At Cardiff Dental and Aesthetics Centre, we take your privacy seriously. This policy explains what personal information we collect about you, why we need it, how we use it, who we share it with, and the rights you have over it.

Cardiff Dental and Aesthetics Centre is the “Data Controller” for the information we hold about you. We are a registered dental practice at 107 Clare Road, Cardiff CF11 6QQ, contactable on 02920 229877 or by email at hello@cardiffdentalaesthetics.co.uk.

Our Practice Manager, Emily Williams, is the point of contact for any questions about how we use your personal data.

Depending on your relationship with us, we may collect and hold:

– Your contact details — name, address, phone number and email address

– Date of birth and your NHS number (where applicable)

– Your medical history and dental history

– Records of treatment carried out — including x-rays, clinical photographs, treatment plans, prescriptions and clinical notes

– Details of the dentist, hygienist or other clinician who treats you

– Your preferences and any communication you have with us about your care

– Payment and billing information

– Where relevant, information about family members who are also our patients (for example, emergency contacts)

– For website visitors — information about how you use our site, collected through our first-party analytics (see the Cookies section below)

Under UK GDPR, we need a lawful basis to collect and use your personal data. The bases we rely on are:

– To provide your dental care — this is a contract between you and us. We need your information to diagnose, plan, carry out and follow up your treatment.

– To meet our legal obligations — as a dental practice we are required by law to keep certain records, including for NHS services, clinical governance, and tax purposes.

– Tasks in the public interest — for NHS-funded treatment, we process your information as part of the provision of NHS dental care in Wales.

– Our legitimate interests — for example, managing our practice, contacting patients about appointments and follow-up care, and improving our services.

– Your consent — for marketing or newsletter communications, for sharing your photographs for promotional purposes, or for any use of your data beyond what is required for your care. You can withdraw consent at any time.

Because your dental records include health information, they are classed as special category data under UK GDPR. For this data we rely on the additional condition in Article 9(2)(h) — the provision of health and social care.

We only share your information where we need to and where we are legally allowed to. The main parties we share with are:

– NHS Wales and Cardiff and Vale University Health Board — for NHS-funded treatment, clinical governance, and administration of payments

– Other healthcare professionals — if we refer you for specialist treatment, to a hospital, or to another dental practice

– Dental laboratories — where crowns, dentures, orthodontic appliances or other custom items are made on your behalf

– Our clinical software and IT suppliers — who act as Data Processors on our behalf and are bound by written contracts to keep your information secure

– Our indemnity providers, regulators and legal advisors — in the rare event of a complaint, claim or regulatory review

– HMRC and our accountants — for tax and accounting purposes

– Law enforcement or public authorities — where we are required to by law

We never sell your information. We do not share your data with third parties for their own marketing purposes.

We keep your dental records for the periods set out in national guidance from the General Dental Council, the NHS and the British Dental Association:

– Adult patients — records are kept for at least 11 years from the date of your last treatment

– Child patients — records are kept until the child’s 25th birthday, or for 11 years after their last treatment, whichever is the longer period

– Financial records — kept for at least 7 years, as required by HMRC

– CCTV footage (where in use) — typically retained for no more than 30 days, unless needed for an active investigation

After these retention periods, we securely destroy paper records and delete digital records.

You have the following rights over the personal information we hold about you:

– The right to be informed — about how we use your data (this policy)

– The right of access — you can ask for a copy of the information we hold about you

– The right to rectification — you can ask us to correct information that is inaccurate or incomplete

– The right to erasure (“right to be forgotten”) — in some circumstances you can ask us to delete your information, although clinical records generally need to be retained for the periods set out above

– The right to restrict processing — you can ask us to limit how we use your data in certain circumstances

– The right to data portability — in some cases you can ask us to transfer your data to another provider

– The right to object — to certain types of processing, including direct marketing

– Rights related to automated decision-making — we do not use automated decision-making or profiling

To exercise any of these rights, please contact Emily Williams using the details at the end of this policy. We will respond within one calendar month.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (contact details below).

We take the security of your personal data seriously and have appropriate technical and organisational measures in place. These include:

– Secure clinical software with password-protected access, limited to authorised staff only

– Encrypted digital records and secure backups

– Locked storage for paper records

– Confidentiality agreements with all members of staff

– Regular staff training on data protection and information governance

– CCTV monitoring of the premises where appropriate

– Restricted access to our practice premises

Our website uses a limited number of cookies and a first-party, privacy-focused analytics tool to help us understand how visitors use the site. We do not use Google Analytics, Facebook pixels or other third-party advertising trackers, and our analytics do not identify individual visitors.

Where cookies or analytics require your consent under UK cookie law, you will see a clear banner on your first visit allowing you to accept or decline. You can clear and block cookies at any time through your browser settings — although disabling cookies may affect how parts of our website work.

We may update this privacy policy from time to time to reflect changes to our practice, our technology, or updated legal requirements. When we make a significant change we will show the date of the update on this page and, where appropriate, let you know directly.