Data Protection Policy
Introduction
Bright Smile Dental Clinic is committed to protecting the privacy and security of personal data. This Data Protection Policy outlines how we collect, use, store, and protect your personal information in compliance with applicable data protection laws, including the Personal Data Protection Act of Sri Lanka and international best practices.
Data Controller
Bright Smile Dental Clinic is the data controller responsible for your personal data.
Contact Details: Main Street, Embilipitiya, Sri Lanka
Phone: 076 499 4948
Email: [email protected]
Types of Personal Data We Collect
We collect and process various types of personal data to provide dental services:
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | Full name, date of birth, NIC number, gender | Patient identification and records |
| Contact Data | Address, email, phone number, WhatsApp | Appointment reminders, communication |
| Health Data | Medical history, dental records, X-rays, treatment notes | Diagnosis and treatment |
| Financial Data | Payment information, insurance details, billing history | Payment processing, insurance claims |
| Technical Data | IP address, browser type, device information | Website functionality, security |
| Usage Data | How you use our website and patient portal | Service improvement |
Legal Basis for Processing
We process your personal data based on the following legal grounds:
Consent: You have given explicit consent for processing, particularly for health data and marketing communications.
Contract: Processing is necessary to provide dental services you have requested.
Legal Obligation: We are required by law to maintain certain records and report specific conditions.
Legitimate Interests: Processing is necessary for our legitimate business interests, such as improving services and preventing fraud.
Vital Interests: In emergencies, we may process data to protect your life or health.
How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing dental treatment | Identity, Contact, Health | Contract, Consent |
| Appointment scheduling and reminders | Identity, Contact | Contract, Legitimate Interest |
| Billing and payment processing | Identity, Financial | Contract |
| Insurance claims | Identity, Health, Financial | Contract, Consent |
| Sending health information and tips | Contact | Consent |
| Improving our services | Usage, Technical | Legitimate Interest |
| Complying with legal requirements | All relevant data | Legal Obligation |
| Emergency contact | Identity, Contact, Health | Vital Interest |
Data Sharing
We may share your personal data with:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Healthcare Providers | Referrals, specialist consultations | Professional confidentiality, data sharing agreements |
| Insurance Companies | Processing claims on your behalf | Only with your consent, encrypted transmission |
| Laboratories | Dental prosthetics, diagnostic tests | Anonymized where possible, confidentiality agreements |
| Payment Processors | Processing card payments | PCI-DSS compliance |
| Government Authorities | Legal requirements, public health reporting | Only as required by law |
| IT Service Providers | Website hosting, software maintenance | Data processing agreements, security measures |
We do not sell your personal data to third parties.
International Data Transfers
Some of our service providers may be located outside Sri Lanka. When transferring data internationally, we ensure appropriate safeguards are in place:
- Standard contractual clauses
- Data processing agreements
- Encryption during transmission
- Verification of recipient's data protection practices
Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Medical Records | 10 years after last treatment (adults), until age 25 for minors | Legal requirement, continuity of care |
| Financial Records | 7 years | Tax and accounting requirements |
| Consent Records | Duration of consent + 3 years | Proof of consent |
| Website Usage Data | 2 years | Service improvement |
| Marketing Preferences | Until consent withdrawn | Compliance with preferences |
After the retention period, data is securely deleted or anonymized.
Your Rights
Under data protection laws, you have the following rights:
Right to Access
You can request a copy of the personal data we hold about you.
Right to Rectification
You can request correction of inaccurate or incomplete data.
Right to Erasure
You can request deletion of your data in certain circumstances (note: medical records may need to be retained for legal reasons).
Right to Restrict Processing
You can request that we limit how we use your data.
Right to Data Portability
You can request your data in a structured, machine-readable format.
Right to Object
You can object to processing based on legitimate interests or for marketing purposes.
Right to Withdraw Consent
You can withdraw consent at any time for processing based on consent.
Right to Complain
You can lodge a complaint with the relevant data protection authority.
Exercising Your Rights
To exercise any of these rights, please contact us:
- Email: [email protected]
- Phone: 076 499 4948
- In Person: Visit our clinic during office hours
We will respond to your request within 30 days. We may need to verify your identity before processing your request.
Data Security
We implement appropriate technical and organizational measures to protect your personal data:
| Security Measure | Description |
|---|---|
| Encryption | Data encrypted in transit and at rest |
| Access Controls | Role-based access, strong passwords, multi-factor authentication |
| Physical Security | Secure premises, locked storage for paper records |
| Staff Training | Regular data protection training for all staff |
| Incident Response | Procedures for detecting and responding to data breaches |
| Regular Audits | Periodic security assessments and updates |
| Backup Systems | Regular backups with secure off-site storage |
Data Breach Procedures
In the event of a data breach:
- We will assess the breach and contain it immediately
- We will notify the relevant authorities within 72 hours if required
- We will notify affected individuals if the breach poses a high risk to their rights
- We will document the breach and our response
- We will review and improve security measures
Children's Data
For patients under 18 years of age:
- Consent must be provided by a parent or legal guardian
- We collect only data necessary for treatment
- We take extra care to protect children's data
- Parents/guardians can access and manage their child's data
Changes to This Policy
We may update this policy periodically. We will notify you of significant changes by:
- Posting the updated policy on our website
- Sending an email notification for material changes
- Displaying a notice in our clinic
Contact Us
For questions about this policy or your personal data:
Data Protection Contact
Bright Smile Dental Clinic
Main Street, Embilipitiya, Sri Lanka
Phone: 076 499 4948
Email: [email protected]