GDPR Notice
Legal Notice: Framework GDPR notice only. Must be reviewed and approved by a qualified legal professional before going live.
1 Our Commitment to GDPR
eMedClinic (trading name of Apogeu Proeminente Unipessoal Lda, NIF 518240290) is committed to full compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which came into effect on 25 May 2018. As a Portuguese-registered company operating an online health platform serving EU residents, we treat GDPR compliance as central to our clinical governance and operational framework.
This notice summarises our key GDPR obligations and how we meet them. For full details of how we handle your personal data, please read our Privacy Policy. Our GDPR framework is consistent with the clinical governance structure submitted to the Entidade Reguladora da Saúde (ERS) as part of our operational registration.
2 Lawful Basis for Processing
We process personal data only where we have a lawful basis to do so under GDPR Article 6. The bases we rely on are:
- Contract (Article 6(1)(b)) — processing necessary to fulfil our service agreement with you, including booking and delivering consultations
- Legal obligation (Article 6(1)(c)) — processing required by law, including medical record retention obligations under Portuguese law and tax obligations under Autoridade Tributária e Aduaneira requirements
- Legitimate interests (Article 6(1)(f)) — processing for our genuine business interests where these are not overridden by your rights, including fraud prevention and anonymised website analytics
- Explicit consent (Article 6(1)(a) and Article 9(2)(a)) — processing of special category health data, which requires your explicit and informed consent before any processing takes place
3 Special Category Health Data
Health data is a special category of personal data under GDPR Article 9, requiring the highest level of protection. As a healthcare provider registered under CAE codes 86220 and 86906, we treat the protection of patient health data as a fundamental regulatory and ethical obligation.
We process health data only with your explicit consent and only to the extent strictly necessary to provide your medical consultation. The specific purposes for which health data is processed are:
- Delivery of your booked consultation by a licensed medical practitioner
- Generation and storage of your consultation record and any prescription issued
- Enabling continuity of care across subsequent consultations
- Compliance with mandatory medical record retention requirements under applicable Portuguese and EU law
We never use health data for marketing, profiling, advertising, or any purpose beyond direct patient care. Health data is stored on encrypted, EU-based servers and is accessible only to you and your treating doctor. All clinical platform partners have executed Data Processing Agreements (DPAs) confirming these obligations.
4 Your GDPR Rights
Under GDPR you have the following rights, which you may exercise at any time free of charge:
- Article 15 — Right of access: obtain a copy of your personal data held by us
- Article 16 — Right to rectification: correct inaccurate or incomplete personal data
- Article 17 — Right to erasure: request deletion of your data (subject to legal retention obligations)
- Article 18 — Right to restriction: restrict how we process your data in certain circumstances
- Article 20 — Right to portability: receive your data in a structured, commonly used, machine-readable format
- Article 21 — Right to object: object to processing based on legitimate interests
- Article 7 — Right to withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing
To exercise any right, contact us at info@emedclinic.com. We will acknowledge your request within 72 hours and respond in full within 30 days. This may be extended to 90 days for complex requests, in which case we will notify you of the extension and the reason within the initial 30-day period.
Please note that the right to erasure does not apply to health data where retention is required by law. We will advise you of any applicable legal retention obligation at the time of your request.
5 International Data Transfers
All personal data is stored and processed within the European Economic Area (EEA) wherever possible. Our primary clinical platform infrastructure is hosted on EU-based servers.
Where we use third-party processors that transfer data outside the EEA (including certain Google Analytics processing), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46. No health data is transferred outside the EEA under any circumstances.
6 Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, subject to any overriding legal obligations. Our retention periods are as follows:
- Consultation records and health data: retained for a minimum of 10 years following the last consultation, in compliance with Portuguese medical record retention law
- Billing and financial records: retained for 10 years in compliance with Autoridade Tributária e Aduaneira requirements
- Website analytics data: retained for a maximum of 26 months (Google Analytics default), after which data is automatically deleted
- Cookie consent records: retained for 1 year from date of consent
- Account registration data: retained for the duration of your account and for 3 years following account closure
On expiry of the applicable retention period, data is securely deleted or anonymised. You may request early deletion subject to the limitations described in Section 4 above.
7 Data Breach Procedure
We maintain a documented data breach response procedure in accordance with our clinical governance obligations. In the event of a personal data breach:
- We will assess the breach and its likely impact within 24 hours of becoming aware
- We will notify the Portuguese data protection authority (CNPD) within 72 hours where required under GDPR Article 33
- Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify affected individuals directly without undue delay under GDPR Article 34
- All breaches, regardless of notification obligation, will be logged in our internal breach register
8 Data Protection Contact
eMedClinic handles all data protection matters directly under the oversight of the Sole Director. All data protection enquiries, requests to exercise your rights, or concerns about how we handle your data should be directed to:
eMedClinic — Data Protection
Legal entity: Apogeu Proeminente Unipessoal Lda T/A eMedClinic
Sole Director: Tessa Hall
Rua das Pimenteiras, Edificio Antelius, Bloco Um, Loja A
Vilamoura, 8125-473 Quarteira, Portugal
Email: info@emedclinic.com
Phone: +351 926 788 876
Website: www.emedclinic.com
9 Supervisory Authority
You have the right to lodge a complaint with the Portuguese data protection supervisory authority if you believe we have not handled your personal data in accordance with GDPR:
CNPD — Comissão Nacional de Proteção de Dados
Website: www.cnpd.pt
Email: geral@cnpd.pt
Phone: +351 213 928 400
We would, however, welcome the opportunity to address any concern directly before you contact the CNPD. Please contact us at info@emedclinic.com in the first instance.