How DrinCloud Helps You with GDPR Compliance in Europe

General Data Protection Regulation (GDPR)

If you’re using DrinCloud to manage your practice and handle or process the data of any person who lives within the European Union—even if you’re not physically located in the EU—the GDPR rules apply to you.

DrinCloud is a great choice for managing your business if you need to meet the GDPR requirements!

Depending on the data involved, we serve as a Processor or as a Controller. It’s our responsibility to ensure that we have the right documentation and procedures in place to support you.

The following outlines how we’ve done that:

  • Established a Data Processing Addendum (DPA).
  • Updated our Privacy Policy and Terms of Service.
  • Formalized internal company policies on how we handle any of your data.
  • Appointed a Data Protection Officer (DPO).
  • Hired an EU representative lawyer to serve as an additional point of contact for any privacy-related inquiries.
  • “Flagged” accounts in the EEA zone (so we can communicate GDPR-related information only to the relevant parties).
  • Ensured that the third-party vendors we work with also meet GDPR compliance.

Data Processing Addendum (DPA)

This is an additional agreement (separate from our regular Privacy Policy) that you would agree to, and it means that although DrinCloud and its subprocessors aren’t physically in the EU/EEA, you are still allowed to use DrinCloud to manage your patient information.

The DPA includes Standard Contractual Clauses (also known as “Model Clauses”). These are an approved set of provisions which offer sufficient safeguards and protection for data that’s processed outside of the EU/EEA.

When you are ready, download the DrinCloud Data Processing Addendum, sign it, and send it back to us. (There are detailed instructions within the document.) The agreement takes effect as soon as we receive it, or as soon as you start using the service we provide.

Updated our Privacy Policy and Terms of Service

We’ve updated our Privacy Policy and Terms of Service to ensure that the agreements we have in place with you meet the requirements of GDPR, as well!

For example, our servers are located in Europe (Microsoft Cloud), which is mandatory under GDPR standards. When you agree to our policies and terms, you’re abiding by GDPR’s requirements around data that’s processed. This means that, with your patient data physically stored in the EEA zone, you are allowed to use DrinCloud.

Formalized internal company policies

We’ve revised our in-house policies and processes around how we handle your data. This includes protocols for how we access any of your information if requested by you, how we communicate with one another, and how we handle any incoming requests that we might get from your patients regarding their data (we always send them straight to you!).

Data Protection Officer (DPO)

We’ve appointed our own in-house Data Protection Officer (DPO). The roles of our DPO include making sure that DrinCloud is compliant with GDPR, serving as an advisor on data protection obligations, and acting as a contact point for data subjects and supervisory authorities.

EU representative

As DrinCloud has no physical presence in the EU, we’ve appointed a representative as a point of contact. This complies with Article 27 of the GDPR, which requires that a party who is actually located in the EU be available to address any questions relating to privacy.

Our EU representative is G&B Abogados, a law firm specializing in European GDPR matters.

Flagged EEA-zone accounts

Not everyone who uses DrinCloud is located in the EU/EEA zone, so we’ve taken appropriate measures to “flag” those who are. This is purely for our internal knowledge, and will make it easy for us to communicate any GDPR-related information out to those who need to know it.

However, we cannot guarantee that we have captured everyone. The flagging is based on the location of your DrinCloud account, so if you’re physically outside of the EU but treating patients in the EU (for example, you practice in Australia, but you’re doing phone sessions with a patient in France), your account would not be initially flagged.

If you’re concerned that you may not have been flagged, please let us know and we can double-check!

Ensured that third-party vendors meet compliance

In order for DrinCloud to function, we may have to utilise certain third-party tools (“subprocessors”), and we have ensured that all of them are compliant with GDPR.

The role of these third-party tools is to help DrinCloud run efficiently; they include cloud-based data storage and cloud-based email delivery services.

DRINCLOUD AS A PROCESSOR OF DATA

As the processor of your data, DrinCloud will help you to meet your needs as a controller—we provide you with the tools needed to comply with your patients’ requests. Below is a list of requirements related to your use of DrinCloud, and how we help you comply with those requirements!

  • Remove patients from marketing-related communications if needed.
  • Modify patients’ personal details.
  • Provide patients with a copy of all their personal information.
  • Delete all of a patient’s information from DrinCloud if needed.
  • Record whether or not a patient has consented to your clinic’s privacy policy.
  • Let patients consent to your privacy policy when booking online.

Remove patients from marketing-related communications

If a patient requests to not receive marketing-related materials from your clinic (such as marketing emails or messages), you need to be able to remove them from any such communication. GDPR calls this the Right to Object.

You can customise your patients’ preferences by unsubscribing them from marketing, and when sending a group message you can select whether it’s “marketing-related” or “need-to-know”. If you use the MailChimp integration, archiving or deleting a patient will automatically remove their details from MailChimp, so they’ll no longer get marketing emails from you.

Modify a patient’s details

A patient may request that you make changes to their information, as it’s stored in DrinCloud. GDPR defines this as the Right to Rectification.

If a patient tells you that their details are incorrect, you can edit anything about that patient in DrinCloud!

Provide patients with a copy of all their personal information

A patient may come to you and request a copy of every piece of personal information you have (which is stored in DrinCloud). GDPR calls this the Right to Access. The information must also be provided to them in an easy-to-read format—and it needs to be portable (meaning, it could easily be transferred/imported to another system). This is defined as the Right to Portability.

Delete all patient information from DrinCloud

A patient has the right to request that you remove any and/or all of their personal information from DrinCloud. This is what the GDPR defines as the Right to Erasure or Right to Be Forgotten.

You can permanently delete a patient from your DrinCloud account. This is important for those who don’t have a legal requirement to retain records, or if that legal requirement has lapsed. If you are legally required to retain patient records, we do not advise permanently deleting any patient. You can archive them instead.

Record patient consent to your privacy policy

If you have a privacy policy for your clinic, you need to keep track of whether or not your patients have consented to it, and you need to make it clear and easy. The GDPR requires that you obtain lawful consent from your patients in order to store their personal information.

When adding a new patient or editing their details, you can mark off whether a patient has accepted, rejected, or not responded to your clinic’s privacy policy.

Let patients consent to your clinic’s privacy policy when booking online

Any patient who is booking an appointment through your online bookings page will be required to agree to your privacy policy, if you include a link to it.

When they agree to this, their record in your DrinCloud account will also be updated to indicate that they have accepted your privacy policy.

DRINCLOUD AS A CONTROLLER OF DATA

We’re also a controller, in that we control the information you provide to us—your email address, business details, and contact information, for example. As a controller, we have the same sorts of responsibilities that you have when it comes to your patients—except we’re handling your information, not that of your patients.

The ways we comply with our job as a controller include:

  • Full deletion of your DrinCloud account on request.
  • The ability to opt out of any marketing-related communications from us.

Check out the specifics of how we help you with GDPR compliance, below!

Full deletion of your DrinCloud account

If requested, we can entirely delete your DrinCloud account. This is irreversible. We’ll provide you with the tools to download all of your data prior to deleting (such as data exports) but if you do require a full account deletion, please note that it cannot be undone.

This is important for those who don’t have a legal requirement to retain records, or if that legal requirement has lapsed. If you are legally required to retain your records, we do not advise full account deletion.

Allow you to opt out of any marketing communications from us

If you’d prefer to not receive emails from us that don’t explicitly relate to your account, you can opt out of these. If you opt out, it means that you wouldn’t receive any emails about new features we release, for example, but you would still receive an email if your account was past due.

Note: this is different from your patients opting out of marketing-related communications from your clinic.

As always, if you have any questions about any of this, reach out to our support team via the chat bubble in the lower right! We’ll be more than happy to discuss things with you at info@drincloud.com.