Privacy

Data Protection Officer

Doctena's information security management system is owned internally by the CTO/CISO, supported by a group-level external data-protection advisor. This page documents how to reach the data protection function and how that advisory model is set up.

Last reviewed
Next review
Owner
Data Protection Officer
Version
2.3.0
On this page

How to reach the DPO

Data Protection Officer

Christina Webersohn

Senior Consultant

Co-signatory: Kemal Webersohn, LL.M.

WS Digital Compliance GmbH

Dircksenstraße 51, 10178 Berlin, Germany

Reach the data protection function through Doctena at privacy@doctena.com, or contact the advisory firm directly through its website.

WS Digital Compliance GmbH · Managing directors: Kemal Webersohn & Christian Scholtz · Handelsregister Amtsgericht Berlin Charlottenburg HRB 185725 B

Country-specific privacy mailboxes

For data-subject requests under Articles 15 to 22 GDPR, see /data-subject-rights.

The data protection function

Doctena's information security management system is owned internally by the CTO/CISO. The day-to-day data protection function is run inside Doctena and supported by a group-level external data-protection advisor, whose advisory scope mirrors the tasks set out in Article 39 of the GDPR:

  • Inform and advise Doctena and its employees about their obligations under the GDPR and the national data protection laws of the countries we serve.
  • Monitor compliance with the GDPR, with this Trust Center's stated commitments, with Doctena's policies, and with the contracts we sign with controllers.
  • Provide advice on the Data Protection Impact Assessment process and monitor its performance.
  • Cooperate with the supervisory authorities and act as a contact point for them.
  • Act as a contact point for data subjects on all matters relating to the processing of their personal data and the exercise of their rights under the GDPR.

The advisor has direct reporting access to executive management and a standing invitation to every Information Security Steering Committee. Doctena does not instruct the advisor on the substance of this advice, preserving the independence that an external model is designed to provide.

Why a group-level external advisor

Doctena engages a specialist privacy firm (WS Digital Compliance GmbH, Berlin; brand WS Compliance, formerly trading as WS Datenschutz GmbH) as its group-level external data-protection advisor, on a data-protection-officer-as-a-service basis, since 2019. A single advisor working across the group gives Doctena:

  • Multi-jurisdiction expertise across LU, BE, NL, DE, AT and CH from a single team.
  • A documented absence of conflict of interest with any operational role.
  • Continuity independent of internal staffing.
  • Visibility on best practice from a portfolio of comparable health and SaaS clients.

How the advisory model is set up

The data-protection advisory engagement is held at group level and covers every Doctena legal entity through a single external advisor. A single point of contact serves the group rather than a separate appointment per country, which keeps the advice consistent across the jurisdictions we operate in.

Under the revised Swiss FADP, announcing a data protection advisor to the FDPIC is voluntary for private controllers. Doctena's Swiss entity is covered by the same group-level engagement for consistency (see the representative analysis below).

EU and Swiss representatives

Doctena S.A. is established in the European Union and is therefore not required to designate a separate EU representative under Article 27 GDPR. The Luxembourg controller acts as the relevant contact for the lead supervisory authority (CNPD). For data subjects, the contact above is the single point of contact regardless of country.

Switzerland applies a narrower test. Under Article 14(1) of the revised Swiss Federal Act on Data Protection (FADP, in force since 1 September 2023), a controller established abroad must designate a representative in Switzerland only if four cumulative conditions are all met: the processing relates to offering goods or services to, or monitoring the behaviour of, persons in Switzerland; it is large-scale; it is carried out regularly; and it poses a high risk to the data subjects. Doctena Switzerland GmbH is established in Switzerland and is therefore outside the scope of Article 14; for the group's other entities, our assessment is that the four cumulative conditions are not met. Doctena has therefore not designated a Swiss representative.