
Privacy Policy
1. The data controller and contact details
This Privacy Policy describes how DentaField Clinic processes the personal data of patients, website visitors and persons who contact us, as well as the rights you are entitled to. The processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR), with Law no. 190/2018 and with Law no. 506/2004.
We recommend that you read this document carefully. For any clarification, you can contact us using the details below.
The controller of the personal data is the dental practice operating under the name „DentaField Clinic”, with its registered office at Bulevardul Constantin Brâncoveanu nr. 18, Sector 4, 041451 București, and which provides dental medical care under the operating health authorization issued by the Direcția de Sănătate Publică (Public Health Directorate).
You can contact us as follows:
• Address: Bulevardul Constantin Brâncoveanu nr. 18, Sector 4, 041451 București
• E-mail: dentafield@gmail.com
• Phone: +40 744 841 966
For any question or request regarding the processing of your data and the exercise of the rights provided by the GDPR, you can write to us by e-mail at dentafield@gmail.com or by post, at the address above, marked „For the attention of the data protection officer”.
Given the nature and size of the practice (a small dental practice, without large-scale processing within the meaning of Art. 37 GDPR), we have not appointed a Data Protection Officer (DPO). However, we have established the e-mail address above (dentafield@gmail.com) as the contact point for all data protection matters. Insofar as we process the personal numerical code (CNP), for the preparation of dental medical or fiscal documents, we apply the additional safeguards required by Art. 4 of Law no. 190/2018.
2. What categories of data we process
Depending on how you interact with us, we may process the following categories of data:
• Identification and contact data: surname, first name, e-mail address, telephone number and, where applicable, the postal address and the CNP (the latter only when it is necessary for medical or fiscal documents).
• Data submitted through the website forms (the contact form and the appointment request form): the content of the message, the reason for the visit or the request, the preferred appointment slot and any other information you choose to include. The „reason for the visit” may, by its nature, reveal a health concern.
• Health data — a special category of data (Art. 9 GDPR): information about your oral health status, dental history, diagnoses, treatment plans and procedures, dental X-rays and other investigations, allergies and relevant medical history. This data is processed mainly within the dental care relationship at the practice, but it may also appear in the messages submitted through the form, if you choose to mention it.
• Data from your interaction with us: correspondence (e-mail, telephone), the history of appointments and requests.
• Data from your interaction with the virtual assistant (chatbot): the content of the conversation and the questions you ask.
• Technical and website usage data: IP address, device and browser identifiers, the pages accessed, the date and time of access, as well as the data collected through cookies and similar technologies (including Google Analytics 4 and Google Ads), under the conditions described in the Cookies Policy and only on the basis of your consent.
• Data from public reviews: the displayed name and the content of the review you have published about us on Google.
We do not ask for and do not wish to receive, through online channels, more data than is necessary for the specific purpose of the interaction.
3. The purposes of the processing and the legal bases
We process your data only for specific purposes and on a legal basis provided by the GDPR:
• Handling requests submitted through the contact form, by e-mail or by telephone — legal basis: taking steps at your request prior to entering into a contract [Art. 6(1)(b) GDPR] and, where applicable, our legitimate interest in responding to you and communicating effectively [Art. 6(1)(f) GDPR].
• Handling appointment requests and organizing dental consultations — legal basis: pre-contractual steps at your request [Art. 6(1)(b) GDPR].
• Providing dental medical services and preparing the dental medical documentation — specific legal bases for health data (see the following section).
• Complying with legal obligations (for example accounting and fiscal obligations, retention of the dental medical documentation, handling of complaints, reporting to authorities) — legal basis: the legal obligation [Art. 6(1)(c) GDPR].
• Cookies and analytics and advertising tools (Google Analytics 4, Google Ads) — legal basis: your consent [Art. 6(1)(a) GDPR], which you can give or refuse from the cookie banner and which you can withdraw at any time.
• Ensuring the security of the website and systems, preventing fraud and diagnosing technical problems — legal basis: our legitimate interest in maintaining a secure and functional online environment [Art. 6(1)(f) GDPR].
• Establishing, exercising or defending a legal claim in court — legal basis: the legitimate interest [Art. 6(1)(f) GDPR] or the legal obligation [Art. 6(1)(c) GDPR].
When we rely on the legitimate interest, it consists of the ability to provide you with a prompt response, to keep a record of the correspondence, to organize our activity and to protect our rights; this interest has been assessed and balanced against your rights and freedoms.
4. Health data and professional secrecy
Health data enjoys special protection and is processed as follows:
• Within dental care (consultation, diagnosis, treatment, keeping the dental record), the processing is necessary for the purposes of preventive medicine, of establishing the diagnosis and of providing medical care, on the basis of Art. 9(2)(h) read in conjunction with Art. 9(3) GDPR. This data is processed by medical staff bound by the legal obligation to maintain professional secrecy, in accordance with Law no. 46/2003 on patient rights and with the Code of Professional Conduct of the dentist.
• If you choose, on your own initiative, to communicate online information about your health to us (through the form, by e-mail or via the chatbot), we will process it strictly in order to contact you and act upon the request, on the basis of Art. 9(2)(h) read in conjunction with Art. 9(3) GDPR and of our legitimate interest in responding to you [Art. 6(1)(f) GDPR]; insofar as the voluntary submission of this data expresses your agreement, we may also rely, where applicable, on explicit consent [Art. 9(2)(a) GDPR].
The medical professional secrecy and the duty of confidentiality incumbent on us are not limited in time and are maintained even after the relationship with the patient has ended or after the patient’s death. In order to protect patients, through online or telephone channels (e-mail, forms, virtual assistant, social networks, unverified calls or messages) we do not confirm and do not discuss a person’s status as a patient, the existence or content of an appointment, diagnoses, treatment plans or other personal or health data of a person. Such information can be communicated exclusively to the data subject or to the person entitled under the law, after verification of identity — a verification that we request only when there is a reasonable doubt and which we apply in a proportionate manner, without unjustifiably hindering the exercise of the rights provided by law.
Please do not submit detailed health data (diagnoses, conditions, treatments, dental X-rays) through the online forms, by e-mail or via the chatbot; these matters are discussed securely during a consultation. We do not ask for, and we do not make the appointment conditional on, the submission of such data online. When we nevertheless receive health data through these channels, we reduce it to the minimum necessary and delete or anonymize it as soon as it is no longer necessary for the above purpose [Art. 5(1)(c) and (e) and Art. 25 GDPR], except in cases where its retention is required by a legal obligation or is necessary for the establishment, exercise or defence of a legal claim.
5. The recipients of the data and the processors
We do not sell your data. We may disclose it or make it accessible to the following categories of recipients, strictly to the extent necessary:
• The web hosting and infrastructure provider — Amazon Web Services (AWS), through the AWS Amplify service, which hosts the website and securely stores the data related to the forms.
• Amazon Web Services (Amazon Bedrock) — for the operation of the virtual assistant (chatbot), which processes the content of the conversations in order to generate responses; the service is used in a region within the European Union.
• Google — for displaying maps (Google Maps), for displaying reviews and, only with your consent, for analytics and advertising (Google Analytics 4, Google Ads).
• The message transmission service provider — a specialized provider of e-mail and message delivery services, on the basis of contractual guarantees of confidentiality and security, for the delivery of messages generated by the forms and of the correspondence.
• The accounting service provider — the clinic’s accounting service provider, on the basis of contractual guarantees, for the fulfilment of accounting and fiscal obligations.
• Public authorities, courts or other bodies, when we have a legal obligation to that effect.
Where these providers process data on our behalf, they act as processors and are bound by data processing agreements concluded in accordance with Art. 28 GDPR, which require confidentiality, adequate security measures and processing exclusively on the basis of our instructions.
6. Data transfers outside the European Economic Area
Some of our providers (in particular Google and, where applicable, AWS) may process data on servers located outside the European Economic Area, including in the United States of America.
When such transfers take place, we ensure that they are protected by appropriate safeguards within the meaning of the GDPR: the Standard Contractual Clauses adopted by the European Commission [Art. 46(2)(c) GDPR] and/or the provider’s certification under the EU-U.S. Data Privacy Framework, where applicable. You have the right to obtain a copy of the safeguards applied or information about where they have been made available, by contacting us using the details above.
7. How long we keep the data
We keep the data only for as long as is necessary for the purposes for which it was collected or to comply with legal obligations. The main retention periods are:
• The patient’s dental record and dental medical documentation: 5 years from the last contact with the patient, in accordance with the Code of Professional Conduct of the dentist (Art. 35), except in situations where the law requires a longer period.
• Supporting documents and accounting records (including invoices): 5 years; the annual financial statements: 10 years — in accordance with Art. 25 of the Accounting Law no. 82/1991, as subsequently amended.
• Requests submitted through the contact form and the related correspondence: for the period necessary to resolve them and, subsequently, for a proportionate period (as a rule up to 24 months), except in cases where they are necessary for the defence of a legal claim or for the fulfilment of a legal obligation.
• Appointment requests: for the duration of handling the request, after which they are deleted or, where applicable, incorporated into the dental medical documentation (subject to the period above).
• Technical logs and security data: short periods, proportionate to the security and diagnostic purpose.
• Data processed on the basis of consent (for example analytics or advertising cookies): until the consent is withdrawn or until the expiry of the cookie’s duration, in accordance with the Cookies Policy.
Upon the expiry of these periods, the data is securely deleted or anonymized.
8. Your rights
As a data subject, you are entitled to the following rights provided by the GDPR:
• The right of access (Art. 15): to obtain confirmation that we process your data and a copy of it.
• The right to rectification (Art. 16): to correct inaccurate data or to complete incomplete data.
• The right to erasure — the „right to be forgotten” (Art. 17): to obtain the erasure of the data under certain conditions. This right is not absolute: it does not apply where the processing is necessary for the fulfilment of a legal obligation [Art. 17(3)(b) GDPR] — for example, we cannot delete the dental record or the accounting documents before the expiry of the legal retention periods.
• The right to restriction of processing (Art. 18).
• The right to data portability (Art. 20), for data processed by automated means, on the basis of consent or of a contract.
• The right to object (Art. 21): to object to processing based on our legitimate interest, on grounds relating to your particular situation.
• Rights related to automated individual decisions (Art. 22) — see the section on the virtual assistant.
• The right to withdraw consent at any time [Art. 7(3) GDPR], where the processing is based on consent (for example analytics or advertising cookies or health data submitted online). The withdrawal does not affect the lawfulness of the processing carried out beforehand.
• The right to lodge a complaint with the supervisory authority (see the ANSPDCP section).
To exercise your rights, you can contact us through the channels indicated in the section on the controller. We will respond, as a rule, within one month of receiving the request, a period which may be extended by two months in the case of complex or numerous requests, in which case you will be informed. In order to protect you, we may ask you for additional information necessary to confirm your identity.
You have the right to obtain a first copy of your data, including from the dental record, free of charge. For any additional copy we may charge a reasonable fee, calculated on the basis of administrative costs [Art. 15(3) GDPR]. In the case of manifestly unfounded or excessive requests, in particular due to their repetitive character, we may either charge a reasonable fee or refuse to act on the request [Art. 12(5) GDPR].
9. Retention of the file for the defence of a legal claim
Even if you request the erasure of the data, object to the processing (Art. 21 GDPR) or request its restriction (Art. 18 GDPR), we have the right to continue to keep and process the data from the dental record and the related documents, to the extent necessary for the establishment, exercise or defence of a legal claim in court [Art. 17(3)(e), Art. 18(2) and Art. 21(1) GDPR]. This applies in particular for the duration of the limitation period for professional liability actions (3 years) and of the legal archiving periods. During this interval, the data is kept in a restricted manner, with limited access, exclusively for this purpose.
10. The source of the data — Google reviews
When we display patient reviews on the website, we may obtain data (the displayed name and the content of the review) from external, publicly accessible sources, namely the Google platform, on which you have published these reviews. In accordance with Art. 14 GDPR, we inform you that the source of this data is the platform on which you published the review, and the display on the website is based on our legitimate interest in presenting genuine patient opinions [Art. 6(1)(f) GDPR]. You can object to the display by contacting us using the controller’s details.
We do not publish and do not use any rating or average score generated by us and we do not fabricate reviews or scores.
For the Google integrations (maps, reviews and any analytics modules), DentaField Clinic is responsible exclusively for the operation of collecting and transmitting data to Google from this website. The processing that Google subsequently carries out, for its own purposes, is performed under Google’s responsibility as an independent controller, in accordance with its policies; for these you can contact Google directly.
11. The data of minors
Our website and online services are not intended for direct use by minors without the involvement of a parent or legal representative. With regard to the services offered on the basis of consent (for example certain cookies), the processing of a minor’s data is permitted only under the conditions of Art. 8 GDPR read in conjunction with national legislation.
For the dental services provided to minors, the data is processed with the involvement of the parent or legal representative, in accordance with Law no. 46/2003. Both the dental treatment and any clinical photograph, dental X-ray or video recording used for a purpose other than the medical documentation of the file (for example „before/after” materials) are carried out only with the written, prior and explicit consent of the parent or legal representative, while respecting the child’s anonymity. We do not publish images of minors without such consent.
If you are a parent or legal representative and you consider that a minor has submitted data to us without your consent, please contact us so that we can take the necessary measures.
12. Clinical photographs and recordings
When a processing operation is based on your consent, we keep an internal record of it (the time and the purpose for which it was given), as an accountability measure [Art. 5(2) and Art. 7(1) GDPR]. For health data, including any clinical or „before/after” photographs, consent is requested explicitly and separately — through a distinct agreement, collected outside the acceptance of the website — and is not presumed from the mere use of the website. You can withdraw your consent at any time, without affecting the lawfulness of the processing carried out beforehand.
Photographs, dental X-rays and recordings made for the purpose of diagnosis and treatment form part of the dental record and are processed on the basis of Art. 9(2)(h) GDPR (medical care) and, where applicable, point (f) (defence of a legal claim in court). These are distinct from any images used, with your consent, for promotional purposes: withdrawing the promotional consent stops the advertising use, but does not affect the retention of the clinical documents in the dental record, which we are obliged or entitled to preserve for medical and evidentiary purposes.
The images depicting the dentists, the team members or the patients are additionally protected by the right to one’s own image of the persons represented (Art. 73, Art. 74 and Art. 76 of the Civil Code). The downloading, copying, modification, redistribution or any other use of these images by visitors is prohibited, save in the cases permitted by law, without the prior written consent of DentaField Clinic and, where applicable, of the person represented.
13. Data security and incident notification
We apply appropriate technical and organizational measures to protect the data against unauthorized access, loss, destruction or disclosure [Art. 32 GDPR]: access control, encryption in transit, restriction of access on a need-to-know basis, internal policies and staff training regarding professional secrecy. No method of transmission or storage is completely secure; we make reasonable efforts to protect the data.
In the event of a security breach involving personal data which is likely to result in a risk to your rights and freedoms, we will notify the ANSPDCP within 72 hours of becoming aware of it [Art. 33 GDPR]. Where the breach is likely to result in a high risk, we will also inform you, without undue delay [Art. 34 GDPR].
14. The virtual assistant and automated decisions
The virtual assistant (chatbot) available on the website provides automated answers to questions of a general nature (information about services, schedule, contact) and has an exclusively informational role. We inform you that you are interacting with an automated system, not with a natural person.
We do not make decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you [Art. 22 GDPR]. In particular, the chatbot does not make medical decisions (it does not establish diagnoses and does not determine treatments) and does not make decisions with legal effects. Any diagnosis or treatment plan is established exclusively by a dentist, following a consultation. We recommend that you do not enter sensitive data into the conversation, including health data.
15. The nature of providing the data
Providing the data requested through the website forms (name, contact, the reason for the request) is necessary in order for us to be able to act upon your request; if you do not provide us with this data, we will not be able to process the request, confirm an appointment or respond to the message. Within dental care, providing certain data (including health data and, where applicable, identification data required by law) may be necessary for establishing the diagnosis and fulfilling legal obligations; failure to provide it may make it impossible to provide dental services safely. Providing the data processed on the basis of consent (for example analytics or advertising cookies) is optional, and refusal does not affect the possibility of using the essential functions of the website.
16. The supervisory authority and patient rights
If you consider that the processing of your data infringes the data protection legislation, you have the right to lodge a complaint with the supervisory authority:
The National Supervisory Authority for Personal Data Processing (ANSPDCP)
• Address: B-dul G-ral Gheorghe Magheru nr. 28-30, Sector 1, postal code 010336, București, România
• Phone: +40 318 059 211 / +40 318 059 212
• E-mail: anspdcp@dataprotection.ro
• Website: www.dataprotection.ro
However, please contact us first — we will try to resolve any dissatisfaction directly.
In addition to the rights provided by the GDPR, you also benefit from the specific patient rights regulated by Law no. 46/2003: the confidentiality of all information concerning your health status, the results of investigations, the diagnosis, the treatment and your personal data, including after death (Art. 21); the disclosure of this information to other persons only with your explicit consent or when the law expressly requires it (Art. 22); access to your personal medical data (Art. 24). These rights apply in addition to the GDPR rights described above.