GDPR Compliance
Ensuring Personal Privacy and Data Processing Transparency under European Standards
1. GDPR Framework Overview
The General Data Protection Regulation (GDPR) regulates how organizations process the personal data of individuals inside the European Economic Area (EEA).
Hypocrates ("we", "our", or "us") acts as both a Data Controller (for our own client account information, such as account registrations and billing) and a Data Processor (for clinical patient data processed on behalf of our clinic customers who use our software).
We are committed to maintaining the highest privacy, transparency, and data protection standards for all users and patients under our care.
2. Lawful Bases for Processing
Under GDPR, we process personal data only when a lawful basis is established. These bases include:
• Contractual Necessity: Processing is required to perform the services we contracted to provide to our clinic customers.
• Legal Obligation: Processing is necessary to comply with administrative, regulatory, or tax laws.
• Legitimate Interests: Processing is based on our legitimate business interests to optimize platform performance, monitor security settings, prevent fraud, and improve workflows, provided these do not override your privacy rights.
• Consent: When you or your patients have given explicit, unambiguous consent to process data for specific purposes (such as experimental diagnostics or ambient voice transcription). Consent can be withdrawn at any time.
3. Rights of EEA Data Subjects
Individuals residing in the European Economic Area (EEA) have specific rights regarding their personal data under GDPR. Hypocrates supports the execution of these rights:
• Right of Access: You have the right to obtain confirmation as to whether your personal data is being processed and to receive a copy of that data.
• Right to Rectification: You have the right to request correction of inaccurate or incomplete personal records.
• Right to Erasure (To Be Forgotten): You may request that we delete your personal data when it is no longer necessary for the purposes collected or when you withdraw consent (subject to legal retention requirements).
• Right to Restriction: You can request that we limit the processing of your personal data under certain conditions (e.g., if you contest its accuracy).
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object: You have the right to object to processing based on legitimate interests or direct marketing at any time.
4. Cross-Border Data Transfers
Hypocrates stores data using high-security server facilities. For data originating in the EEA, any transfers to countries outside the EEA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
We conduct rigorous security and compliance assessments of all vendors and sub-processors to ensure they maintain data protection safeguards that are equivalent to GDPR standards.
5. Data Protection Officer (DPO)
We have appointed a Data Protection Officer to oversee our legal compliance and privacy framework. For any GDPR-specific queries, compliance audits, or to exercise your data subject rights, please contact our DPO office:
DPO Office Contact
Email: dpo@hypocrates.com
Address: Rruga Ibrahim Rugova, Sky Tower, Floor 8, Tirana 1001, Albania