On May 25, 2018, a new privacy law, the General Data Protection Regulation (GDPR), took effect in the European Union (EU). It replaced the Data Protection Directive (‘the Directive’), which had been in effect since 1995.
While the GDPR preserves the principles established in the Directive, it is a far more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data.
As part of Healthy.io’s commitment to assist its customers on their journey to GDPR compliance, Healthy.io has developed product-specific papers to help customers prepare for the GDPR. These papers describe the tools and capabilities Healthy.io builds into its products, as well as other defined procedures, that can assist organizations in addressing individual ‘data subject’ rights under the GDPR.
Healthy.io is committed to GDPR compliance. Healthy.io's Engineering, Product, Security, and Legal teams have been working to align the company's procedures, documentation, contracts, and services to support compliance with the GDPR. Healthy.io also supports its customers on their GDPR compliance journey with its foundation of implemented security and privacy frameworks and certified security and privacy controls.
Data Processing Agreement
Healthy.io has published a Data Processing Agreement (DPA) for each of its product groups to incorporate the terms required by the GDPR into the relevant customer agreements. Healthy.io created these DPAs under the supervision of EU privacy experts, designed them to comply with the GDPR, and drafted them to reflect the specific details of the data processing activities within Healthy.io services. All customers who process personal data subject to the GDPR through Healthy.io services must have a DPA with Healthy.io so that both the customer and Healthy.io can meet the GDPR's DPA requirements.
Most agreements signed with Healthy.io customers before May 2018 did not include a GDPR DPA. Customers whose current Healthy.io service agreement does not include a GDPR DPA should download, sign, and return the DPA or DPAs appropriate to the Healthy.io services they use.
As the GDPR and other privacy regimes require, Healthy.io provides customers with information about the affiliates and trusted third-party vendors it engages as sub-processors to support its solutions and services. Healthy.io also provides information about its data center providers and their locations.
Developer Access to Production
A limited group of developers serves as the maintenance-and-support group and is the only group granted access to the production system. These developers undergo corresponding training and are bound by strict security and privacy policies covering domains such as access control and security awareness.