On July 16, 2020, the high-profile Schrems II judgment was made in Case C-311/18, in which Austrian private citizen Max Schrems had sued Facebook for transferring his personal data to the US. The Court of Justice of the European Union ruled that this violates the GDPR as personal data in the US does not have sufficient protection against the country's intelligence activities. As a result of this ruling, US cloud services are now generally considered to be in violation of the GDPR.
Curoflow’s digital cloud services process and store personal data on Swedish servers without subsuppliers transferring your data outside the EU. Curoflow is thus not dependent on American subsuppliers, such as Microsoft, Zendesk, Zoom, Twilio and AWS, as most other options on the market are. If you want to be confident that all your data is stored and processed in compliance with the GDPR, the Curoflow telemedicine platform is the simple, obvious choice.
In the Schrems II judgment, the Court of Justice of the European Union ruled that the so-called Privacy Shield agreement between the EU and the US does not provide sufficient protection for personal data transferred to the US. The CJEU also stated that transfers of personal data under standard contractual clauses are only permissible if the level of protection in the recipient country is "substantially equivalent to that guaranteed within the EU by the General Data Protection Regulation". This is not considered to be the case in the US, where Facebook and many other large IT companies are subject to the Foreign Intelligence Surveillance Act (FISA), a law that allows US authorities to obtain the personal data of EU citizens from these companies, in violation of the GDPR.
On 18 June 2021, the European Data Protection Board (EDPB) published recommendations complementing the Schrems II judgment. These recommendations allow data controllers in the EU to take the practical application of the recipient country's legislation into account and to assess the actual risks to personal data there. However, you are required to demonstrate clearly, through documentation and objective evidence, that the recipient country's legislation is not applied in practice in a problematic manner. You can, for example, show that US authorities have in practice never requested access to the type of personal data in question, but this must be complemented by an overall assessment based on other sources as well.
Despite these guidelines, many organisations in the EU are still using American cloud services, but due to the risk of data leakage to US authorities, there is a trend towards switching to European alternatives, as the following examples show:
If you choose a software provider that uses third-party solutions outside the EU/EEA, they, and especially you as the personal data controller, must ensure compliance with the GDPR. You need individual and explicit consent from each user/patient using your digital healthcare platform; a general acceptance of a privacy policy is not enough. In addition, a comprehensive investigation is required into the risks of how personal data may be processed in countries outside the EU (e.g. the US) and into whether the GDPR is complied with in each process. Such an investigation is almost impossible to carry out without an enormous effort, both in resources and in time. If data communication or video calls are made through American subsuppliers, you need to ensure that the data cannot be accessed by US authorities and that the data can be erased everywhere if your patient exercises their right to "be forgotten". The responsibility falls on you as the personal data controller.
Curoflow is developed in Sweden and processes all data on dedicated servers in Sweden, without subsuppliers that directly or indirectly process data outside the EU. Curoflow is thus not dependent on subsuppliers such as Microsoft, Zendesk, Zoom, Twilio or AWS, as most other options on the market are. The solutions we use for SMS, electronic identification, and card and mobile payments all come from Swedish companies, and we check that their privacy policies (including those of their subsuppliers) certify that they store and process the data on servers in Sweden.
The GDPR is a complex set of regulations that requires a lot of resources to come to grips with. In 2022, however, this is a necessity, especially regarding the sensitive information that is shared between healthcare providers and their patients. To avoid the risk of violating the GDPR's ever-changing guidelines, we recommend refraining from American cloud services and going for the safe option. If you want to be confident that all data is stored and managed in compliance with the GDPR, Curoflow is the simple, obvious choice. As we primarily target the healthcare sector, our telemedicine platform is fully CE marked under the MDR (EU Medical Device Regulation), which provides an extra level of assurance in how we handle our quality management system.