Patient Privacy Policy

§1About this policy

1.1 Who we are

West End Dental Group is a group of four private dental practices serving North Wales:

• West End Dental Colwyn Bay — 104 Conway Road, Colwyn Bay, LL29 7LL
• West End Dental Llangefni — 53 High Street, Llangefni, LL77 7NA
• West End Dental Porthmadog — 15 Snowdon Street, Porthmadog, LL49 9BT
• West End Dental Prestatyn — 155 High Street, Prestatyn, LL19 9AY

The data controller for your personal information is West End Dental Holdings Limited. Our practices are operated by separate companies in the group, all of which share our registered office at 104 Conway Road, Colwyn Bay, LL29 7LL:

• West End Dental Holdings Limited (company number 06169551, ICO registration ZA241238) — the data controller
• West End Dental Colwyn Bay Limited (08293442, ICO Z3490748)
• West End Dental Llangefni Limited (09466078, ICO ZA140264)
• West End Dental Porthmadog Limited (08942996, ICO ZA140269)
• West End Dental Prestatyn Limited (15248411, ICO ZB747304)

The practice companies access your records only as required to deliver your care and operate the practice you are registered with.

Our clinicians are regulated by the General Dental Council. Our practices are regulated by Healthcare Inspectorate Wales for the provision of primary dental care.

1.2 What this policy covers

This policy applies to personal data we hold about:

• Patients of our practices, including former and inactive patients.
• People who enquire with us, attend a consultation or use our online booking tools without going on to become patients.
• Members of our dental and aesthetics membership plans.
• Visitors to our websites and digital tools, including patient-facing booking funnels.

This policy does not cover personal data we hold about our employees, self-employed associates or job applicants. A separate privacy notice covers staff data.

Some treatments and services are also covered by additional documents — including our Terms of Business and our Treatment Guarantee Terms. Where additional documents apply we will tell you and provide a copy.

1.3 Versions and changes

We may update this policy from time to time — for example, to reflect changes in the law, in our services or in how we work. The current version is always available at westend.dental/privacy.

Where changes are significant — for example, where we add a new purpose for processing your data — we will tell you in advance, in line with UK GDPR.

1.4 Our Data Protection Lead

Our Data Protection Lead is responsible for overseeing how we collect, use and protect your personal data and for responding to your questions and requests. To contact our Data Protection Lead, please use the contact details at the foot of this policy.

§2The information we collect

2.1 Information you give us

When you become a patient, enquire about a treatment, attend a consultation or join a membership plan, you give us information directly. This includes:

• Your name, date of birth, sex and other identifying information.
• Your contact details — postal address, email address, daytime telephone number and mobile telephone number.
• Your medical and dental history, including current medications, allergies, previous dental work, lifestyle factors relevant to dental health, and concerns or reasons for seeking treatment.
• Your GP’s name and surgery, where you choose to share these.
• Information about people connected to you, where relevant — for example, the parent or guardian accompanying a child, or a named person you have authorised us to discuss your care with.
• Payment information, including bank account details for Direct Debit payments and card details processed through our payment provider.
• Any other information you choose to share with us — for example, when you complete a feedback form, write a review or contact us by phone, email or messaging.

We will tell you which information is required and which is optional. We are unable to deliver dental care without the information needed to deliver it safely.

2.2 Information we create about you

In the course of your care we create additional information about you. This includes:

• Clinical notes, treatment plans, treatment estimates and consent records.
• Records of consultations, examinations and treatment delivered.
• Dental x-rays, intra-oral scans, study models and clinical photographs (see clause 3.7 for further detail on photographs and clinical imaging).
• Records of payments, refunds and any outstanding balances.
• Membership records, including the tier you are on, when you joined and how your benefits have been used.
• Records of communications with you — for example, appointment reminders sent, calls made and messages exchanged.
• Recordings of incoming and outgoing telephone calls (see clause 11).

2.3 Information we receive from others

We sometimes receive information about you from other sources, including:

• Your referring dentist or other clinician, where you have been referred to us.
• Your GP, where you have asked them to share information with us in support of your care.
• Specialist clinicians where we have referred you to them.
• A parent, guardian or person you have authorised, in line with our Terms of Business.
• Our regulated patient finance partner, where you have applied for finance through us.
• West End Health, a separate company, where you have come to us via a referral from West End Health (see clause 4.2).
• Marketing platforms, where you have engaged with our advertising — for example, by clicking an ad and completing an online form.

2.4 Information from your visit to our websites and booking tools

When you visit our websites or use our online booking tools, we collect certain information automatically. This includes:

• Technical information about your device — for example, your browser type, operating system and IP address.
• Information about how you use the site — for example, the pages you visit, the links you click and the time you spend on each page.
• Information about how you arrived at our site — for example, the search you ran, the link you followed or the advertising campaign that brought you here.
• Information you submit through online forms, including identity-verification challenges that help us prevent automated abuse.
• Information you submit at each step of an online booking — for example, the date, the appointment slot you select and any deposit you pay.

Some of this information is collected through cookies and similar technologies. See clause 10 for more on cookies.

§3How we use your information

We only use your personal data where the law allows us to do so. The lawful bases we rely on are set out below for each purpose. UK data protection law calls these "lawful bases" and they come from Article 6 of UK GDPR. Where we process information about your health, we rely additionally on Article 9(2)(h) — the provision of healthcare.

3.1 Providing your dental and aesthetic care

We use your personal data to assess, plan and deliver your dental and aesthetic care. This includes everything from your initial consultation through to follow-up after treatment.

Lawful bases:

• Performance of our contract with you (Article 6(1)(b)).
• The provision of healthcare (Article 9(2)(h)) for clinical and medical information.
• Compliance with our legal and regulatory obligations (Article 6(1)(c)) — for example, the General Dental Council’s record-keeping standards.

3.2 Operating our practices safely and lawfully

We use your personal data to operate our practices safely, securely and within the law. This includes:

• Verifying your identity at appointments and online.
• Managing appointments, schedules and clinician availability.
• Operating CCTV at our practices for safety and security (see clause 11.2).
• Recording incoming and outgoing telephone calls (see clause 11.1).
• Detecting and preventing fraud, including in our online tools.
• Investigating and responding to complaints, accidents and clinical incidents.
• Improving our services through analysis of de-identified information about how patients use our services.

Lawful bases:

• Performance of our contract with you (Article 6(1)(b)).
• Compliance with our legal and regulatory obligations (Article 6(1)(c)).
• Our legitimate interests in operating our business safely, securely and effectively (Article 6(1)(f)). Where we rely on legitimate interests, we balance our interests against your rights and freedoms.

3.3 Communicating with you about your care

We use your contact details to communicate with you about your appointments, your treatment, your account and your membership. This includes:

• Sending appointment reminders by text message and email.
• Confirming bookings and changes to bookings.
• Issuing prescriptions, results, planning letters and aftercare instructions.
• Sending statements, payment requests and refund confirmations.
• Notifying you of changes to membership pricing, benefits or terms.
• Following up on emergency or out-of-hours contact.

These communications form part of the service we provide. They continue for as long as you are a patient or member, regardless of whether you have opted in to marketing.

Lawful basis: performance of our contract with you (Article 6(1)(b)) and our legitimate interests in delivering safe, well-organised care (Article 6(1)(f)).

3.4 Marketing

Where you have opted in, we may send you marketing communications about our services, news, special offers and events. Marketing channels we may use include email newsletters, SMS, messaging apps, postal mail and personalised online advertising.

Marketing is separate from the appointment, treatment, account and membership communications described in clause 3.3. You receive those whether or not you have opted in to marketing, because they are part of the service we provide.

You choose which marketing channels we use to contact you. You can opt out of any channel at any time, by:

• Using the unsubscribe link in any email or message.
• Replying STOP to any marketing SMS.
• Contacting us at info@westend-dental.com or 0808 164 1003.

Opting out of one channel does not affect any other channel. Opting out of marketing does not affect any of the communications described in clause 3.3.

Where we use online advertising platforms to reach people who may be interested in our services, we sometimes share limited information — for example, hashed email addresses — with those platforms so that they can show our ads to similar audiences and measure how well our advertising is working. We will only do this in line with cookie and consent rules and you can opt out at any time.

Lawful basis: your consent (Article 6(1)(a)). Marketing by electronic means is also subject to the Privacy and Electronic Communications Regulations (PECR), and consent is given separately for each electronic channel as required.

3.5 Meeting our legal and regulatory obligations

We use your personal data where the law requires us to do so or where it is necessary for our regulatory compliance. This includes:

• Keeping clinical records in line with the General Dental Council’s standards.
• Keeping financial and tax records in line with HMRC requirements.
• Reporting and cooperating with investigations by regulators such as the General Dental Council, Healthcare Inspectorate Wales, the Information Commissioner’s Office, the Financial Conduct Authority and others.
• Complying with safeguarding obligations in respect of children and vulnerable adults.
• Complying with court orders and other legal requirements.

Lawful basis: compliance with our legal and regulatory obligations (Article 6(1)(c)).

3.6 Profiling and automated decision-making

We do not make any decisions about your treatment using only automated processing. All clinical decisions are made by a qualified clinician.

We do use limited automated processing in some routine operational tasks — for example, to send appointment reminders, to identify patients who may be due a recall, or to recognise potentially fraudulent activity in our online booking tools. These activities do not produce legal effects on you and you can object to them at any time.

Where you have consented to marketing, we use limited information to choose which messages and offers may be most relevant to you. You can opt out of this profiling at any time without affecting any other part of our service.

3.7 Photographs and clinical imaging

We use clinical photographs, x-rays and intra-oral scans as part of treatment planning, delivery and follow-up. Where photographs and images form part of your clinical record, they are governed by the same lawful bases as the rest of your clinical record (see clause 3.1) and we do not need additional consent from you.

We may also use clinical photographs and images for purposes outside your direct care. These uses always require separate, specific consent from you, recorded at the time. They include:

• Use in clinical training, education and continuing professional development.
• Use in marketing materials, including our website and social media, before-and-after galleries and promotional content.

Consent for these additional uses is voluntary, separate from your consent to treatment, and you can withdraw it at any time. Withdrawal does not affect treatment you have already received. Where you withdraw consent, we will stop using the relevant images going forward, although we may not be able to recall images that have already been published or shared.

Lawful basis for additional uses: your consent (Article 6(1)(a)).

3.8 AI in patient communications

We use AI tools to help us respond efficiently to enquiries and routine patient communications. The most common use is for first-line responses on our messaging channels — for example, answering questions about opening hours, directing enquiries to the right person and helping you book or reschedule.

AI tools we use do not make decisions about your treatment. A member of our team reviews and responds to anything that requires clinical judgement, a personal answer or the handling of sensitive information. You can ask to speak directly with a member of our team at any point in a conversation.

Lawful basis: our legitimate interests in providing prompt and efficient patient service (Article 6(1)(f)). We have considered your rights and interests in this and offer a clear, easy route to a human at any time.

§4Who we share your information with

Our default is one of strict confidentiality. We will not discuss your treatment with anyone outside the West End Dental Group, including a spouse or family member, without your written authority — except as set out below.

4.1 Within the West End Dental Group

We share your information across our group practices where this is necessary to deliver your care or to operate our group safely. For example, your records may be shared between practices if you receive treatment at more than one of them, or if your care is supported by our central administrative or clinical teams.

4.2 West End Health

West End Health Limited is a separate company. It is not part of West End Dental Group, and there is no corporate or legal relationship between the two businesses. West End Health currently operates one GP surgery, which is hosted within our Colwyn Bay practice.

Some patients first contact us via West End Health, or come to us on referral from a West End Health professional. Where this happens, West End Health and West End Dental act as separate Data Controllers, and any referral information is shared between us only with your specific consent at the point of referral.

After your care with us is established, our records are held separately from those of West End Health. We do not share patient information with West End Health except where there is a lawful basis to do so — for example, in a medical emergency at our Colwyn Bay practice where shared premises make a coordinated response necessary, or where you ask us to.

4.3 Clinical partners

We share your information with clinical partners where it is necessary for your care. These include:

• Dental laboratories that manufacture appliances, prosthetics and other items for your treatment.
• Specialist clinicians to whom we refer you for advanced treatment.
• Your GP and other healthcare professionals, where you have asked us to share information with them or where it is necessary in your best interests.
• Pharmacies, where we issue a prescription on your behalf.

4.4 Suppliers and processors

We share your information with categories of supplier who help us run our practices and deliver our services. These include:

• Practice management and clinical software providers, who host our patient records and clinical systems.
• Payment, finance and Direct Debit providers, who process payments, deposits and refunds.
• Communications providers, who send appointment reminders and confirmations by email and SMS on our behalf.
• Website hosting, security and identity-verification providers, who keep our online tools running and protect them against abuse.
• Analytics, attribution and online advertising platforms, where you have consented to non-essential cookies and tracking.
• Customer-relationship management and patient-feedback platforms, where you have engaged with us through them.
• AI service providers, supporting routine patient communications as described in clause 3.8.
• IT support, professional services and accountancy providers, who support the running of our business.
• Insurers and loss adjusters, where relevant to a claim.

All processors who handle your information on our behalf are bound by written contracts that require them to comply with UK data protection law and to protect your information to the same standard we apply ourselves.

4.5 Regulatory and legal authorities

We share information with regulators and authorities where we are required or permitted to do so. These include:

• The General Dental Council, Healthcare Inspectorate Wales and the Information Commissioner’s Office.
• The Financial Conduct Authority and our regulated patient finance broker, where you have applied for finance.
• HMRC and other tax and revenue authorities.
• The police, social services, courts and similar authorities, where required by law or in safeguarding circumstances.

4.6 Other circumstances

We may share your information with other parties in limited additional circumstances:

• Where you have given us your specific consent.
• Where we are required to share it by law.
• Where we believe sharing is necessary to protect you or another person from harm.
• In connection with a merger, sale, reorganisation or acquisition of our group or any practice. In these cases, we will only share what is necessary and we will require the recipient to protect your information to the same standard.

§5International transfers

We are based in the United Kingdom and your records are held primarily in the UK and the European Economic Area (EEA).

Some of the suppliers and processors we use are based outside the UK and the EEA, or use sub-processors based outside them. This is most common with our website, communications, analytics and online-advertising providers, several of which are based in the United States or operate global infrastructure.

Where we transfer your information outside the UK, we use one or more of the safeguards approved by the UK Information Commissioner’s Office. These include:

• UK adequacy regulations, where the destination country is recognised as providing an adequate level of protection.
• The UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
• Other transfer mechanisms permitted by UK data protection law, supplemented by appropriate technical and organisational measures.

You can ask us for a copy of, or a reference to, the safeguard that applies to a specific transfer.

§6How long we keep your information

We only keep your information for as long as is necessary for the purpose we collected it for, or for as long as the law requires. The most common retention periods are set out below.

Adult clinical records

Adult clinical records — including treatment notes, consent forms, x-rays, scans and clinical photographs — are retained for at least 11 years from the date of last treatment, in line with the General Dental Council’s record-keeping standards.

Children’s clinical records

Children’s clinical records are retained until the patient’s 25th birthday, or 11 years from the date of last treatment, whichever is later.

Telephone call recordings

Telephone call recordings are treated as part of the clinical record, and retained on the same basis as adult or children’s records, as appropriate.

Photographs used outside the clinical record

Photographs used outside the clinical record (for training, education or marketing) are retained until you withdraw consent, or for the time period set out in your specific consent at the time.

Financial records

Financial records — invoices, payments, refunds and finance applications — are retained for at least 6 years from the date of the transaction, in line with HMRC and FCA requirements.

Membership records

Membership records are retained for the duration of your membership and at least 6 years after termination.

Complaint records

Complaint records are retained for at least 11 years from the resolution of the complaint.

Marketing data

Marketing data, including consent records, is retained until you withdraw consent, or for 3 years from the last time you engaged with us — whichever comes first.

Online enquiries and incomplete bookings

Where you have made an online enquiry or started a booking but not gone on to become a patient, we retain that information until you withdraw consent, or for 3 years from the date of enquiry — whichever comes first.

CCTV footage

CCTV footage is retained for up to 90 days, except where retained for the investigation of a specific incident.

Website analytics data

Website analytics data is retained in line with the cookie or analytics provider’s standard retention period; typically up to 14 months for de-identified usage data.

Where we are required to keep certain information by law or regulation, those requirements take precedence over our standard retention periods.

When the retention period for a piece of your information expires, we securely delete or anonymise it.

§7How we protect your information

We take the security of your personal data seriously. Our practical safeguards include:

• Storing electronic records in secure, access-controlled clinical and business systems.
• Storing paper records in lockable, fire-resistant cabinets at our practices.
• Restricting access to your records to staff who need it for your care, your account or our legal obligations.
• Training staff on confidentiality and data protection.
• Encrypting personal data in transit and at rest, where technically appropriate.
• Maintaining secure audit trails so we can detect inappropriate access.
• Backing up critical systems regularly and testing our ability to recover from incidents.
• Carrying out data protection impact assessments before introducing new tools or services that handle personal data.

No system is ever completely secure. If we ever have reason to believe that your personal data has been involved in a security breach that is likely to result in a risk to your rights, we will tell the Information Commissioner’s Office and, where required, you, in line with UK GDPR.

§8Your rights

Under UK GDPR you have a number of rights in relation to the personal data we hold about you. Those rights are summarised below. Some rights are subject to limits — for example, where we have a regulatory or legal obligation to keep records.

8.1 The right to be informed

You have the right to be told how your personal data is used. This policy is one of the ways we provide that information.

8.2 The right of access

You have the right to ask us for a copy of the personal data we hold about you. Requests are usually responded to within one calendar month and there is normally no charge.

8.3 The right to rectification

You have the right to ask us to correct personal data that is inaccurate or incomplete.

8.4 The right to erasure

You have the right to ask us to delete personal data we hold about you. We may not be able to delete some categories of information — in particular, clinical records that we are required to retain. Where we cannot delete information, we will explain why.

8.5 The right to restrict processing

You have the right to ask us to limit how we use your personal data while we look into a query, dispute or correction.

8.6 The right to object

You have the right to object to our use of your personal data where we are relying on legitimate interests as our lawful basis. You also have an absolute right to object to direct marketing at any time.

8.7 The right to data portability

Where we are processing your data on the basis of consent or to perform a contract with you, and we are doing so by automated means, you have the right to receive a copy of that data in a structured, commonly used and machine-readable format, and to ask us to send it to another provider where this is technically feasible.

8.8 The right to withdraw consent

Where we rely on your consent to process your personal data — most commonly for marketing and for use of photographs outside the clinical record — you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

8.9 The right to complain

If you have a concern about how we have handled your personal data, please contact us first using the details at the foot of this policy. We will always try to put things right.

If you remain dissatisfied, you have the right to complain to the Information Commissioner’s Office:

• Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
• 0303 123 1113.

ico.org.uk.

8.10 Exercising your rights

To exercise any of these rights, please contact us using the details at the foot of this policy. Before we act on a request, we may ask you for proof of identity to make sure that we are responding to the right person.

§9Children and young people

We treat children and young people of all ages, as set out in our Terms of Business. The information we hold about a child is governed by this policy in the same way as for an adult patient. There are some important differences:

• A parent or legal guardian must register a patient under the age of 16 with us, and must accompany them throughout each appointment.
• We will discuss the care of a child with their parents or legal guardians as appropriate. For young people aged 16 and 17, and for younger people who are Gillick-competent, we will respect their privacy in line with their understanding and clinical needs.
• We retain children’s records until the patient’s 25th birthday, or for 11 years from the date of last treatment, whichever is later.

We do not use children’s personal data for marketing purposes.

§10Cookies and website analytics

Our websites and online tools use cookies and similar technologies to make them work and to help us understand how they are used.

Some cookies are strictly necessary — for example, to keep you logged in to a booking, to remember your preferences during a session, or to protect our online tools against fraud and abuse. These cookies do not require your consent.

Other cookies are non-essential and are set only with your consent. These include cookies and tags used for analytics, attribution and online advertising — for example, to understand which advertising campaigns are working and to enable us and our advertising partners to show you relevant ads on other sites.

When you first visit one of our websites or online tools, you can choose which non-essential cookies to accept. You can change your choices at any time through the cookie controls on the site.

§11Telephone calls and CCTV

11.1 Telephone calls

All incoming and outgoing telephone calls at our practices are recorded. Recordings are used for training, monitoring and as a contemporaneous record of clinical and customer-care discussions. Calls about your treatment form part of your clinical record and are retained on the same basis (see clause 6).

Where we make an outbound call to you, we will tell you at the start of the call that it is being recorded. Inbound calls to our practices are not announced as recorded; this privacy notice serves as your information.

11.2 CCTV

We operate CCTV at our practices to provide a safe and secure environment for patients and staff and to protect our premises. Cameras are sited in public-facing areas — including waiting areas, reception, corridors and exterior entrances. We do not operate CCTV in clinical treatment rooms.

CCTV footage is normally retained for up to 90 days, after which it is automatically overwritten. Access to footage is restricted to authorised staff and any disclosure to a third party is approved by a Director of West End Dental. We will only disclose footage:

• In the investigation of a specific incident on our premises.
• To the police, in response to a request supported by appropriate authority.
• To insurers or loss adjusters, where relevant to a claim.
• Where we are required to do so by law.

Lawful basis: our legitimate interests in safety and security (Article 6(1)(f)). We have balanced these interests against your reasonable expectation of privacy and concluded that the use of CCTV in public-facing areas is proportionate.