Toothie Dental — Personal Data Protection Notice
Effective date: [TO BE INSERTED — date of publication]
Version: 1.2 (DRAFT for legal review)
Last reviewed: [TO BE INSERTED]
About this notice
This Notice explains how Toothie Dental Sdn Bhd (referred to here as "we", "us", or "our") collects, uses, stores, shares, and protects personal data — and what your rights are in relation to that data.
We follow the Personal Data Protection Act 2010 (PDPA) and the Personal Data Protection (Amendment) Act 2024, as well as the APHM Code of Practice for Private Healthcare and Malaysian Dental Council record-keeping requirements that apply to dental clinics.
If anything in this Notice is unclear, you can contact us using the details in the section "How to contact us" at the bottom of this page. If you are a patient, you can also ask any of our team during your visit.
Who this Notice covers
This Notice applies to all individuals whose personal data we process. That includes:
- Patients — anyone who books an appointment, attends our clinic, or whose personal data is collected for the purpose of dental care.
- Patient family members, guardians, and next of kin — including parents and guardians of children we treat, emergency contacts, and authorised representatives.
- Current and former employees, and prospective employees — our current staff, past staff, and anyone who applies for a job with us (whether successful or not).
- Current and former locum dentists, interns, and contractors — individuals who currently provide, or have previously provided, professional services to or through our clinic.
- Current and former suppliers, vendors, and business partners — the named individuals at organisations we currently work with or have previously worked with (for example, laboratory technicians, IT providers, payment vendors).
- Visitors entering our staff or treatment areas — non-patient visitors who require access to areas of our clinic beyond our reception and waiting area (for example, delivery persons who need to access back-of-house, contractors, vendor representatives, repair technicians, prospective business partners, or authorised observers). Visitors who remain in our reception or waiting area only are not subject to visitor data collection (see "From visitors to our premises" below).
- Visitors to our website — including those who fill in our online booking form, contact form, or interact with us via messaging platforms linked from our website.
This Notice does not cover companies or organisations as legal entities — only the natural persons (individuals) within them. The PDPA protects individuals, not companies.
What personal data we collect
The categories of personal data we may collect depend on your relationship with us. Below is a list by category.
From patients (and from patient family members, guardians, or next of kin)
- Identification: full name, NRIC or passport number, date of birth, gender, nationality.
- Contact information: telephone number, mobile number, email, emergency contact details, and general residential area (you may choose "prefer not to disclose"). We do not require your specific street address.
- Family / household information: name and contact of next of kin, parent or guardian (for children), spouse (for emergencies).
- Medical and dental history: including past dental treatment, current and past medical conditions, medications, allergies, family medical history where relevant, lifestyle factors such as smoking and alcohol use, pregnancy status, mental health history relevant to dental care.
- Clinical data captured during your visits: examination findings, diagnoses, treatment plans, dental records, clinical photographs, intra-oral images, X-rays and other imaging, impressions and study models, specimens sent for laboratory work, treatment notes, written and verbal consent records.
- Payment information: payment method, card details where applicable, billing records.
- Insurance information — only where you choose to use insurance for your treatment. We are not currently on most insurance / Third-Party Administrator (TPA) panels (see our What to Expect page). Where you self-claim, we may issue receipts with treatment details for you to submit to your insurer.
- Appointment and communication records: appointment bookings, reminders sent and received, voice or written messages with us, feedback or complaints, our notes from any phone or in-person discussion with you.
- Other information you choose to share with us in the course of your care.
From current and former employees, prospective employees, locums, interns, and contractors
- Identification and contact: full name, NRIC or passport, address, telephone, email, photograph for staff identification.
- Professional credentials: dental practitioner registration with the Malaysian Dental Council, qualifications, continuing professional development records, indemnity insurance details.
- Employment / engagement information: CV, references, interview notes, employment or service contract details, EPF/SOCSO/EIS numbers (for employees), bank account for salary or fee payment.
- Health declarations: vaccination status (relevant to clinical work), occupational health information where relevant to fitness for clinical duties.
- Performance and disciplinary records: appraisals, training records, incident records where applicable.
- Records of past employment or engagement: we retain records of past staff, locums, interns, and contractors for the periods required by accounting, tax, MDC, and other regulatory obligations (typically a minimum of seven years from the end of the relationship, longer where specific obligations apply).
From current and former suppliers, vendors, and business partners (individual contacts)
- Name, role, business contact details (phone, email), and any other information you share with us in the course of doing business.
- We retain records of past business relationships as required for accounting, tax, and contractual purposes (typically a minimum of seven years from the end of the relationship).
From visitors to our premises (other than patients)
We only collect visitor information when a visitor needs to enter our staff or treatment areas. Visitors who remain in our reception and waiting area only — for example, briefly accompanying a patient, dropping off a delivery at the front desk, or waiting briefly to speak with our team — are not asked to fill in the visitor management form, and we do not collect their personal data (other than what may be captured by CCTV, see below).
When you visit our premises in a non-patient capacity and require access to areas beyond our reception and waiting area — for example, as a delivery person needing to access back-of-house, a contractor, vendor representative, prospective business partner, repair technician, or authorised observer — we collect, through our visitor management form:
- Your full name as shown in your NRIC or passport
- Your NRIC or passport number (for visitor identification and security)
- Your email and phone number
- The company or organisation you represent
- The purpose of your visit and a brief description of work to be done
- The areas of our premises you accessed (your designated "location access level")
- The time of your arrival and departure
- Your signed visitor agreement acknowledging our access rules and confidentiality obligations
We do not take a photograph of you at check-in.
In addition, the following may apply to anyone present at our premises, including patients, patient family members, staff, and visitors in any area (reception, waiting area, or beyond):
- Security camera (CCTV) footage, if we operate cameras at our premises. The locations of any cameras are clearly indicated by signage. CCTV recordings are reviewed only where necessary for security, safety, or investigation of an incident.
From visitors to our website (toothiedental.com)
- Information you voluntarily provide via our online booking form, contact form, or any WhatsApp / email enquiry initiated from our website.
- Technical information: when you browse our website, certain technical and statistical data may be automatically collected by our hosting provider, including your IP address, browser type, the time, date, and duration of your visit, and pages viewed. This is standard for any website. We do not use this information to identify you personally.
Future changes to data collection
If we begin to collect additional categories of personal data in the future — for example, in response to changes in clinical practice, regulatory requirements, or new services we may offer — we will update this Notice and, where required, obtain fresh consent before collecting the new categories. The current version is always available at toothiedental.com/privacy-notice.
Sensitive Personal Data — special protections
Some of the data we collect about you is classified as Sensitive Personal Data (SPD) under PDPA Section 4 (as expanded by the 2024 Amendment to include biometric data), including:
- Physical and mental health information — this includes your medical history, dental records, clinical photographs, X-rays, and treatment records.
- Biometric data — defined as any personal data resulting from technical processing relating to a person's physical, physiological, or behavioural characteristics. At present, we do not process biometric identifiers for visitors, staff, or patients. We do not use fingerprint, facial recognition, or other biometric systems. If we adopt any such system in future, this Notice will be updated before any biometric data is collected.
- Information about alleged commission of any offence.
Processing Sensitive Personal Data requires explicit consent from you. This is why our intake forms (such as the Medical History form) include a specific consent section in addition to your clinical consent for treatment. The two consents are separate and serve different legal purposes.
How we collect your personal data
We collect personal data:
- Directly from you — when you book an appointment, fill in our intake forms (including our visitor management form for non-patient visitors), talk to us during a visit, contact us by phone, message, or email, or browse our website.
- From your authorised representatives — parents on behalf of minor children, guardians on behalf of patients unable to give consent themselves, family members in emergency situations.
- From other healthcare providers — for example, when a doctor or another dentist refers you to us, or when we receive your records from a previous dental clinic with your consent.
- From third parties we work with for purposes related to your care — for example, dental laboratories, specialists we refer you to, or insurance providers and Managed Care Organisations where you have an arrangement.
- From publicly available sources — where lawfully permitted.
- Automatically — limited technical information from your visit to our website, and CCTV footage at our premises (as described above).
Why we collect and use your personal data (Purposes)
We collect and use your personal data only for purposes that are lawful, directly related to our activity as a dental clinic, and not excessive for those purposes. The main purposes include:
For patients and patient family members
- To verify your identity and contact you about your dental care.
- To assess, plan, deliver, and review your dental treatment safely.
- To maintain accurate clinical records as required by the Malaysian Dental Council (MDC) and applicable Ministry of Health (MoH) regulations.
- To refer you to other healthcare providers (specialists, laboratories, hospitals) when needed for your care.
- To handle billing, payment, and (where applicable) self-claim insurance documentation.
- To send you appointment reminders, recall reminders, and information about your care.
- To respond to enquiries, comments, complaints, or feedback you give us.
- To respond to medical emergencies, including contacting your emergency contact.
- To meet our legal obligations under PDPA, PHFSA (Private Healthcare Facilities and Services Act 1998), Income Tax Act, and other applicable laws.
- To support clinical audit, quality improvement, and risk management — using anonymised data where individual identification is not necessary.
- To defend ourselves against any complaint, claim, or legal action involving your care.
For employees, prospective employees, locums, interns, contractors (current and former)
- To manage recruitment, employment, engagement, contract, payroll, and performance.
- To verify professional qualifications and credentials.
- To meet legal obligations as an employer or principal (EPF, SOCSO, EIS, Inland Revenue, MDC where applicable).
- To maintain clinical and operational records.
- To handle complaints, disputes, and grievances.
For visitors to our premises
- To maintain a record of who is on our premises at any time, for security and safety.
- To verify your identity for access control.
- To establish your acknowledgement of confidentiality obligations to our patients and staff.
- To investigate any incident occurring during a visit.
- To comply with our contractual obligations to suppliers and vendors.
For visitors to our website
- To respond to your enquiries and booking requests.
- To maintain the security and proper functioning of our website.
We will not use your personal data for purposes that are not described in this Notice without first obtaining your fresh consent — unless we are required or permitted to do so by law.
Who we may share your personal data with
We share your personal data only when necessary for the purposes described above. The categories of recipients may include:
- Healthcare providers involved in your care — specialists we refer you to, hospitals if you require hospital-based care, your medical doctor where relevant.
- Dental laboratories — for prosthetic work, impressions, or other laboratory services related to your treatment.
- Imaging or diagnostic providers — if we send samples or images to external diagnostic services.
- Insurance providers, Managed Care Organisations, third-party administrators — only where you have an arrangement with them and have authorised us to coordinate with them, or where you self-claim and we issue receipts for your submission.
- Government authorities and regulators — including the Malaysian Dental Council, Ministry of Health, Inland Revenue Board, Personal Data Protection Department, and any law enforcement agency where required by law or court order.
- Service providers and processors who work for us — for example, our IT provider, cloud storage provider, visitor management platform, payment processor, accounting firm, or legal advisors. These parties are bound by contract or by their own terms of service to process your data only on our instructions or for the specific service we use them for, and to protect it appropriately.
- Professional indemnity insurer and legal advisor — where necessary for handling a claim, complaint, or legal matter.
- Other parties — only with your express consent.
We do not sell or rent your personal data. We do not share your personal data for marketing or advertising by third parties.
Transfer of your personal data outside Malaysia
Some of our service providers (for example, our website host, our visitor management platform, our cloud storage, or our software providers) may process data on servers located outside Malaysia. Under the 2024 Amendment to the PDPA, we may transfer your personal data outside Malaysia where:
- The destination country has data protection laws substantially similar to the PDPA; or
- The transfer is necessary for your care or to fulfil a contract with you; or
- You have consented to the transfer; or
- The transfer falls within other exceptions permitted by Section 129 of the PDPA.
We take reasonable steps to ensure that any service provider outside Malaysia handling your data is bound by appropriate safeguards.
How long we keep your personal data (Retention)
We keep your personal data only for as long as necessary for the purposes described above, or as required by law.
| Category of data | Retention period |
| --- | --- |
| Patient clinical records | Minimum seven (7) years from the date of your last visit, in line with Malaysian Dental Council guidance and Private Healthcare Facilities and Services Act requirements. For records of child patients, at least seven years from the date the patient reaches the age of majority. |
| Employment records | In line with applicable employment law and tax law requirements (typically seven years from the end of employment). |
| Locum, intern, contractor records | Minimum seven years from the end of the engagement, in line with accounting, tax, and regulatory obligations. |
| Supplier / vendor / business partner records | In line with applicable accounting and tax requirements (typically seven years). |
| Visitor management records | Twelve (12) months from the date of the visit, unless the visit is connected to an incident, complaint, or legal matter requiring longer retention. |
| CCTV recordings | Retained on a rolling basis per our security system's storage cycle (typically 14–30 days), unless specific footage is preserved due to an incident or for legal purposes. |
| Website enquiry / booking form data | Until your enquiry is resolved or, where the enquiry leads to you becoming a patient, retained as part of your patient record. |
Once the retention period ends and there is no continuing legal basis to retain your data, we will securely destroy or anonymise it.
How we protect your personal data (Security)
We take reasonable technical, physical, and organisational measures to protect your personal data, including:
- Access controls — only staff who need to access your data for their role can do so. Records are stored on systems that require login authentication.
- Physical security — paper records (where used) are stored in locked or restricted-access areas.
- Digital security — data on our clinical systems is protected by passwords, regular software updates, and standard security practices.
- Staff training — our team is briefed on confidentiality and PDPA obligations.
- Confidentiality undertakings — all staff, contractors, and visitors are bound by confidentiality terms in their employment agreements, service agreements, or visitor agreement.
No system is perfectly secure. If a personal data breach occurs that is likely to cause significant harm, we will notify the Personal Data Protection Commissioner as required by PDPA Section 12B, and we will notify affected individuals without unnecessary delay.
Your rights under the PDPA
You have the following rights in relation to your personal data:
- Right to be informed — you have the right to know how we process your personal data. This Notice is part of how we meet that obligation.
- Right of access — you can request a copy of the personal data we hold about you. We may ask you to verify your identity before responding.
- Right to correction — if any personal data we hold about you is inaccurate, incomplete, misleading, or out-of-date, you can ask us to correct it.
- Right to withdraw consent — where we process your data based on your consent, you can withdraw that consent at any time. Note that this does not affect the lawfulness of processing before withdrawal, and we may still be required to retain certain records (for example, clinical records for the minimum retention period set by the MDC).
- Right to data portability (new under the 2024 Amendment, in force from June 2025) — you have the right to request that your personal data be transmitted directly from us to another data controller of your choice, subject to technical feasibility and data format compatibility.
- Right to limit processing for direct marketing — you can request that we cease processing your personal data for direct marketing purposes.
- Right to lodge a complaint — if you believe we have not handled your personal data in accordance with the PDPA, you can lodge a complaint with the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi, JPDP): https://www.pdp.gov.my
To exercise any of these rights, please contact us using the details below.
Cookies and website data
Our website (toothiedental.com) is hosted on Weebly. The website may use standard cookies and analytics tools provided by Weebly and any analytics services we have enabled. These tools may collect technical information about your visit (browser type, IP address, pages viewed) but are not used to identify you personally.
If you fill in any form on our website (online booking, contact form), the information you provide is collected by us as the data controller, and is processed for the purpose of responding to your enquiry or booking your appointment.
What happens if you do not provide your personal data
For most of our services, we cannot proceed without the personal data we ask for. For example:
- We cannot register you as a patient or provide dental care without your basic identification and medical history.
- We cannot process payments without the relevant payment information.
- We cannot consider a job application without the information requested on our application form.
- We cannot grant non-patient visitors access to our staff or treatment areas without the visitor information needed for security and confidentiality protection. (Visitors who remain in reception or the waiting area only do not need to provide any information.)
If you choose not to provide some of the data we ask for, we will tell you what the consequence is, and you can decide whether to proceed. For optional fields (such as the "prefer not to disclose" option on the residential area question), there is no consequence to choosing not to disclose.
Changes to this Notice
We may update this Notice from time to time — for example, to reflect changes in the law, in our services, or in how we handle your data. The current version is always available at toothiedental.com/privacy-notice.
Where changes are significant, we will notify you directly (for example, by email or at your next visit).
How to contact us about your personal data
If you have any questions about this Notice, want to exercise any of your rights, or have a concern about how we handle your data, please contact us:
Personal Data Protection Officer / Authorised Contact Toothie Dental
Email: [email protected]
Written requests should be sent to the above by email, including:
- Your full name and contact details
- Verification of your identity (NRIC or passport copy)
- A description of the request (access, correction, withdrawal, portability, complaint)
- The relevant personal data the request relates to
We will respond within the timeframes required by the PDPA (currently 21 days for access requests, subject to extension where necessary).
If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Department: https://www.pdp.gov.my
Definitions used in this Notice
- Personal data — any information relating to an identified or identifiable individual.
- Sensitive Personal Data (SPD) — personal data concerning physical or mental health, biometric data, political opinions, religious beliefs, or alleged commission of an offence.
- Data controller (equivalent to "Data User" under the previous PDPA terminology) — the entity that decides the purposes and means of processing your personal data. In this Notice, the data controller is Toothie Dental ([INSERT FULL REGISTERED NAME]).
- Data processor — any third party that processes personal data on behalf of the data controller (for example, our IT provider, cloud storage provider, visitor management platform, dental laboratory).
- Data subject — the individual to whom the personal data relates (you).
- Processing — any operation performed on personal data, including collecting, recording, storing, using, sharing, and destroying.
- PDPA — Personal Data Protection Act 2010, as amended by the Personal Data Protection (Amendment) Act 2024.