Are dental records special category data under GDPR?

Yes. Dental and medical records are health data, a special category of personal data under GDPR Article 9. Processing special category data requires an explicit legal basis (typically explicit consent or the provision of health treatment under Article 9(2)(h)), and stronger security measures than for ordinary personal data.

How long must Irish dental practices retain patient records?

The Dental Council of Ireland recommends retaining adult patient records for a minimum of 8 years from the date of last treatment. For child patients, records should be retained until the patient reaches age 25 (or for 8 years from the date of last treatment if that is later). Always check current Dental Council guidance as requirements can change.

Do I need to report a data breach to the DPC?

Yes, if the breach is likely to result in a risk to the rights and freedoms of individuals. For health data breaches, the risk threshold is typically met. You must notify the DPC within 72 hours of becoming aware. If the breach poses a high risk to the individuals concerned, you must also notify the patients directly.

GDPR & Privacy

GDPR for dental practices in Ireland

Steven | TrustYourWebsite · 3 April 2026

Dental practices process some of the most sensitive personal data of any small business: patient health records, X-rays, medical history, and financial information. Under GDPR, health data is a "special category" requiring heightened protection. The DPC has specific expectations for healthcare providers.

Patient data as special category

Health data is a special category of personal data under GDPR Article 9. For dental practices, this covers:

Clinical records, treatment plans, and notes
Dental X-rays and other imaging
Prescribed medications and allergy information
Referral letters and specialist reports
Payment and insurance information (when linked to health treatment)

What this means in practice:

You need a valid legal basis specifically for processing health data, typically the provision of healthcare treatment under Article 9(2)(h) of GDPR, as implemented by the Health Research Regulations 2018
You must implement stronger technical and organisational security measures
Staff must be trained on data protection and health data confidentiality
Access must be strictly limited to those who need it for patient care

Record retention

The Dental Council of Ireland's guidance on record retention:

Record type	Retention period
Adult patient records	8 years from last treatment
Child patient records	Until age 25 (or 8 years from last treatment if later)
X-rays (radiographs)	Same as patient records
Referral letters	Retain as part of the patient file
Consent forms	Retain for the duration of the patient record
Financial records	7 years (Revenue requirement)

After the retention period, patient records must be securely destroyed (shredded, not simply deleted without proper data wiping for digital records).

Online booking systems

Dental practices increasingly use online booking systems such as Solutionreach, Cliniko, Dentally, Exact (Software of Excellence), and similar tools. Each of these systems processes patient personal data on your behalf.

Your obligations:

Sign a Data Processing Agreement (DPA) with your booking system provider. This is required under GDPR Article 28
Confirm the provider stores data on EU servers (or has appropriate transfer safeguards)
Review the provider's own privacy policy and security certifications
Ensure only authorised staff can access patient records through the system

Your practice website

If your website has a contact form, appointment request form, or online booking integration, it processes personal data.

Required on your practice website:

Privacy policy explaining how patient data is collected and processed
Cookie banner if you use analytics (Google Analytics uses cookies that identify visitors)
CRO number and registered address in your footer (Companies Act 2014, if you're a registered company)
Dental Council registration number displayed (professional body requirement)

Data breach procedure

If patient records are accessed without authorisation (a cyberattack, a lost device, a misdirected email), you must:

Identify and contain the breach
Assess the likely impact on patient rights and freedoms
Notify the DPC within 72 hours via dataprotection.ie
If the breach poses high risk to patients: notify the affected patients directly
Document the breach and your response

Health data breaches almost always meet the notification threshold due to the sensitivity of the data involved.

Practical checklist for dental practices

Item	Required?
Lawful basis documented for health data processing	Yes
DPA signed with practice management software	Yes
Data Processing Agreement with any booking system	Yes
Staff training on data protection	Yes
Record retention policy documented	Yes
Breach notification procedure in place	Yes
Privacy notice for patients	Yes
Privacy policy on practice website	Yes
Cookie banner on website	Yes, if using analytics
CRO number in website footer	Yes, if a registered company

Check your practice website

Free website compliance check →

Sources

This is technical analysis, not legal advice. Consult the Dental Council of Ireland and a data protection specialist for specific guidance.

Check your website now

Scan your website for GDPR & Privacy issues and 30+ other checks.

Scan your site free

Website Guides

Complete GDPR Website Audit: Step-by-Step Checklist

A step-by-step GDPR audit checklist for your website. Check cookies, tracking, privacy policy, forms, third-party services, and security in one pass.

Cookie banner dark patterns in Ireland: what the DPC expects in 2026

The 12 cookie banner dark patterns per EDPB taxonomy. DPC guidance, IAB Europe ruling and what the scanner detects after clicking reject all.

Cookie consent in Ireland: DPC rules your website must follow

Cookie consent rules for Irish websites. SI 336/2011 requirements, DPC dark pattern guidance, what 'strictly necessary' means, and how to test your banner.