Understanding GDPR
The General Data Protection Regulation (GDPR) is a set of regulations designed to protect the privacy and personal data of individuals within the European Union (EU). For health practices using Peptalkr, compliance with GDPR is crucial to ensure the safety and confidentiality of patient information.
Key Principles of GDPR
Lawfulness, Fairness, and Transparency: Peptalkr processes patient data in a legal, fair, and transparent manner. Users are informed about how their data is collected, used, and shared. Refer to our privacy policy for further information.
Purpose Limitation: Data is collected for specific, explicit, and legitimate purposes. Peptalkr only uses patient information to enhance practice efficiency and patient care.
Data Minimisation: Only necessary data is collected and processed. Peptalkr ensures that the amount of data collected is limited to what is needed for its intended purpose. For example, we DO NOT process or store:
Treatment notes.
Patient addresses, last names or dates of birth (except where we are collecting this information via a Peptalkr form. This data is erased from Peptalkr servers immediately upon successful delivery into Cliniko, and within 30 days from our and our subprocessors backup logs.
Health history (as above, except where we are collecting this information via a Peptalkr form).
Patient attachments and files.
Patient case information.
Accuracy: Patient data is kept accurate and up-to-date. Peptalkr provides tools for users to update and correct their information as needed.
Storage Limitation: Data is kept only for as long as necessary. Peptalkr has policies in place to delete data that is no longer required for processing. We delete data under the following circumstances:
When an account is suspended due to non-payment: we delete patient data from our databases within 7 days, and from within our backup logs within 60 days.
When an account is cancelled: we delete patient data within 24 hours, and from within our backup logs within 60 days.
When you request it: we delete patient data within 7 days, and from within our backup logs within 60 days.
Integrity and Confidentiality: Peptalkr implements strong security measures to protect patient data from unauthorised access, breaches, and other security threats. Refer to our security measures for further information.
Accountability: Peptalkr takes responsibility for complying with GDPR principles and can demonstrate compliance through documented policies and practices.
How Peptalkr Ensures GDPR Compliance
Data Encryption: All patient data is encrypted both in transit and at rest, ensuring it remains secure.
Access Controls: Strict access controls are in place, allowing only authorised personnel to access patient data.
Data Subject Rights: Patients have rights under GDPR, including the right to access their data, request corrections, and demand deletion. Peptalkr facilitates these rights through our user-friendly customer support interface. Actions are handled manually.
Data Breach Notification: In the event of a data breach, Peptalkr has procedures to promptly notify affected individuals and regulatory authorities within 72 hours.
Data Processing Agreements: Peptalkr enters into data processing agreements with all third-party service providers to ensure they also comply with GDPR requirements. We have agreements in place with:
Twilio
Campaign Monitor
Amazon Web Services
SendGrid
Intercom
Typeform
Your Role in GDPR Compliance
As a user of Peptalkr, you play a vital role in maintaining GDPR compliance:
Ensure Consent: Obtain explicit consent from patients before processing their data.
Regularly Review Data: Periodically review and update patient information to ensure its accuracy.
Report Issues: Report any suspected data breaches or security concerns to Peptalkr support immediately.
By adhering to these guidelines you can confidently manage patient data while staying compliant with GDPR.