Who we are
Our website address is: http://enamelplanningcentre.com
Enamel Planning Centre (EPC)
EPC is committed to protecting the privacy of users of this website (the “Website”) and will do everything in its power to ensure that users’ Personal Data is treated with respect to their fundamental rights and freedoms as well as personal dignity, with particular reference to confidentiality.
We at EPC have thus prepared this Privacy Policy in order to briefly explain to you how we will collect, use, share and secure your Personal Data. It also describes your choices regarding the use, access, and correction of your Personal Data.
We may require users to provide certain personal information and details in order to provide our services, and we would therefore like to explain the procedures and ways in which we handle data supplied to us.
This Privacy Policy will also provide you with full information so that you are able to consent to the processing of your Personal Data in an explicit and informed manner, where appropriate.
In general, any information and data which you provide, or which is otherwise gathered by us in the context of the Website, will be used by EPC in compliance with Regulation (EU) 2016/679 (“GDPR”) of the European Parliament and the Council of 27 April 2016 on the protection of natural persons, or General Data Protection Regulation (RGPD).
This means, in particular, that any Personal Data processing carried out by EPC will respect the principles of lawfulness, fairness, transparency, purpose limitation, storage limitation, data minimization, accuracy, integrity, and confidentiality.
SMS messages will be used to contact you directly in relation to the Website and its lead capture form for Digital Smile Design and the services advertised herein. Message and data rates may apply. Check with your carrier for more information.
Message frequency varies but you may opt out of SMS communication at any time by sending “STOP” in reply to any SMS communications.
You may contact xxxx
1. WHO IS THE DATA CONTROLLER?
Enamel Planning Center S.L. (hereinafter “EPC”)
Company Reg.
2. THE PURPOSE OF PROCESSING, LAWFULNESS AND RETENTION PERIOD
As you use the Website and, in particular, as you provide information and upload files to the Website in order to access the Website’s services, EPC may collect and process information related to you as an individual and which allows you to be identified, either directly or together with additional information (“Personal Data”).
Such information may include your name, address, telephone number, email address, date of birth or age, gender, credit card, and other financial information related to payments for services, dental records, photographs, and other information you choose to provide.
We will notify you of such purposes at the time that we request to collect Personal Information from you and will endeavour to only collect the information that is strictly necessary to fulfil those purposes. We will ask for your explicit consent to the collection of sensitive data and acceptance of the terms of this Privacy Policy.
We will also collect information about your use of our Website as described in the section “Cookies and Advertisements” below. EPC intends to use your Personal Data, collected through the Website, for the following purposes:
• To set up and manage your member account on our Sites.
• To allow you to use and purchase products and services.
• To provide you with information about our products, services, news, and events we believe may be of interest to you.
• To gather demographic information about user trends.
• To analyse the use of our services and products, develop new services and products, and customize our products, services, and other information we make available.
Depending on the Data Subject category, EPC might process the information you provide to us for the following purposes:
DATA SUBJECTS / PURPOSE OF PROCESSING / LAWFULNESS OF PROCESSING / RETENTION PERIOD

POTENTIAL CLIENTS
- Purpose of processing: To manage the potential commercial and/or professional relationship
  Lawfulness of processing: Art 6.1. a) GDPR: Consent to the processing
- Purpose of processing: To manage the sending of the requested information and/or to resolve the queries raised
  Lawfulness of processing: Art 6.1. a) GDPR: Consent to the processing
- Purpose of processing: To facilitate offers of our services and/or products of your interest
  Lawfulness of processing: Art 6.1. a) GDPR: Consent to the processing
Retention period: Data will be deleted once it has fulfilled the purpose for which it was collected and the conservation periods have been met due to legal obligation

CLIENTS
- Purpose of processing: Register on our platform as a user or healthcare professional.
  Lawfulness of processing: Art 6.1. a) GDPR: Consent to the processing
- Purpose of processing: Manage the orders you request from us.
  Lawfulness of processing: Art 6.1. b) GDPR: Performance of a contract to which the data subject is party
- Purpose of processing: Management of the invoicing of services.
  Lawfulness of processing: Art 6.1. b) GDPR: Performance of a contract to which the data subject is a party
- Purpose of processing: Depending on the service requested, invoicing may be carried out from any of the companies in the EPC group.
  Lawfulness of processing: Art 6.1. b) GDPR: Performance of a contract to which the data subject is a party
- Purpose of processing: Send the order to your center or to your client’s address.
  Lawfulness of processing: Art 6.1. b) GDPR: Performance of a contract to which the data subject is party
- Purpose of processing: Provide offers for our services and/or products that may be of interest
  Lawfulness of processing: Art 22.1 LSSICE: Performance of a contract to which the data subject is party
Retention period: Data will be deleted once it has fulfilled the purpose for which it was collected and the conservation periods have been met due to legal obligation
If you delete your Client Account, your data will be destroyed after 5 years maximum, keeping your data during this period blocked.

SUPPLIERS
- Purpose of processing: To manage the commercial and/or professional relationship.
  Lawfulness of processing: Art 6.1. b) GDPR: Performance of a contract to which the data subject is party
- Purpose of processing: Management of the invoicing of services
  Lawfulness of processing: Art 6.1. b) GDPR: Execution of a contract in which the interested party is a party or adoption of pre-contractual measures.
Retention period: Data will be deleted once it has fulfilled the purpose for which it was collected and the conservation periods have been met due to legal obligation

APPLICANTS
- Purpose of processing: Manage the selection process.
  Lawfulness of processing: Art 6.1. a) GDPR: Consent to the processing.
- Purpose of processing: To keep the CV for new job opportunities in the future.
  Lawfulness of processing: Art 6.1. a) GDPR: Consent to the processing
Retention period: Personal data will be deleted or anonymized once the recruitment process is completed. Thereafter, personal data will only be available as metadata without direct personal reference for statistical purposes (e.g. percentage of women and men in applications received, number of applications per period, etc.).
EPC will retain personal data in order to identify any other position that is of interest to the applicant for a maximum period of 2 years, as long as the said applicant has given his/her express consent accordingly. This also applies to applications for training and internship positions.

WEB USERS
- Purpose of processing: Analyze navigation data
  Lawfulness of processing: Art 6.1. a) GDPR: Consent to the processing.
Retention period: The retention period will be determined by the cookie policy, with each cookie setting the retention period or until the user deletes them.

COURSE USERS
- Purpose of processing: Processing of data required to manage course attendance.
  Lawfulness of processing: Art 6.1. b) GDPR: Performance of a contract to which the data subject is a party.
Retention period: Data will be deleted once it has fulfilled the purpose for which it was collected and the conservation periods have been met due to legal obligation.
The maximum retention period for course users will be five years.
3. PATIENT DATA
COURSES DEMONSTRATION PATIENTS
- Purpose of processing: To manage the selection process of those volunteer candidates who wish to participate/are nominated to participate in a Live demonstration case using EPC solutions.
  * For this purpose it will be necessary to use images and videos in which the candidate appears, and participation implies acceptance of this condition.
  Lawfulness of processing: Art 6.1. a) and 9.2. a) GDPR: Consent to the processing.
Retention period: Data will be deleted once they have fulfilled the purpose for which they were collected and the conservation periods have been met due to legal obligation
3.1 Data Processing Agreement (DPA)
EPC will act as the Processor of patient data communicated to us by ENAMEL PLANNING CENTRE (“Clients” or “Potential Clients” or “ENAMEL PLANNING CENTRE”).
All health professionals who register on our platform accept the conditions of data processing and are responsible for obtaining the informed consent, and the image authorization form from patients.
EPC PLANNING, along with all employees, is obliged to the following:
- Use the personal data subject to processing, or those collected for processing, exclusively for the purpose that is the object of their responsibility. Under no circumstances may the data be used for personal purposes or for purposes other than those determined by the ENAMEL PLANNING CENTRE.
- Process data according to the guidelines drafted by the ENAMEL PLANNING CENTRE. EPC may communicate the data to other companies for the performance of its services, acting as sub-processors, including outside the EEA.
- Likewise, those registered ENAMEL PLANNING CENTRE who are granted the provision or performance of service will act as sub-processors and are obliged to comply with the minimum measures established in this section.
- Guarantee that those authorized to process personal data expressly agree to maintain confidentiality and professional secrecy and to comply with the corresponding security measures. The duty of secrecy and confidentiality relative to personal data which may have been accessed by virtue of this processing shall prevail indefinitely over time.
- Provide, in writing, a record of all the categories of processing activities.
- Support the ENAMEL PLANNING CENTRE, when possible, taking into account the nature of such processing and with the appropriate technical and organizational means, in order for the ENAMEL PLANNING CENTRE to comply with the rights to access, rectification, erasure, right to object, restriction of processing, right to data portability and the right not to be subject to a decision based solely on automated processing (including profiling).
When the data subjects exercise the rights of access, rectification, erasure, right to object, restriction of processing, right to data portability, and the right not to be subject to a decision based solely on automated processing:
- If the notification has been made to the HEALTHCARE PROFESSIONAL, EPC must be notified by e-mail to the account xxx. Such notification must be made immediately and no later than 5 working days after receipt of the request, together with, where applicable, any additional information relevant to the request.
- If the notification has been made to EPC directly, EPC will notify the HEALTHCARE PROFESSIONAL no later than 5 working days after receipt of the request, together with, where applicable, any additional information relevant to the request.
- Provide support to the CONTROLLER in carrying out data protection impact assessments and in prior consultations with the Control Authority, if applicable and when deemed appropriate, following the data protection regulations that may be applicable and/or following the guidelines provided by the local Control Authority.
3.2 Security Measures
EPC will implement the necessary technical and organizational security measures to guarantee the permanent confidentiality, integrity, availability, and resilience of the processing systems and services. As minimum guarantees, EPC has implemented the following measures:
- Access control. EPC has implemented access controls and user management processes to ensure that only authorized individuals gain access to business applications, systems, and computing devices, that individual accountability is assured, and to provide authorized users with access privileges that are sufficient to enable them to perform their duties but do not permit them to exceed their authority.
- Password policy. EPC has implemented a password policy that guarantees the following minimum levels of security:
1. Minimum of 8 characters in length
2. Password complexity including upper case, lower case, number & special characters must be enforced
3. Passwords are changed no more than every 6 months
4. Account lockout after no more than a total of 10 failed login attempts must be enforced
- Antivirus and similar systems.
- Firewall, intrusion detection and prevention systems, or similar systems.
- Physical access control system to the facilities where the information is housed
- Audit logs recording user activities and information security events on systems supporting the Service shall be produced, and shall be kept for a minimum period of 90 days.
- Daily backup systems. Documented process of backing up and recovering data.
- All software will be updated to ensure it has the latest security patches.
- If employees are going to connect to remote systems, security systems such as VPN or other encrypted connection systems will be implemented.
- Encryption of patient health-related information.
Upon completion of services, EPC will remove the Personal Data. Nonetheless, the PROCESSOR may keep a copy with the data properly blocked if there are liabilities resulting from the provision of the service or if there is a legal obligation to do so.
3.3 Security Breaches
EPC PLANNING shall notify the ENAMEL PLANNING CENTRE, without delay and, in any case, within no more than 72 hours after the event is notified through an e-mail, of security breaches for the Personal data under their responsibility, that they may be aware of, as well as any information relevant to the issue’s documentation and communication.
The following minimum information, if available, must be provided:
- Description of the nature of the security breach of personal data, including, when possible, the categories and an approximate number of affected parties and the categories and an approximate number of records of affected personal data.
- Name and contact information of the delegate for data protection or another contact that may provide further information.
- Description of possible consequences of a security breach in personal data.
- Description of the implemented or proposed measures to correct the security breach in personal data, including, if applicable, measures established to relieve possible negative effects.
If the aforementioned information cannot be provided at once, it shall be provided, within the possibilities, gradually, as may be made available, without further delay.
The ENAMEL PLANNING CENTRE does not need to be notified when it is unlikely that said security breach implies a risk to the rights and liberties of natural persons.
4. DATA RECIPIENTS AND INTERNATIONAL TRANSFERS
In the framework of its activity and for the purposes specified above, your Personal Data may be shared with the following entities (“Recipients”):
- Other companies within the EPC Group* for internal administrative purposes and/or as a complementary service to any EPC Product Purchased: EPC Planning Center
- Our partners for purposes of performing services on our behalf, such as business, administrative, accounting, tailored advertising, measuring and improving our services and products, and enabling other enhancements. This may include our partners contacting you via email, mobile phone, text, or other means to which you consent.
- EPC’s third party, dental and/or training service partners, including those outside the EU, for the purpose of receiving information, products, or benefits from them, pursuant to the various commercial agreements reached by EPC. (“Co-branding Activities”). The third party’s use of your information will be governed by the third party’s privacy policy, the General Data Protection Regulation (EU) 2016/679 (GDPR).
- Network of collaborating laboratories or ENAMEL PLANNING CENTRE for the manufacturing and/or performance of molds, studies, and other related services.
- Selected individuals authorized by EPC to process Personal Data needed to carry out activities strictly related to the provision of the services through the Website, who have undertaken an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality.
- Public entities, bodies, or authorities, in accordance with the applicable law or binding orders of those entities, bodies, or authorities.
Depending on the service requested, invoicing may be carried out from any of the companies in the EPC group.
IMPORTANT*
For the Service performance, it might be necessary that the Personal Data is transferred to other companies, which are not always going to be in a territorial scope considered safe by the GDPR.
EPC looks for the best health professionals and service providers to deliver the service worldwide, often according to the geographical area from which orders are placed.
Therefore, such transfers will only be made with your consent and knowing that it will not always be possible to guarantee that the companies using our services come from a territory with an adequate scope of protection.
If you do not accept that both your data as a user of the application or web app and the health data of patients may be communicated to an unsafe territory, our service will not be accessible.
All professionals using EPC’s services shall ensure that they have requested their patients’ consent that their data may eventually be communicated to non-secure territories in accordance with the GDPR, in a clear manner, and that they have understood the information.
5. DATA RIGHTS
As a data subject, you are entitled to exercise the following rights, at any time:
- Right to be informed. To be informed about how your Personal Data is collected and processed and its purposes.
- Right of Access. To obtain confirmation as to the existence of your Personal Data being processed by EPC, access and obtain a copy of such data.
- Right of rectification. To request to update, modify and/or rectify your Personal Data where it may be inaccurate or incomplete.
- Right of Erasure. To obtain the erasure of your Personal Data where you feel that the processing is unnecessary or otherwise unlawful, render Personal Data anonymous, block data whose processing is unlawful, or set limits to the processing. Provided EPC’s legitimate interest to hold such information.
- Right to object.
  - Object to the processing of your Personal Data, based on relevant grounds related to your particular situation, which you believe must prevent EPC from processing your Personal Data for a given purpose.
  - Object to processing of Personal Data that is made for the purposes of sending advertising material, carrying out direct sales, market research, or commercial communication.
- Right to restriction of the processing. Where you feel that the Personal Data processed is inaccurate, or that the processing is unnecessary or unlawful, as well as where you have objected to the processing.
- Right to Withdraw your consent to processing (for Marketing and Profiling), where your consent serves as the legal basis for processing – this will not affect the lawfulness of the processing carried out prior to your withdrawal.
- Right of Portability – you have the right to obtain a copy of the Personal Data you provided to EPC.
Please note that most of the Personal Data you provide to EPC can be changed at any time, by accessing, where applicable, your user profile created on the Website.
You can also withdraw consent for Marketing (for communications received via e-mail) by selecting the appropriate link included at the bottom of every marketing message. Consent for Profiling carried out by cookies may be withdrawn at any time.
When you request the deletion of your Personal Data, we not only delete the data from our system, but also notify all identified third parties that have access to the personal data to completely remove the data from their systems and confirm erasure.
At any time, you shall be entitled to exercise the rights established by the law in force, by addressing the relevant request to our Privacy Department by sending a written notification to the email: XX, attaching, in either case, a photocopy of your ID DOCUMENT or other similar identification documents to prove identity as Data Subject.
Models, application forms, and other information regarding rights are available on the website XX of the Control Authority, the Spanish Data Protection Agency, hereinafter, AEPD for its abbreviation in Spanish.
6. SECURITY MEASURES
EPC has implemented the necessary technical and organizational security measures to guarantee the confidentiality, integrity, availability, and permanent resilience of processing systems and services, establishing encryption systems for sensitive information.
In order to determine the security measures to be implemented, EPC has taken into account the risk analysis of our company, through which the most appropriate measures to guarantee the security of the processing have been determined and adopted. In any case, we continue to work to improve the security of our systems and ensure that information is properly protected.
- EPC has implemented duly documented and regularly updated personal data protection policies.
- EPC’s personal data protection procedures are formally documented, when required, periodically reviewed, and substantiated with objective documents (e.g., minutes of meetings, lists, IT logs), which may demonstrate constant diligence and vigilance regarding the protection of personal data in the processing activities carried out.
- EPC has appointed both a security officer and a data protection officer (DPO) responsible for coordinating and monitoring the security rules and procedures as well as data protection compliance.
- EPC’s employees are aware of the procedures for data subjects to exercise their right of access, and for communicating requests to exercise data subjects’ rights to the data controller.
- EPC maintains a general register where these requests, e.g., to exercise the right of access, are recorded.
- EPC has appointed a person/function (the DPO) in charge of providing written explanations to the data controller regarding requests from data subjects.
- EPC has set a deadline for communicating requests to the data controller.
- EPC has a procedure to document, in writing, any refusals given to data subject’s requests to exercise their rights to erasure, restriction of processing, or data portability, and to share this documentation with the data controller.
- EPC Client’s Data will be deleted once they have fulfilled the purpose for which they were collected and the conservation periods have been met due to legal obligation.
- EPC acts as the Processor of patient data communicated to us by ENAMEL PLANNING CENTRE. For this reason, all health professionals who register on our platform accept the conditions of data processing and are responsible for obtaining the informed consent of patients. Likewise, those registered health professionals who are granted the provision or performance of service will act as sub-processors and are obliged to comply with the minimum measures established in the “data patients” section.
- EPC will use the personal data subject to processing exclusively for the purpose that is the object of their responsibility.
- EPC will process data according to the guidelines drafted by the ENAMEL PLANNING CENTRE. EPC may communicate the data to other companies for the performance of its services, acting as sub-processors, including outside the EEA.