GDPR Compliance
Last Updated: January 24, 2025
CareFlow is committed to compliance with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland.
1. Our GDPR Commitment
As a healthcare management platform, CareFlow takes data protection seriously. We have implemented comprehensive measures to ensure GDPR compliance across all aspects of our service:
- Privacy by design and by default in all systems
- Transparent data processing practices
- Strong technical and organizational security measures
- Clear data subject rights procedures
- Data Processing Agreements (DPAs) with all customers
- Regular compliance audits and assessments
2. Legal Basis for Processing
We process personal data under the following legal bases:
- Contract Performance: To provide our healthcare management services
- Legal Obligation: To comply with healthcare regulations and legal requirements
- Legitimate Interests: To improve our services, prevent fraud, and ensure security
- Consent: Where explicitly provided for specific processing activities
- Vital Interests: To protect the health and safety of individuals
3. Data Controller and Processor Roles
In the context of GDPR:
- Your Organization (Data Controller): Determines the purposes and means of processing patient data
- CareFlow (Data Processor): Processes data on behalf of your organization according to your instructions
- We only process personal data as instructed by you and in accordance with our Data Processing Agreement
- We do not use your data for our own purposes or share it with third parties without authorization
4. Types of Personal Data Processed
CareFlow may process the following categories of personal data:
- Patient Data: Names, contact details, medical records, health information, treatment data
- Staff Data: Employee information, schedules, qualifications, employment records
- Account Data: User credentials, login information, access logs
- Financial Data: Billing information, payment records, insurance details
- Technical Data: IP addresses, device information, usage analytics
5. Data Subject Rights
Under GDPR, individuals have the following rights regarding their personal data:
- Right to Access: Individuals can request copies of their personal data and information about how it is processed.
- Right to Rectification: Individuals can request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten"): Individuals can request deletion of their personal data under certain circumstances.
- Right to Restrict Processing: Individuals can request limitation on how their data is used.
- Right to Data Portability: Individuals can receive their data in a structured, machine-readable format.
- Right to Object: Individuals can object to certain types of data processing.
- Rights Related to Automated Decision-Making: Individuals have rights regarding automated decisions that significantly affect them.
6. Exercising Data Subject Rights
To exercise any of these rights:
- Submit requests through your healthcare provider (Data Controller)
- Or contact us directly at gdpr@careflow.com
- We will respond within 30 days of receiving a valid request
- We may require identity verification before processing requests
- No fee is charged for requests unless they are manifestly unfounded or excessive
7. Data Security Measures
We implement state-of-the-art security measures to protect personal data:
- Encryption: End-to-end encryption for data in transit and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication
- Regular Audits: Annual security assessments and penetration testing
- Staff Training: Mandatory GDPR and security training for all personnel
- Incident Response: 24/7 monitoring and documented breach response procedures
- Certifications: ISO 27001, SOC 2 Type II, and HIPAA compliance
8. Data Retention
We retain personal data only as long as necessary:
- Active account data: Duration of service agreement
- Healthcare records: As required by healthcare regulations (typically 7-10 years)
- Financial records: As required by tax and accounting laws
- Backup data: 90 days after account closure
- Audit logs: 7 years for compliance purposes
9. International Data Transfers
When transferring data outside the EEA, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for certain jurisdictions
- Binding Corporate Rules where applicable
- Additional security measures for sensitive health data
- Transparency about data transfer locations
10. Sub-Processors
We use carefully vetted sub-processors for specific services:
- Cloud infrastructure providers (e.g., AWS, Azure)
- Payment processors (PCI-DSS compliant)
- Email service providers
- Analytics and monitoring services
All sub-processors are bound by GDPR-compliant data processing agreements. A current list of sub-processors is available upon request.
11. Data Breach Notification
In the event of a personal data breach:
- We will notify you (the Data Controller) within 72 hours of discovery
- We will provide details about the nature and scope of the breach
- We will describe measures taken to address the breach
- We will assist you in notifying supervisory authorities if required
- We will cooperate in notifying affected individuals if necessary
12. Data Protection Impact Assessments (DPIA)
We conduct DPIAs for high-risk processing activities:
- New features or significant system changes
- Processing of special category data
- Large-scale processing operations
- Automated decision-making with legal effects
We provide DPIA documentation to customers upon request.
13. Children's Data
Special protections apply to data of individuals under 16:
- Parental consent required for processing
- Age verification mechanisms in place
- Additional security measures for minors' data
- Limited data collection and processing
14. Supervisory Authority
You have the right to lodge a complaint with your local data protection authority. For EU/EEA matters, our lead supervisory authority is:
Irish Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie
15. Updates to This Policy
We may update this GDPR compliance statement to reflect:
- Changes in GDPR requirements or guidance
- New features or services
- Changes in data processing practices
- Feedback from supervisory authorities
Material changes will be communicated via email and in-app notifications.
16. Contact Our Data Protection Officer
For GDPR-related questions or requests, contact our Data Protection Officer:
- Email: dpo@careflow.com
- Phone: +1-800-CAREFLOW (for EU callers: +353-1-XXX-XXXX)
- Mail: Data Protection Officer, CareFlow, 123 Healthcare Way, Medical District, CA 94000, USA
Note: This document provides an overview of our GDPR compliance. For detailed technical and organizational measures, please refer to our Data Processing Agreement (DPA) available to all customers.