GDPR COMPLIANCE STATEMENT

Last Updated: [01-06-2026]

GDPR COMPLIANCE AT DOCTOR247

At Doctor247, protecting your privacy, confidentiality, and personal data is one of our highest priorities.

We are committed to ensuring that all personal information and health information collected through our platform is processed lawfully, fairly, transparently, and securely in accordance with:

• The General Data Protection Regulation (EU) 2016/679 (“GDPR”)
• The Data Protection Act 2018 (Ireland)
• Applicable Irish healthcare regulations
• European Data Protection Board (EDPB) guidance
• Medical confidentiality obligations applicable to healthcare providers

As a healthcare service provider, Doctor247 processes health information, which is classified as Special Category Personal Data under Article 9 of the GDPR and is subject to enhanced legal protection.

WHAT IS GDPR?

The General Data Protection Regulation (GDPR) is the primary data protection law governing the collection, use, storage, and sharing of personal data within the European Union and European Economic Area.

GDPR gives individuals greater control over their personal information and imposes strict obligations on organizations that process personal data.

OUR GDPR PRINCIPLES

Doctor247 follows the core GDPR principles when processing personal information:

Lawfulness, Fairness and Transparency

We only collect and process personal data where we have a lawful basis for doing so and we explain clearly how your information is used.

Purpose Limitation

Your information is collected only for specific, legitimate, and clearly defined purposes.

Data Minimisation

We only collect information that is necessary to provide healthcare services, comply with legal obligations, and operate our platform effectively.

Accuracy

We take reasonable steps to ensure that personal information remains accurate and up to date.

Storage Limitation

Personal data is retained only for as long as necessary to fulfil legal, regulatory, medical, and operational requirements.

Integrity and Confidentiality

We implement appropriate technical and organisational security measures to protect personal information against unauthorized access, disclosure, alteration, or destruction.

Accountability

Doctor247 maintains internal processes, policies, and safeguards designed to demonstrate compliance with GDPR requirements.

SPECIAL CATEGORY HEALTH DATA

As part of providing healthcare services, Doctor247 processes health information including:

• Medical history
• Consultation notes
• Symptoms
• Diagnoses
• Prescriptions
• Referral letters
• Medical certificates
• Laboratory results
• Health assessments
• Treatment plans
• Uploaded medical records

Under Article 9 GDPR, health information is classified as Special Category Personal Data and receives enhanced protection because of its sensitive nature.

OUR LEGAL BASIS FOR PROCESSING DATA

Doctor247 only processes personal information where a valid legal basis exists under Article 6 GDPR.

Depending on the circumstances, our legal basis may include:

Performance of a Contract

Processing necessary to provide healthcare services requested by you.

Legal Obligations

Processing necessary to comply with applicable healthcare, regulatory, tax, and legal obligations.

Legitimate Interests

Processing necessary for platform security, fraud prevention, service improvement, and operational management where such interests are not overridden by your rights.

Vital Interests

Processing necessary to protect an individual’s life or physical safety in emergency situations.

Consent

Where required, we obtain your explicit consent before processing certain categories of personal information.

LEGAL BASIS FOR HEALTH DATA PROCESSING

Because health information is classified as Special Category Personal Data, GDPR requires an additional legal basis under Article 9.

Doctor247 may process health information where processing is necessary for:

• Preventive healthcare
• Medical diagnosis
• Medical treatment
• Healthcare management
• Provision of healthcare services
• Public health obligations
• Legal and regulatory compliance
• Explicit patient consent where required

Healthcare services frequently rely on legal healthcare exemptions under Article 9 GDPR in addition to Article 6 lawful processing grounds.

INFORMATION WE COLLECT

We may collect the following categories of personal data:

Identity Information

• Full name
• Date of birth
• Gender
• Nationality

Contact Information

• Email address
• Telephone number
• Postal address

Account Information

• Username
• Login credentials
• Authentication records

Health Information

• Medical history
• Consultation records
• Prescriptions
• Referral letters
• Medical certificates
• Uploaded documents
• Clinical notes

Technical Information

• IP address
• Device information
• Browser information
• Platform usage data
• Log files

Payment Information

• Billing details
• Transaction records

Payment card information is generally processed by secure third-party payment providers.

HOW WE USE YOUR INFORMATION

Your information may be used for:

• Providing healthcare services
• Conducting consultations
• Issuing prescriptions
• Preparing referral letters
• Providing medical certificates
• Maintaining medical records
• Scheduling appointments
• Patient verification
• Customer support
• Platform administration
• Regulatory compliance
• Fraud prevention
• Security monitoring
• Service improvement
• Quality assurance
• Legal obligations

YOUR GDPR RIGHTS

Under GDPR, you may have the following rights:

Right of Access

You may request a copy of the personal data we hold about you.

Right to Rectification

You may request correction of inaccurate or incomplete personal information.

Right to Erasure

You may request deletion of your personal data where applicable under law.

Right to Restrict Processing

You may request that processing of your personal data be limited under certain circumstances.

Right to Data Portability

You may request a copy of your data in a structured, commonly used, machine-readable format.

Right to Object

You may object to certain processing activities where permitted by law.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw that consent at any time.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Irish Data Protection Commission if you believe your data protection rights have been violated.

DATA SHARING

Doctor247 does not sell personal information.

We may share personal data only where necessary with:

• Healthcare professionals
• Pharmacies
• Laboratories
• Diagnostic providers
• Referral partners
• Payment processors
• Cloud hosting providers
• IT service providers
• Regulatory authorities
• Legal advisors
• Law enforcement agencies where legally required

All third parties are required to implement appropriate data protection and security measures.

INTERNATIONAL DATA TRANSFERS

Where personal data is transferred outside the European Economic Area (EEA), Doctor247 ensures that appropriate safeguards are implemented, including:

• European Commission Adequacy Decisions
• Standard Contractual Clauses (SCCs)
• Other GDPR-approved transfer mechanisms

DATA RETENTION

Doctor247 retains personal data only for as long as necessary to:

• Provide healthcare services
• Comply with medical record retention requirements
• Meet legal obligations
• Resolve disputes
• Enforce agreements
• Protect patient safety

Retention periods may vary depending on the nature of the information and applicable legal requirements.

DATA SECURITY

Doctor247 implements appropriate technical and organisational security measures including:

• SSL/TLS encryption
• Secure hosting environments
• Access controls
• Role-based permissions
• Authentication procedures
• Data encryption
• Monitoring and logging
• Security assessments
• Staff confidentiality obligations

While we strive to protect personal information, no internet-based transmission or storage system can be guaranteed to be completely secure.

COOKIES AND TRACKING TECHNOLOGIES

Doctor247 uses cookies and similar technologies to:

• Operate the website
• Improve performance
• Maintain security
• Analyse usage patterns
• Enhance user experience

Where required, consent is obtained before non-essential cookies are placed on your device.

AUTOMATED DECISION-MAKING

Doctor247 does not make clinical decisions solely through automated processing.

Healthcare decisions are made by qualified healthcare professionals exercising independent clinical judgment.

CHILDREN’S DATA

Doctor247 services are intended primarily for adults.

Where services are provided to minors through a parent or legal guardian, personal data is processed in accordance with applicable GDPR requirements and Irish law concerning children’s data.

DATA BREACH MANAGEMENT

Doctor247 maintains procedures for identifying, investigating, and responding to personal data breaches.

Where required under GDPR:

• Affected individuals will be notified;
• The Irish Data Protection Commission will be notified;
• Appropriate remedial action will be taken.

DATA PROTECTION OFFICER / PRIVACY CONTACT

For GDPR-related requests or privacy questions, please contact:

Data Protection Team

Email: privacy@doctor247.ie

Website: https://doctor247.ie

COMPLAINTS TO THE DATA PROTECTION COMMISSION

If you believe your personal information has been processed unlawfully, you may lodge a complaint with:

Data Protection Commission (Ireland)

Website: Data Protection Commission

The Data Protection Commission is Ireland’s independent supervisory authority responsible for enforcing GDPR and data protection laws.

Doctor247 is committed to maintaining the highest standards of privacy, confidentiality, security, and GDPR compliance in the delivery of healthcare services.

GDPR provides additional protection for health information because health data is classified as Special Category Personal Data under Article 9 GDPR and may only be processed under specific legal conditions with appropriate safeguards.