Before publication, confirm the controller’s full registered identity, an EU representative under Article 27 GDPR if required, a Data Protection Officer where applicable, hosting and messaging providers, retention periods, and the lawful transfer mechanism for China and Russia. The current project data is not sufficient to claim full GDPR compliance.
1. Controller, contacts and territorial scope
Provisional controller: Dental Center of Heihe First People’s Hospital, 230 Central Street, Heihe, Heilongjiang Province, China.
- Privacy contact: heihe1.ru@yandex.ru.
- Telephone: +7-914-048-76-66.
- Full registered name and registration number: to be confirmed.
- EU representative under Article 27 GDPR: to be appointed or the applicable exemption documented.
- Data Protection Officer: to be assessed and identified if legally required.
This Notice is intended for visitors in the EU/EEA where the processing falls within the territorial scope of Regulation (EU) 2016/679 (GDPR). It complements the separate policy for visitors from the Russian Federation.
2. Categories of personal data
Information submitted by you
- name and telephone number;
- preferred contact channel;
- the content of your enquiry;
- dental images, medical reports and health information if you later choose to provide them through an agreed channel.
Technical and security information
- submission date and time;
- a cryptographic hash derived from the network address for abuse prevention;
- browser/device information (User-Agent);
- session identifiers and anti-forgery tokens required to protect the appointment form.
Please do not include detailed health information in the free-text form field. Dental images and medical records should only be shared after you receive information about the destination, safeguards and appropriate channel.
3. Purposes and legal bases
| Purpose | Data | GDPR legal basis | Indicative retention |
|---|---|---|---|
| Responding to your enquiry and arranging a consultation | Name, telephone, contact preference, message | Article 6(1)(b): steps at your request before entering into a contract; Article 6(1)(a) where consent is used | During communication and up to 3 years afterwards where needed to document the enquiry |
| Preliminary clinical assessment | Dental images, reports and health data | Article 6(1)(a) and explicit consent under Article 9(2)(a), unless another documented healthcare basis applies | Until the purpose is completed or consent is withdrawn, subject to legal retention duties |
| Site and form security | Session data, network-address hash, User-Agent and request logs | Article 6(1)(f): legitimate interests in preventing abuse and protecting the service | Session data until session expiry; other security records under an approved short retention schedule |
| Compliance and legal claims | Relevant enquiry and service records | Article 6(1)(c) and Article 6(1)(f) | For the statutory period or while a claim may be established, exercised or defended |
| Optional website analytics | Online identifiers, device/browser information, approximate location, page views and non-identifying interface events | Article 6(1)(a) consent and applicable ePrivacy rules | Analytics cookies for up to 180 days; GA4 event data under the retention period configured by the controller |
We do not use your appointment consent for advertising. Marketing communications require a separate opt-in. No solely automated decision producing legal or similarly significant effects is currently made through the website.
4. Health data and information about children
Dental images, diagnoses, symptoms, treatment history and similar information are data concerning health and therefore a special category under Article 9 GDPR. For an online preliminary assessment, the intended basis is your explicit consent unless the controller documents another applicable healthcare basis under EU or Member State law.
You may withdraw consent at any time. Withdrawal does not affect processing already carried out lawfully and may not require deletion where a separate legal duty applies.
Enquiries about a child should be submitted by a parent or legal guardian. The website is not intended to collect personal data directly from children. The controller must verify any Member State requirements that apply to the particular service and child.
5. Cookies and similar technologies
The current website uses strictly necessary session technologies for appointment-form security, CSRF protection and abuse prevention. They are not used for behavioural advertising and may be set without an optional-cookie opt-in where permitted because the requested service cannot work securely without them.
The cookie heihe1_cookie_consent stores the selected preference for up to 180 days. If analytics is accepted, Google Analytics 4 may set _ga and _ga_<identifier> cookies for up to 180 days to distinguish visits and produce aggregate statistics.
The website uses Basic Google Consent Mode v2. The external Google tag is not loaded and no data is sent to Google Analytics before the visitor selects “Allow analytics”. Advertising storage, advertising user data and advertising personalisation remain denied in all cases; Google Signals and ad-personalisation signals are disabled.
GA4 may receive the page URL and title, technical browser/device information, approximate location and non-identifying interaction events. The website does not intentionally send names, telephone numbers, appointment messages or health information to GA4. A choice can be changed through “Cookie settings” in the footer. Withdrawal blocks further analytics collection and deletes analytics cookies accessible to the website; it does not retroactively erase data already transmitted.
6. Recipients and processors
Depending on your request, data may be accessible to authorised clinic personnel, the Russian-speaking coordinator, treating dentists, website hosting and maintenance providers, and the messaging service selected by you. Public authorities may receive data where disclosure is legally required.
When analytics consent is given, Google receives technical and usage information as the provider of Google Analytics 4 under its applicable data-processing terms. Before launch, the controller must document the relevant Google entity, processing locations, transfer mechanism and GA4 retention settings.
Before launch, the controller must list or clearly describe the actual processor categories, execute Article 28 GDPR data-processing terms where required, and ensure that each recipient receives only the information needed for its role.
7. Transfers outside the EU/EEA
The dental clinic is located in China, and coordination may involve Russia. Both destinations are outside the EU/EEA and are not included in the European Commission’s current list of countries covered by a GDPR adequacy decision.
A transfer therefore requires a valid Chapter V GDPR mechanism, such as approved Standard Contractual Clauses together with an assessment and supplementary measures where appropriate, or a narrowly applicable Article 49 derogation. Explicit consent to a specific transfer can only be relied upon after informing the individual of the possible risks and must not be used as a routine substitute for appropriate safeguards.
Launch condition: medical documents from EU/EEA visitors should not be requested or transferred until the controller has documented the recipient, destination, transfer mechanism and practical safeguards and has updated this Notice accordingly.
8. Retention and deletion
Personal data must be kept only for as long as necessary for the stated purpose, a legal obligation or the establishment, exercise or defence of legal claims. Different categories may therefore have different periods.
Before production launch, the controller must approve a retention schedule and implement deletion in every storage location and backup lifecycle. The current file-based appointment handler does not automatically delete expired enquiries.
Where processing is based only on consent, data will be deleted or anonymised after withdrawal unless another legal basis justifies continued retention.
9. Your GDPR rights
Subject to the conditions and limits in the GDPR, you may request:
- access to your personal data and a copy;
- rectification of inaccurate or incomplete data;
- erasure or restriction of processing;
- objection to processing based on legitimate interests;
- data portability where processing is automated and based on consent or contract;
- withdrawal of consent at any time;
- information about international-transfer safeguards.
We may need reasonable information to verify your identity before acting on a request. Requests are normally handled without charge and within one month, subject to the extensions and exceptions allowed by the GDPR.
10. Contact, complaints and updates
Email heihe1.ru@yandex.ru with the subject “EU data protection request”. Please describe the request and provide a safe method for our response.
You also have the right to lodge a complaint with the data-protection supervisory authority in the EU/EEA country of your habitual residence, place of work or the alleged infringement.
This Notice may be updated when services, recipients, safeguards or legal requirements change. The current version and effective date will be published on this page.

