Privacy Policy

GDPR & DATA PROTECTION POLICY

  1. Scope & Purpose

     This policy ensures compliance with:

  • UK General Data Protection Regulation (GDPR)
  • Data Protection Act 2018
  • ICO (Information Commissioner’s Office) guidelines

     Applies to all patient/dentist data processed for:

  • Fabricating dental restorations (crowns, dentures, implants)
  • Managing clinical records, scans, and prescriptions
  • Marketing communications
  2. Data We Collect & Legal Basis

      Categories of Data:

  • Patient Data: Names, dental impressions/scans, medical histories (from dentists).
  • Dentist Data: Contact details, practice information, payment records.
  • Digital Data: Intraoral scan files (STL/DCM), Exocad design files, emails.

      Legal Basis for Processing:

  • Contractual Necessity: To fulfill lab orders (Article 6(1)(b) UK GDPR).
  • Legitimate Interest: For quality control and service improvement (e.g., anonymized case studies).
  • Explicit Consent: For marketing newsletters (opt-in required).
  3. Data Security Measures

      Technical Protections:

  • Encryption: All digital files (scans, designs) encrypted in transit and at rest (AES-256).
  • Access Controls: Role-based permissions for staff; 2FA for cloud systems.
  • Audit Logs: Track access to sensitive data (who, when, why).

      Physical Protections:

  • Secure storage for physical impressions/dentures (locked cabinets).
  • Shredding/disposal of physical records after 7 years (NHS guidelines).
  4. Data Sharing & Third Parties

     We share data only with:

  • Dentists/clinics (for treatment continuity).
  • Trusted Suppliers (e.g., milling centers under NDAs).
  • Legal Obligations: If required by CQC, GDC, or courts.

      International Transfers:

  • Data stays UK/EU-based (or with ICO-approved safeguards like SCCs if exported).
  5. Individual Rights

     Patients/dentists can request:

  1. Access – Copies of their data (free within 30 days).
  2. Rectification – Correct inaccurate records (e.g., scan errors).
  3. Erasure – Delete non-essential data (unless legally required to retain).
  4. Restriction – Limit processing during disputes.
  5. Portability – Receive digital scans in usable format.

      Submit requests to: [email protected] or 07756 580985.

  6. Data Retention
  • Active Cases: Retained for 2 years post-delivery.
  • Inactive Records: Anonymized/deleted after 7 years (NHS retention rules).
  • Marketing Data: Reviewed annually; unsubscribed contacts deleted.
  7. Breach Protocol
  1. Report internally within 24 hours to our Data Protection Officer (DPO).
  2. Assess risk to rights/freedoms of affected individuals.
  3. Notify ICO within 72 hours if high risk (per UK GDPR Article 33).
  4. Inform patients/dentists if breach poses direct harm (e.g., exposed health data).
  8. Staff Training & Compliance
  • Annual GDPR training for all employees.
  • Confidentiality agreements signed by staff/contractors.
  • ICO registration number: ZB897705
  • MHRA registration number: 34271
  9. Policy Updates

     Reviewed annually or after significant legal changes.
      Contact DPO: Alireza Karami | [email protected] | 97 Russel Lane, London.