Your rights
The GDPR grants every person whose personal data is processed by Doctena the following rights:
| Right | What it lets you do |
|---|---|
| Article 15 access | Receive a copy of the personal data we hold about you, and information about how we process it. |
| Article 16 rectification | Have inaccurate or incomplete data corrected. |
| Article 17 erasure | Have your data deleted, subject to overriding legal obligations (in particular the 10-year medical record retention). |
| Article 18 restriction | Have processing paused while a dispute is resolved. |
| Article 20 portability | Receive a portable, machine-readable copy and have it transmitted to another controller of your choosing. |
| Article 21 objection | Object to processing based on legitimate interest, including profiling and direct marketing. |
| Article 22 automated decisions | Not be subject to a decision based solely on automated processing with legal or similarly significant effect. |
| Article 7(3) withdraw consent | Withdraw any consent you previously gave, with effect for the future. |
| Article 77 complaint | Lodge a complaint with a competent supervisory authority. |
How to exercise them
You can exercise any of these rights using one of the channels below. Pick the channel that fits your preference; we treat all of them with the same priority.
Privacy center
privacy.doctena.com
Multi-language intake form. The form is currently powered by Typeform; a first-party form is on the roadmap.
privacy@doctena.com
Plain email with the type of request and enough information for us to identify you.
Postal
Doctena S.A., Data Protection Officer
42 Rue de la Vallée, L-2661 Luxembourg
Erasure and export in practice
Two situations come up most often. How we handle erasure and export depends on whether you hold a Doctena account.
If you have a Doctena Patient Account
You can serve yourself from your Account Settings. You can export a machine-readable copy of your data at any time, and you can delete your account directly. Deleting your account automatically triggers the anonymisation of the data we hold as controller, so no separate request is needed.
If you booked without a Doctena account
When you book an appointment, a copy of your booking data is placed in the practitioner's space, and the practitioner becomes the controller of that copy. If you do not hold a Doctena account, the controller for your appointment data is the practitioner, so erasure and access requests for that data go to them. Contact the practitioner, who instructs Doctena (acting as their processor) to act on the request. We assist in facilitating that contact and we carry out the practitioner's instructions.
Either way, we complete a well-formed deletion request within one month, including removal from routine backups within that window.
Our SLA
Identification and security
Where we have reasonable doubts about the identity of the requester, we may ask for additional information to confirm it (Article 12(6) GDPR). We do not ask for more than is necessary. For example, we may ask for the date of a recent appointment and the name of the practitioner, rather than a copy of your identity document. If identity cannot be confirmed, we may refuse to act on the request and we will explain why.
Fees
Doctena does not charge for responding to a data-subject request. Where a request is manifestly unfounded or excessive, in particular because of its repetitive character, Article 12(5) GDPR allows us to either charge a reasonable administrative fee or refuse to act. We rarely invoke this: in practice, every well-formed request is handled at no cost.
Doctena as processor vs. controller
Where Doctena acts as the processor for a healthcare professional (for example, the appointment record), the primary controller is the practitioner. We forward your request to that practitioner and cooperate with them to fulfil it. Where Doctena acts as the controller in its own right (Doctena account, marketing communications), we handle the request directly. The GDPR page sets out the full role model.
Requests for or by minors
Requests on behalf of a minor must be submitted by the legal guardian. We may require evidence of the guardianship before acting on the request. Once a minor reaches the age of majority in their country, they may submit requests in their own name.
If you are not satisfied
If our response does not resolve your request, you have the right to lodge a complaint with the supervisory authority of your country of residence, place of work or place of the alleged infringement (Article 77 GDPR). Our lead supervisory authority is the CNPD in Luxembourg.
| Country | Authority | Website |
|---|---|---|
| Luxembourg (lead supervisory authority) | CNPD | cnpd.public.lu/ |
| Belgium | APD / GBA | www.autoriteprotectiondonnees.be/ |
| Netherlands | AP | autoriteitpersoonsgegevens.nl/ |
| Germany | BlnBDI | www.datenschutz-berlin.de/ |
| Austria | DSB | www.dsb.gv.at/ |
| Switzerland | EDÖB | www.edoeb.admin.ch/ |