Data Protection and Compliance
agenda.ch values data confidentiality and transparency.
For example, we are
taking proactive measures to ensure that our service meets Swiss standards (in anticipation
of the new DPA Data Protection Act). as well as the new European Data Protection Regulation
DPSR applicable since 25 May 2018. We would therefore like to inform you of some changes to
our General Terms and Conditions for agenda.ch clients, as well as the
addition of Conditions for booking appointments online, which must now be validated by your clients
/ patients for all appointments booked online since May 15, 2018.
Before presenting the
concrete actions, it is important to detail the specific case of agenda.ch. Indeed, agenda.ch is a SaaS
platform for "B to B" agenda management, Our corporate and freelance clients therefore use it to collect
and store appointment scheduling and customer/patient data.
It is thus necessary to identify and
clearly distinguish two responsibilities:
1. The data controller
(Data Controller) - it's
the company / the person who decides which data to collect, and who defines the purpose of this data collection,
in our case the agenda.ch customer (doctor, osteopath, beautician, etc.).
2. The subcontractor
(Data Processor)- (here agenda.ch)
is the company that "processes" the data. personal data on behalf of the data controller.
As a subcontractor, we only process personal data managed by our service agenda.ch on the documented instructions of the person responsible
for the treatment (our client). This means that we do not handle, disseminate, use, share the data collected
through of our platform, as this data does not belong to us.
In addition, all data from agenda.ch is stored at our provider Exoscale in Switzerland.
Here is a brief summary of the ongoing actions:
- Since May 15, 2018, we have integrated into the appointment booking form the obligation for a client/patient to check
detail the data collection and processing flows specific to them.
We regularly update this Privacy Principles page with explanations of how personal
information and data a detailed description of our security practices, as well as a description of our security policies and procedures. data processing conditions explaining how the customers
can have more information about our security.
- Idem for details on how we work with trusted partners and online sources to improve the quality of personal information that
we hold about users, to understand how users interact with our site and to discover the types of services they are interested in.
The main objective of the future Swiss Data Protection Act and the GDPA (General Data Protection Regulations) is to strengthen the
legal framework for the protection of personal data, and to standardise it throughout Europe. In our context,
the rules promulgated by RGPD (and the future DPA) mainly call for common sense measures to be taken: an architecture modern
and secure, a good organization, a little documentation, these measures allow to be in conformity with the majority of the rules.
More information on this will follow soon.
Current agenda.ch application architecture :
All the data of agenda.ch are hosted in Switzerland (at Exoscale).
An agenda.ch client has access to its agenda.ch space, accessible via a password stored in encrypted form, accessible via SSL.
An account is blocked after a number of unsuccessful login attempts.
agenda.ch does not use or process data from its clients, in particular their patient or client file.
All our backups are encrypted.
We have implemented an application logging policy to detect and trace any intrusion attempt into our application architecture.
Planned evolution of our services towards a "Privacy by Design":
With the implementation of these measures, we want
to ensure our customers to be in compliance with the future DPA law and the GDPR on aspects related to their data processor.
- We will be able to perform physical destruction of all data of a user, or a customer of a customer, upon request.
- We will create pages to allow users, once logged in, to view and modify their personal information;
- We are studying the creation of a form to collect requests for access to users' personal information, in particular
to trigger a right to oblivion and to make them physically and therefore permanently delete. We will determine in the coming
months whether this request will be handled by agenda.ch customers or by agenda.ch directly.
- We will be adding information in our Help Center https://help.agenda.ch on how to enforce users' rights to their data and
to control the use of your personal information through our services. We also explain how we can handle requests for information concerning
the data you may receive from clients/patients of European nationality.
This page will be regularly updated, last update on November 12, 2019.