Do we have to send X-rays and imaging files?

Yes — under GDPR Article 15, the right of access covers personal data including imaging and clinical photographs attached to the patient. Ghost lets you upload imaging exports, redact third-party identifiers (for example a referrer's name in metadata), and include them in the response pack. Provide them in a format the patient can actually open — that is part of the regulator's expectation.

What about clinical notes from another dentist or hospital?

Third-party clinical opinions held in your file are still the patient's data when they ask. The third-party clinician may have an interest worth considering, but they do not normally veto disclosure of their professional notes. Common practice: disclose the substantive content, redact identifying details of the third-party clinician, and log the decision on the case. Ghost's redaction workspace and audit log are built for exactly this judgement call.

Do redactions happen in the cloud, or stay on our machine?

PDF rendering and redaction are client-side in your browser — the file does not leave the practice unless you save the session. For AI-assisted detection on Solo DPO, the document is processed through an EU-hosted detection path that returns suggested boxes; you can opt out and redact manually. Full details are on the security page.

We never get subject access requests — do we still need this?

Most practices say that until a solicitor writes. The risk is not the volume; it is that the one request you do get is time-bound, high-stakes, and visible to a regulator if you mishandle it. A documented process now is what the DPC and your insurer want to see, and it caps the hours your team loses if a request lands during a busy week.

Can our GDPR consultant access the cases?

Yes — on Solo DPO and DPO Team. Invite your consultant as a read-only or operator member, share case logs, and export the full audit pack. Most consultants prefer a clear log on the cases they advise on over reconstructing it from email chains later.

How much does it cost?

Free to start: one active case, manual PDF redaction up to 5 pages per file, and 10 redactions per month. Solo DPO is €49/month (or €39/month billed annually) for unlimited cases, AI-assisted redaction, the full audit log, and the Article 30 register.

How long does setup take?

One 45-minute call. We configure your subject access intake template, response wording, and basic logging together. You can run a request end-to-end the same week.

Ghost

For Irish dental practices

Patient record requests,
without the panic.

A 4-step process for Irish dental clinics: log, redact, respond, prove it. So the next solicitor letter — or “I want everything you have on me” — doesn’t stop your Tuesday morning.

No credit card · EU-hosted · Built to the same data-protection standards as regulated financial software.

Start 30-day free trial Try the redaction demo

Ghost — Patient record request

Ghost privacy request workspace: case detail with identity verification, tasks, and documents

1 month

Article 12 response window

72 hours

Breach notice to the DPC

€20M

Maximum GDPR fine

Hosted infrastructure

The 4-step process

What a real DSAR Tuesday looks like with Ghost.

A solicitor letter lands. Or a patient asks for everything you hold on them. Without a process: half a day of charts, drives, and inboxes, and someone praying nothing was missed. With Ghost: four steps, every time.

Step 01

Log the request

Record who asked, when, and the statutory due date. The one-month clock starts the moment you have enough to identify the request — not when someone finally finds time to act.

Step 02

Collect records

Pull charts, letters, imaging exports, and admin files from your practice software and shared drives. Ghost does not replace your clinical system; it is where the request is managed once documents are exported.

Step 03

Redact what shouldn’t go out

Mask third-party identifiers, staff notes that are not the patient’s data, and anything else that shouldn’t be disclosed. AI suggestions on Solo DPO; you accept, reject, or refine every box.

Step 04

Send and keep proof

Deliver via a secure time-limited link, keep a copy of what was sent, and retain an append-only audit trail you can show the DPC, an insurer, or a patient’s solicitor.

Privacy request manager

The one-month clock starts the moment you log it.

A branded intake link your reception can share, identity verification before any disclosure, and the Article 12 deadline tracked automatically on every case. Assign the task to whoever is handling it; everyone else can see exactly where it stands.

Branded intake link for reception to share
Identity verification before disclosure
Article 12 deadline tracked automatically

Explore privacy requests

Ghost — Privacy request manager

Ghost privacy request workspace showing intake, identity verification, tasks, and documents on a single case

AI-assisted redaction

PII detected. You review. Clean PDF out in minutes.

Upload exports from your practice software, scanned letters, X-ray reports. Ghost detects names, addresses, IDs, and contact details and proposes redactions. You accept, reject, or refine. The afternoon of going through a printout with a black marker disappears.

PDFs, images, and scanned documents
PII detected on Solo DPO; manual on Free
Client-side rendering — files stay in your browser

Try the redaction demo

Ghost — AI-assisted redaction

Ghost redaction workspace with AI-detected PII boxes ready for review on a PDF

Case audit log

A documented trail of how the request was handled.

Each case keeps an append-only timeline — the intake, the identity check, redaction review sign-off, the final delivery, and who downloaded the pack. The record you’d otherwise have to reconstruct from email chains after a complaint.

Append-only timeline per case
Identity verification recorded with timestamps
Audit pack export when the DPC, an insurer, or counsel asks

How we keep data safe

Ghost — DSAR case audit log

See it end to end

A short walk-through of the workspace.

Redaction, privacy requests, and the audit log — in about three minutes.

Ghost — Product tour

More walkthroughs and guides

What practices ask us

The three things every practice says first.

“We never get these.”

Most practices say that until a solicitor writes. The risk isn’t volume — it’s that the one request you do get is time-bound and high-stakes. A documented process now beats improvising under a deadline.

“Our practice software handles GDPR.”

Practice management systems are great at storing records. Ghost lives in the moment a patient asks for everything: pulling exports together, redacting third-party detail, assembling the pack, and logging what was sent.

“We have a consultant.”

Ghost makes their job easier. They get a clear case log and exportable audit pack on every request they advise on. Invite them as a member; they review without sitting in your inbox.

Pricing

Built for a 1–5 chair practice budget.

Try the workflow free. Upgrade when you want to run every request through Ghost.

Free

Try the workflow on a real request before you commit.

€0/forever

1 active case
Manual redaction (PDF, up to 5 pages/file)
10 redactions per month
1 Article 30 register entry

Solo DPO

For owner-dentists and practice managers running the privacy programme themselves.

€49/month

Unlimited cases and redactions
AI-assisted PII detection
Article 30 register + audit log
Done-with-you 45-min setup included
€39/mo billed annually (save 20%)

Start 30-day trial

Done-with-you setup

A 45-minute call to configure intake, response wording, and your first case end-to-end.

Includedwith trial

45-min onboarding call
Intake template + response wording configured
First DSAR walked through together
Recording you can share with the team

See all plans if you operate multiple sites or work with a consultancy.

10 steps to a GDPR-confident dental practice

A free checklist covering privacy notices, the 30-day rule, the 72-hour rule, retention, and staff awareness — adapted for Irish dental practices.

Read the checklist

FAQ

Frequently asked questions

The next request lands when it lands.

Set up the process before it does. 30-day free trial — no credit card, EU-hosted, one 45-minute setup call included.

Start Free Trial Try the redaction demo

The regulatory landscape for Irish dental practices

Regulation (EU) 2016/679 (GDPR) applies to dental practices as data controllers. Health data is special category data under Article 9; processing must meet an Article 9 condition as well as a lawful basis under Article 6. Patients have a right of access under Article 15; you must respond within one month in most cases (Article 12), provide a copy in an appropriate format, and explain exemptions where you limit disclosure.

In Ireland, the Data Protection Commission (DPC) is the supervisory authority. Personal data breaches that are likely to result in a risk to individuals must be notified to the DPC without undue delay and, where feasible, within 72 hours of becoming aware (Article 33). Sector guidance from the Irish Dental Association and privacy practitioners stresses practical steps: clear privacy notices, a named person responsible for data protection, documented subject access procedures, retention discipline, and staff awareness — not heavyweight enterprise tooling.

Ghost helps you operate documented subject access and redaction workflows; it does not provide legal advice. For practice-specific questions — especially clinical confidentiality and Article 9 conditions — speak to your insurer, consultant, or solicitor.

Patient record requests,
without the panic.

A 4-step process for Irish dental clinics: log, redact, respond, prove it. So the next solicitor letter — or “I want everything you have on me” — doesn’t stop your Tuesday morning.

No credit card · EU-hosted · Built to the same data-protection standards as regulated financial software.

Patient record requests, without the panic.