Processing Personal Data

Processing Personal Data in Smylor

Date: 1^st January 2023, Version number: 1.0

When you use Smylor to record and collect personal data from your Smylor profile pages or Smylor listing or internal system, Smylor takes on the role of the Data Processor. This means Smylor is processing data on your behalf whereas you are the owner and Controller of the data.

As the Data Controller, you are principally responsible for (among other things) collecting consent, managing consent-revoking and enabling right to access.

Smylor's Data Processing Agreement specifies the obligations of both parties, you the Controller and Smylor the Processor. Note where required Smylor will request explicit consent for the processing of personal data including potential personal dental health data.

• What counts as "personal data"?
• How might I be capturing personal data with Smylor?
• How can I know what data I have on any specific user?

What counts as "personal data"? 

According to the GDPR, personal data is any information relating to an identified or identifiable individual, which could mean any information that could be used either on its own or in conjunction with other data, to identify an individual.

Unless clear and advance consent has been given by the individual or end-user, Smylor’s marketplace tools should not be used to monitor personally identifiable information that would allow you to gain insight into individual user behavior. For more information about this read Smylor’s Acceptable Use Policy

How might I be capturing personal data with Smylor? 

There are two types of personal data you can send to Smylor:

• You can passively send personal data to Smylor if personal data is embedded in the page content of your site, application or internal system. For example, you may have a profile page for your site containing a user’s personal information including potentially dental treatment plans. This content maybe available to Smylor unless steps have been taken to suppress it.
• You can actively send personal data (e.g. email address, user ID, appointment data, etc.) to Smylor using Smylor’s API or your own API. This feature is optional but if adopted will probably require a dedicated signed Data Processing Agreement (DPA). 

How can I know what personal data I have on any specific user? 

In the event Smylor or yourself has gained consent to associate data about a user completing activities involving personal data collection such as an appointment booking, online conversations or a treatment review, whether over the Smylor API or internal API, when needed you can use Symlor's user lookup capabilities to find and delete personal data about your user that Smylor may have processed.