GDPR Compliance Documentation

Document Version: 1.0
Last Updated: January 4, 2026
Effective Date: January 4, 2026

1. Introduction

This document outlines Hakim's compliance with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), for users located in the European Union and the European Economic Area.

1.1 Controller Information

Data Controller: Hakim Telehealth Platform
Contact: [email protected]

1.2 Data Protection Officer (DPO)

Email: [email protected]
Responsibilities: Ensuring GDPR compliance, handling data subject requests, liaising with supervisory authorities

2. Legal Basis for Processing

Hakim processes personal data under the following legal bases, as defined in Article 6 and Article 9 of the GDPR:

2.1 Consent (Article 6(1)(a) & Article 9(2)(a))

When Applied: Optional marketing communications, use of non-essential cookies, AI-powered feature enhancements, research participation

Implementation: Explicit, informed, and freely given consent, with clear in-app consent mechanisms, easy withdrawal options, granular consent for different purposes, and timestamped consent records

2.2 Contractual Necessity (Article 6(1)(b))

When Applied: Creating and managing user accounts, facilitating telemedicine consultations, processing appointments and scheduling, enabling patient-provider communication, managing medical records, processing payments

2.3 Legal Obligation (Article 6(1)(c) & Article 9(2)(h))

When Applied: Retaining medical records (healthcare regulations), reporting to health authorities, tax and accounting requirements, responding to legal requests, preventing fraud and money laundering

2.4 Legitimate Interests (Article 6(1)(f))

When Applied: Fraud prevention and security, platform improvement and analytics (using de-identified data), internal administrative purposes, network and information security

2.5 Special Category Data - Health Data (Article 9(2)(h))

When Applied: Provision of healthcare services, medical diagnoses and treatment, preventive medicine, public health monitoring

Additional Safeguards: Enhanced encryption, strict access controls, healthcare professional oversight, additional security measures

3. Data Subject Rights

Hakim facilitates the exercise of all GDPR data subject rights:

3.1 Right of Access (Article 15)

Implementation: User dashboard with full data access, downloadable data export feature, response within 30 days (extendable to 60 days if complex)

Information Provided: Categories of data processed, purposes of processing, recipients of data, retention periods, rights available

3.2 Right to Rectification (Article 16)

Implementation: In-app profile editing, medical record amendment requests (with provider approval), correction within 30 days

3.3 Right to Erasure / "Right to be Forgotten" (Article 17)

Implementation: Account deletion feature, clear process for erasure requests, exceptions communicated clearly (legal retention requirements)

Exceptions: Medical records (7-year retention required by law); Financial records (tax law requirements); Legal claims (retained until resolved)

3.4 Right to Data Portability (Article 20)

Implementation: Structured data export (JSON/CSV format), machine-readable format, direct transfer to other providers (where technically feasible), medical records in HL7 FHIR standard

3.5 Right to Object (Article 21)

Implementation: Opt-out of marketing communications, object to automated decision-making, object to profiling, object to legitimate interest processing

3.6 Rights Related to Automated Decision-Making (Article 22)

Implementation: Human review option for AI symptom checker, transparency about AI use, explanation of automated decisions, right to contest automated decisions

Automated Systems: AI symptom checker (advisory only, not diagnostic), provider matching algorithm, appointment scheduling optimization

4. Data Protection by Design and Default

4.1 Technical Measures

Encryption: TLS 1.3 for data in transit, AES-256 encryption for data at rest, end-to-end encryption for messages, encrypted backups

Access Control: Role-based access control (RBAC), multi-factor authentication, principle of least privilege, regular access reviews

Pseudonymization: User IDs instead of names in analytics, de-identification for research data, separation of identifying data from medical data

4.2 Organizational Measures

Data Minimization: Collect only necessary data, regular data review and purging, purpose limitation enforced

Privacy by Default: Strictest privacy settings by default, opt-in for non-essential features, granular privacy controls

Staff Training: Regular GDPR training for all staff, specialized training for data handlers, confidentiality agreements

5. Data Breach Procedures

5.1 Breach Detection

Monitoring: 24/7 automated security monitoring, intrusion detection systems, regular security audits, user-reported breach channel

5.2 Notification Procedures

To Supervisory Authority (Article 33): Within 72 hours of becoming aware, including nature of breach, approximate number of affected individuals, contact point for information, likely consequences, and measures taken or proposed

To Data Subjects (Article 34): Without undue delay if high risk to rights and freedoms, in clear and plain language, including likely consequences, measures taken, and recommendations for protection

6. Third-Party Processors

All third-party processors have signed Data Processing Agreements (DPAs). The key providers are listed below:

Key Providers

Supabase (Database Hosting): DPA in place, GDPR compliant, EU data residency option, sub-processor list provided

Chapa (Payment Processing): DPA in place, PCI DSS compliant, data localization in Ethiopia, GDPR commitments

Telebirr (Payment Processing): DPA in place, local Ethiopian processor, GDPR commitments

6.1 DPA Requirements

All DPAs include: processing only on documented instructions, confidentiality obligations, security measures (Article 32), sub-processor requirements, assistance with data subject rights, deletion or return of data at the end of the contract, audit rights, and breach notification obligations

7. International Data Transfers

7.1 Transfer Mechanisms

Standard Contractual Clauses (SCCs): European Commission-approved SCCs, regularly reviewed and updated, supported by transfer impact assessments

For each international transfer: assessment of local laws, evaluation of safeguards, supplementary measures where needed, and documentation maintained

8. Exercising Your Rights

To exercise your GDPR rights, contact us:

Request Channels

Email: [email protected]
In-app support
Written mail

Response Timeframes

Acknowledge: Within 3 business days
Respond: Within 30 days (extendable to 60 days if complex)

9. Contact Information

Data Protection Officer:
Email: [email protected]
Response time: Within 5 business days

Privacy Team:
Email: [email protected]
Response time: Within 3 business days

Emergency Contact:
For data breaches: [email protected]
24/7 availability

Document Control:
Created: January 4, 2026
Version: 1.0
Next Review: July 4, 2026
Owner: Data Protection Officer