Privacy Policy

Our dental practice is independent and offers various private dental and facial aesthetic treatments. Our team includes both employed and self-employed staff. We all work to protect our patients’ privacy and keep their information safe.

This document explains how we use patient information. We follow the rules of the UK GDPR and the Data Protection Act of 2018.

The person responsible for data protection compliance is Sara Al-Naer you can reach them at dental@twoth.com or by calling the practice at 0204 542 0155.

Collecting Your Personal Data

We usually get your personal information directly from you. This happens when you contact us, use our website, complete a feedback form or come for an appointment. Sometimes, we might also get your information from other places, like:

Other dentists who have treated you
Your GP or a hospital
A carer, family member, or partner
Your insurance company or dental plan provider
The NHS, regulators, or authorities like the Police
Your solicitor

Additionally, we may get information from online companies, such as Google and Facebook. These companies are not in the UK and help us with things like analysing our website, advertisements, and handling payments and services.

The Types of Personal Information We Collect and Process

We handle various kinds of patient information at our dental practice. The table below explains these types in detail. For each type of information, you will find:

What We Collect: This column describes the different kinds of personal data we gather, like your name, contact details, health data, etc.
Why We Need It: Here, we outline the purposes for which we use your information. This could range from registering you in our system to managing our relationship with you.
Our Legal Grounds: This is where we explain the legal basis under UK GDPR and the Data Protection Act 2018 for processing your data.

Categories of Personal Data	Examples of What We Collect	Why We Need It	Our Legal Grounds
Personal Identifiers	Name, Contact Details, Patient Reference number, date of birth, signatures, photos and videos (non-clinical purposes)	1. Register you in our system. 2. Contact you about treatment and manage our relationship. 3. Send marketing information. 4. Share non-clinical photos and videos (e.g., reactions, testimonials) online. 5. Prevent crime and protect our assets	1. Performance of a contract (private treatments) 2. Performance of a contract (private treatments), legitimate interest. 3. Consent, legitimate interest. 4. Consent. 5. Legitimate interest.
Family Details	Next of kin, guardians, carers, representatives.	1. Emergency contact. 2. Discuss your care with responsible parties.	1. Vital interest, consent. 2. Contract ,consent.
Financial Details	Payment details, debit/credit card information, bank account details.	1. Process payments. 2. Debt recovery.	1. Contract, 2. Legitimate interest.
Technical Data	Website usage data (IP address, browser details, etc.), social media, patient portal usage.	1. Improve online services, marketing. 2. Manage and secure our practice, website, and social media. 3. Detect unlawful activities on guest WI-FI.	1, 2. Legitimate interest. 3. Legitimate interest, legal obligation.
Communication Data	Data in emails, social media comments, letters, instant messages.	1. Handle complaints, queries, feedback. 2. Legal defence or regulatory enquiry evidence.	1, and 2 Legitimate interest.
Health Data	Medical/dental histories, lifestyle data, x-rays, clinical photos, treatment plans, recorded communications, clinical notes, incident information.	1. Assess and treat dental health. 2. Legal defence in claims or investigations. 3. Clinical and peer review. 4. Record health and safety incidents.	1. Necessary for treatment and administration. 2. Legal defence 3. Necessary for treatment, Substantial Public Interest – Equality. 4. Legal defence, Substantial Public Interest – Insurance
Ethnicity Information	Ethnic group and language details.	1. Understand cultural, religious, language needs. 2. Comply with equality law.	1. Necessary for treatment. 2. Necessary for treatment, Substantial Public Interest – Equality.
Religious and Philosophical Beliefs	Relevant beliefs impacting care (e.g., fasting, treatment preferences).	1. Assess and provide appropriate care. 2. Comply with equality law.	1. Necessary for treatment. 2. Necessary for treatment, Substantial Public Interest – Equality.

The Necessity of Your Personal Data for Dental Treatment

For effective private dental care, our practice must collect and process certain personal data. This is crucial for planning and providing safe, personalised treatment. If you choose not to share this essential information, it may hinder our ability to treat you, potentially leading to discontinuation of your treatment at our clinic.

Withdrawing Your Consent

The above table shows when we need your consent to use your personal details. For example, suppose when you first visited our dental practice, you were pleased with the service and agreed to give a video testimonial. We included this testimonial on our website and in our training courses with your consent. If you now decide that you no longer want us to use your video, you can withdraw your consent for this specific purpose.

If you wish to withdraw your consent, please reach out to us. You can find how to contact us at the top of this notice. If you decide to withdraw your consent, we will not use your information for those purposes anymore, unless there is a legal need. Just know, if you withdraw your consent, it doesn’t change any use of your information that happened before.

When We Share Your Information

Our dental practice uses your information mainly internally, by our team and dentists who take care of you. We ensure only those who need to know will access your data. We take great care to keep your information confidential and share it when necessary, such as:

Relatives and Carers: If you agree, or it helps you.
Healthcare Workers: When necessary.
NHS Bodies: For audit or other regulatory purposes.
Regulators: As required by bodies like GDC, CQC.
Social Services: If you consent or in certain situations.
Law Enforcement: As the law dictates or with your consent.
Solicitors: With your consent or by court order.
Courts/Tribunals/Coroners: On legal request.
HMRC: For legal compliance.
Research and Audit Bodies: Anonymously or with your consent.
Insurance Providers: For claim processing.
Potential New Practice Buyers and Brokers: During business ownership changes.
IT System Providers: To manage and protect our data systems.
Security Partners: For the security and safety of our practice and patients.
Translators: To assist you if you need language support.
Professional Services
- Accountants: For financial management and auditing.
- Business/Marketing/Clinical/Compliance Consultants: For advice and support in these specific areas.
- Our Solicitors: For legal advice and representation.

How We Store Your Data

We store your personal details safely, using both paper and computers. For online and cloud services and storage, especially when it’s outside the UK, we follow strict legal rules to keep your data safe.

How Long Do We Keep Your Data

We keep your details only as long as we need to. We do this to comply with health, legal, and financial-related rules and guidance. When deciding how long to keep your information, we look at its amount, type, and how private it is. We also consider the risk of someone else getting access to it. We also think about whether we need the information for situations like legal matters after your treatment ends.

How We Protect Data Transferred Internationally

Sometimes, we might need to send your personal data to countries outside the UK and the European Economic Area. Whenever this happens, we take steps to make sure your information stays safe and secure, just like it would at home. We follow the rules set by data protection laws to protect your privacy.

Here’s how we do it:

Adequacy Decisions: We check that the country where your data is going has strong privacy protections. These protections must be recognized by UK and EU authorities.
Standard Contractual Clauses: If the country doesn’t have these protections, we have a special contract in place. This contract uses specific terms that the UK and EU authorities agree will keep your data safe.

Your Data Rights and Third-Party Requests

Data protection laws grant you certain rights about your personal details:

Access: You can request to see the personal details we hold about you.
Correction: If you find errors in your information, you can ask us to correct it. You can also have incomplete details completed.
Deletion: Under some conditions, you have the right to request that we delete your personal information.
Limit Use: If you wish, you can ask us to limit the way we use your personal information.
Object: There are times when you can object to our use of your personal details.
Transfer: You may ask us to move your personal information to another organization, or directly to you, in certain situations.

FAQ: Responding to Your Request

When can I respect a response for my request?

We aim to respond quickly. If your request lands on a day we’re closed, we’ll start counting our one-month response time from the next working day.

Does my data request need to be in writing?

Not at all. You can make your request in any form that suits you. This can be in person, by phone, or via a message on social media. We’ll acknowledge and process your request regardless of how you submit it. While we might suggest filling out a form to streamline the process, it’s not mandatory. You’re free to choose how you’d like to make your request.

What if my request is not specific enough?

We’ll ask you to clarify what you’re looking for. While we wait for your clarification, we pause the one-month countdown.

Will I be charged for making a request?

Usually, it’s free. But if your request is unfounded, repetitive, or excessive, we may ask for a fee to cover our costs.

Can my request be denied?

Yes, in certain cases. If a request is too broad, doesn’t have a clear purpose, or places an unreasonable burden on us, it might be considered “manifestly unfounded” or “manifestly excessive”. We carefully evaluate each request and ensure that any decision to deny is fair and compliant with data protection regulations. We’d then inform you why we can’t fulfil it, and you can challenge our decision by contacting us.

Are there any limits to my requests?

Yes, some requests might be limited by law. We’ll let you know if that’s the case.

Can someone else make a request on my behalf?

Sure, but we’ll need proof that they’re allowed to act on your behalf. If we’re concerned about the safety of your data, we might talk to you directly or send the data to you instead of someone else.

Concerns and Complaints

If you have concerns about how we handle your data or if you’re dissatisfied with our response to a request, please reach out using the contact information provided at the beginning of this notice. You’re also entitled to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/