GDPR Compliance

General Data Protection Regulation Compliance Statement

Last Updated: October 31, 2025

CareApp24 is fully committed to compliance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and all applicable data protection laws. This document outlines our comprehensive approach to data protection and your rights under GDPR.

Our GDPR Commitment

  • Full compliance with GDPR requirements
  • Data Protection Officer (DPO) appointed and accessible
  • Regular audits and compliance assessments
  • Staff training on data protection principles
  • Transparent data processing practices
  • Secure data storage on EU-based servers

1. GDPR Principles We Follow

We process personal data in accordance with the six core GDPR principles:

Lawfulness, Fairness, and Transparency

We process data lawfully, fairly, and in a transparent manner. We clearly communicate what data we collect and how we use it.

Purpose Limitation

We collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.

Data Minimization

We collect only the data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

Accuracy

We ensure personal data is accurate and, where necessary, kept up to date. We take reasonable steps to erase or rectify inaccurate data.

Storage Limitation

We keep personal data in a form that permits identification of data subjects for no longer than necessary for the purposes for which the data is processed.

Integrity and Confidentiality

We process data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

2. Legal Basis for Data Processing

We process personal data based on the following legal grounds:

  • Consent: You have given clear consent for us to process your personal data. Examples: marketing communications, optional features.
  • Contract: Processing is necessary to fulfill a contract with you. Examples: service delivery, user account management.
  • Legal Obligation: Processing is necessary to comply with the law. Examples: medical record retention, tax compliance.
  • Vital Interests: Processing is necessary to protect someone's life. Examples: emergency medical situations.
  • Legitimate Interests: Processing is necessary for our legitimate interests. Examples: fraud prevention, system security.

3. Your Rights Under GDPR

As a data subject, you have the following rights:

3.1 Right to be Informed

You have the right to clear information about how we collect and use your personal data. This is provided through our Privacy Policy and this GDPR Compliance document.

3.2 Right of Access (Article 15)

You have the right to access your personal data and receive information about how we process it. You can request:

  • Confirmation that we are processing your data
  • A copy of your personal data
  • Information about the processing purposes
  • Categories of data being processed
  • Recipients of your data
  • Storage periods

Response Time: Within 30 days of request

3.3 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected or completed if it is incomplete.

Response Time: Within 30 days of request

3.4 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for the processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased for compliance with a legal obligation

Note: This right does not apply when we need to retain data for legal obligations, particularly medical records required by healthcare regulations.

3.5 Right to Restriction of Processing (Article 18)

You have the right to restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

3.6 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON) and to transmit it to another controller.

3.7 Right to Object (Article 21)

You have the right to object to processing of your personal data that is based on our legitimate interests, carried out for direct marketing, or carried out for research or statistical purposes.

3.8 Rights Related to Automated Decision Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

4. Data Protection Measures

4.1 Technical Measures

  • Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
  • Access Controls: Role-based access control (RBAC) with multi-factor authentication
  • Pseudonymization: Where applicable, we use pseudonymization techniques
  • Backup Systems: Regular encrypted backups with secure storage
  • Firewalls & IDS: Advanced firewall and intrusion detection systems
  • Regular Updates: Timely security patches and system updates

4.2 Organizational Measures

  • Data Protection Officer: Appointed DPO overseeing compliance
  • Staff Training: Regular training on data protection and security
  • Access Policies: Strict policies governing employee access to data
  • Incident Response Plan: Procedures for handling data breaches
  • Vendor Management: Due diligence on third-party processors
  • Regular Audits: Internal and external security audits

5. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify Supervisory Authority: Within 72 hours of becoming aware of the breach (Article 33)
  • Notify Affected Individuals: Without undue delay if the breach poses a high risk to rights and freedoms (Article 34)
  • Document the Breach: Maintain records of all breaches, effects, and remedial actions
  • Remediate: Take immediate action to mitigate effects and prevent recurrence

6. Data Processing Agreements (DPA)

We ensure that all third-party processors:

  • Sign Data Processing Agreements compliant with Article 28 GDPR
  • Provide sufficient guarantees of appropriate technical and organizational measures
  • Only process data on our documented instructions
  • Maintain confidentiality of personal data
  • Assist us in fulfilling our GDPR obligations

7. Data Protection Impact Assessments (DPIA)

We conduct DPIAs for high-risk processing activities, particularly:

  • Large-scale processing of special category data (health data)
  • Systematic monitoring of publicly accessible areas
  • Automated decision-making with legal effects
  • Processing involving new technologies

8. International Data Transfers

When transferring personal data outside the EEA, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs): EU Commission-approved clauses
  • Adequacy Decisions: Transfers to countries with adequate protection
  • Binding Corporate Rules: For intra-group transfers
  • Explicit Consent: When required by law

9. How to Exercise Your Rights

To exercise any of your GDPR rights, please:

  1. Submit a Request: Email us at gdpr@careapp24.eu or use our online form
  2. Verify Your Identity: We may request proof of identity to prevent fraudulent requests
  3. Specify Your Request: Clearly state which right you wish to exercise
  4. Receive Response: We will respond within 30 days (extendable by 2 months for complex requests)

10. Children's Data

We do not knowingly process personal data of children under 16 (or the applicable age in your jurisdiction) without parental consent. If we become aware of such processing, we will delete the data immediately.

11. Cookies and Tracking

We use cookies in compliance with the ePrivacy Directive (2002/58/EC). You can:

  • Accept or reject cookies through our cookie banner
  • Manage cookie preferences at any time
  • Configure browser settings to block cookies

See our Cookie Policy for detailed information.

12. Supervisory Authority Contact

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority:

Supervisory Authorities

Hungary:

National Authority for Data Protection and Freedom of Information (NAIH)

Address: 1055 Budapest, Falk Miksa utca 9-11

Website: www.naih.hu

Email: ugyfelszolgalat@naih.hu

Germany:

Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Address: Graurheindorfer Str. 153, 53117 Bonn

Website: www.bfdi.bund.de

Email: poststelle@bfdi.bund.de

Ireland:

Data Protection Commission (DPC)

Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28

Website: www.dataprotection.ie

Email: info@dataprotection.ie

Contact Our Data Protection Officer

Email: dpo@careapp24.eu

Phone: +36 30 698 2603

Address:

CareApp24 - Data Protection Officer

1074 Budapest, Vörösmarty u 16-18 P1

For general inquiries: privacy@careapp24.eu

13. Updates to This Document

We may update this GDPR Compliance statement to reflect changes in our practices or legal requirements. The "Last Updated" date at the top indicates when the document was last revised. Significant changes will be communicated through our website and, where appropriate, via email.

14. Certification and Compliance

CareApp24 is currently in the process of obtaining the following certifications and compliance standards:

  • ISO 9001:2015 – Quality Management System (in progress)
  • ISO/IEC 27001:2013 – Information Security Management (planned after ISO 9001)
  • ISO/IEC 27018 – Protection of Personally Identifiable Information in Public Clouds
  • GDPR Compliance – General Data Protection Regulation alignment (in progress)
  • Healthcare Data Protection Standards

Note: Our certification process is ongoing. This document is designed to provide transparency about our GDPR and data protection commitments. For detailed information about how we process your specific data, please refer to our Privacy Policy.

© 2025 CareApp24. All rights reserved.