Are dental records special category data under GDPR?

Yes. Dental and medical records are health data — a special category of personal data under GDPR Article 9. Processing special category data requires an explicit legal basis (typically explicit consent or the provision of health treatment under Article 9(2)(h)), and stronger security measures than for ordinary personal data.

How long must Irish dental practices retain patient records?

The Dental Council of Ireland recommends retaining adult patient records for a minimum of 8 years from the date of last treatment. For child patients, records should be retained until the patient reaches age 25 (or for 8 years from the date of last treatment if that is later). Always check current Dental Council guidance as requirements can change.

Do I need to report a data breach to the DPC?

Yes, if the breach is likely to result in a risk to the rights and freedoms of individuals. For health data breaches, the risk threshold is typically met. You must notify the DPC within 72 hours of becoming aware. If the breach poses a high risk to the individuals concerned, you must also notify the patients directly.

GDPR & Privacy

GDPR for dental practices in Ireland

3 April 2026

GDPR for dental practices in Ireland

Dental practices process some of the most sensitive personal data of any small business — patient health records, X-rays, medical history, and financial information. Under GDPR, health data is a "special category" requiring heightened protection. The DPC has specific expectations for healthcare providers.

Patient data as special category

Health data is a special category of personal data under GDPR Article 9. For dental practices, this covers:

Clinical records, treatment plans, and notes
Dental X-rays and other imaging
Prescribed medications and allergy information
Referral letters and specialist reports
Payment and insurance information (when linked to health treatment)

What this means in practice:

You need a valid legal basis specifically for processing health data — typically the provision of healthcare treatment under Article 9(2)(h) of GDPR, as implemented by the Health Research Regulations 2018
You must implement stronger technical and organisational security measures
Staff must be trained on data protection and health data confidentiality
Access must be strictly limited to those who need it for patient care

Record retention

The Dental Council of Ireland's guidance on record retention:

| Record type | Retention period | |-------------|-----------------| | Adult patient records | 8 years from last treatment | | Child patient records | Until age 25 (or 8 years from last treatment if later) | | X-rays (radiographs) | Same as patient records | | Referral letters | Retain as part of the patient file | | Consent forms | Retain for the duration of the patient record | | Financial records | 7 years (Revenue requirement) |

After the retention period, patient records must be securely destroyed (shredded, not simply deleted without proper data wiping for digital records).

Online booking systems

Dental practices increasingly use online booking systems — Solutionreach, Cliniko, Dentally, Exact (Software of Excellence), and similar tools. Each of these systems processes patient personal data on your behalf.

Your obligations:

Sign a Data Processing Agreement (DPA) with your booking system provider — this is required under GDPR Article 28
Confirm the provider stores data on EU servers (or has appropriate transfer safeguards)
Review the provider's own privacy policy and security certifications
Ensure only authorised staff can access patient records through the system

Your practice website

If your website has a contact form, appointment request form, or online booking integration, it processes personal data.

Required on your practice website:

Privacy policy explaining how patient data is collected and processed
Cookie banner if you use analytics (Google Analytics uses cookies that identify visitors)
CRO number and registered address in your footer (Companies Act 2014, if you're a registered company)
Dental Council registration number displayed (professional body requirement)

Data breach procedure

If patient records are accessed without authorisation — a cyberattack, a lost device, a misdirected email — you must:

Identify and contain the breach
Assess the likely impact on patient rights and freedoms
Notify the DPC within 72 hours via dataprotection.ie
If the breach poses high risk to patients: notify the affected patients directly
Document the breach and your response

Health data breaches almost always meet the notification threshold due to the sensitivity of the data involved.

Practical checklist for dental practices

| Item | Required? | |------|----------| | Lawful basis documented for health data processing | Yes | | DPA signed with practice management software | Yes | | Data Processing Agreement with any booking system | Yes | | Staff training on data protection | Yes | | Record retention policy documented | Yes | | Breach notification procedure in place | Yes | | Privacy notice for patients | Yes | | Privacy policy on practice website | Yes | | Cookie banner on website | Yes, if using analytics | | CRO number in website footer | Yes, if a registered company |

Check your practice website

Free website compliance check →

Sources

This is technical analysis, not legal advice. Consult the Dental Council of Ireland and a data protection specialist for specific guidance.

Check your website now

Scan your website for GDPR & Privacy issues and 30+ other checks.

Scan your website free

Website Guides

Cookie consent in Ireland: DPC rules your website must follow

Cookie consent rules for Irish websites. SI 336/2011 requirements, DPC dark pattern guidance, what 'strictly necessary' means, and how to test your banner.

GDPR compliance for Irish businesses: website checklist 2026

What Irish SMBs must do to comply with GDPR on their websites. Privacy policy, cookie consent, CRO number, DPC enforcement cases, and a free website check.

Is your website GDPR compliant? Free website check for Irish businesses

Free GDPR website check for Irish businesses. Our scanner tests cookie consent, privacy policy, company registration details, security, and more. Results in 60 seconds.