← Back to Trust Center

GDPR Compliance

Ensuring Personal Privacy and Data Processing Transparency under European Standards

🇪🇺
Summary in plain English: We comply with the European GDPR. We act as a Data Processor for patients and a Data Controller for our registered clinic accounts. EEA users have strong rights to access, correct, and delete their data, overseen by our Data Protection Officer.

1. GDPR Framework Overview

The General Data Protection Regulation (GDPR) regulates how organizations process the personal data of individuals inside the European Economic Area (EEA).

Hypocrates ("we", "our", or "us") acts as both a Data Controller (for our own client account information, such as account registrations and billing) and a Data Processor (for clinical patient data processed on behalf of our clinic customers who use our software).

We are committed to maintaining the highest privacy, transparency, and data protection standards for all users and patients under our care.

2. Lawful Bases for Processing

Under GDPR, we process personal data only when a lawful basis is established. These bases include:

Contractual Necessity: Processing is required to perform the services we contracted to provide to our clinic customers.

Legal Obligation: Processing is necessary to comply with administrative, regulatory, or tax laws.

Legitimate Interests: Processing is based on our legitimate business interests to optimize platform performance, monitor security settings, prevent fraud, and improve workflows, provided these do not override your privacy rights.

Consent: When you or your patients have given explicit, unambiguous consent to process data for specific purposes (such as experimental diagnostics or ambient voice transcription). Consent can be withdrawn at any time.

3. Rights of EEA Data Subjects

Individuals residing in the European Economic Area (EEA) have specific rights regarding their personal data under GDPR. Hypocrates supports the execution of these rights:

Right of Access: You have the right to obtain confirmation as to whether your personal data is being processed and to receive a copy of that data.

Right to Rectification: You have the right to request correction of inaccurate or incomplete personal records.

Right to Erasure (To Be Forgotten): You may request that we delete your personal data when it is no longer necessary for the purposes collected or when you withdraw consent (subject to legal retention requirements).

Right to Restriction: You can request that we limit the processing of your personal data under certain conditions (e.g., if you contest its accuracy).

Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object: You have the right to object to processing based on legitimate interests or direct marketing at any time.

4. Cross-Border Data Transfers

Hypocrates stores data using high-security server facilities. For data originating in the EEA, any transfers to countries outside the EEA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.

We conduct rigorous security and compliance assessments of all vendors and sub-processors to ensure they maintain data protection safeguards that are equivalent to GDPR standards.

5. Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee our legal compliance and privacy framework. For any GDPR-specific queries, compliance audits, or to exercise your data subject rights, please contact our DPO office:

DPO Office Contact

Email: dpo@hypocrates.com

Address: Rruga Ibrahim Rugova, Sky Tower, Floor 8, Tirana 1001, Albania