(Updated June 2025 to reflect the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR). This policy supplements, and should be read alongside, our Terms and Conditions.)
1. Purpose of This Policy
This Privacy Policy explains how and why Danbury Dental Care Ltd ("we", "us", "our") collects, uses, stores, shares and protects your personal data when you:
- visit danburydentalcare.co.uk or any website under our control ("Website");
- enquire about or receive treatment at our practice located at 24 Maldon Road, Danbury, Essex CM3 4QH ("Practice"); or
- otherwise interact with us (e.g. by telephone, email, social media or in person).
It also sets out the rights you have in respect of your personal data and how to exercise them.
2. Who We Are - Data Controller Details
| Detail | Value |
|---|---|
| Company name | Danbury Dental Care Ltd |
| Head office | 24 Maldon Road, Danbury, Essex, CM3 4QH |
| Telephone | 01245 225091 |
| Email | [email protected] |
| Data Protection Officer (DPO) | Kalyanie Gengeswaran, Principal Dentist |
Danbury Dental Care Ltd acts as the Data Controller for the majority of the personal data described below. In certain limited circumstances (for example, where laboratory services dictate the means of processing), we may also act as a Joint Controller or Processor.
3. The Data We Collect
We collect and process different categories of information depending on your relationship with us:
| Category | Examples | Source |
|---|---|---|
| Identification & Contact Data | Name, date of birth, NHS number, postal address, email, telephone numbers | Direct from you, referring dentists/GPs |
| Health & Special Category Data | Medical and dental history, radiographs, photographs, treatment notes, prescriptions, medical letters | Direct from you, prior clinicians, laboratories |
| Financial Data | Invoices, payment card details (tokenised), insurance details | Direct from you, finance providers |
| Technical & Usage Data | IP address, browser type, pages visited, cookies, referring site, interaction times | Automated via cookies & analytics |
| Marketing & Preference Data | Newsletter opt-in, preferred contact method, survey responses | Direct from you |
4. How We Collect Data
- Direct interactions - paper forms, online forms, telephone calls, email, clinical consultations.
- Automated technologies - cookies, server logs, third-party analytics (see section 13).
- Third parties - referring clinicians, dental laboratories, insurers, credit providers, NHS England.
5. Purposes and Lawful Bases for Processing
| Purpose | Lawful basis (Article 6 UK GDPR) | Additional condition for special data (Article 9) |
|---|---|---|
| Assessing, planning and delivering dental care | 6(1)(b) Contract - to provide treatment you request | 9(2)(h) - health care provision |
| Record-keeping & clinical governance | 6(1)(c) Legal obligation - CQC, GDC, NHS | 9(2)(h) |
| Appointment reminders & service messages | 6(1)(f) Legitimate interests (efficient care & reduced DNAs) | 9(2)(h) |
| Payment processing & finance | 6(1)(b) Contract / 6(1)(f) | - |
| Marketing of similar products/services | 6(1)(a) Consent or 6(1)(f) soft opt-in under PECR | - |
| Website analytics & improvement | 6(1)(f) Legitimate interests | - |
| Legal claims & debt recovery | 6(1)(f) Legitimate interests | 9(2)(f) - legal claims |
Where we rely on consent you may withdraw it at any time (see section 11).
6. Sharing Your Data
We share data only where necessary and with appropriate safeguards:
- Dental laboratories & referral specialists to create or continue your treatment.
- Software & IT providers (practice management, CRM, secure email) under written data-processing agreements.
- NHS bodies & regulators (NHS England, CQC, GDC, HMRC) where legally required.
- Payment providers & finance companies to process fees or credit applications at your request.
- Emergency services or safeguarding authorities where vital interests or statutory duties apply.
We do not sell or rent your personal data for marketing purposes.
7. International Transfers
All core systems are hosted within the EEA; transfers from the UK to the EEA are covered by the UK's adequacy regulations. Where a vendor operates outside the UK and EEA (e.g. a US-based email service) we ensure that an adequate level of protection exists, typically via the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
8. Data Security
We implement proportionate technical and organisational measures including:
- TLS encryption for website and email traffic;
- role-based access controls & strong authentication;
- encrypted off-site backups;
- staff confidentiality agreements & GDPR training;
- regular patching and penetration testing of systems.
9. Data Retention
| Data type | Retention period |
|---|---|
| Patient clinical records | Minimum 11 years after last visit, or until age 25 for children (whichever is later) |
| Financial records | 7 years for HMRC compliance |
| Marketing consents & opt-outs | Consents: until withdrawn, plus six years; opt-out (suppression) records: indefinitely, so that we do not contact you again |
| Website analytics logs | 26 months (our Google Analytics retention setting) |
| Enquiry/Contact forms | 24 months unless converted into active patient record |
We periodically review the data we hold and securely erase or anonymise it when no longer required.
10. Your Rights
You have the rights to:
- Be informed - this policy fulfils that right.
- Access - receive a copy of your data.
- Rectification - correct inaccurate or incomplete data.
- Erasure - ask us to delete data (subject to legal limits).
- Restriction - suspend our processing in certain circumstances.
- Portability - obtain your data in a structured, machine-readable format.
- Object - to processing based on legitimate interests or direct marketing.
- Not be subject to automated decision-making that produces legal or similarly significant effects.
To exercise any right, please contact our DPO (details in section 2). We will respond within one month; for complex or numerous requests this may be extended by up to two further months, in which case we will tell you within the first month.
11. Marketing Communications
We will send electronic marketing only with your consent or under the PECR "soft opt-in" for existing patients. You can opt out at any time by:
- clicking the "unsubscribe" link in any marketing email;
- replying "STOP" to SMS; or
- contacting us directly.
12. Automated Decision-Making and Profiling
We do not use solely automated decision-making that produces legal or similarly significant effects. Basic segmentation (e.g. reminding patients overdue for a hygiene visit) is performed under legitimate interests and does not involve automated decision-making of the kind covered by Article 22 UK GDPR.
13. Cookies and Similar Technologies
Our Website uses strictly necessary cookies (to maintain sessions) and performance cookies (e.g. Google Analytics) to understand visitor behaviour. On your first visit we display a cookie banner allowing you to accept or decline non-essential cookies. Detailed cookie information is available in our separate Cookie Policy.
14. How to Complain
If you believe we have not handled your data correctly:
- Contact our DPO in the first instance so we can address your concerns.
- You may lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk Tel: 0303 123 1113.
15. Changes to This Policy
We review this Policy at least annually. Updates will be posted on this page and, where appropriate, notified to you by email or displayed in the Practice.
