GDPR & Security?
This document is intended for current and future customers (practitioners) as well as for gateway partners. It describes where, why and how Doctena S.A. and its subsidiaries implement security and compliance for the services they offer.
The document starts with the compliance part, describing the roles and responsibilities that patients, practitioners, gateway partners and Doctena take in the context of GDPR. This part also highlights some important elements of how we enforce compliance using data processing agreements.
The second part of the document focuses on how Doctena implements security, both technically and at company level, ensuring your data is protected according to industry standards.
The General Data Protection Regulation (GDPR) sets the bar high with regard to protecting the integrity of the individual in the EU. GDPR is the European regulation for protecting personal data. It applies to all organizations (including medical practices) operating within the EU, and also to non-EU organizations that process the data of people in the EU. The definition of personal data under GDPR boils down to “any information allowing a person to be identified”. The purpose of GDPR is to harmonize data protection law across all EU member states and to strengthen the integrity of the individual. The regulation has been in effect since May 25th, 2018.
GDPR applies to both data controllers and data processors. The data controller is the party that determines the purposes and the manner in which the collected personal data is processed, while the data processor is a third-party entity processing personal data on behalf of the controller. Doctena is very clear and transparent on this point: the practitioner is the controller and owner of their patient/appointment data.
Roles and responsibilities
Doctena is both a data controller and a data processor but for different parts of the data.
- As a cloud calendar company providing a service to practitioners, Doctena mainly acts as a data processor. We process data on behalf of the practitioner, who defines what happens with this data (modification, removal, transfer, GDPR rights, …) and remains its owner. This data includes the patient profile, the appointment data and the optional doctor/patient notes linked to the appointments. This also applies when the practitioner sets up a synchronisation with our services through a gateway partner.
- For patients with a Doctena account, Doctena plays the role of controller only for the account data (preferences, name, address, phone, email, ratings, etc.), which exists only to facilitate the management of the patient’s appointments through our online services. During each booking, we copy the data from the Doctena account into the doctor’s patient profile and appointment; from that point on, this copy is controlled by the practitioner. As part of the Doctena account we also control a logical link to the doctor appointments, allowing us to show the patient their practitioners and appointments.
Different flows of information
The diagram below shows the three ways personal information can flow from the patient into our systems.
The patient is the person using the Doctena services, directly or indirectly through the practitioner, to find and manage their medical appointments. In GDPR terms, the patient is always the data subject (final owner of the personal data) and always has the right to define what happens with their data, unless a legal obligation overrides the request (e.g. court order, criminal investigation, …).
The practitioner is the person or legal entity that sub-contracts Doctena to provide them with an online agenda and to collect the related patient data. The practitioner is the final receiver of the patient’s data (DOCTOR-PATIENT) and defines the purpose of processing and data collection. It is their responsibility to ensure the patient data is handled securely and in accordance with the regulation when selecting sub-contractors such as Doctena or a Doctena-connected gateway partner. This is done in good faith and through the data processing agreements provided by Doctena, which clearly define what Doctena is allowed to do with the data on behalf of the practitioner and the level of security Doctena implements to protect this data.
In GDPR terms, the practitioner is always the controller (the main responsible party) for the patient data and the related appointment data (DOCTOR-PATIENT).
Many different medical software packages exist and are in use internally by practices. Gateway partners are legal entities (sometimes the same as the medical software provider) that specialize in linking data from the medical software with the Doctena services. For integrations with Doctena, only the practitioner’s data (DOCTOR-PATIENT) is concerned. Data can flow from the medical software to Doctena, from Doctena to the medical software, or in both directions, depending on the needs of the practitioner. Doctena also provides external plugins such as calendar synchronisations (e.g. Cronofy) that sync Doctena agendas to Exchange, G Suite, Outlook, etc.; these are also considered gateway partners.
In GDPR terms, gateway partners are always processors (sub-contractors) of the practitioner. The practitioner must have a data processing agreement in place with the gateway partner in which the practitioner clearly defines what can be done with their data, for what purpose, and how it is secured. Doctena regards gateway partners as sub-processors of the practitioner that have received the credentials/permissions to act on the practitioner’s behalf. Therefore, no separate data processing agreement is required between Doctena and the gateway partner, unless additional personal data processing is involved that requires an additional arrangement.
The Doctena group refers to Doctena S.A. and its subsidiaries in the different countries:
- Doctena SA – 6 Rue Adolphe, L-1116 Luxembourg (Luxembourg)
- Doctena Austria (formerly a3L e-solutions) – Mooslackengasse 17, A-1190 Wien (Austria)
- Doctena Belgium Sprl – Square de Meeus 37, B-1000 Brussels (Belgium)
- Doctena Switzerland GmbH – Hagenholzstrasse 83b, 8050 Zürich (Switzerland)
- Doctena Germany GmbH – Platz vor dem Neuen Tor, 10115 Berlin (Germany)
- Doctena Netherlands BV – Barbara Strozzilaan 201, 1083 HN Amsterdam (Netherlands)
- Doctena Afspraken Sprl – Square de Meeus 37, B-1000 Brussels (Belgium)
Data processing agreement
We have prepared a Data Processing Agreement (DPA) that is the same for all our customers, which you as a practitioner (data controller) can sign with Doctena (data processor) to define how Doctena is allowed to use your data. Under GDPR, practitioners are required to have such an agreement in place with all of their sub-contractors, and you should add it to your own GDPR documentation. The DPA describes the GDPR terms, the roles and the obligations of both the processor and the controller. It includes most of the information described in this article.
If you use a gateway integration with our system, you must also have a data processing agreement in place with that integrator in which you, as data controller, explicitly mandate the integrator to act on your behalf on your Doctena resources.
Doctena defines the following services as part of the sub-contracted processing activities which are always to be taken together:
- (i) Management of patient’s data regarding his/her doctors’ appointment and follow-up services;
- (ii) Management of the doctor’s agenda/calendar, including the gateway interfaces used by gateway partners.
- (iii) Management of the IT infrastructure, software, maintenance and administration related to the Principal Agreement services.
The operations carried out on the data for purposes (i), (ii) and (iii) are:
- Collection, storage and modification of the personal information of the patient required by the doctor to organize the appointment
- Search for a patient account using one of its stored personal data items
- Communication with the data subject regarding the appointment via email or (mobile) phone number
- Data imports into Doctena services using Doctor provided structured data (e.g. Onboarding)
- Automated backup of data
The category of data subject is: Patients.
Because multiple types of data can enter our systems as part of your usage, we include the most common data categories typically used in our system in the data processing agreement. This does not mean that you or your patients are obliged to share all types of data, but that Doctena is authorized to process them on behalf of the practitioner if they are entered into our doctor/patient notes or during general use of our system. These are the categories and types of data that can be collected by our service:
- Personal data of identification: name, title, email, address (private and professional), previous addresses, (mobile) phone number (private, professional), identifiers attributed by
- Personal details: age, sex, date of birth, place of birth, registry office and nationality;
- Data of electronic identification: IP addresses, cookies, moments of connection, electronic signature;
- Data relative to the care: data relative to resources and procedures used for the medical and paramedical care of the patients (e.g. doctor/patient notes, reason of visit);
- Details of the other members of the family or the household: children, supported people, other members of the household, information on parents and relatives;
- Pseudonymization: Controls to protect Confidentiality, Integrity and Availability of data (e.g. hashed credentials).
- (only if option is activated) Data of identification: emitted by public services, e.g. national identification number, social security number, number of ID card, passport.
When we work with external partners or subcontractors, we require them to apply at least the same security standards as we do. We do not want any weak links in our production and operation chains when it comes to security. Doctena publishes a list of its own sub-contractors (cloud, SMS, email services, …) as part of its data processing agreement. These sub-contractors have been selected for their compliance with security and privacy rules. We maintain our own data processing agreements with each of these processors (sub-contractors), in which we define the purpose of processing and enforce at least the same level of security/privacy as is promised to practitioners in the principal data processing agreement. Doctena’s processors (sub-contractors) are forbidden to process or transfer data in a third country (a country outside the EU/EEA), unless that country has a valid adequacy decision from the European Commission on the protection of personal data. Any change of processor (sub-contractor) by Doctena is communicated to all controllers (practitioners), who have 14 days to object to the change before it is implemented.
Because of the legal medical data retention obligations in the different countries where Doctena is active, we decided that all data is stored for 10 years and then anonymized automatically. Data can also be anonymized at any time by the practitioner using the online agenda.
Data subject rights
To help both patients and practitioners find answers to frequently asked questions regarding GDPR and to exercise their rights, we have put in place our own Doctena privacy center. The privacy center asks you a few questions to quickly point you to the information you are looking for.
When we receive requests to exercise GDPR rights (right to rectification, right to erasure, …), these requests are processed and validated internally by the Chief Information Security Officer (CISO) or a specially trained support officer. If the request is valid, one of two types of action takes place depending on the type of data concerned.
- For DOCTOR-PATIENT related requests, the request is always forwarded to the controller (practitioner). Doctena executes the request only if the practitioner gives explicit consent for the action.
- For DOCTENA-ACCOUNT related requests, the request is executed without involvement of the practitioner.
Doctena will notify the controller (practitioner) by email of any personal data breach no later than 48 hours after becoming aware of it. The notification is sent along with any documentation needed to enable the controller (practitioner), where necessary, to notify the breach to the competent supervisory authority within the 72 hours that GDPR grants the controller after it becomes aware of a breach.
Data processing and storage location
Doctena’s server infrastructure is hosted on Amazon Web Services and only uses data centers located in the Frankfurt region (eu-central-1), so that the data never leaves the EU. Amazon Web Services is GDPR compliant; additional information is available through the link below. Note that, under the AWS shared responsibility model, AWS’s compliance covers the underlying infrastructure, while the secure configuration of the services built on top of it remains Doctena’s responsibility and is covered by the measures described in the second part of this document.
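As an added illustration (not Doctena’s own configuration, which this page does not disclose), the following AWS Organizations Service Control Policy is the standard mechanism for technically enforcing a single-region commitment like the one above: it denies every API call whose requested region is not eu-central-1, except for the global services listed under NotAction, which are served from a US endpoint regardless of where data is stored. The exact list of exempted services is an assumption here and must be adapted to the services actually in use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEverythingOutsideFrankfurt",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "route53:*",
        "cloudfront:*",
        "support:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-central-1"]
        }
      }
    }
  ]
}
```

Two caveats a practitioner should keep in mind when reading a statement like this: an SCP restricts the API calls that principals in the organization’s member accounts can make, so it prevents new resources from being created elsewhere but is not by itself proof of where existing data sits; that question is answered by a resource inventory across all regions (for example AWS Config’s resource inventory). And global services exempted under NotAction still store their own metadata (IAM principals, DNS records, CDN configuration) outside the region, which is why patient data should never be placed in them.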
Why an external data protection officer?
We could have chosen to appoint an internal DPO, but because we wanted to be fully transparent towards patients, practitioners and authorities, we chose to assign this role to an external, impartial company specialized in data privacy and in the evolution of the regulation. They act as an intermediary between the data subjects (patients) and Doctena to ensure that patients’ rights are properly executed. In case of non-compliance by Doctena, the DPO is obliged to notify the relevant authorities. This forces us to stay on top of the requirements, and their yearly audits and our regular meetings help Doctena remain compliant.
Our commitment to Security
We take security and privacy very seriously at Doctena. Our customers’ and their patients’ data privacy is of utmost importance to us, and as a company we have implemented a series of measures to ensure that this data is safe!
Security is not only a word for us, but a concept that needs to be owned and executed upon on a daily basis. Therefore, we address security from multiple standpoints.
Dedicated people and responsibilities
Doctena has a dedicated Chief Information Security Officer (CISO), a senior employee holding a Master’s degree in security with a professional background in computer security. His role is to make sure that security remains a daily focus area. He does so by implementing processes and technologies and by coordinating the various teams and business units around security. He reports directly to our Chief Information Officer (CIO) and also to our group Chief Executive Officer (CEO), to make sure that the security focus starts at the highest management level.
Security by Design
Whenever we innovate and work on new products and features, the “Security” item is one of the first steps on the checklist. That way, we can be sure to design our products with security in mind, and make the technological and architectural decisions that lead to secure implementations.
Multi-layered security infrastructure
We use several well-known, industry-standard solutions to continuously check and protect our platforms against possible security issues:
- A Web Application Firewall, our first line of defense against common threats such as distributed denial of service (DDoS) attacks and malicious web requests. It also automatically blocks sources with a known bad reputation on the internet (e.g. dark web).
- An automated penetration testing platform that regularly scans our platforms and notifies our development teams whenever it finds a potential new security risk (e.g. a recently disclosed vulnerability), so that we can immediately apply corrective measures.
- A static code analysis platform that adds a deeper level of assurance by examining our constantly evolving code and evaluating the entry points into our application. It detects and reports to our development teams where they might have missed something.
- Software composition analysis tools that scan the external dependencies (libraries) used by our code for known vulnerabilities.
- An intelligent attack prevention system that learns normal behavior using AI and notifies us as soon as suspicious, out-of-the-ordinary activity is detected on the platform. The system blocks such activity automatically and informs our security team for follow-up.
These services come at a price, and Doctena allocates a significant part of its IT budget to these security tools, because we understand how important this is for you, and also for the survival of our business.
- No real patient data is used in our test environments or on local developer devices.
- Our business intelligence department only gets access to fully anonymized data.
- We never send emails containing personal data of patients. Where personal data needs to be sent per email, it is sent in an anonymized way.
Automated security updates
As part of our continuous deployment system, we include the latest security updates for all our systems on a weekly basis, and for most systems almost daily. This means that newly released security patches are included automatically each time we deploy a new version of our software, even before our security team is aware of them.
- All our databases are encrypted at rest with the industry-standard AES algorithm using 256-bit keys (AES-256).
- Passwords are never stored in clear text, but hashed with a one-way (irreversible) function.
- Where technically possible, highly sensitive data such as doctor and patient notes is additionally encrypted at the database field level.
- All laptops and computers of our employees are encrypted, and we enforce strict security protocols on them.
- Industry-standard encryption for data in transit (TLS/HTTPS) is applied to all communication, ensuring that no third party can intercept the communication between our platform and the user’s web browser.
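The page states only that passwords are hashed irreversibly, not which algorithm is used. As an added example (not Doctena’s code), here is how a practitioner would expect that bullet to be implemented: a per-user random salt, a memory-hard password hash (scrypt from Python’s standard library; the cost parameters are an assumption for this example), a constant-time comparison on verification, and a self-describing storage format so that the parameters can be raised later and old records re-hashed transparently on the user’s next successful login.

```python
import base64
import hashlib
import hmac
import os

# Current hashing policy. The values are an assumption for this example; a
# deployment benchmarks them so that one hash costs tens of milliseconds on
# its own hardware, and raises them as hardware gets faster.
SCRYPT_N = 2 ** 14          # CPU/memory cost (must be a power of two)
SCRYPT_R = 8                # block size
SCRYPT_P = 1                # parallelism
SALT_LEN = 16               # 128-bit random salt per password
KEY_LEN = 32                # 256-bit derived key
MAXMEM = 64 * 1024 * 1024   # upper bound for scrypt's working memory


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # scrypt is deliberately slow and memory-hungry, which is what makes
    # offline guessing of a leaked record expensive.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=KEY_LEN)


def hash_password(password: str) -> str:
    """Hash a password for storage.

    The record carries the algorithm and parameters alongside the salt and
    digest ("scrypt$N$r$p$salt$digest"), so it can still be verified and
    upgraded after the policy constants above change.
    """
    salt = os.urandom(SALT_LEN)
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])


def _parse(stored: str):
    """Return (n, r, p, salt, digest), or None if the record is malformed."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt = base64.b64decode(parts[4], validate=True)
        digest = base64.b64decode(parts[5], validate=True)
    except ValueError:          # covers binascii.Error as well
        return None
    return n, r, p, salt, digest


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record.

    hmac.compare_digest avoids leaking, through timing, how many leading
    bytes of the candidate digest matched the stored one.
    """
    parsed = _parse(stored)
    if parsed is None:
        return False
    n, r, p, salt, digest = parsed
    try:
        candidate = _derive(password, salt, n, r, p)
    except ValueError:          # parameters outside what MAXMEM allows
        return False
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True when a record is malformed or weaker than the current policy.

    Call this after a successful verify_password(); the caller then stores
    hash_password(password) so the upgrade happens at login, with the
    plaintext that is only available at that moment.
    """
    parsed = _parse(stored)
    if parsed is None:
        return True
    n, r, p, _, _ = parsed
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Two properties worth checking in any such implementation: hashing the same password twice yields two different records (the salt is doing its job, so identical passwords across users are not recognisable in a leaked table), and a record whose parameters are lower than the current policy is reported by needs_rehash so that it is upgraded rather than verified forever at the old strength.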
We have four completely isolated environments in place, each with its own dedicated servers and different credentials per environment, to ensure that a potential breach of one of them does not impact the others.
- Testing – Used by development to try out new code
- Staging – Isolated environment that most resembles production as a final step before code is pushed to production.
- Production – Highly monitored environment to which only a limited number of people have access
- Demo – Environment identical to production, containing only data from potential customers who want to test the system.
Our code base is fully tracked in a version control system, with a different branch per environment. This is part of our change management process, which allows us to see clearly who added which code and when. Every addition to the code is reviewed by a senior team lead and triggers automated tests on our most common business logic. Only project leads can deploy code to the production and demo environments.
An important element of our continuous deployment system is that our whole infrastructure is defined as code rather than by manual configuration. This allows us to quickly set up identical environments and server configurations, leaving no room for manual mistakes or security misconfigurations. It also allows us to scale our production servers automatically when more capacity is needed, without manual action and the mistakes that come with it.
All our application databases are set up with high availability to ensure that at any given moment all data is present in at least two geographically separated data centers. A snapshot of these databases is taken automatically every day for disaster recovery, combined with another daily worst-case disaster recovery copy stored in a highly secured, encrypted storage solution in another data center. The web servers that provide our services are also set up with high availability.
Monitoring and alerting
All important servers and resources are monitored with advanced tools that alert us, usually even before something really goes wrong. This allows our infrastructure team to quickly inform the teams that need to act.
Once a year, our platforms are audited by a well-known IT security company that also certifies large and complex banking systems for security and resilience. The results of these audits are analyzed and acted upon by our IT teams, after which the audit company issues us a certificate attesting to our level of security.
To provide further proof of our level of security, Doctena is working towards ISO 27001 certification. We have already implemented a solid internal information security management system that imposes strict policies and procedures internally, and we will soon go for this certification to give you an even higher level of trust in our systems.
ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes best practice for an ISMS (information security management system). Achieving accredited certification to ISO 27001 demonstrates that a company follows information security best practice, and provides independent, expert verification that information security is managed in line with international best practice and business objectives. ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2013.
Since its creation, Doctena has not suffered any security breach.
If you have any questions in regards to GDPR and your use of Doctena, feel free to email
Please note that this post is for informational purposes only, and should not be considered legal advice.