GDPR Compliance Statement

At Movementor, we take the privacy and security of personal data seriously, especially when it pertains to sensitive information such as patient data. In accordance with the UK General Data Protection Regulation (UK GDPR), we are committed to ensuring that all personal data we handle on behalf of our clients is processed in compliance with the highest standards of data protection.

1. Data Controller and Data Processor Roles

Movementor acts as a Data Processor on behalf of our clients, who are the Data Controllers. As a Data Processor, we are responsible for processing patient data solely within the scope agreed with our clients and for the purposes specified in the agreement between us and the Data Controller.

2. Types of Data Processed

We process personal data that may include, but is not limited to:

  • Patient Identification Data: Date of birth.

  • Health Information: Medical history, diagnostic data, and treatment records.

  • Other Sensitive Data: Information relevant to patient care or administrative processes as determined by the Data Controller.

3. Lawful Basis for Processing

The lawful basis for processing patient data is determined by our clients, the Data Controllers. We only process data in accordance with the legitimate interests, contractual obligations, or consent established by the Data Controller, ensuring compliance with Article 6 and, where applicable, Article 9 of the GDPR.

4. Data Security Measures

We implement stringent technical and organisational measures to protect patient data, including:

  • Encryption of data both in transit and at rest.

  • Regular security assessments and vulnerability scanning.

  • Access controls to ensure that only authorised personnel have access to patient data.

  • Comprehensive incident response procedures in the event of a data breach.

5. Data Transfers

All data processed by Movementor is stored outside of the European Economic Area (EEA) with Amazon AWS acting as a subcontractor for eu.pythonanywhere.com (see here and here for more details). Amazon AWS is covered by the EU-US Privacy Shield Framework. In the event that data needs to be transferred outside of the EEA, we will ensure that appropriate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), are in place to maintain GDPR compliance.

6. Retention of Data

We retain patient data only for as long as necessary to fulfil the purposes outlined by our clients and in accordance with our contractual obligations. Upon the termination of services or as requested by the Data Controller, we securely delete or anonymise the data as required by GDPR.

7. Data Subject Rights

We fully support the rights of data subjects as outlined in the GDPR. Patients may exercise their rights, such as the right of access, the right to rectification or erasure, or the right to object to data processing, by contacting the Data Controller (our client). We will assist the Data Controller in fulfilling these requests in accordance with GDPR guidelines.

8. Data Breach Notification

In the unlikely event of a data breach that affects patient data, Movementor will notify the Data Controller without undue delay and provide all necessary information to support the Controller in their obligation to report the breach to relevant authorities and affected individuals as required under Articles 33 and 34 of the GDPR.

9. Data Processing Agreements

We ensure that all data processing is governed by a legally binding Data Processing Agreement (DPA) with each of our clients, outlining the scope, nature, and purposes of the processing, as well as the security measures and responsibilities of both parties.

10. Contact Us

For further information regarding our GDPR compliance and data protection practices, or if you have any concerns regarding the processing of personal data, please contact our Data Protection Officer (DPO) at info@movementor-app.co.uk.