Important Updates on the General Data Protection Regulation
As a global provider of oral healthcare technology, Carestream Dental takes its commitment to customer and patient privacy seriously. All of our software and systems are designed with the most stringent information protections in mind, and we value your trust in our business.
Part of this commitment involves being prepared for the General Data Protection Regulation (GDPR). This regulation provides consistent standards across the European Union (EU) and the United Kingdom (UK) to protect the rights of individuals in the EU and the UK regarding how their personal data is being used. This regulation went into effect on 25 May, 2018 and applies to any company that controls and/or processes personal data of individuals in the EU and the UK, also called “data subjects.”
Security and Data Management Carestream Dental employs strict policies and procedures around security and data management. An internal team, led by a designated data protection officer, ensures GDPR compliance. Additionally, policies and documentation have already been either created or refined further to safeguard data both inside and outside of the EU and the UK while also increasing our ability to react in the unlikely event of a data breach.
We will continue, as has been our practice, to only process personal data according to our customers’ instructions.
Transfer of Personal Data to a Third Country Carestream Dental is a global business utilizing support services operating outside of the UK and the EU, and as such personal data collected by Carestream Dental may be stored or processed in the United States or in any other country where Carestream Dental or its affiliates, subsidiaries, or third-party service providers maintain facilities. EU and UK data subjects who provide personal data to Carestream Dental consent to the processing and transfer of that data to the United States and other locations outside of the EU and UK, including to countries with laws that may not provide the same level of protection of personal data.
CSD relies on approved Standard Contractual Clauses for the international transfer of personal information collected in the European Economic Area and UK as a legal basis for transfers of Personal Data.
Despite that the fact that the Court of Justice of the European Union invalidated the Privacy Shield adequacy decision, CSD is still certified under this program and will abide by the principles of the EU-U.S and Swiss-U.S Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU or Switzerland to the United States. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/ . If you have questions or concerns about our privacy certifications, contact our third-party dispute resolution provider.
Retention Period Personal data is retained by Carestream Dental no longer than necessary to fulfil the purposes for which it was collected (e.g., to execute obligations to former employees to provide post-employment benefits) or as agreed upon under applicable contracts with clients or business partners.
Information for Our Practice Management Software and CS Connect Customers Carestream Dental’s practice management software features controls that enable the Controller’s compliance with Article 22 regarding the processing of personal data under GDPR and Article 32 for ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services:
Our practice management software provides authentication capabilities to allow Controllers to restrict access to patient data.
Our practice management software provides internal security measures for additions, deletions and modifications of records to ensure compliance with the security requirements under Article 32.
Our practice management software offers patient archiving capabilities that support the GDPR requirement of “right to be forgotten,” provided the patient’s request does not conflict with other regulatory controls for retaining patient records.
CS Connect provides anonymisation of patient data when sending image files to laboratories.
Carestream Dental’s support services utilise secure remote access technologies that require the Controller’s consent to be given prior to access and ensure proper encrypted viewing and/or transfer of patient data.
Where available, Carestream Dental can provide secure data backup services through a vetted third-party service to help Controllers meet their “resilience” requirement under Article 32.
Carestream Dental will continually stay on top of new regulatory requirements to identify additional capabilities that will help Controllers comply with GDPR.
Information for our Imaging Customers We understand that meeting the GDPR requirements takes a lot of time and effort. As your partner, we want to help you make your process as seamless as possible so you can focus on your practice, instead of worrying about compliance. To help you comply with the GDPR, we will be continually working to improve the functionality of our tools, including capabilities to:
Provide access controls
Anonymise or delete user data
Perform data audits or assessments using data processing logs
Create provisions for data subjects’ rights
Enhance security for user data
Changes to This Statement We may update this GDPR Compliance Statement to reflect changes to our practices or applicable laws. If we make any updates, we will notify data subjects by means of a notice on this Statement. We encourage customers to periodically review this page for the latest information on our privacy practices.
Find Out More Carestream Dental fully supports the principles of the GDPR. Our mission is to help our customers create better patient experiences with relevant communication, and that requires the fair and secure use of personal data that is given with full consent and transparency.
If you have any questions or concerns regarding GDPR and Carestream Dental, please contact us at firstname.lastname@example.org.