GDPR Compliance
How DocNotes complies with EU data protection regulations
Our Commitment to GDPR
DocNotes is fully committed to compliance with the General Data Protection Regulation (GDPR) and other EU data protection laws. We have implemented comprehensive technical and organizational measures to ensure the protection of personal data.
Legal Basis for Processing
We process personal data based on the following legal grounds:
- Contractual necessity: To provide the DocNotes service as per our agreement with you
- Legitimate interests: To improve our service, prevent fraud, and ensure security
- Legal obligations: To comply with applicable laws and regulations
- Consent: When required, we obtain explicit consent for specific processing activities
Data Controller and Processor
DocNotes as Data Processor
When you use DocNotes to process patient data, you (the healthcare professional or practice) act as the Data Controller, and DocNotes acts as the Data Processor. We process personal data only according to your instructions and in compliance with GDPR requirements.
DocNotes as Data Controller
For your account information and service usage data, DocNotes acts as the Data Controller and is responsible for GDPR compliance in processing this data.
Data Protection Principles
We adhere to all GDPR data protection principles:
- Lawfulness, fairness, and transparency: We process data lawfully and transparently
- Purpose limitation: We collect data only for specified, explicit purposes
- Data minimization: We collect only necessary data
- Accuracy: We maintain accurate and up-to-date records
- Storage limitation: We retain data only as long as necessary
- Integrity and confidentiality: We implement appropriate security measures
- Accountability: We can demonstrate compliance with GDPR principles
Your Rights Under GDPR
As a data subject, you have the following rights:
Right to Access (Article 15)
You can request confirmation of whether we process your personal data and obtain a copy of that data.
Right to Rectification (Article 16)
You can request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure (Article 17)
You can request deletion of your personal data under certain circumstances, including when data is no longer necessary or when you withdraw consent.
Right to Restriction (Article 18)
You can request restriction of processing in specific situations, such as when contesting data accuracy.
Right to Data Portability (Article 20)
You can receive your personal data in a structured, commonly used format and transmit it to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Article 7)
Where processing is based on consent, you can withdraw that consent at any time.
Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with your national data protection authority.
Exercising Your Rights
To exercise any of your GDPR rights:
- Log into your account and access your account settings
- Contact us at contact@docnotes.app
- Submit a written request to our company address
We will respond to your request within one month, as required by GDPR. In complex cases, we may extend this by two additional months.
Data Processing Agreement
For customers who process patient data (acting as Data Controllers), we provide a Data Processing Agreement (DPA) that meets GDPR Article 28 requirements. This agreement includes:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Processor obligations and restrictions
- Sub-processor arrangements
- Security measures
- Data breach notification procedures
- Assistance with data subject rights
- Data deletion or return procedures
Security Measures
We implement appropriate technical and organizational measures including:
- End-to-end encryption for all personal data
- Access controls and authentication
- Regular security testing and audits
- Employee training on data protection
- Incident response procedures
- Business continuity and disaster recovery
- Vendor security assessments
Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours (when required)
- Notify affected individuals without undue delay when there is a high risk
- Document all breaches and remediation actions
- Notify customers acting as Data Controllers promptly so they can meet their own notification obligations
International Data Transfers
All data is stored and processed within the European Union. When data transfers outside the EU are necessary, we ensure appropriate safeguards through:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Other approved transfer mechanisms
Sub-processors
We work with carefully selected sub-processors who meet GDPR requirements. Our main sub-processors include:
- Cloud infrastructure providers (EU-based)
- AI service providers with healthcare compliance
- Payment processors
- Email service providers
A complete list of sub-processors is available upon request. We will notify customers of any changes to sub-processors.
Data Retention
We retain personal data only as long as necessary:
- Account data: Retained while your account is active
- Clinical data: Retained according to your instructions as Data Controller
- After account deletion: Most data deleted within 90 days
- Legal requirements: Some data retained longer when required by law
Privacy by Design and Default
DocNotes is built with privacy by design principles:
- Default privacy-protective settings
- Data minimization in system design
- Privacy impact assessments for new features
- Regular privacy reviews
- Transparent data processing
Children's Data
DocNotes is not intended for use by individuals under 18. We do not knowingly collect personal data from children. Healthcare professionals using our service are responsible for compliance with applicable regulations when documenting care for pediatric patients.
Data Protection Officer
Our Data Protection Officer oversees GDPR compliance and can be contacted at:
Email: contact@docnotes.app
Address: Dusekestr 15, 13187 Berlin, Germany
Supervisory Authority
Our lead supervisory authority is [Your National Data Protection Authority]. You have the right to lodge a complaint with your local supervisory authority if you believe we have not complied with GDPR.
Updates to This Information
We may update this GDPR compliance information to reflect changes in our practices or legal requirements. We will notify users of material changes.
Contact Us
For questions about GDPR compliance or to exercise your rights:
Email: contact@docnotes.app
Address: Dusekestr 15, 13187 Berlin, Germany