How Chain.care Complies with GDPR and HIPAA
1. Legal Basis for Processing
We only process personal data when we have a valid legal basis as required by Article 6 of the GDPR:
- Consent: Where you have given explicit consent for specific purposes
- Contract: Processing necessary to provide our services to you
- Legal Obligation: Processing to comply with a legal obligation
- Legitimate Interests: Processing based on our legitimate interests, where those interests are not overridden by your rights and freedoms
For special categories of data (such as health data), we rely on:
- Explicit consent
- Processing necessary for healthcare purposes under the supervision of health professionals
- Processing necessary for scientific research purposes with appropriate safeguards
2. Data Protection Principles
We adhere to the core GDPR principles in all our data processing activities:
- Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner
- Purpose Limitation: We collect data for specified, explicit, and legitimate purposes
- Data Minimization: We limit data collection to what is necessary
- Accuracy: We take reasonable steps to ensure personal data is accurate and up-to-date
- Storage Limitation: We retain data only as long as necessary
- Integrity and Confidentiality: We implement appropriate security measures to protect data
- Accountability: We demonstrate compliance with these principles
3. Data Subject Rights
We respect and facilitate the following rights for individuals:
- Right to Access: You can request confirmation of whether we process your data and receive a copy of that data
- Right to Rectification: You can request correction of inaccurate data or completion of incomplete data
- Right to Erasure: You can request deletion of your data under certain circumstances
- Right to Restriction of Processing: You can request restriction of processing under certain circumstances
- Right to Data Portability: You can request your data in a structured, machine-readable format
- Right to Object: You can object to processing based on legitimate interests or for direct marketing
- Rights Related to Automated Decision-Making: You have rights regarding automated decision-making, including profiling
To exercise these rights, please contact our Data Protection Officer at [email protected].
4. Technical and Organizational Measures
We implement appropriate technical and organizational measures to ensure security, including:
- Encryption: End-to-end encryption for sensitive data both in transit and at rest
- Access Controls: Role-based access control and strong authentication
- Regular Testing: Security assessments and penetration testing
- Staff Training: Regular data protection and security training for all staff
- Data Protection by Design: Privacy considerations integrated into product development
- Regular Audits: Internal and external compliance reviews
5. Data Processing Agreements
When we act as a data processor, we enter into Data Processing Agreements (DPAs) with our customers (the data controllers). These agreements ensure that:
- We only process data according to documented instructions
- We implement appropriate security measures
- We assist data controllers in fulfilling their GDPR obligations
- We delete or return data after the processing is complete
6. International Data Transfers
When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- European Commission's Standard Contractual Clauses
- Transfers to countries with an adequacy decision
- Binding Corporate Rules, where applicable
- Other legally compliant transfer mechanisms
7. Records of Processing Activities
We maintain records of our processing activities as required by Article 30 of the GDPR, including:
- Purposes of processing
- Categories of data subjects and personal data
- Recipients of personal data
- Data retention periods
- General description of security measures
8. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible
- Inform affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, including facts, effects, and remedial actions taken
9. Data Protection Officer
We have appointed a Data Protection Officer (DPO) responsible for:
- Informing and advising Chain.care on GDPR compliance
- Monitoring compliance with the GDPR and internal policies
- Cooperating with supervisory authorities
- Acting as a contact point for data subjects
Contact our DPO at:
Email: [email protected]
Attention: Data Protection Officer
10. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) prior to high-risk processing activities to:
- Identify and assess risks to individuals
- Implement measures to address those risks
- Document our decision-making process