GDPR Compliance
How the platform meets European data protection requirements.
What Is GDPR
GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the European data protection law. It applies to any platform that processes personal data of people in the EU/EEA, regardless of where the platform itself is based. It governs personal data (often called PII): any information relating to an identified or identifiable person, including names, e-mail addresses, phone numbers and IP addresses. Health data is a "special category" under Art. 9 and may only be processed under stricter conditions, which is why a healthcare platform is held to a higher bar than an ordinary SaaS.
Fines for violations can reach 4% of global annual revenue or 20 million euros, whichever is higher.
How It Applies to the Platform
Roles and responsibilities
| Party | GDPR Role | Key Obligations |
|---|---|---|
| Each clinic | Data Controller | Owns the patient relationship. Has a lawful basis for every processing purpose. Publishes the privacy notice. Responds to patient rights requests. Reports breaches to ANSPDCP (the Romanian supervisory authority) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to patients. |
| RestartiX | Data Processor (for patient data) / Controller (for the thin slice of platform-account data) | Processes patient data only on the clinic's documented instructions (Art. 28). Signs a DPA with every clinic. Maintains a Record of Processing Activities. Reports incidents to clinics without undue delay so the clinic can meet its 72-hour notification window. |
| Patient | Data Subject | Has enforceable rights over their data (see Patient Rights). Exercises those rights against the controller — the clinic — with the platform helping route the request. |
For the substantive design — the two-tier consent surface, clinic-owned privacy notices, break-glass access, and DSAR routing — see How Patient Data Is Protected.
Required documents
| Document | Who Needs It | Purpose |
|---|---|---|
| Data Processing Agreement (DPA) | RestartiX + each clinic | Legal contract defining what data is processed and how |
| Sub-processor list | RestartiX (public) | Lists all third parties that process data (Clerk, AWS, Daily.co) |
| Privacy Policy | Each clinic | Tells patients what data is collected and why |
| Data Protection Impact Assessment (DPIA) | Each clinic (as controller), with RestartiX supplying the platform-side assessment | Art. 35 requires a DPIA before large-scale processing of health data; the controller owns it and the processor must assist (Art. 28(3)(f)) |
| Record of Processing Activities (ROPA) | RestartiX + each clinic | Formal inventory of all data processing — available to regulators |
How the Platform Supports GDPR
Consent management
The platform supports a two-tier consent surface:
- Tier A — SaaS-style consents (platform terms, platform privacy notice, marketing email/SMS, analytics, AI processing). Collected at sign-up; the toggleable ones can be flipped from patient settings at any time.
- Tier B — form-driven medical consents (telemedicine, video recording, biometric capture, treatment-specific). Signed at booking time on the clinic's own forms, with three signature modes: in-portal click, drawn on a tablet at the clinic, or sent to the patient's phone via link.
Both tiers write to a single append-only consent ledger. Each grant records who signed, when, from where, against which exact version of the policy or form text, and via which signature mode. Withdrawal is immediate, recorded, and per-purpose — withdrawing video-recording consent does not affect the other consents on file.
Consent given at one clinic does not extend to another. Each clinic is a separate controller with its own privacy notice, its own consent records, and its own DSAR contact.
For the full mechanics — including how clinics publish their privacy notice via versioned templates and how withdrawal differs across consent types — see How Patient Data Is Protected.
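The ledger described above, as an added example that is not RestartiX's code. It shows what "append-only" buys you: current consent state is never stored as a mutable flag but replayed from the event trail, so a withdrawal for one purpose leaves the others untouched, a grant at one clinic says nothing about another, and the full history is ready for a DSAR or a regulator. The event fields, the purpose names, the `policy_version` check and the in-memory list standing in for a database table are all assumptions made for this illustration.

```python
"""Append-only consent ledger with per-purpose, per-clinic withdrawal.

Added example, not RestartiX's code. Field names, purpose identifiers and
the in-memory list that stands in for a database table are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    patient_id: str
    clinic_id: str        # the controller this consent was given to
    purpose: str          # exactly one purpose per event, e.g. "video_recording"
    action: str           # "grant" or "withdraw"
    policy_version: str   # exact version of the notice/form text shown
    signature_mode: str   # "click", "tablet", "phone_link", or "settings"
    source_ip: str
    recorded_at: datetime


class ConsentLedger:
    """Events are only ever appended; current state is derived by replay."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def append(self, event: ConsentEvent) -> None:
        if event.action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action {event.action!r}")
        if event.recorded_at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        self._events.append(event)
    # Deliberately no update() or delete(): the history is the evidence.

    def latest(self, patient_id: str, clinic_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for one (patient, clinic, purpose) triple, or None."""
        found = None
        for ev in self._events:
            if (ev.patient_id, ev.clinic_id, ev.purpose) == (patient_id, clinic_id, purpose):
                found = ev
        return found

    def has_consent(self, patient_id: str, clinic_id: str, purpose: str,
                    policy_version: Optional[str] = None) -> bool:
        """True only if the latest event for this clinic and purpose is a grant.

        If policy_version is given, a grant against different wording does not
        count (assumed rule): the patient agreed to a specific text.
        """
        ev = self.latest(patient_id, clinic_id, purpose)
        if ev is None or ev.action != "grant":
            return False
        return policy_version is None or ev.policy_version == policy_version

    def history(self, patient_id: str, clinic_id: str) -> List[dict]:
        """Full trail for a DSAR or a regulator: every grant and withdrawal."""
        return [
            {"purpose": e.purpose, "action": e.action, "version": e.policy_version,
             "mode": e.signature_mode, "ip": e.source_ip, "at": e.recorded_at.isoformat()}
            for e in self._events
            if e.patient_id == patient_id and e.clinic_id == clinic_id
        ]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: one patient, one clinic, one later withdrawal."""
    led = ConsentLedger()
    base = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)

    def ev(purpose, action, version, mode, minute, clinic="clinic-a"):
        return ConsentEvent("pat-1", clinic, purpose, action, version, mode,
                            "203.0.113.5", base + timedelta(minutes=minute))

    led.append(ev("telemedicine", "grant", "tele-v3", "click", 0))
    led.append(ev("video_recording", "grant", "video-v2", "tablet", 1))
    led.append(ev("marketing_email", "grant", "privacy-v7", "click", 2))
    led.append(ev("video_recording", "withdraw", "video-v2", "settings", 30))
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    for purpose in ("telemedicine", "video_recording", "marketing_email"):
        print(purpose, led.has_consent("pat-1", "clinic-a", purpose))
    print("clinic-b telemedicine:", led.has_consent("pat-1", "clinic-b", "telemedicine"))
```

Because state is replayed rather than stored, there is no row that a bug or an operator can flip from "withdrawn" back to "granted" without leaving a new event behind; that is the property an auditor will look for.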
Data minimization
- The platform stores only what a clinic's forms and fields explicitly define
- No implicit data collection, no tracking pixels, no hidden analytics
- Analytics data is pseudonymized and carries no direct patient identifiers. Pseudonymized data is still personal data under GDPR (Art. 4(5), Recital 26) because the platform could re-link it, so it stays inside the DPA and the retention rules; only irreversibly anonymized data falls outside the Regulation.
Breach notification
Under the controller/processor split, the clinic must notify the supervisory authority (ANSPDCP) within 72 hours of becoming aware of a personal-data breach affecting its patients (Art. 33(1)), and must also inform the affected patients without undue delay when the breach is likely to result in a high risk to them (Art. 34). The platform's role as processor is to detect incidents quickly and notify clinics without undue delay (Art. 33(2)) so they can meet that window.
- Automated monitoring detects unusual access patterns and authentication failures
- A documented procedure governs the platform-side response:
  - Detection and initial assessment (within 12 hours)
  - Severity classification
  - Notification to affected clinics, same-day where possible, with the information Art. 33(3) asks the clinic to report: the nature of the breach, the categories and approximate number of patients and records affected, the likely consequences, and the measures taken or proposed, so the clinic can make its own notification decision
  - Joint coordination with the affected clinics if a multi-tenant incident requires aggregate communication
  - Documentation and post-incident review
If the incident affects only the platform's own account-level data (login credentials, security telemetry on the account itself), RestartiX is the controller for that slice and notifies ANSPDCP directly.
Cross-border data transfers
Where a sub-processor (AWS, Clerk, Daily.co) transfers personal data outside the EEA, the platform relies on Standard Contractual Clauses (SCCs) for each transfer and, as the Schrems II judgment requires, documents a transfer impact assessment of the destination country's laws together with any supplementary measures (for example, encryption with keys held in the EEA) needed to make the clauses effective in practice. An adequacy decision, such as the 2023 EU-US Data Privacy Framework for certified US companies, is the alternative legal basis for a transfer.
When GDPR and Healthcare Retention Conflict
GDPR gives patients the right to erasure (Art. 17), but healthcare regulations require retaining medical records for minimum periods. These can conflict:
| Situation | What We Do |
|---|---|
| Patient asks to delete all data | Medical records are anonymized (every identifying value removed, with no mapping kept that would let the clinic or the platform re-link them) but the record structure and clinical content are preserved for the retention period. GDPR lets the controller refuse erasure where retention is a legal obligation (Art. 17(3)(b)) or, for medical data, needed on public-health grounds (Art. 17(3)(c)); the platform goes further and strips the identifiers from the retained copy. |
| Audit logs contain PII | Logs are retained for the required period, but PII is redacted when a patient is anonymized. |
| Consent records | Never deleted. They are the evidence that consent was obtained (Art. 7(1)) and, where applicable, when it was withdrawn, and they may be needed to defend legal claims (Art. 17(3)(e)). |
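The three rules in the table, carried out in one pass as an added example that is not RestartiX's code: the patient's medical records keep their shape and clinical content while every identifying value is blanked, the audit log has the patient's identifiers redacted but is otherwise retained, and consent records are left untouched. The store layout, the field names, the `IDENTIFYING_FIELDS` set and the sample data are assumptions made for this illustration; a real deployment would take the identifier set from its DPIA and match low-entropy values such as dates in context rather than by plain substring.

```python
"""Erasure request against records under a medical retention duty.

Added example, not RestartiX's code. The store layout, field names, the
IDENTIFYING_FIELDS set and the sample data are assumptions.
"""
import copy
import re
import secrets
from typing import List

# Assumed set of direct identifiers; a real DPIA would define this list.
IDENTIFYING_FIELDS = ("name", "email", "phone", "address", "national_id", "date_of_birth")


def anonymize_record(record: dict, anonymous_ref: str) -> dict:
    """Blank every identifying value; keep the record's shape and clinical content."""
    out = copy.deepcopy(record)
    for key in IDENTIFYING_FIELDS:
        if key in out["patient"]:
            out["patient"][key] = None
    out["patient"]["anonymous_ref"] = anonymous_ref
    out["patient_id"] = anonymous_ref      # the record no longer points at a person
    return out


def redact_line(line: str, identifiers: List[str]) -> str:
    """Replace each known identifier value (longest first, case-insensitive)."""
    for ident in sorted(identifiers, key=len, reverse=True):
        line = re.sub(re.escape(ident), "[REDACTED]", line, flags=re.IGNORECASE)
    return line


def process_erasure_request(store: dict, patient_id: str) -> dict:
    """Anonymize records, redact logs, keep consents; return a summary."""
    patient = store["patients"][patient_id]
    identifiers = [str(patient[k]) for k in IDENTIFYING_FIELDS if patient.get(k)]

    # Random reference with no table mapping it back to the patient. Keeping
    # such a mapping would make this pseudonymization, still personal data.
    anon_ref = "anon-" + secrets.token_hex(8)

    touched = 0
    for i, rec in enumerate(store["medical_records"]):
        if rec["patient_id"] == patient_id:
            store["medical_records"][i] = anonymize_record(rec, anon_ref)
            touched += 1

    new_log = [redact_line(line, identifiers) for line in store["audit_log"]]
    redacted = sum(1 for old, new in zip(store["audit_log"], new_log) if old != new)
    store["audit_log"] = new_log            # retained, only the PII is gone

    # Consent records stay exactly as they are: they prove what was agreed.
    kept = sum(1 for c in store["consents"] if c["patient_id"] == patient_id)

    del store["patients"][patient_id]       # the profile itself is removed
    return {"records_anonymized": touched, "audit_lines_redacted": redacted,
            "consents_retained": kept}


def sample_store() -> dict:
    """Constructed data for the demo; nothing here is real."""
    ana = {"name": "Ana Ionescu", "email": "ana@example.com",
           "phone": "+40 700 000 000", "date_of_birth": "1980-02-03"}
    return {
        "patients": {"pat-1": dict(ana)},
        "medical_records": [
            {"record_id": "rec-1", "patient_id": "pat-1", "patient": dict(ana),
             "clinical": {"visit": "2024-05-01", "diagnosis_code": "J06.9",
                          "notes": "telemedicine follow-up"}},
            {"record_id": "rec-2", "patient_id": "pat-2",
             "patient": {"name": "Ion Popescu", "email": "ion@example.com"},
             "clinical": {"visit": "2024-05-02", "diagnosis_code": "M54.5"}},
        ],
        "audit_log": [
            "2024-05-01T10:02:11Z user=dr.pop action=view record=rec-1 "
            "patient=Ana Ionescu email=ana@example.com",
            "2024-05-02T08:14:00Z user=dr.pop action=view record=rec-2 patient=Ion Popescu",
        ],
        "consents": [
            {"patient_id": "pat-1", "purpose": "telemedicine", "action": "grant",
             "version": "tele-v3", "at": "2024-05-01T09:00:00Z"},
        ],
    }


if __name__ == "__main__":
    store = sample_store()
    print(process_erasure_request(store, "pat-1"))
    print(store["medical_records"][0]["patient"])
    print(store["audit_log"][0])
```

Note that only the erased patient's identifiers are redacted; a blanket "strip every e-mail address" pass would also damage the other patients' audit trail, which the clinic still has to keep.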
For developers
Technical details — GDPR implementation, anonymization logic, consent tracking schema, and data export endpoints — are available in the GDPR Compliance reference.