Updated October 22, 2020
This article explains the methods, procedures, and legal basis for Doxy.me’s GDPR compliance. It based on the Regulation (EU) 2016/679 otherwise known as the General Data Protection Regulation or the “GDPR”. Any capitalized terms not otherwise defined shall have the same meaning as defined in Article 4 of the GDPR.
Doxy.me processes Personal Data as a Data Processor on behalf of the Provider who may also be referred to as the Data Controller that may include one or more Data Subjects (including the Provider).
Summary of Our GDPR compliance:
- You can enable custom terms of service - You may need to include a specific opt-in message prior to starting a new session. That requires enabling custom terms of service for your patients during check-in available in Professional and Clinic accounts.
- Only the Provider name and email address is required to open an account. Nothing more personal information is required, though some optional services (such as Stripe payment system) may request more.
- Patient data are not stored - Doxy.me does not store protected health information about your patients.
- You can request to delete or update data - A user has the right to perform themselves or to contact us to correct, access, or delete their personal information.
Doxy.me’s obligations as related to the GDPR include, but are not limited to:
- Article 28, Section 1: Providing sufficient guarantees to controller that it has implemented appropriate technical and organizational measures to ensure the protection of the rights of the data subject.
- Article 28, Section 3: We will provide a data processing agreement to the Provider upon request if the Provider is considered a "data controller" as defined in the GDPR.
- Article 29: We will only process Personal Data on instructions from the provider.
- Article 32, Section 1: We will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect the ongoing confidentiality, integrity, availability, and resilience of processing systems and services and other obligations stated in this article.
- Article 32, Section 2: We will use industry best methods and the measures described in Annex 3 to prevent Personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
- Article 33, Section 2: We will notify the provider without undue delay and at most 72 hours after becoming aware of a Personal Data Breach.
- Articles 44, 45, and 46: To the extent any processing or sub-processing of Personal Data takes place in any country outside the EEA, ensure that the country is an Adequate Country.
Legal basis of processing
We may process Your Personal Data if one of the following applies:
- You have given Your consent for one or more specific purposes;
- provision of Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof;
- processing is necessary for compliance with a legal obligation to which We are subject;
- processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in Doxy.me;
- processing is necessary for the purposes of the legitimate interests pursued by Doxy.me or by a third party.
In any case, we will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Purposes of processing
Personal Data is collected to allow Us to provide Our Services, comply with legal obligations, respond to enforcement requests, protect its rights and interests (or those of our users or third parties), detect any malicious or fraudulent activity, as well as the following: Analytics, Registration and authentication, Handling payments, Hosting and back-end infrastructure, Managing contacts and sending messages, Traffic optimization and distribution, User database management, Access to third-party accounts, Infrastructure monitoring, Operations, Data transfer outside the EU, Commercial affiliation, Backup saving and management, Contacting the User, Displaying content from external platforms, Tag Management, Content performance and features testing (A/B testing), and Advertising.
EU-U.S. Privacy Shield Framework
Doxy.me participates in and complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and Switzerland to the United States. The policies and rights outlined below are therefore equally and explicitly applicable to Users from Switzerland, except if stated otherwise. The Owner has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
In July 2020, the Court of Justice of the European Union (CJEU) declared the EU-U.S. Privacy Shield Framework “invalid.” However, Doxy.me remains in the program and continues to abide by its intent and rules. The decision by the CJEU does not relieve participants of their obligations under the EU-U.S. Privacy Shield Framework.
Transfer Impact Assessment
The CJEU determined that two U.S. laws impacted the rights and privacy of EU citizens. The purpose of this Transfer Impact Assessment is to assist the Customer in determining that the transfer of any personal data from the EU to the U.S. using the Doxy.me Service would not be subject to either law.
Executive Order 12333 relies on voluntary cooperation of a company to provide information to a law enforcement agency. Doxy.me does not foresee a reason why the minimal personal information (Provider name and email address) stored in our Services would ever be requested for a law enforcement investigation. Typically, that information is publicly or easily available.
Section 702 of the Foreign Intelligence Surveillance Act authorizes compelled assistance directives to request information about non-U.S. persons living overseas. As with EO 12333 above, doxy.me cannot envision a scenario where a top U.S. agency would believe that foreign intelligence information (classified as "secret") would existing in our Services.
The U.S. Department of Commerce has filed a formal response with some initial observations and guidance concerning the relevance of the contested areas of U.S. law. With that guidance, Doxy.me believes that transfers to the U.S. should not automatically be seen as constituting high risk processing under the GDPR. Instead, it should be determined whether such transfers could result in a high likelihood of harm (such as the possibility of government access). Given the nature of the data being transferred, We believe that no harm will result in entering a name and email address into the Doxy.me Service.
To be clear: the CJEU ruling doesn't change Our firm commitment to protect Your data. Nor does it change Our security operations that have protected Your data since Doxy.me began its operations.
For any further legal GDPR questions, please contact the support team.