In this article:


The UK General Data Protection Regulation (UK GDPR) and (amended) Data Protection Act 2018 (DPA 2018) came into force at 11pm on the 31st December 2020. The UK GDPR incorporates most of the EU GDPR into UK domestic legislation (there are some differences resulting from changes made by Brexit legislation, which largely relate to law enforcement and intelligence services).

The EU General Data Protection Regulation (EU GDPR) remains in effect in the EU. There is currently an agreement in place whereby the EU and the UK have granted each other “equivalency” for data protection purposes. This means that data transfers can continue between the UK and EU without any extra steps being taken to safeguard data.

This page tells you how Heydoc is helping clients to manage their obligations under the UK GDPR.


Heydoc wants to help clients to achieve and maintain compliance with the UK GDPR.
However, as Data Controllers, our clients remain responsible for their patient data and how they use Heydoc and allow access to the system.


Your data is physically stored on servers which have achieved the highest level of
security certification, as used by banks and government services. Our servers are
located in London, United Kingdom. Only a very limited number of authorised staff
from Heydoc can access these servers.

Data is replicated continuously, with multiple copies stored between security centres to ensure immediate failover. Data in transfer is fully encrypted using the most secure cryptographic technologies available (256-bit level of encryption). This means that when you access your data via the internet the Heydoc server will negotiate a secure link with the end user via a process called SSL. This is the same technology used for online banking and credit card transactions and is known to be the most secure system available.

Data Controllers and Data Processors

Heydoc acts as a Data Processor (as defined in the UK GDPR), acting on behalf of
our clients who are the Data Controllers, in respect of the patient data stored within Heydoc.

For an up to date list of our Subprocessors who have access to patient data, see here.

Subject Access Requests

Data Subjects have the right under the UK GDPR to access copies of information that Data Controllers hold about them through a subject access request (SAR). Heydoc makes it easy for its clients to handle SARs through the system. Using the system, clients can search for the relevant information that the requestor is looking for and share it with the data subject. Our clients are responsible for managing this process as the Data Controller and ensuring that they comply with the requirements of the UK GDPR and any other legal obligations.

Where Heydoc receives a SAR in respect of data that an individual believes is held
within the system, Heydoc will advise them to contact the relevant Data Controller. Heydoc will not take any other action in respect of a SAR unless in accordance with specific instructions from our client.

The Right of Erasure

The UK GDPR gives data subjects the right to have their personal data erased in certain limited circumstances. Clients can delete data within the Heydoc system, but it will only permanently be deleted by Heydoc at the specific request of the client to Heydoc. Heydoc will permanently delete the data at the client’s specific written

The Right to Rectification

The UK GDPR allows data subjects to have their data corrected when it is wrong. This
is easily managed by our clients within Heydoc as Data Controllers. Heydoc will not modify data other than in accordance with the specific written instructions of our client.

Third-Party Transfers

Heydoc only uses suppliers of services who have the highest security accreditation (e.g. AWS) to process any of the personal data stored within the Heydoc application. We review all of our sub-processors and hold them to the same standard required by the UK GDPR.

Unless otherwise required by law, Heydoc will not transfer any personal identifiable data to any third party other than in accordance with the specific instructions of our client.

The System

Heydoc is a web application designed for clinical management in any setting or location. Heydoc provides, maintains and supports the system to allow our clients to run their organisations and manage their patient records.

Heydoc has no control over the use of the system by our clients. It is the responsibility of our clients to ensure that they use the application in a responsible manner by:

  • Only allowing authorised users to access the system

  • Ensuring that the role-based access built into the system is used

  • Ensuring that users understand the implications of improper use of the

  • Where the system is used to communicate with patients, ensure that only
    the necessary information required is sent to the patient

Did this answer your question?