# GDPR Compliance

## Overview
vitalera fully complies with the General Data Protection Regulation (GDPR), ensuring the protection and privacy of personal health data for all users within the European Union. As a CE-marked MDR medical device software platform for remote patient monitoring, GDPR compliance is integral to how vitalera handles patient vital signs, clinical observations, and healthcare communications.
## Key Principles
| Principle | Implementation |
|---|---|
| Lawfulness | Data processing based on consent and legitimate interest |
| Purpose Limitation | Data collected only for specified healthcare purposes |
| Data Minimization | Only necessary data is collected and processed |
| Accuracy | Tools for patients to review and update their data |
| Storage Limitation | Data retention policies aligned with regulatory requirements |
| Security | Encryption, access controls, and security monitoring |
## Data Subject Rights
vitalera supports all GDPR data subject rights:
- Right of Access: Patients can view all their personal data
- Right to Rectification: Patients can update incorrect data
- Right to Erasure: Account deletion functionality available
- Right to Data Portability: Data export in standard formats
- Right to Object: Patients can withdraw consent at any time
## Data Residency
All patient data is stored in the EU (Ireland, eu-west-1) on AWS infrastructure with AES-256 encryption at rest and TLS 1.2+ in transit. No health data leaves the European Economic Area.
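The residency and encryption controls stated above are the kind of thing a security team should verify continuously rather than assert once. The following is an added example, not vitalera's or FOLLOWHEALTH's own code: an audit routine that checks an S3 bucket for the three properties named in this section (region `eu-west-1`, AES-256 default encryption, TLS-only access with a 1.2 minimum). It takes any object exposing the read-only methods of boto3's S3 client, so a real `boto3.client("s3")` can be passed in production; here a constructed offline stand-in and a placeholder bucket name are used. The condition keys `aws:SecureTransport` and `s3:TlsVersion` are real IAM/S3 policy condition keys; the bucket name and policy are assumptions.

```python
"""Audit an S3 bucket against the stated data-residency controls.
Hypothetical example; bucket name and policy are constructed placeholders."""
import json
from typing import Dict

REQUIRED_REGION = "eu-west-1"   # Ireland, as stated in the Data Residency section
REQUIRED_SSE = "AES256"         # SSE-S3 default encryption uses AES-256
MIN_TLS = 1.2                   # "TLS 1.2+ in transit"


def _deny_statements(policy: dict):
    """Yield only the Deny statements of a bucket policy."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Deny":
            yield stmt


def _denies_insecure_transport(policy: dict) -> bool:
    """True if a Deny statement fires when aws:SecureTransport is false (plain HTTP)."""
    for stmt in _deny_statements(policy):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def _denies_old_tls(policy: dict) -> bool:
    """True if a Deny statement rejects s3:TlsVersion below MIN_TLS."""
    for stmt in _deny_statements(policy):
        cond = stmt.get("Condition", {}).get("NumericLessThan", {})
        try:
            if float(cond.get("s3:TlsVersion", 0)) >= MIN_TLS:
                return True
        except ValueError:  # malformed version string: treat as no control
            continue
    return False


def audit_bucket(s3, bucket: str) -> Dict[str, bool]:
    """Run the checks using boto3-shaped S3 read calls on `s3`."""
    region = s3.get_bucket_location(Bucket=bucket).get("LocationConstraint")
    rules = (s3.get_bucket_encryption(Bucket=bucket)
             .get("ServerSideEncryptionConfiguration", {}).get("Rules", []))
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    policy = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    return {
        "in_eu_region": region == REQUIRED_REGION,
        "aes256_at_rest": REQUIRED_SSE in algorithms,
        "tls_only": _denies_insecure_transport(policy),
        "tls_1_2_minimum": _denies_old_tls(policy),
    }


class FakeS3:
    """Offline stand-in for boto3's S3 client, returning constructed responses."""

    def __init__(self, region: str, sse: str, policy: dict):
        self._region, self._sse, self._policy = region, sse, policy

    def get_bucket_location(self, Bucket):
        return {"LocationConstraint": self._region}

    def get_bucket_encryption(self, Bucket):
        return {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": self._sse}}]}}

    def get_bucket_policy(self, Bucket):
        return {"Policy": json.dumps(self._policy)}


# Constructed policy: deny plain HTTP and deny TLS versions below 1.2.
_ARN = ["arn:aws:s3:::example-phi-bucket", "arn:aws:s3:::example-phi-bucket/*"]
COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": _ARN,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": _ARN,
     "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
]}


def demo():
    """Audit one compliant and one non-compliant constructed bucket."""
    good = FakeS3("eu-west-1", "AES256", COMPLIANT_POLICY)
    bad = FakeS3("us-east-1", "AES256", {"Version": "2012-10-17", "Statement": []})
    return audit_bucket(good, "example-phi-bucket"), audit_bucket(bad, "example-phi-bucket")


if __name__ == "__main__":
    for name, result in zip(("compliant", "non-compliant"), demo()):
        print(name, result)
```

In production, wire this into a scheduled job against every bucket that holds health data and alert on any `False`; the region check in particular is what catches a bucket accidentally created outside the EEA, which no encryption setting would reveal.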
## Data Processing
- Data Controller: The healthcare organization using vitalera
- Data Processor: FOLLOWHEALTH S.L. (vitalera platform operator)
- Data Processing Agreement: Available for all clients