Effective date: 1 May 2026
Last updated: April 2026
This section governs your use of the Prime Smile Dental Clinic website at primesmilejaffna.lk and the personal data we hold about you as a patient or enquirer. It is prepared in accordance with the laws of Sri Lanka, including the Personal Data Protection Act No. 9 of 2022 and the Electronic Transactions Act No. 19 of 2006, as well as the EU General Data Protection Regulation (GDPR) where applicable to patients ordinarily resident in the European Economic Area. By using our website or attending our clinic, you accept the terms set out below.
PART I
Privacy & Data Protection
1.1 Who we are and how to contact us
Prime Smile Dental Clinic (“we”, “us”, “our”) is located at No 235, Hospital Road, Jaffna, Sri Lanka. We are the data controller responsible for personal data collected through our clinic premises, this website, and all related communications. For any data protection matter, please contact us at info@primesmilejaffna.lk or by post at the address above.
1.2 Legal framework
We process personal data in compliance with the Personal Data Protection Act No. 9 of 2022 (PDPA) of Sri Lanka. The Act establishes lawful bases for processing, imposes obligations on data controllers, and grants rights to data subjects. Dental and medical records constitute sensitive personal data under the PDPA and are afforded the highest level of protection under the Act. We also comply with the Electronic Transactions Act No. 19 of 2006 in relation to digital records and electronic communications with patients.
Where a patient is ordinarily resident in the European Economic Area, or where we offer services to individuals in the EEA or monitor their behaviour, the EU General Data Protection Regulation (GDPR) applies in addition to Sri Lankan law. The provisions of Part IV of this document set out our obligations and your rights under GDPR in those circumstances. Where any gap exists in the PDPA or where the Sri Lanka Data Protection Authority has not yet issued guidance on a particular matter, we apply GDPR standards as the baseline for good practice.
1.3 What personal data we collect
We collect identity data (including full name, date of birth, and national identity card or passport number), contact data (postal address, telephone number, and email address), and clinical and health data (including dental and medical history, treatment records, radiographs, clinical photographs, medications, and allergies). We also collect payment and billing records, website usage data (including IP addresses, browser information, and pages visited), and correspondence submitted through our website, by telephone, or by messaging applications.
We do not knowingly collect personal data from children under the age of 16 without verified parental or guardian consent. Where a patient is a minor, a parent or legal guardian must provide consent on their behalf.
1.4 Purposes and lawful bases for processing
We process your personal data to provide dental treatment and clinical care, on the basis of a contract and, for sensitive health data, on the basis of vital interests in the context of healthcare provision. We maintain clinical records as required by law and professional regulation, which constitutes a legal obligation. We schedule appointments and send appointment reminders on the basis of our legitimate interests. We process payments on the basis of a contract. We refer you to specialists where clinically necessary on the basis of vital interests and, where required, your explicit consent. We send marketing communications such as newsletters and promotional offers only where you have given consent, which may be withdrawn at any time.
We will never use your health or clinical data for marketing purposes without your explicit written consent, and we will never sell your personal data to any third party.
1.5 Patient confidentiality
In addition to our obligations under the PDPA, we are bound by professional duties of confidentiality under the standards set by the Sri Lanka Dental Council and the Sri Lanka Medical Council. All clinical information you share with us is treated in strict confidence. Access to patient records is restricted to clinical and administrative staff who have a direct need to know for the purposes of your care. All staff are bound by confidentiality obligations as a condition of their engagement with us.
We will disclose confidential clinical information without your consent only where we are required to do so by a court order or other binding legal obligation, or where failure to disclose would present a serious and imminent risk to your life or the life of another person.
1.6 How we share your data
We may share your personal data with specialist clinicians, hospitals, or allied health professionals where a referral is clinically appropriate and where you have been informed of the referral. We may share data with dental laboratories, imaging centres, and other diagnostic service providers where this is necessary to provide your treatment. We share payment information with our payment processing providers solely for the purpose of completing billing transactions. We use third-party software providers to support clinic management, patient records, and website operations; these providers are bound by written data processing agreements and may not use your data for their own purposes.
Where we are required by law, regulation, or court order to disclose personal data, we will do so. We will, wherever legally permissible, notify you before making such a disclosure.
1.7 International data transfers
Certain software tools and services we use may store or process data on servers located outside Sri Lanka. Where such transfers occur, we ensure that appropriate safeguards are in place consistent with the requirements of the PDPA 2022. For transfers involving data belonging to EEA residents, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate transfer mechanisms recognised under GDPR, as set out in Part IV. If you have questions about a specific international transfer, please contact us at the address in section 1.1.
1.8 Retention of personal data
We retain clinical patient records for a minimum of seven years from the date of last treatment, or until the patient reaches the age of 25 in the case of minors, whichever period is longer. This period reflects prevailing medical and dental practice standards in Sri Lanka. Financial and billing records are retained for seven years. General correspondence is retained for three years. Marketing consent records are retained for the duration of the consent and for three years after withdrawal. Website analytics data is retained for twelve months. Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.
1.9 Security measures
We implement technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. These measures include encrypted storage of digital records, role-based access controls, secure physical storage and disposal of paper records, HTTPS encryption across this website, and regular staff training on data protection and confidentiality. In the event of a personal data breach that poses a risk to the rights and freedoms of affected individuals, we will notify the relevant authority and those individuals promptly and in accordance with the PDPA 2022. For EEA residents, we will additionally comply with the 72-hour breach notification obligation under GDPR Article 33, as set out in Part IV.
1.10 Cookies
Our website uses cookies. Essential cookies are necessary for the website to function and are placed without consent. Analytics cookies help us understand how visitors use the site and are placed only with your prior consent. Marketing cookies are used to deliver relevant promotional content and require your explicit consent. You may manage or withdraw your cookie preferences at any time through the cookie settings banner on this website or through your browser settings. Withdrawing consent does not affect the lawfulness of any processing that took place before the withdrawal.
1.11 Your rights as a data subject
Under the PDPA 2022, you have the right to request access to the personal data we hold about you, to request correction of inaccurate or incomplete data, to request erasure of your data subject to any applicable legal retention requirements, to request restriction of processing in certain circumstances, to receive your personal data in a portable format where technically feasible, to object to processing carried out on the basis of our legitimate interests (including direct marketing), and to withdraw any consent you have given at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at the details set out in section 1.1. We will respond within 30 calendar days of receipt of a valid request. Where a request is complex or involves a large volume of data, we may extend this period by a further 30 days and will notify you of the extension. You also have the right to lodge a complaint with the Data Protection Authority of Sri Lanka once that body is fully constituted and operational under the Act. EEA residents have additional rights and complaint mechanisms under GDPR, which are set out in Part IV.
PART II
Website Terms of Use
2.1 Acceptance of terms
By accessing and using primesmilejaffna.lk, you accept these terms of use in full. If you do not accept these terms, you must cease using this website immediately. We reserve the right to amend these terms at any time. Continued
2.2 Medical and dental disclaimer
The content published on this website, including articles, blog posts, treatment descriptions, FAQs, and any other written or visual material, is provided for general informational purposes only. It does not constitute clinical advice, a diagnosis, a treatment recommendation, or a substitute for a professional consultation with a qualified dental practitioner. You should not rely on any content on this website when making decisions about your dental or medical health.
If you have a dental or medical concern, you should contact a qualified clinician directly. In the case of a dental emergency, please call us immediately at 021-2228386 or attend the nearest hospital emergency department.
2.3 Accuracy of information
We make reasonable efforts to ensure that the information on this website is accurate and up to date. However, we do not warrant that the content is free from errors, omissions, or inaccuracies. Treatment descriptions, prices, clinician details, and opening hours are subject to change. You should contact the clinic directly to confirm any specific information before acting upon it.
2.4 Acceptable use
You may use this website only for lawful purposes and in a manner that does not infringe the rights of any third party or restrict or inhibit the use of the website by others. You must not use this website to transmit unsolicited communications, to introduce malicious code, to attempt to gain unauthorised access to any part of the website or its underlying systems, or to engage in any conduct that is fraudulent, harmful, or otherwise unlawful. Such conduct may give rise to liability under the Computer Crimes Act No. 24 of 2007 of Sri Lanka.
2.5 Online appointments and enquiries
Where this website offers the facility to request an appointment or submit an enquiry, doing so does not constitute a confirmed booking or a contractual relationship. An appointment is confirmed only when you receive direct confirmation from the clinic. Appointment requests submitted through the website are handled during clinic working hours and may not receive a same-day response.
2.6 Third-party links
This website may contain links to external websites operated by third parties. These links are provided for your convenience only. We have no control over the content, privacy practices, or terms of those websites and accept no responsibility for them. The inclusion of a link does not constitute an endorsement of the linked website or its operator. You access third-party websites entirely at your own risk.
2.7 Intellectual property
All content on this website, including text, images, logos, graphics, and the overall design and layout, is either owned by Prime Smile Dental Clinic or is used with appropriate permission. This content is protected by copyright and other intellectual property rights under the Intellectual Property Act No. 36 of 2003 of Sri Lanka. You may not reproduce, distribute, republish, modify, or create derivative works from any content on this website without our prior written consent. You may print or download content for your own private, non-commercial reference.
2.8 Limitation of liability
To the fullest extent permitted by applicable law, Prime Smile Dental Clinic, its clinicians, directors, employees, and agents shall not be liable for any loss or damage arising from your use of, or inability to use, this website or its content, including but not limited to direct, indirect, incidental, consequential, or special damages. This limitation does not exclude liability for death or personal injury caused by our clinical negligence, or for any liability that cannot lawfully be excluded.
2.9 Availability
We do not warrant that this website will be available at all times or that it will be free from interruptions, errors, or security vulnerabilities. We reserve the right to suspend, withdraw, or restrict access to this website or any part of it at any time without notice.
PART III
Governing Law & Updates
3.1 Governing law and jurisdiction
This Privacy Policy and Legal Notice, and any dispute or claim arising out of or in connection with it, is governed by and construed in accordance with the laws of the Democratic Socialist Republic of Sri Lanka. Any dispute arising under or in connection with these terms shall be subject to the exclusive jurisdiction of the courts of Sri Lanka, without prejudice to the rights of EEA residents to seek redress through supervisory authorities or courts in their country of residence under GDPR.
3.2 Language
This document is published in English. In the event of any conflict between this document and any translated version, the English language version shall prevail.
3.3 Updates to this document
We review and update this document periodically, including as required by changes in applicable law or our clinical and operational practices. When we make material changes, we will update the effective date at the top of this document and, where appropriate, notify patients directly. We encourage you to review this page from time to time. Continued use of this website or our services after any update constitutes your acceptance of the revised terms.
3.4 Contact
For any question about this document, to exercise your data subject rights, or to raise a concern about how we have handled your personal data, please contact us at info@primesmilejaffna.lk or by post at No 235, Hospital Road, Jaffna, Sri Lanka. We aim to acknowledge all enquiries within five working days.
PART IV
GDPR Provisions — International Patients & Supplementary Standards
4.1 Scope and application
This Part applies to any individual who is ordinarily resident in the European Economic Area (EEA) and who uses this website, contacts our clinic, or receives treatment from us, whether in person or remotely. It also applies where we offer services to individuals in the EEA or process personal data in connection with monitoring the behaviour of individuals located in the EEA, in accordance with the extraterritorial scope of the GDPR under Article 3(2).
In addition, where the PDPA 2022 does not yet provide specific rules on a matter, or where the Sri Lanka Data Protection Authority has not yet issued implementing regulations or guidance on a particular issue, we apply the corresponding GDPR standard as a matter of good practice. This approach ensures that all patients, regardless of their country of origin, benefit from a consistent and high standard of data protection.
4.2 Our role under GDPR
For the purposes of GDPR, Prime Smile Dental Clinic acts as a data controller in respect of personal data processed about EEA residents. We have not appointed a formal EU representative under Article 27 GDPR at this time, as our processing of EEA residents’ data is occasional in nature. Should the volume of such processing materially increase, we will review this position and appoint a representative where required. EEA residents may in the meantime direct all GDPR-related enquiries to us directly at info@primesmilejaffna.lk.
4.3 Lawful bases under GDPR
Where GDPR applies, we process personal data only where we have a valid lawful basis under Article 6 of the Regulation. For the provision of dental treatment, our lawful basis is the performance of a contract or, prior to a contract, the taking of steps at your request. For maintaining clinical records and complying with professional regulations, our basis is compliance with a legal obligation. For appointment scheduling and other operational communications, we rely on our legitimate interests, which we have assessed as not overriding your fundamental rights and freedoms. For marketing communications, we rely on your freely given, specific, informed, and unambiguous consent, which you may withdraw at any time without detriment.
Where we process special category data, including health and dental records, under Article 9 GDPR, we rely on the processing being necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems, as set out in Article 9(2)(h). Where this basis does not apply, we will seek your explicit consent.
4.4 Your rights under GDPR
In addition to the rights set out in section 1.11 of this document, EEA residents have the following rights under GDPR. You have the right to erasure under Article 17, also known as the right to be forgotten, which entitles you to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent, or where the data has been processed unlawfully, subject to applicable legal retention obligations. You have the right to restriction of processing under Article 18, which allows you to request that we limit our use of your data in specified circumstances, including while a dispute about accuracy or legitimate interests is resolved. You have the right to data portability under Article 20, which entitles you to receive personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit it to another controller. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects, under Article 22. We do not currently carry out any such automated decision-making in relation to patients.
We will respond to GDPR rights requests within one calendar month of receipt. Where a request is complex, we may extend this period by two further months and will notify you within the first month of the reason for the extension.
4.5 Transfers of EEA resident data outside the EEA
Where personal data belonging to EEA residents is transferred to a country outside the EEA that has not received an adequacy decision from the European Commission, we will ensure that an appropriate safeguard is in place before the transfer takes place. The primary mechanism we rely upon is the use of Standard Contractual Clauses (SCCs) in the form approved by the European Commission under GDPR Article 46(2)(c). Where SCCs are used, we carry out a transfer impact assessment where required. We will provide EEA residents with a copy of the relevant safeguard upon request by contacting us at the details in section 3.4.
4.6 Data breach notification under GDPR
In addition to our obligations under the PDPA 2022, where a personal data breach is likely to result in a risk to the rights and freedoms of EEA residents, we will notify the competent supervisory authority in the relevant EEA member state within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay under Article 34 GDPR.
4.7 Complaints and supervisory authorities
EEA residents have the right to lodge a complaint with the data protection supervisory authority in the EEA member state of their habitual residence, place of work, or place of the alleged infringement. This right exists independently of any complaint lodged with us directly and does not affect any other legal remedies available to you. A full list of EEA supervisory authorities and their contact details is available at the European Data Protection Board website at edpb.europa.eu.
We request that you contact us in the first instance at info@primesmilejaffna.lk to give us the opportunity to resolve any concern before a formal complaint is submitted to a supervisory authority.
4.8 GDPR as a supplementary baseline
Where Sri Lankan law does not yet address a specific aspect of data protection, or where implementing regulations under the PDPA 2022 have not yet been issued, we will apply the corresponding GDPR principle or rule as a minimum standard. This applies in particular to matters such as privacy by design and by default, data minimisation, purpose limitation, and the handling of requests relating to automated processing. This commitment is not a legal obligation under Sri Lankan law at this time but reflects our view that patients deserve consistent protection regardless of the gaps that exist in any developing legislative framework.
© 2026 Prime Smile Dental Clinic. Prepared under the PDPA No. 9 of 2022, Electronic Transactions Act No. 19 of 2006, Computer Crimes Act No. 24 of 2007, Intellectual Property Act No. 36 of 2003 (Sri Lanka), and the EU GDPR where applicable.