The role model
The GDPR distinguishes between a controller (the actor who decides the purposes and means of processing) and a processor (the actor who processes data on the controller's instructions). The Doctena platform binds together three populations, with the following role allocation:
| Party | Role | Examples |
|---|---|---|
| The patient | Data subject | Person whose data is processed. |
| The healthcare professional or practice | Controller of the appointment record and clinical content | Decides which patient details are needed for the consultation, sets the retention period inside our allowed window, exercises the rights to instruct on processing under Art. 28. |
| Doctena | Processor for the appointment record; controller for the Patient Doctena Account, our website, our marketing communications and our security telemetry | Operates the platform on which the controller works; binds the controller through a Data Processing Agreement; runs the website and CRM in its own right. |
| Sub-processors | Sub-processors of Doctena, working only on documented Doctena instructions | AWS, Cloudflare, Cronofy, Whereby, Postmark and the others listed at /sub-processors. |
| Gateway partners | Subcontractors of the practitioner. They act on the practitioner's instructions, not on Doctena's. Doctena does not contract with them and no Doctena DPA covers them. | The practitioner's medical-software vendor with a Doctena integration; the destination calendar when the practitioner enables sync (Microsoft 365, Google Workspace, Apple iCloud). See the Gateway partners section below for the full picture, including the one exception (Cronofy). |
Patients
A patient can hold a Patient Doctena Account. From that account, the patient books appointments with the practitioners of their choice. When the patient books, the account data needed for the appointment is copied into the practitioner's own space inside Doctena. From that moment the practitioner becomes the controller of the copied appointment record, and Doctena acts as the practitioner's processor for it, working only on the practitioner's instructions.
This means a patient's data can live in two places at once: in the Patient Doctena Account that the patient controls with Doctena, and in one or more practitioner spaces, each controlled by the practitioner who received the booking.
When a patient asks to be erased, Doctena erases the Patient Doctena Account it controls. Doctena cannot delete a controller's records on its own initiative. For the copies held by practitioners, Doctena therefore assists the patient in contacting the practitioners who hold a copy, so that the patient can exercise their rights with each controller directly.
Practitioners and practices
A practitioner or practice is the controller of the patient data inside their own space: the appointment records, the free-text notes and any documents they add. The practitioner decides which patient details are needed, sets the retention period inside the window Doctena allows, and instructs Doctena on the processing under Article 28.
For the appointments booked into a practitioner's space, Doctena is the practitioner's processor. Doctena operates the platform, stores and serves the data, and acts only on the practitioner's instruction. The Data Processing Agreement described below binds Doctena to that role.
Gateway partners
Doctena integrates with two families of third-party software the practitioner brings into the relationship: the practitioner's medical software (their electronic health record or practice-management system) and the practitioner's calendar (Microsoft Outlook, Google Workspace, Apple iCloud). Both families are referred to as gateway partners. They are the third-party layer at the edge of the Doctena platform.
The three information flows
Personal information can reach Doctena along three different paths. The path determines who controls the data and which contract covers it.
- Online booking: the patient books directly through Doctena on doctena.com or a Doctena white-labelled portal. Doctena receives the data first; the practitioner is notified through their Doctena account.
- Via the practitioner: the patient consults or telephones the practitioner; the practitioner records the appointment in Doctena on the patient's behalf. The practitioner is the source of the data Doctena receives.
- Via gateway or medical software: the practitioner's medical software synchronises appointment data with Doctena, in one direction or in both. The gateway carries the data over a link the practitioner has authorised.
Legal status: subcontractors of the practitioner
In GDPR terms, gateway partners act on the practitioner's instructions, not on Doctena's. The practitioner is the controller of their patient data; the gateway partner is the practitioner's processor for the slice of data that flows through it. Doctena does not contract with gateway partners and does not maintain a separate Article 28 DPA with them.
The practitioner must have their own Article 28 data-processing agreement with the gateway partner that defines the purpose of the data sharing, the security measures, the retention and the sub-processors the gateway in turn relies on. This is true for both the medical-software integration and the calendar sync.
The practitioner's obligations
If you enable a gateway integration as a practitioner, you must:
- Hold your own Article 28 data-processing agreement with the gateway provider that documents the purpose of the data sharing, the security measures and the retention. Doctena will not provide it for you.
- Configure the scope of the sync to the minimum the workflow requires. For example, anonymise the appointment title if your national medical-confidentiality rules require keeping the patient name in the medical-records system only.
- Disable the integration on departure from a practice, so that historical appointments do not stay in the new calendar or the next medical-software instance.
- Confirm, before enabling, that the gateway provider's data residency and sub-processor chain are compatible with the data-protection rules that apply to your patients.
Data Processing Agreement
Every healthcare professional contracting with Doctena signs a Data Processing Agreement under Article 28 of the GDPR. The current template is v2.0.0, dated 1 February 2026, published in English, French, German and Dutch. The DPA covers:
- Subject matter, nature, purpose and duration of the processing.
- Categories of personal data and data subjects.
- Confidentiality commitments binding every Doctena employee with access.
- Technical and organisational measures cross-referencing the Security page.
- Sub-processing: prior notice, list, and 14-day objection window.
- Cooperation with audits and inspections.
- Breach notification without undue delay and no later than 48 hours, so the controller can meet its own 72-hour obligation under Article 33.
- End-of-contract data return or deletion within 90 days.
- Liability and indemnification.
- Standard Contractual Clauses where transfers to third countries occur.
Since mid-February 2026, every new contract signed with a healthcare professional automatically includes the DPA signature: the customer contract embeds the DPA, so the two are signed together.
The full text and downloadable PDF are on the DPA page.
Sub-processors and change notice
Doctena commits to a 14-day prior notice for any addition or change of a sub-processor that touches patient or customer personal data. The current register, the per-supplier residency and the underlying contracts are published at /sub-processors and kept current. The history of additions, removals and changes is recorded there.
Data residency
Patient appointment data and the production database are hosted in the European Union. Our primary region is AWS Frankfurt (eu-central-1), deployed across at least two availability zones for resilience. Encrypted disaster-recovery copies are held in AWS Ireland (eu-west-1), a second EU region.
Where a sub-processor offers functionality that cannot be obtained from an EU-only vendor (for instance Postmark, for transactional email), we transfer the minimum personal data necessary under the safeguards described in International transfers below.
Retention and deletion
Our default retention windows reflect the obligations imposed on healthcare professionals across the countries we serve. The practitioner, as the controller of the appointment record, may instruct us in writing to apply a shorter period, down to one year from the last appointment, except where law mandates a longer period.
The full schedule is on the Data Retention page. At the end of the contract with a practitioner, the practitioner's controlled dataset is returned (as an export) or deleted within 90 days, except for backups which roll off naturally.
Breach notification
Where Doctena is the controller, the law requires us to notify the Luxembourgish CNPD within 72 hours of becoming aware of a personal data breach (Article 33), and to notify the affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).
Where Doctena acts as a processor, our DPA commits us to notify the affected controller without undue delay and no later than 48 hours after becoming aware of the breach, so the controller can meet its own 72-hour obligation under Article 33.
To date, Doctena has had no notifiable personal data breach.
Data Protection Officer
Doctena has designated an external Data Protection Officer for all EU and EEA entities. The designated DPO advises the controller, acts as the contact point for the supervisory authorities, and acts as the contact point for data subjects.
- Lead: Christina Webersohn
- Co-signatory: Kemal Webersohn, LL.M.
- Organisation: WS Digital Compliance GmbH
- Postal address: Dircksenstraße 51, 10178 Berlin, Germany
- Email: [email protected]
- Firm website: ws-compliance.de
- Country aliases: see /dpo for per-country privacy mailboxes
Supervisory authorities
Under Article 56(1) GDPR, Doctena's lead supervisory authority is the Luxembourgish CNPD. You may also lodge a complaint with the authority of your country of residence or place of work. The full per-country table for LU, BE, NL, DE, AT and CH lives on /data-subject-rights.
Health data and professional secrecy
Patient appointment data, free-text consultation notes and uploaded documents constitute special category data concerning health under Article 9(1) of the GDPR. Our lawful basis is Article 9(2)(h): processing necessary for the purposes of preventive medicine, provision of healthcare, or management of healthcare services, by or under the responsibility of a health professional bound by a duty of professional secrecy.
Doctena employees who can access clinical content are restricted to a small named list of authorised support and engineering staff. Every access is audited and tied to a documented ticket or maintenance operation. No employee can access patient clinical content for any other reason.
Doctena does not use patient clinical data to train any machine-learning model, internal or external. See the AI use page for the full position.
International transfers
Patient records stay in the EU: primary hosting in AWS Frankfurt (eu-central-1), with encrypted disaster-recovery copies in AWS Ireland (eu-west-1). Where a sub-processor delivers a function we cannot get from an EU-only vendor, Doctena covers the transfer with layered safeguards:
- Standard Contractual Clauses (contractual baseline): every non-EU/EEA transfer is covered by the European Commission's Standard Contractual Clauses (Decision 2021/914), Module 3 (processor-to-processor), together with a documented Transfer Impact Assessment. This is the baseline our DPA imposes on every sub-processor.
- EU-US Data Privacy Framework (where certified): where the US recipient is additionally certified under the DPF, the transfer also rests on the European Commission's adequacy decision of 10 July 2023.
The per-supplier residency and the current list of third-country sub-processors are on the sub-processors page.
Data subject rights
The full set of Articles 15-22 GDPR rights and the procedure to exercise them are documented at /data-subject-rights. Doctena responds within one calendar month and at no cost.
Version 2.4.0 · Updated 2026-06-14 · Added the patient and practitioner role sections (copy-on-booking controller transfer), restored the 90-day end-of-contract deletion window, restated breach notification (CNPD within 72 hours plus the DPA's 48-hour processor commitment), noted that every new contract since mid-February 2026 embeds the DPA signature, linked the new Data Retention page, and trimmed the residency and sub-processor wording · Replaces the previous GDPR centre at doctena.com/<locale>/gdpr/.