GDPR Compliance
How the platform meets European data protection requirements.
What Is GDPR
GDPR (General Data Protection Regulation) is the European data protection law. It applies to any platform that processes personal data of people in the EU — regardless of where the platform itself is based. It governs Personally Identifiable Information (PII): any data that can identify a person, including names, emails, phone numbers, IP addresses, and health information.
Fines for violations can reach 4% of global annual revenue or 20 million euros, whichever is higher.
How It Applies to the Platform
Roles and responsibilities
| Party | GDPR Role | Key Obligations |
|---|---|---|
| RestartiX | Data Processor | Process data only as instructed by clinics. Sign a DPA with every clinic. Maintain a Record of Processing Activities. Report breaches to clinics within 72 hours. |
| Each clinic | Data Controller | Have a lawful basis for every type of data collected. Publish a privacy policy. Respond to patient rights requests. Report breaches to the supervisory authority. |
| Patient | Data Subject | Has enforceable rights over their data (see Patient Rights). |
Required documents
| Document | Who Needs It | Purpose |
|---|---|---|
| Data Processing Agreement (DPA) | RestartiX + each clinic | Legal contract defining what data is processed and how |
| Sub-processor list | RestartiX (public) | Lists all third parties that process data (Clerk, AWS, Daily.co) |
| Privacy Policy | Each clinic | Tells patients what data is collected and why |
| Data Protection Impact Assessment (DPIA) | RestartiX | Mandatory risk assessment for health data processing |
| Record of Processing Activities (ROPA) | RestartiX + each clinic | Formal inventory of all data processing — available to regulators |
How the Platform Supports GDPR
Consent management
- Consent is collected per-clinic through blocking forms — patients must sign before proceeding
- Each consent records: who signed, when, from where, and under which policy version
- Consent can be withdrawn at any time — withdrawal takes effect immediately and is recorded in the audit trail
- Consent given at one clinic does not extend to another
Data minimization
- The platform only stores what is explicitly defined in forms and fields
- No implicit data collection, no tracking pixels, no hidden analytics
- Analytics data is pseudonymized — no direct patient identifiers
Breach notification
- Automated monitoring detects unusual access patterns
- A documented procedure ensures notification within 72 hours:
  - Detection and initial assessment (within 12 hours)
  - Severity classification
  - Notification to affected clinics and supervisory authority (within 72 hours)
  - Notification to affected patients if risk is high
  - Documentation and post-incident review
Cross-border data transfers
If any sub-processor transfers data outside the EU (AWS, Clerk, Daily.co), the platform maintains Standard Contractual Clauses (SCCs) for each transfer, as required post-Schrems II.
When GDPR and Healthcare Retention Conflict
GDPR gives patients the right to delete their data, but healthcare regulations require retaining medical records for minimum periods. These can conflict:
| Situation | What We Do |
|---|---|
| Patient asks to delete all data | Medical records are anonymized (all identifying info removed) but the record structure is preserved. GDPR explicitly allows this under Art. 17(3)(c) when retention is required for legal obligations. |
| Audit logs contain PII | Logs are retained for the required period, but PII is redacted when a patient is anonymized. |
| Consent records | Never deleted — they serve as legal proof under all applicable laws. |
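An added example (not RestartiX code) of an erasure handler that follows the table above and the consent rules earlier on this page: identifiers are removed from the patient profile and medical records while the record structure survives, audit log details are redacted but the entries stay, consent records are never touched, and the anonymization itself is written to the audit trail. The in-memory dict store, its collection names and field names are assumptions, and the sample data is constructed.

```python
# Added example, not RestartiX code; the dict store and field names are assumed.
IDENTIFYING_FIELDS = ("name", "email", "phone", "date_of_birth", "ip_address")


def fresh_db() -> dict:
    """Constructed sample data: one patient, one clinic."""
    return {
        "patients": [{"id": "p-1", "clinic_id": "c-1", "name": "Ada Example",
                      "email": "ada@example.org", "phone": "+351000000000"}],
        "medical_records": [{"id": "r-1", "patient_id": "p-1", "clinic_id": "c-1",
                             "created_at": "2024-03-01", "icd10": "J06.9",
                             "name": "Ada Example"}],
        "audit_log": [{"event": "record.viewed", "patient_id": "p-1", "actor": "dr-7",
                       "at": "2024-03-02T10:00:00Z",
                       "details": {"email": "ada@example.org", "ip_address": "203.0.113.5"}}],
        "consents": [{"patient_id": "p-1", "clinic_id": "c-1", "policy_version": "2024-02",
                      "signed_at": "2024-02-20T09:00:00Z", "ip_address": "203.0.113.5",
                      "withdrawn_at": None}],
    }


def _strip(obj: dict, replacement) -> None:
    """Overwrite identifying values in place; keys stay, so the structure is preserved."""
    for field in IDENTIFYING_FIELDS:
        if field in obj:
            obj[field] = replacement


def anonymize_patient(db: dict, patient_id: str, now: str) -> dict:
    """Erasure request (Art. 17) that honours retention: identifiers are removed
    from the profile and medical records, redacted in audit log details, consent
    records are untouched, and the action itself is written to the audit trail."""
    summary = {"records": 0, "log_entries": 0, "consents_kept": 0}
    for profile in db["patients"]:
        if profile["id"] == patient_id:
            _strip(profile, None)
    for rec in db["medical_records"]:
        if rec["patient_id"] == patient_id:
            _strip(rec, None)          # clinical fields and record count survive
            summary["records"] += 1
    for entry in db["audit_log"]:
        if entry.get("patient_id") == patient_id:
            _strip(entry.get("details", {}), "[redacted]")
            summary["log_entries"] += 1
    summary["consents_kept"] = sum(1 for c in db["consents"] if c["patient_id"] == patient_id)
    db["audit_log"].append({"event": "patient.anonymized", "patient_id": patient_id,
                            "at": now, "details": dict(summary)})  # no PII in this entry
    return summary
```

The returned summary is what you would file with the erasure request; the consent record, including the IP address captured at signing, is deliberately still intact afterwards.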
For developers
Technical details — GDPR implementation, anonymization logic, consent tracking schema, and data export endpoints — are available in the GDPR Compliance reference.