Data protection

GDPR programme

How Doctena applies the General Data Protection Regulation across our six legal entities, from the role model and the Data Processing Agreement to the Data Protection Officer and the per-country supervisory authority routing.

Last reviewed
Next review
Owner: Data Protection Officer
Version: 2.1.0

The role model

The GDPR distinguishes between a controller — the actor who decides the purposes and means of processing — and a processor — the actor who processes data on the controller's instructions. The Doctena platform binds together three populations, with the following role allocation:

[Figure: Different flows of information, showing how patient data reaches Doctena and how it returns to the practitioner's external calendar. Three flows of patient data reach Doctena: (1) direct online booking, (2) via the practitioner, (3) via the practitioner's medical software acting as a gateway partner. The diagram also shows the outbound calendar sync from Doctena through Cronofy to the practitioner's external calendar (Microsoft 365, Google Workspace or iCloud).]
| Party | Role | Examples |
| --- | --- | --- |
| The patient | Data subject | Person whose data is processed. |
| The healthcare professional or practice | Controller of the appointment record and clinical content | Decides which patient details are needed for the consultation, sets the retention period inside our allowed window, exercises the rights to instruct on processing under Art. 28. |
| Doctena | Processor for the appointment record; controller for the Doctena account, our website, our marketing communications and our security telemetry | Operates the platform on which the controller works; binds the controller through a Data Processing Agreement; runs the website and CRM in its own right. |
| Sub-processors | Sub-processors of Doctena, working only on documented Doctena instructions | AWS, Cloudflare, Cronofy, Whereby, Postmark and the others listed at /sub-processors. |
| Gateway partners | Subcontractors of the practitioner — they act on the practitioner's instructions, not on Doctena's. Doctena does not contract with them and no Doctena DPA covers them. | The practitioner's medical-software vendor with a Doctena integration; the destination calendar when the practitioner enables sync (Microsoft 365, Google Workspace, Apple iCloud). See the Gateway partners section below for the full picture, including the one exception (Cronofy). |

Gateway partners

Doctena integrates with two families of third-party software the practitioner brings into the relationship: the practitioner's medical software (their electronic health record or practice-management system) and the practitioner's calendar (Microsoft Outlook, Google Workspace, Apple iCloud). Both families are referred to as gateway partners. They are the third-party layer at the edge of the Doctena platform.

The three information flows

Personal information can reach Doctena along three different paths. The path determines who controls the data and which contract covers it.

  1. Online booking — the patient books directly through Doctena on doctena.com or a Doctena white-labelled portal. Doctena receives the data first; the practitioner is notified through their Doctena account.
  2. Via the practitioner — the patient consults or telephones the practitioner; the practitioner records the appointment in Doctena on the patient's behalf. The practitioner is the source of the data Doctena receives.
  3. Via gateway / medical software — the practitioner's medical software synchronises appointment data with Doctena, in one direction or in both. The gateway carries the data over a link the practitioner has authorised.

In GDPR terms, gateway partners act on the practitioner's instructions, not on Doctena's. The practitioner is the controller of their patient data; the gateway partner is the practitioner's processor for the slice of data that flows through it. Doctena does not contract with gateway partners and does not maintain a separate Article 28 DPA with them.

The practitioner must have their own Article 28 data-processing agreement with the gateway partner that defines the purpose of the data sharing, the security measures, the retention and the sub-processors the gateway in turn relies on. This is true for both the medical-software integration and the calendar sync.

The practitioner's obligations

If you enable a gateway integration as a practitioner, you must:

  • Hold your own Article 28 data-processing agreement with the gateway provider that documents the purpose of the data sharing, the security measures and the retention. Doctena will not provide it for you.
  • Configure the scope of the sync to the minimum the workflow requires — for example, anonymise the appointment title if your national medical-confidentiality rules require keeping the patient name in the medical-records system only.
  • Disable the integration on departure from a practice, so that historical appointments do not stay in the new calendar or the next medical-software instance.
  • Confirm — before enabling — that the gateway provider's data residency and sub-processor chain are compatible with the data-protection rules that apply to your patients.

Data Processing Agreement

Every healthcare professional contracting with Doctena signs a Data Processing Agreement under Article 28 of the GDPR. The current template is v2.0.0, dated 1 February 2026, published in English, French, German and Dutch. The DPA covers:

  • Subject matter, nature, purpose and duration of the processing.
  • Categories of personal data and data subjects.
  • Confidentiality commitments binding every Doctena employee with access.
  • Technical and organisational measures cross-referencing the Security page.
  • Sub-processing — prior notice, list, and 14-day objection window.
  • Cooperation with audits and inspections.
  • Breach notification within 48 hours of awareness.
  • End-of-contract data return or deletion within 90 days.
  • Liability and indemnification.
  • Standard Contractual Clauses where transfers to third countries occur.

The full text and downloadable PDF are on the DPA page.

Sub-processors and change notice

Doctena commits to a 14-day prior notice for any addition or change of a sub-processor that touches patient or customer personal data. The current register, the per-supplier residency and the underlying contracts are published at /sub-processors and refreshed at least monthly. The history of additions, removals and changes is published as a changelog so that customers can subscribe.

Data residency

Patient appointment data and the production database are hosted in the European Union — specifically in the eu-central-1 AWS region (Frankfurt, Germany). The active region is replicated to a second EU availability zone for resilience.

Where a sub-processor offers functionality that cannot be obtained from an EU-only vendor — currently Postmark (transactional email), Mapbox (maps), Cloudinary (image manipulation) and Webflow (Doctena Boost websites) — we transfer the minimum personal data necessary under the European Commission's Standard Contractual Clauses (Decision 2021/914) together with a documented Transfer Impact Assessment.

Retention and deletion

Our default retention windows reflect the obligations imposed on healthcare professionals across the countries we serve. The practitioner — as the controller of the appointment record — may instruct us to apply a shorter period in writing, down to one year from the last appointment, except where law mandates a longer period.

The full schedule is on the Privacy Policy retention table. At the end of the contract with a practitioner, the practitioner's controlled dataset is returned (as an export) or deleted within 90 days, except for backups which roll off naturally.

Breach notification

Where Doctena becomes aware of a personal data breach, we notify the affected controller within 48 hours of awareness, so that they can in turn meet their 72-hour notification window under Article 33 GDPR. Where Doctena is the controller, we notify the relevant supervisory authority within 72 hours, and we notify the affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).

We have never had a notifiable breach since Doctena's foundation in 2013. Our incident commitments are documented on the Security page.

Data Protection Officer

Doctena has designated an external Data Protection Officer for all EU and EEA entities. The designated DPO advises the controller, acts as the contact point for the supervisory authorities, and acts as the contact point for data subjects.

  • Lead: Christina Webersohn
  • Co-signatory: Kemal Webersohn, LL.M.
  • Organisation: WS Compliance GmbH
  • Postal address: Dircksenstraße 51, 10178 Berlin, Germany
  • Email: dpo@doctena.com (operational) · privacy@doctena.com (general)
  • Country aliases: see /dpo for per-country privacy mailboxes

DPO certificates

Each Doctena country entity holds a written designation issued by WS Compliance GmbH (formerly trading as WS Datenschutz GmbH). Certificates are renewed every two years.

  • Luxembourg — certificate refresh pending
  • Belgium — certificate refresh pending
  • Netherlands — certificate refresh pending
  • Germany — certificate refresh pending
  • Austria — certificate refresh pending
  • Switzerland — certificate refresh pending

Supervisory authorities

Under Article 56(1) GDPR, Doctena's lead supervisory authority is the Luxembourgish CNPD. You may also lodge a complaint with the authority of your country of residence or place of work. The full per-country table for LU, BE, NL, DE, AT and CH lives on /data-subject-rights, and the procedure to file a complaint with Doctena first is on /complaints.

Health data and professional secrecy

Patient appointment data, free-text consultation notes and uploaded documents constitute special category data concerning health under Article 9(1) of the GDPR. Our lawful basis is Article 9(2)(h): processing necessary for the purposes of preventive medicine, provision of healthcare, or management of healthcare services, by or under the responsibility of a health professional bound by a duty of professional secrecy.

Doctena employees who can access clinical content are restricted to a small named list of authorised support and engineering staff. Every access is audited and tied to a documented ticket or maintenance operation. No employee can access patient clinical content for any other reason.

Doctena does not use patient clinical data to train any machine-learning model, internal or external. See the AI use page for the full position.

International transfers

Patient records stay in the EU (AWS Frankfurt). Where a sub-processor delivers a function we cannot get from an EU-only vendor, Doctena covers the transfer with the European Commission's Standard Contractual Clauses, Module 3 (processor-to-processor), and a documented Transfer Impact Assessment. The per-supplier residency and the current list of third-country sub-processors are on the sub-processors page.

Data subject rights

The full set of Articles 15-22 GDPR rights and the procedure to exercise them are documented at /data-subject-rights. Doctena responds within one calendar month and at no cost.

Version 2.1.0 · Updated 2026-05-16 with information-flow diagram, gateway-partner clarification and slimmed cross-links · Replaces the previous GDPR centre at doctena.com/<locale>/gdpr/.