General

The EU General Data Protection Regulation (GDPR) came into force on the 25th of
May 2018. The GDPR changes how personal data is handled and increases or
reinforces the rights of data subjects. This page tells you how Heydoc is helping
clients manage GDPR.

Compliance

Heydoc wants to help clients be compliant and maintain compliance with GDPR.
However, as Data Controllers our clients remain responsible for how they use
Heydoc and allow access to the system.

Security

Your data is physically stored on servers which have achieved the highest level of
security certification, as used by banks and government services. Our servers are
located in London, United Kingdom. Only a very limited number of authorised staff
from Heydoc can access these servers. Data is replicated continuously, with
multiple copies stored across security centres to ensure immediate failover. Data
in transit is fully encrypted using the most secure cryptographic technologies
available (256-bit encryption). This means that when you access your data over
the internet, the Heydoc server negotiates an encrypted link with the end user's
browser using SSL/TLS. This is the same technology used for online banking and
credit card transactions and is known to be the most secure system available.

Data Controllers and Data Processors

Heydoc acts as a Data Processor within the definitions of the GDPR, acting on behalf
of our clients, who are the Data Controllers in respect of the personal data stored
in Heydoc.

Subject Access Requests

Data Subjects have similar rights under the GDPR to the current law to access
copies of information that Data Controllers hold about them through a subject
access request (SAR). Heydoc makes it easy for its clients to handle SARs through
the system. Using the system, clients can search for the relevant information that
the requestor is looking for and share it with the data subject. Our clients are
responsible for managing this process as the Data Controller and ensuring that
they comply with the requirements of the GDPR and any other legal obligations.
Where Heydoc receives an SAR in respect of data that an individual believes is held
within the system, Heydoc will advise them to contact the Data Controller they
believe is using the application. Heydoc will not take any other action in respect of
an SAR unless in accordance with specific instructions from our client.

The Right of Erasure

The GDPR gives data subjects new rights to have data about them erased in certain
limited circumstances. Clients can delete data within the Heydoc system, but that
data is only permanently deleted by Heydoc at the specific request of the client to
Heydoc, after which Heydoc permanently deletes it.

The Right to Rectification

The GDPR allows data subjects to have their data corrected when it is wrong. This
is easily managed by our clients within Heydoc as Data Controllers. Heydoc will
not modify data other than in accordance with the specific instructions of our
client.

Third Party Transfers

Heydoc only uses suppliers of services who have the highest security
accreditation (e.g. AWS) to process any of the personal data stored within the
Heydoc application. Unless otherwise required by law, Heydoc will not transfer
any personally identifiable data to any third party other than in accordance with
the specific instructions of our client.

The System

Heydoc is a web application designed for clinical management in any setting or
location. Heydoc provides, maintains and supports the system to allow our clients
to run their organisations and manage their patient records.

Heydoc has no control over the use of the system by our clients. It is the
responsibility of our clients to ensure that they use the application in a
responsible manner by:

  • Only allowing authorised users to use the system
  • Ensuring that the role based access built into the system is used
  • Ensuring that users understand the implications of improper use of the
    application
  • Where the system is used to communicate with patients, ensuring that only
    the necessary information required is sent to the patient