If you use Carepatron to run your practice and you handle or process the personal data of anyone living in the European Union or the United Kingdom, GDPR applies to you even if your practice is not physically located there. We aim to make it easy for you to meet your GDPR requirements!
In this guide, we'll cover the following:
Data Processing Addendum (DPA)
These additional agreements are incorporated into our Terms of Service where applicable. They provide the contractual basis that lets you use Carepatron to manage your clients' information even though Carepatron and its subprocessors are not physically located in the EU/UK.
The DPA includes Standard Contractual Clauses (also known as "Model Clauses"). These are a regulator-approved set of contractual provisions that provide the appropriate safeguards GDPR requires for personal data that is transferred to, and processed in, countries outside the EU/UK.
Privacy Policy and Terms of Service
Our Privacy Policy and Terms of Service set out the commitments required to meet GDPR requirements.
Data Protection Officer (DPO)
We have our own in-house Data Protection Officer (DPO). Our DPO's role includes:
Ensuring that Carepatron is compliant with GDPR.
Serving as an advisor on data protection obligations.
Acting as a contact point for data subjects and supervisory authorities.
Our DPO can be contacted at support@carepatron.com
Third-party vendor compliance
For Carepatron to function, we rely on specific third-party services ("subprocessors"), and we have ensured that all of them comply with GDPR.
These third-party services help Carepatron run efficiently; cloud-based data storage is one example. You can learn more about the subprocessors we use here.
Carepatron as a processor of data
As your data processor, Carepatron helps you meet your obligations as the controller: we provide the tools you need to respond to your clients' requests about their personal data.
Modify a client's details
Clients may request that you change their information, as it's stored in Carepatron. GDPR defines this as the Right to Rectification.
If a Client says their details are incorrect, you can edit anything about that Client Record in Carepatron!
Provide clients with a copy of all their personal information
A client may come to you and request a copy of their personal information stored in Carepatron. GDPR calls this the Right to Access, and it requires you to give them a copy of that information in a clear, intelligible form. A related right, the Right to Data Portability, requires that the data also be provided in a structured, commonly used and machine-readable format, so that it can easily be transferred or imported into another system.
Delete all patient information
A client has the right to request that you remove any and/or all of their personal information from Carepatron. The GDPR defines this as the Right to Erasure or Right to Be Forgotten.
You can permanently delete a client from your Carepatron workspace. This is intended for practices that have no legal requirement to retain records, or whose retention period has lapsed. If you are legally required to retain patient records, we do not advise permanently deleting any patient; check your retention obligations before you delete.
Record patient consent to your privacy policy
If you have a privacy policy for your practice, you need to keep track of whether each client has consented to it, and the consent request itself must be clear and easy to understand. GDPR requires that you have a lawful basis for storing your clients' personal information; where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and you must be able to demonstrate that it was obtained.
Carepatron as a controller of data
We are also a controller, in that we determine how the information you provide to us is used, such as your email address, business details, and contact information. As a controller, we have the same sorts of responsibilities that you have regarding your clients; the difference is that we are handling your information, not that of your clients.
The ways we meet our obligations as a controller include the following.
Full deletion of your Carepatron account
If requested, we can delete your Carepatron account entirely.
This is intended for practices that have no legal requirement to retain records, or whose retention period has lapsed. We do not advise full account deletion if you are legally required to retain your records.
Our team will be available to answer any further questions you may have. Just reply via messenger through the Help channel in your workspace.