GDPR Compliance
General Data Protection Regulation compliance for HealthTalk.
Overview
HealthTalk processes personal data and special category data (health data) in accordance with GDPR requirements. MEDrecord acts as a data processor on behalf of healthcare organizations (data controllers).
Legal Basis
Personal data processing relies on the following Article 6 lawful bases. Because health data is special category data, each processing activity must additionally satisfy an Article 9(2) condition (for messaging that supports care delivery, typically Article 9(2)(h), provision of health care):
- Contract - Performance of healthcare services
- Legal obligation - Healthcare documentation requirements
- Vital interests - Emergency communications
- Consent - Marketing communications (where applicable)
Data Subject Rights
HealthTalk supports the data subject rights of Chapter III GDPR as follows:
| Right | Implementation |
|---|---|
| Access | Export patient data via API or admin |
| Rectification | Update patient records |
| Erasure | Data deletion workflow |
| Restriction | Communication opt-out |
| Portability | Standard format export |
| Objection | Preference management |
Data Processing
Categories of Data
- Patient identification data
- Contact information
- Communication preferences
- Message content and history
- Health-related information
Retention Periods
Data retention follows healthcare regulations:
- Message content: Per organizational policy (minimum 10 years for medical records)
- Audit logs: 7 years
- System logs: 1 year
- Analytics data: Retained only in aggregated, anonymized form; once it can no longer be related to an identifiable person it is not personal data under GDPR (Recital 26)
Technical Measures
- Encryption at rest and in transit
- Pseudonymization where possible
- Access controls and logging
- Data minimization in processing
Organizational Measures
- Data Protection Officer appointed
- Staff training on data protection
- Data processing agreements with all sub-processors
- Regular privacy impact assessments
Data Processing Agreement
A Data Processing Agreement (DPA) is provided to all customers as required by Article 28 GDPR.