GDPR Policy
Last updated: 1 May 2026
This GDPR Policy explains how Vista Smile Studio meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the EU GDPR when processing the personal data of patients and website visitors based in the United Kingdom and the European Economic Area.
1. Our role
Vista Smile Studio acts as a data controller in respect of patient enquiries, clinical records, and bookings. Where we engage suppliers (cloud hosting, email, dental laboratories, transfer companies, payment processors), those suppliers act as our data processors under written agreements.
2. Data protection principles
- Lawfulness, fairness and transparency.
- Purpose limitation – data is used only for the reasons we have set out.
- Data minimisation – we ask only for what is needed for clinical care and your booking.
- Accuracy – you can ask us to correct anything wrong at any time.
- Storage limitation – we keep data only as long as we must (see our Privacy Policy).
- Integrity and confidentiality – we apply technical and organisational security.
- Accountability – we keep written records of our processing activities.
3. Lawful bases
We rely on contract, legitimate interests, legal obligation, vital interests, and explicit consent (for special category health data and marketing). Full details are in our Privacy Policy.
4. International data transfers
Because the clinic is in Turkey, your personal data is transferred outside the UK/EEA. Turkey does not currently benefit from a UK or EU adequacy decision. We rely on:
- Your explicit, informed consent at the point of enquiry, given that you are deliberately seeking treatment in Turkey.
- The UK International Data Transfer Agreement / EU Standard Contractual Clauses with our key suppliers where applicable.
- Encryption in transit and at rest.
5. Your UK GDPR rights
- Right to be informed.
- Right of access (a copy of your data, free of charge, within 30 days).
- Right to rectification.
- Right to erasure (subject to clinical record-keeping requirements).
- Right to restrict processing.
- Right to data portability.
- Right to object to processing, including marketing.
- Rights related to automated decision-making (we do not use automated decision-making in clinical care).
- Right to withdraw consent at any time.
6. How to exercise your rights
Email vistasmilestudio@gmail.com with “GDPR request” in the subject. We will verify your identity and respond within one calendar month. There is no fee unless your request is manifestly unfounded or excessive.
7. Data breaches
We maintain an internal breach register. Where a breach is likely to result in a risk to your rights and freedoms, we notify the Information Commissioner’s Office within 72 hours. Where the risk is high, we also notify you directly without undue delay.
8. Complaints
You can complain to the UK Information Commissioner’s Office at ico.org.uk, by phone on 0303 123 1113, or in writing to Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. EEA residents may also contact their local supervisory authority.
9. Review
This policy is reviewed at least annually and whenever there is a material change to how we process personal data.
