If you're using Carepatron to run your practice and handle or process the data of any person living within the European Union or the United Kingdom —even if you're not physically located there — GDPR rules still apply. We aim to make it easy for you to meet your GDPR requirements!

In this guide, we'll cover the following:

These additional agreements are incorporated into our terms of service where applicable, and mean that although Carepatron and its subprocessors aren't physically in the EU/UK you are still allowed to use Carepatron to manage your client's information.

The DPA includes Standard Contractual Clauses (also known as "Model Clauses"). These are an approved set of provisions which offer sufficient safeguards and protection for data that's processed outside of the EU/UK.

EU Data Processing Addendum

UK Data Processing Addendum

Our Privacy Policy and Terms of Service include the agreements to meet GDPR requirements!

We have our own in-house Data Protection Officer (DPO). Our DPO's role includes:

Our DPO can be contacted at team@carepatron.com

For Carepatron to function, we may have to utilize specific third-party tools ("subprocessors"), and we have ensured that all of them comply with GDPR.

The role of these different third-party tools is to help Carepatron run efficiently, such as cloud-based data storage. You can learn more about the subprocessors we use here.

As your data processor, Carepatron will help you meet your needs as a controller—we provide you with the tools needed to comply with your patients' requests.

Clients may request that you change their information, as it's stored in Carepatron. GDPR defines this as the Right to Rectification.

If a Client says their details are incorrect, you can edit anything about that Client Record in Carepatron!

A client may come to you and request a copy of their personal information (which is stored in Carepatron). GDPR calls this the Right to Access. The information must also be provided to them in an easy-to-read format—and it needs to be portable (meaning, it could easily be transferred/imported to another system). This is defined as the Right to Portability.

A client has the right to request that you remove any and/or all of their personal information from Carepatron. The GDPR defines this as the Right to Erasure or Right to Be Forgotten.

You can permanently delete a client from your Carepatron workspace. This is important for those who don’t have a legal requirement to retain records or if that legal requirement has lapsed. If you are legally required to retain patient records, we do not advise permanently deleting any patient.

If you have a privacy policy for your practice, you would need to keep track of whether or not your clients have consented to it, and you need to make it clear and easy The GDPR requires that you obtain lawful consent from your clients to store their personal information.

We're also a controller, in that we control the information you provide us—like your email address, business details, and contact information. As a controller, we have the same sorts of responsibilities that you have regarding your clients—except we're handling your information, not that of your clients.

The ways we comply with our job as a controller include:

Check out the specifics of how we help you with GDPR compliance below! 🎉

If requested, we can entirely delete your Carepatron account.

This is important for those who don’t have a legal requirement to retain records or if that requirement has lapsed. We do not advise full account deletion if you are legally required to retain your records.

Our team will be available to answer any further questions you may have. Just reply via messenger or reach out on team@carepatron.com.