our legal obligations. | we are required by law to keep certain records for specific periods of time, and to process your requests to exercise your rights in respect of your personal information. | Legal Obligations | Duration of legal obligations |
| To exercise or defend Obsidian against potential, threatened or actual litigation | We process your personal information for this purpose for the establishment, exercise or defence of legal claims or proceedings. | Legitimate Interest | Duration of any claim or proceedings. |
Your data may also be used as we believe it to be necessary or appropriate under applicable law, including outside of the country of residence, to comply with legal process, to respond to requests from the public or government authorities, including
outside of the country of residence, or to comply with specific code(s) related to the industry requirements and disclosure and to fulfil other purposes for which you provide personal data, or with your explicit consent.
An individual data subject can obtain further information on the legitimate interests and balancing of interests of their data, where legitimate interests is the lawful reason for processing the data, by contacting: dpo@clanwilliam.co.uk.
Where we get personal information from
We gain information through social media connections for recruitment of employees in line with this policy and LinkedIn terms and conditions. We also receive information from third parties for candidates for employment from agencies, as well as directly from you as a candidate during the recruitment process.
How long we keep information
We retain information if it is necessary and relevant for our operations. In addition, we retain personal information to comply with applicable laws, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, enforce our Terms of Service, and other actions permitted by law. When your personal information is no longer needed for our business purposes, we dispose of it, subject to applicable laws.
Candidates’ CVs, test scores and interview information to apply for a job with us are retained as described in the table above.
Who we share information with
We may, on occasion, share personal data with other companies within the Lanas group to deliver, support or enhance our services.
We do not share information with third parties for the purposes of recruitment.
Sharing information outside the UK
We may need to transfer your personal data internationally. We do not share your data outside the EEA and UK unless adequate safeguards are in place, such as standard contractual clauses or adequacy decisions