The General Data Protection Regulation (GDPR) is Europe's framework for data protection laws, replacing the previous 1995 data protection directive, representing a significant step forward in data privacy and protection for EU residents.
Finger-Ink's primary purpose has always been to facilitate the collection of private health information. It was initially designed, and continues to be designed with privacy and security at the forefront.
The GDPR prompted us to formalize these practices into official policies, extending these controls and policies to all our customers, irrespective of their location.
Does the GDPR apply to you?
If you're using Finger-Ink to collect or process the data of any European Union resident (regardless of whether your clinic is physically located in the EU), then the GDPR applies to you too.
Finger-Ink and the GDPR
Under the GDPR, Finger-Ink acts as both a data controller and a data processor:
As a data controller, we manage information about our customers (i.e. you)
As a data processor, we assist in collecting and processing patient information via the app, and our web Forms.
As such, we need to make sure we have the right policies and procedures in place to be compliant. Here's what we've done:
Terms of Service & Privacy Policy
We've revised our Privacy Policy and Terms of Service to align with the requirements of the GDPR. This ensures that the agreements we have with you, our users, are fully compliant.
By accepting our updated policies and terms, you're effectively meeting the GDPR requirements for data processed outside of the EU. So, even though your patient data is hosted in the USA, your use of Finger-Ink is still in line with GDPR compliance.
Data Processing Addendum (DPA)
Our Data Processing Addendum is integrated into our Terms of Service and Privacy Policy where relevant. It ensures that, that despite Finger-Ink most of its sub-processors not being physically located in the EU, you can confidently use Finger-Ink for gathering patient data.
It also includes as link to the Standard Contractual Clauses which can provide you with additional assurance as to our data protection commitments, if you require.
Data Protection Officer (DPO)
We've designated an in-house Data Protection Officer (DPO) at Finger-Ink. Their responsibilities include ensuring that Finger-Ink is compliant with the GDPR, advising on data protection duties, and serving as a liaison for both individuals whose data we handle and regulatory authorities.
Our DPO can be contacted at privacy@finger-ink.com.
EU Representative
The nominated Representative for data protection matters within the European Union, pursuant to Art. 27 of Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR), is:
Adaptant Solutions AG
Rosenheimer Str. 139
81671 Munich
Germany
Inquiries may also be submitted through Adaptant’s contact form.
Sub-processors
Finger-Ink relies on a number of third-party tools in order to provide our service effectively. We have made sure all our sub-processors are compliant with the GDPR. You can find a full list of the sub-processors we use here.
Finger-Ink's responsibilities as a data controller
Like you, we're also a controller of data — but it's your data, and not that of your patients. This includes details like your contact information, business details etc.
Similar to your responsibilities towards your patients' data, we handle your information with the utmost care.
Complete deletion of your Finger-Ink account
Your Finger-Ink account is irreversibly deleted if you so request. A copy of your Response data is available to you from within your Cliniko account through data exports. If you require an export of any other data we hold about your account, please get in touch.
Opt out from marketing communication
We may send out necessary emails from time-to-time regarding your account. These are required and you cannot opt out from them.
You can, however, opt out of other, marketing-related emails from us — such as emails announcing a new feature or version. Just get in touch if you'd like to do this.
How Finger-Ink helps with your responsibilities under the GDPR
Like Cliniko, Finger-Ink is a processor of your data. As such, we also provide tools for you to comply with your patients' requests.
Obtaining lawful consent
The GDPR dictates that your patient grants you lawful consent to the processing of their data. Usually, this is done through gathering their acceptance to your privacy policy.
Finger-Ink has a special privacy policy field type. This is designed for you to include the exact text of your privacy policy within your Form itself. Whether a patient accepts or rejects your policy, their answer flows through to the appropriate place on patient record in Cliniko.
Facilitating the Right to Object
The Right to Object specifies, among other things, that patients should be able to withdraw their consent to any marketing-related communication from you.
Finger-Ink allows you to add fields to your Forms that will gather a patient's preference for both email & SMS marketing-related communications. These populate the appropriate areas on the patient record, which Cliniko takes into account when sending out these communications.
The Right of Access & Right to data Portability
As Finger-Ink just passes information along to Cliniko, you can ensure you comply with the Right of Access and Right to data Portability by exporting your patients' information from Cliniko and sending it to them.
The Right to Erasure
The Right to Erasure essentially means that you should be able to permanently delete your patients' data.
Finger-Ink enables you to do this by searching for the appropriate Responses by patient name in the Inbox & Processed tabs, then permanently deleting them.
Contact Us
If you have any questions about this, or anything related to data security or privacy, please don't hesitate to get in touch.