GDPR
How we fulfil our responsibilities as a Processor
When it comes to patients’ personal data or data concerning health under GDPR, we act as a Processor for our clients, who are the Controllers of this data. The following outlines the GDPR obligations that apply to Cemplicity as a Processor and how we fulfil them.
Controller’s instructions
We only process personal data on the documented instructions of a controller. This is managed through a clear outline of the processing during both the contractual and the program set-up stages.
Processor contracts
With all clients we have a robust legal process that ensures we have a binding contract with the Controller that complies with GDPR and any jurisdiction-specific data protection legislation.
Sub-processors
Where we engage sub-processors, it is only with the Controller’s prior written authorisation. All sub-processors undergo a thorough verification process to confirm they have appropriate security and data protection measures in place. Where they process any personal data on our behalf, we ensure our agreements include equivalent contractual protections.
Security
We implement appropriate technical and organisational measures to ensure the security of personal data, protecting against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
Accountability obligations
We maintain robust internal processes to comply with GDPR’s accountability requirements. This includes maintaining detailed records of processing and having an appointed Data Protection Officer.
International transfers
Where international transfers are necessary, we ensure that the controller has authorised them and that the appropriate safeguards are in place. These are generally in the form of EU Standard Contractual Clauses, supplemented where necessary with the UK International Data Transfer Addendum or UK International Data Transfer Agreement (IDTA). Where available, we may also rely on UK or EU adequacy decisions including the EU–US Data Privacy Framework and the UK–US Data Bridge, where sub-processors are certified under these schemes.
Other obligations we adhere to if the situation arises:
- Notification of personal data breaches: If we become aware of a personal data breach, we notify the relevant controller without undue delay.
- Notification of potential infringements: If any controller instruction could lead to a GDPR or local law breach, we notify them immediately.
- Cooperation with supervisory authorities: We are committed to cooperating fully with supervisory authorities to help them perform their duties.
Making the job of Controllers easier
As a company, we don’t believe GDPR means simply fulfilling our Processor obligations. It also means actively helping our clients as controllers meet theirs. We understand that as controllers, our clients carry additional responsibilities. We take an active role in supporting them, including:
Support with DPIAs (Data Protection Impact Assessments)
We work closely with clients when they are completing DPIAs, providing detailed explanations of our platform and how data flows through it. This includes mapping out the lifecycle of personal data within the Cemplicity platform, describing the security and privacy safeguards built in, and highlighting areas of potential risk and mitigation.
Transparency and assurance
We ensure Controllers can clearly explain to patients and stakeholders how their data is collected, processed, stored, and retained. This transparency is essential for GDPR compliance and helps controllers build trust with their patients.
Partnering with leading healthcare organisations
We work with some of the largest healthcare providers in the world, undergoing rigorous reviews from both a data protection and an architecture perspective. While each organisation has its own requirements, we have streamlined these processes and provide robust documentation covering our architecture, infrastructure, and data governance practices. This helps clients complete their internal assurance activities more efficiently, while giving them the visibility they need to trust our platform.
Assistance with lawful basis and consent wording
While Controllers remain responsible for establishing a lawful basis for processing, we help them craft accurate and compliant consent statements where necessary. We also provide practical guidance on how our services align with legitimate purpose requirements and the expectations of supervisory authorities.