Privacy

Data subject rights

The rights you have under the GDPR over your personal data, and how to exercise them with Doctena.

Last reviewed
Next review
Owner
Data Protection Officer
Version
1.1.0
On this page

Your rights

The GDPR grants every person whose personal data is processed by Doctena the following rights:

RightWhat it lets you do
Article 15 accessReceive a copy of the personal data we hold about you, and information about how we process it.
Article 16 rectificationHave inaccurate or incomplete data corrected.
Article 17 erasureHave your data deleted, subject to overriding legal obligations (in particular the 10-year medical record retention).
Article 18 restrictionHave processing paused while a dispute is resolved.
Article 20 portabilityReceive a portable, machine-readable copy and have it transmitted to another controller of your choosing.
Article 21 objectionObject to processing based on legitimate interest, including profiling and direct marketing.
Article 22 automated decisionsNot be subject to a decision based solely on automated processing with legal or similarly significant effect.
Article 7(3) withdraw consentWithdraw any consent you previously gave, with effect for the future.
Article 77 complaintLodge a complaint with a competent supervisory authority.

How to exercise them

You can exercise any of these rights using one of the channels below. Pick the channel that fits your preference; we treat all of them with the same priority.

Erasure and export in practice

Two situations come up most often. How we handle erasure and export depends on whether you hold a Doctena account.

If you have a Doctena Patient Account

You can serve yourself from your Account Settings. You can export a machine-readable copy of your data at any time, and you can delete your account directly. Deleting your account automatically triggers the anonymisation of the data we hold as controller, so no separate request is needed.

If you booked without a Doctena account

When you book an appointment, a copy of your booking data is placed in the practitioner's space, and the practitioner becomes the controller of that copy. If you do not hold a Doctena account, the controller for your appointment data is the practitioner, so erasure and access requests for that data go to them. Contact the practitioner, who instructs Doctena (acting as their processor) to act on the request. We assist in facilitating that contact and we carry out the practitioner's instructions.

Either way, we complete a well-formed deletion request within one month, including removal from routine backups within that window.

Our SLA

Identification and security

Where we have reasonable doubts about the identity of the requester, we may ask for additional information to confirm it (Article 12(6) GDPR). We do not ask for more than is necessary. For example, we may ask for the date of a recent appointment and the name of the practitioner, rather than a copy of your identity document. If identity cannot be confirmed, we may refuse to act on the request and we will explain why.

Fees

Doctena does not charge for responding to a data-subject request. Where a request is manifestly unfounded or excessive, in particular because of its repetitive character, Article 12(5) GDPR allows us to either charge a reasonable administrative fee or refuse to act. We rarely invoke this: in practice, every well-formed request is handled at no cost.

Doctena as processor vs. controller

Where Doctena acts as the processor for a healthcare professional (for example, the appointment record), the primary controller is the practitioner. We forward your request to that practitioner and cooperate with them to fulfil it. Where Doctena acts as the controller in its own right (Doctena account, marketing communications), we handle the request directly. The GDPR page sets out the full role model.

Requests for or by minors

Requests on behalf of a minor must be submitted by the legal guardian. We may require evidence of the guardianship before acting on the request. Once a minor reaches the age of majority in their country, they may submit requests in their own name.

If you are not satisfied

If our response does not resolve your request, you have the right to lodge a complaint with the supervisory authority of your country of residence, place of work or place of the alleged infringement (Article 77 GDPR). Our lead supervisory authority is the CNPD in Luxembourg.

CountryAuthorityWebsite
Luxembourg (lead supervisory authority)CNPDcnpd.public.lu/
BelgiumAPD / GBAwww.autoriteprotectiondonnees.be/
NetherlandsAPautoriteitpersoonsgegevens.nl/
GermanyBlnBDIwww.datenschutz-berlin.de/
AustriaDSBwww.dsb.gv.at/
SwitzerlandEDÖBwww.edoeb.admin.ch/