Privacy Policy

At Wilmer Health, we are committed to protecting personal and medical information with the same care, confidentiality, and professional responsibility that govern our visa medical certification and documentation services.

This Privacy Policy explains how Wilmer Health collects, uses, stores, and protects personal, medical, identity, and payment information in accordance with the UK GDPR, EU GDPR, HIPAA-equivalent standards, and internationally recognised medical data-protection frameworks.

Effective Date: 1 July 2023
Last Reviewed: January 2026
Next Scheduled Review: January 2027
Data Protection Officer (DPO): Dr Andrew Smith MBChB BSc (Hons) MRCGP, Medical Director, Wilmer Health
Contact: dpo@wilmerhealth.com

1. Introduction

Wilmer Health is committed to protecting the privacy, confidentiality, and security of all personal data entrusted to us. This Privacy Policy explains how we collect, use, store, share, and safeguard personal information when providing visa medical certificates, sworn translations, apostilles, legalisation services, and related documentation for official embassy and consulate submission.

Wilmer Health operates as a medically governed, internationally facing service. Many of the documents we handle form part of formal immigration and visa decision-making processes and may include sensitive medical, identity, and legal information. As such, we apply standards of data protection, confidentiality, and information governance consistent with those expected of regulated medical services and official documentation providers.

This Privacy Policy reflects our commitment to professional medical confidentiality, lawful data processing, and responsible handling of information that may directly affect an individual’s visa application, immigration status, or legal rights. We process personal data only where it is necessary, proportionate, and relevant to the services requested.

This Privacy Policy applies to all users of the Wilmer Health website, services, and communications, including applicants based in the United Kingdom, the European Union, the United States, and other jurisdictions worldwide. It applies to all personal data processed in connection with visa medical certification, sworn translations, apostilles, document legalisation, and associated support services.

2. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection and privacy laws, Wilmer Health acts as the Data Controller for all personal data processed in connection with our services.

As Data Controller, Wilmer Health determines the purposes and means of processing personal, medical, and documentation-related information provided by applicants when delivering visa medical certificates, sworn translations, apostilles, legalisation services, and associated support.

Data Controller: Wilmer Health
Jurisdiction: United Kingdom
Registered Office: London, United Kingdom
Contact: dpo@wilmerhealth.com

Data Protection Lead: The Medical Director of Wilmer Health

The Data Protection Lead has overall responsibility for ensuring compliance with applicable data protection legislation, professional medical confidentiality obligations, and internal information governance standards. This role includes oversight of how sensitive medical and identity data is collected, accessed, stored, transferred, and retained across Wilmer Health’s clinical, administrative, and documentation workflows.

Given the medical nature of part of our services and the international scope of visa and immigration applications, data protection oversight is integrated into Wilmer Health’s broader clinical governance framework. This ensures that data handling decisions are aligned not only with legal requirements, but also with recognised standards of medical ethics, confidentiality, and professional accountability.

The Data Protection Lead can be contacted for all data protection–related enquiries at:
dpo@wilmerhealth.com

3. Categories of Personal Data We Collect

Wilmer Health collects and processes personal data only where necessary, relevant, and proportionate to deliver visa-related medical certification and documentation services. Data collection is limited to what is required for defined, lawful purposes and is handled in accordance with medical confidentiality and data protection obligations.

3.1 Identity and Contact Information

This information is used to verify identity, prepare official documentation, and communicate with applicants.

  • Full name
  • Date of birth
  • Nationality
  • Residential address
  • Email address and telephone number
  • Passport or government-issued identity document details

3.2 Medical Information (Special Category Data)

Where visa requirements mandate medical declarations, we collect limited medical information relevant to those declarations.

  • Medical history relevant to visa declarations
  • Information relating to communicable diseases where required by consular guidance
  • Health declarations and informed consent confirmations
  • Supporting medical documentation provided voluntarily by the applicant

Medical information is classified as special category personal data under Article 9 of the UK GDPR and EU GDPR and is subject to enhanced safeguards. Access to medical data is restricted to authorised clinicians and support staff directly involved in the certification process.

3.3 Visa and Legal Documentation

To support immigration and consular processes, we may process:

  • Visa application reference numbers
  • Embassy or consulate-specific requirements
  • Police certificates, birth certificates, and marriage certificates
  • Supporting correspondence required for visa or residency applications

3.4 Translation, Apostille, and Legalisation Data

Where applicants request additional documentation services, we may process:

  • Documents submitted for sworn translation
  • Apostille and legalisation records
  • Certification, verification, and tracking metadata

These documents are processed solely for the purpose of official submission and verification and are not used for any secondary purpose.

3.5 Technical and Usage Information

To ensure the security, integrity, and functionality of our website and services, we may collect limited technical data, including:

  • IP address
  • Browser and device information
  • Website interaction data

This information is used for security, performance monitoring, and operational integrity only. Wilmer Health does not use technical data for advertising, behavioural profiling, or marketing analytics.

4. How We Use Personal Data

Wilmer Health uses personal data only where it is necessary, relevant, and proportionate to deliver visa-related medical and documentation services. All processing is purpose-limited and carried out in line with data protection law, medical confidentiality obligations, and recognised information governance standards.

Personal data may be used for the following purposes:

  • Issuing visa medical certificates: To prepare, review, sign, and issue medical certificates required for visa and immigration applications, ensuring accuracy, appropriate wording, and suitability for embassy or consulate submission.
  • Medical review and clinical oversight: To allow qualified doctors to assess submitted medical information, apply professional medical judgement, and provide clinical oversight in accordance with ethical and regulatory standards.
  • Coordination of sworn translations, apostilles, and legalisation services: To arrange certified sworn translations, apostilles through the Foreign, Commonwealth & Development Office (FCDO), and related legalisation steps required for official visa documentation.
  • Identity and document verification: To verify applicant identity, confirm document authenticity, and ensure that medical certificates and supporting documentation can be independently validated by embassies, consulates, or other authorities.
  • Communication with applicants: To contact applicants regarding their application, documentation status, requests for clarification, delivery arrangements, or updates related to their visa documentation.
  • Complying with legal, regulatory, and professional obligations: To meet obligations under UK GDPR, EU GDPR, HIPAA (where applicable), medical professional standards, record-keeping requirements, and audit or verification requests from relevant authorities.
  • Record-keeping, audit, and verification: To maintain secure records that support traceability, quality assurance, clinical governance, and the ability to verify issued documentation if required by embassies, consulates, or applicants.

Wilmer Health does not use personal or medical data for:

  • Advertising or marketing profiling
  • Automated decision-making
  • Sale or commercial exploitation of personal data

All data processing activities are reviewed regularly to ensure they remain lawful, necessary, and aligned with the purpose for which the information was originally collected.

5. Legal Bases for Processing Personal Data

Wilmer Health processes personal data only where a valid lawful basis exists under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws. The lawful basis applied depends on the nature of the information and the service being provided.

We rely on one or more of the following legal bases:

  • Consent: Where applicants explicitly provide informed consent for the collection, review, and processing of personal and medical information for visa documentation purposes. Consent is obtained through clear declarations and may be withdrawn at any time, subject to legal or regulatory retention requirements.
  • Performance of a contract: Where processing is necessary to fulfil a contract entered into with the applicant, including the preparation, review, and issuance of visa medical certificates, sworn translations, apostilles, and related documentation services.
  • Legal obligation: Where processing is required to comply with applicable legal, regulatory, or professional obligations, including immigration documentation standards, medical record-keeping requirements, and verification or audit requests from relevant authorities.
  • Vital interests: In limited circumstances, where processing is necessary to protect the vital interests of the applicant or another individual, particularly in relation to health, safety, or medical risk identified during the documentation process.
  • Public interest in healthcare: Where processing is necessary for reasons of public interest in the area of healthcare, including the issuance of regulated medical documentation and the application of professional medical judgement in accordance with recognised clinical and ethical standards.

Processing of Special Category (Medical) Data

Medical information constitutes special category data under UK GDPR and EU GDPR. Wilmer Health processes such data only where additional lawful conditions are met, including:

  • Explicit consent for medical assessment and certification
  • Processing necessary for healthcare purposes carried out by qualified medical professionals
  • Compliance with medical confidentiality obligations and professional standards
  • Processing necessary for reasons of substantial public interest in healthcare and immigration documentation

All special category data is subject to enhanced safeguards, access controls, and confidentiality protections in line with data protection law and medical ethics.

6. Medical Confidentiality and Professional Duties

All medical information processed by Wilmer Health is handled in accordance with strict professional confidentiality obligations. Visa medical certificates involve the review and certification of personal health information, and we apply the same standards of confidentiality, discretion, and professional responsibility that are expected within regulated medical practice.

Doctors issuing visa medical certificates through Wilmer Health are bound by:

  • General Medical Council (GMC) professional standards, including Good Medical Practice and associated confidentiality guidance
  • Core duties of medical confidentiality under established medical ethics
  • Healthcare governance and information governance requirements applicable to medical documentation used for official and legal purposes

Medical information is accessed solely for the purpose of preparing visa medical certificates and supporting documentation. Access is strictly limited to:

  • Qualified doctors responsible for medical review and certification
  • Authorised administrative staff who require access to coordinate documentation, delivery, or legalisation services

All access to medical information is role-based, logged where appropriate, and restricted to individuals who are subject to confidentiality obligations and data protection training.

Wilmer Health does not disclose medical information to third parties unless:

  • Explicit consent has been provided by the applicant
  • Disclosure is necessary to fulfil a legal or regulatory obligation
  • Disclosure is required to protect the vital interests of the applicant or another individual

These safeguards ensure that medical confidentiality is maintained at every stage of the visa documentation process, while allowing doctors to exercise independent professional judgement in accordance with recognised medical and ethical standards.

Our approach to medical confidentiality and governance is set out in our Medical Code of Practice.

7. HIPAA Compliance (United States Applicants)

Wilmer Health maintains full compliance with the Health Insurance Portability and Accountability Act (HIPAA) for applicants based in the United States. Where personal health information is processed in connection with visa medical certificates or related documentation, we apply HIPAA-aligned safeguards to ensure confidentiality, integrity, and availability of protected health information (PHI).

Our HIPAA compliance framework is designed to reflect the realities of remote medical documentation while meeting the expectations placed on healthcare-related services handling sensitive medical data for official use.

HIPAA-aligned safeguards implemented by Wilmer Health include:

  • Administrative safeguards, including documented policies, staff training, role-based access controls, and defined responsibilities for data protection and medical confidentiality
  • Technical safeguards, such as secure authentication, access logging, encryption of data in transit and at rest, and controlled system permissions
  • Physical safeguards, including secure server infrastructure, controlled access to systems, and protections against unauthorised physical access to data

Access to protected health information is restricted to authorised clinicians and staff who require it to perform their professional duties in connection with visa documentation. All access is governed by the principle of minimum necessary use.

Medical data relating to US-based applicants is transmitted and stored using secure, encrypted systems, with audit logging and monitoring in place to support accountability and traceability.

Wilmer Health’s HIPAA-aligned controls operate alongside our compliance with UK GDPR, EU GDPR, and international data protection standards, ensuring consistent protection of medical information regardless of the applicant’s location.

8. ISO/IEC 27001 Information Security Certification

Wilmer Health operates an Information Security Management System (ISMS) aligned with the principles and controls set out in ISO/IEC 27001, the internationally recognised standard for information security management.

This framework governs how we identify, assess, and manage risks to personal, medical, and operational data across all systems involved in visa medical certificates, sworn translations, apostilles, legalisation services, and supporting documentation.

Our ISO/IEC 27001–aligned approach is designed to ensure the confidentiality, integrity, and availability of information handled by Wilmer Health, particularly where sensitive medical and identity data is processed for official embassy and consulate use.

Key elements of our information security framework include:

  • Risk-based security controls, with regular risk assessments conducted to identify, evaluate, and mitigate threats to personal and medical data
  • Encryption of data in transit and at rest, ensuring information remains protected when transmitted electronically and when stored within secure systems
  • Role-based access management, restricting access to data based on job function and professional necessity, with the principle of least privilege applied
  • Authentication and access logging, enabling traceability and accountability for system access
  • Ongoing security monitoring and review, including regular evaluation of technical controls, operational procedures, and incident response readiness

Information security responsibilities are embedded across clinical, administrative, and technical teams, supported by documented policies, internal training, and governance oversight.

Our ISO/IEC 27001–aligned controls operate alongside our obligations under UK GDPR, EU GDPR, and HIPAA, providing a consistent and structured approach to protecting personal and medical information regardless of jurisdiction.

9. Data Sharing and Third Parties

Wilmer Health shares personal and medical data only where strictly necessary to deliver visa medical certificates and associated documentation services. All data sharing is carried out on a need-to-know basis, proportionate to the purpose of processing, and subject to contractual, legal, and professional safeguards.

We do not sell personal data, and we do not permit third parties to use applicant information for marketing, profiling, or unrelated purposes.

Personal data may be shared with the following categories of third parties, where required:

  • Licensed doctors and clinicians engaged by Wilmer Health to review medical information and issue visa medical certificates under clinical governance and professional confidentiality obligations
  • Spanish sworn translators (traductores jurados) officially registered with the Spanish Ministry of Foreign Affairs, responsible for producing certified translations accepted by Spanish consulates in the UK, the USA, and internationally
  • The UK Foreign, Commonwealth & Development Office (FCDO) where apostilles are required for the legalisation of medical certificates or supporting documents
  • Secure delivery and logistics providers, including Royal Mail within the UK and DHL for international deliveries, used solely for the physical dispatch of original documents where required
  • Payment service providers operating under PCI DSS compliance, responsible for securely processing payment transactions. Wilmer Health does not store full payment card details

All third parties are subject to confidentiality obligations and are required to implement appropriate technical and organisational measures to protect personal and medical data in line with applicable data protection legislation.

Where third-party processors are used, Wilmer Health ensures that:

  • Data processing agreements are in place where required
  • Access to data is limited to the minimum necessary
  • Information is used only for the specific services contracted
  • Security standards are assessed and reviewed periodically

Wilmer Health remains accountable as the Data Controller for personal data processed through its services and retains oversight of how data is handled throughout the documentation and delivery process.

10. International Data Transfers

Wilmer Health provides visa medical certification and documentation services to applicants based internationally, including in the United Kingdom, the European Union, the United States, and other jurisdictions worldwide. As part of delivering these services, personal data may be accessed, processed, or transferred outside the UK or European Economic Area (EEA).

Where international data transfers occur, Wilmer Health ensures that appropriate legal, technical, and organisational safeguards are in place to protect personal and medical information in accordance with applicable data protection laws.

Depending on the destination and nature of the transfer, safeguards may include:

  • Adequacy decisions issued by the UK Government or the European Commission, where the destination country is recognised as providing an adequate level of data protection
  • Contractual safeguards, including data protection clauses and confidentiality obligations, requiring recipients to protect personal data to UK GDPR and EU GDPR standards
  • HIPAA-aligned safeguards for processing involving applicants based in the United States, including administrative, technical, and physical protections for medical information
  • Restricted access controls, ensuring that data is accessed only by authorised personnel involved in delivering visa documentation services
  • Secure transmission and storage measures, including encryption and monitored access

International transfers are limited to what is necessary and proportionate for the provision of visa medical certificates, sworn translations, apostilles, document legalisation, and secure delivery services.

Wilmer Health does not transfer personal data internationally for marketing, profiling, or unrelated commercial purposes.

We continually review our international data transfer arrangements to ensure they remain compliant with evolving data protection requirements, regulatory guidance, and best practice in medical and immigration-related data handling.

11. Data Retention

Wilmer Health retains personal and medical information only for as long as it is necessary, lawful, and proportionate to fulfil the purposes for which it was collected. This includes meeting professional medical obligations, supporting visa and immigration documentation processes, and complying with applicable legal and regulatory requirements.

Personal data may be retained to:

  • Meet medical record-keeping obligations associated with the issuance of visa medical certificates
  • Support verification, audit, and validation of visa documentation submitted to embassies and consulates
  • Respond to legitimate enquiries from applicants, consulates, or authorised authorities regarding issued documentation
  • Comply with legal, regulatory, and professional requirements, including those arising under UK GDPR, EU GDPR, HIPAA (where applicable), and medical governance standards

Retention periods vary depending on the type of data, the nature of the service provided, and the applicable legal or regulatory framework. Medical and identity data are retained only for the minimum period necessary to satisfy these obligations.

Once applicable retention periods expire:

  • Personal data is securely deleted, or
  • Where appropriate, irreversibly anonymised so that individuals can no longer be identified

Deletion and anonymisation processes are carried out using secure, industry-standard methods designed to prevent unauthorised access, recovery, or reconstruction of data.

Wilmer Health regularly reviews its data retention practices to ensure ongoing compliance with data protection law, medical confidentiality standards, and best practice in handling sensitive visa and immigration documentation.

12. Your Rights

Under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), individuals whose personal data is processed by Wilmer Health are entitled to a range of statutory data protection rights.

These rights include the right to:

  • Access your personal data and receive confirmation of how it is being processed
  • Rectification of inaccurate, incomplete, or outdated personal information
  • Erasure of personal data where legally permitted, including where data is no longer necessary for its original purpose
  • Object to processing, where processing is based on legitimate interests or public interest grounds
  • Data portability, where applicable, allowing you to receive certain personal data in a structured, commonly used, and machine-readable format

Some rights may be subject to legal or professional limitations, particularly where data must be retained to comply with medical, regulatory, or visa-related record-keeping obligations.

Requests to exercise data protection rights can be made via our Contact page or by contacting our Data Protection Lead directly. All requests are handled:

  • In accordance with applicable data protection legislation
  • Within statutory response timeframes
  • With appropriate identity verification to protect confidentiality

Wilmer Health is committed to facilitating the lawful exercise of data subject rights while ensuring the continued integrity, security, and professional governance of medical and visa-related documentation.

13. Security Measures

Wilmer Health implements comprehensive technical and organisational security measures to protect personal, medical, and identity data against unauthorised access, loss, alteration, or disclosure.

Our security framework is designed in line with recognised information security standards and reflects the sensitivity of medical and visa-related documentation.

Key security measures include:

  • Encryption in transit and at rest: All data transmitted through our website and internal systems is protected using SSL/TLS encryption. Medical records, identity documents, and certification files are stored in encrypted databases and secure document storage environments.
  • Access controls and role-based permissions: Access to personal and medical data is restricted to authorised clinical and administrative personnel only, based on defined professional roles and operational necessity. User access is logged and monitored.
  • Secure internal systems and communications: Internal communications between doctors, translators, and administrative staff take place within secure, password-protected systems designed to prevent unauthorised disclosure of sensitive information.
  • Audit logging and monitoring: System activity and access to sensitive data are logged to support auditability, accountability, and the investigation of any security incidents.
  • Ongoing security testing and review: Security controls are reviewed regularly as part of our information security management processes, including vulnerability assessment, risk review, and periodic audits aligned with ISO/IEC 27001 principles.

These measures are designed to ensure the confidentiality, integrity, and availability of data throughout its lifecycle and to meet the expectations placed on services handling regulated medical information and official visa documentation.

14. Cookies and Website Analytics

The Wilmer Health website uses essential cookies and limited analytics tools to ensure core website functionality, security, and performance.

Essential cookies are required to:

  • Enable secure access to our website and forms
  • Maintain session integrity
  • Protect against fraudulent or unauthorised activity

Where analytics are used, they are implemented in a privacy-conscious manner and are limited to understanding how visitors interact with our website so that we can improve usability, accessibility, and system reliability. We do not use cookies or analytics for advertising, behavioural profiling, or cross-site tracking.

Users are provided with clear information and choice regarding non-essential cookies, in line with UK GDPR, EU GDPR, and ePrivacy requirements.

Further details about the types of cookies we use, their purpose, and how users can manage cookie preferences are set out in our Cookie Policy, which forms part of our broader data protection framework.

15. Complaints and Regulatory Oversight

Wilmer Health is committed to transparency and accountability in how personal and medical data is handled. If you have any concerns about our data protection practices, confidentiality safeguards, or the way your personal information has been processed, we encourage you to contact us in the first instance so that we can review and address the issue promptly.

Data protection concerns can be raised by contacting our Data Protection Lead at:

Email: dpo@wilmerhealth.com

We take all complaints seriously and investigate them in accordance with applicable data protection laws, medical confidentiality obligations, and internal governance procedures.

If you remain dissatisfied with our response, or believe that your data protection rights have been infringed, you have the right to lodge a complaint with the UK’s supervisory authority:

Information Commissioner’s Office (ICO)
Website: https://ico.org.uk

The ICO is the independent authority responsible for overseeing data protection and privacy compliance in the United Kingdom.

16. Contact Details

For all data protection, privacy, or confidentiality enquiries relating to Wilmer Health services, please contact our Data Protection Lead:

Email: dpo@wilmerhealth.com

This contact point is overseen by the Medical Director of Wilmer Health, who is responsible for data protection compliance, medical confidentiality obligations, and information governance across the organisation.

All enquiries are handled confidentially and in accordance with applicable data protection legislation and professional medical standards.

Requests may also be submitted via our Contact page.

17. Policy Updates

This Privacy Policy is reviewed on a regular basis to ensure it remains accurate, up to date, and aligned with applicable legal, regulatory, and professional standards.

Reviews may occur in response to changes in data protection legislation, medical governance requirements, information security practices, or the scope of services provided by Wilmer Health. Where material updates are made, the revised policy will be published on this page and will apply from the date stated.

Last updated: January 2026