GDPR Compliance
How Doctorita ensures full compliance with the General Data Protection Regulation
Our Commitment to GDPR
Doctorita is fully committed to compliance with the General Data Protection Regulation (GDPR) and protecting the fundamental rights and freedoms of individuals with respect to the processing of their personal data.
As a healthcare technology platform operating within the European Union, we recognize the heightened sensitivity of health data and apply the strictest data protection measures.
This page outlines our GDPR compliance framework, including our legal basis for processing, data protection measures, and how we respect the rights of data subjects.
Legal Basis for Processing
Under GDPR Article 6, we process personal data based on the following legal grounds:
Contractual Necessity (Article 6(1)(b)): Processing is necessary to provide our clinical documentation services to healthcare providers who have entered into a contract with us.
Consent (Article 6(1)(a), Article 9(2)(a)): For processing health data, we rely on explicit consent from healthcare providers who have obtained proper patient consent for recording and documenting consultations.
Legal Obligation (Article 6(1)(c)): We process data to comply with legal requirements, such as tax laws and healthcare record-keeping regulations.
Legitimate Interests (Article 6(1)(f)): We process certain data for legitimate business purposes, such as fraud prevention, security monitoring, and service improvement, where such processing does not override individual rights.
For Special Categories of Data (Article 9): Health data processing is based on explicit consent and is necessary for healthcare purposes under Article 9(2)(h), with appropriate safeguards in place.
Data Protection Principles
We adhere to all six GDPR data protection principles (Article 5):
Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner. We clearly communicate how data is used.
Purpose Limitation: We collect data only for specified, explicit, and legitimate purposes (clinical documentation) and do not process it in ways incompatible with those purposes.
Data Minimization: We collect only the data necessary to provide our services. No excessive or irrelevant data is processed.
Accuracy: We maintain accurate and up-to-date records. Healthcare providers can update patient information at any time.
Storage Limitation: We retain data only as long as necessary for the purposes for which it was collected, in line with healthcare record-keeping requirements (typically 7-10 years).
Integrity and Confidentiality: We implement appropriate technical and organizational measures to ensure data security, including encryption, access controls, and regular security assessments.
Data Subject Rights
Under GDPR, individuals (data subjects) have the following rights, which we fully respect and facilitate:
Right to be Informed (Articles 13-14): We provide clear information about data processing through our Privacy Policy.
Right of Access (Article 15): You can request a copy of all personal data we hold about you. We will provide this within 30 days of your request.
Right to Rectification (Article 16): You can request correction of inaccurate or incomplete data.
Right to Erasure (Article 17): You can request deletion of your data ("right to be forgotten"), subject to legal record-keeping requirements.
Right to Restrict Processing (Article 18): You can request that we limit how we use your data in certain circumstances.
Right to Data Portability (Article 20): You can request your data in a structured, machine-readable format (JSON/CSV) to transfer to another service.
Right to Object (Article 21): You can object to processing based on legitimate interests or for direct marketing.
Rights Related to Automated Decision-Making (Article 22): While we use AI for transcription and summaries, final clinical decisions remain with healthcare providers. You have the right to human review of AI-generated content.
To exercise any of these rights, contact our Data Protection Officer at dpo@doctorita.com.
Technical and Organizational Measures
We implement comprehensive measures to ensure data security and GDPR compliance:
Technical Measures: TLS 1.3 encryption for data in transit; encryption at rest for cloud storage; secure authentication; role-based access control; time-limited presigned URLs for file access; regular security audits and vulnerability assessments.
Organizational Measures: Data Protection Officer (DPO) oversight; staff training on GDPR and data protection; data processing agreements with all sub-processors; incident response procedures; privacy by design and by default in system architecture.
Pseudonymization and Minimization: We use unique identifiers (nanoid) for records; we collect only essential data fields; user-generated content remains under your control.
Data Processing Agreements
We have Data Processing Agreements (DPAs) in place with all third-party processors who handle personal data on our behalf.
These DPAs ensure that processors only process data according to our instructions, implement appropriate security measures, and assist us in fulfilling data subject rights.
International Data Transfers
Doctorita operates primarily within the European Union (Romania).
Where possible, we select EU-based data centers for our infrastructure.
We conduct Transfer Impact Assessments (TIAs) to ensure that international transfers meet GDPR requirements.
Data Breach Notification
In compliance with GDPR Articles 33-34, we have established procedures for detecting, responding to, and notifying data breaches:
Detection: We monitor systems for unauthorized access, data leaks, or security incidents.
Assessment: Upon discovering a breach, we assess the risk to individuals' rights and freedoms.
Notification to Supervisory Authority: If the breach poses a risk, we notify the Romanian data protection authority (ANSPDCP) within 72 hours.
Notification to Data Subjects: If the breach poses a high risk to individuals, we notify affected data subjects without undue delay.
Documentation: We maintain records of all data breaches, including facts, effects, and remedial actions taken.
To report a suspected data breach, contact security@doctorita.com immediately.
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, particularly those involving health data and automated decision-making.
Our DPIAs evaluate: the nature, scope, context, and purposes of processing; the necessity and proportionality of processing; risks to individual rights and freedoms; measures to address risks and demonstrate compliance.
Contact Our Data Protection Officer
For any GDPR-related questions, concerns, or to exercise your rights, contact our Data Protection Officer:
Email: dpo@doctorita.com
Address: Data Protection Officer, Doctorita SRL, Sos. Mihai Bravu 510B, Bucharest, Romania
Supervisory Authority: You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro.