Tuotempo and
the General Data Protection Regulation

What is the GDPR?
When does it come into effect?
How is the GDPR different from the Directive? How are obligations changing?
What is tuOtempO’s role?
Does tuOtempO comply with the GDPR?
Where are tuOtempO servers located?
How can tuOtempO assist in your GDPR compliance efforts?
Who can I contact if I still have doubts about GDPR?

The GDPR will become enforceable on May 25, 2018, and will set a high bar for global privacy rights and compliance. We are actively preparing our business and compliance processes for when the GDPR takes effect and this guide is intended to help our customers do the same.

Please note that this guide is for informational purposes only and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.

What is the GDPR?

By now, you will probably have heard of the GDPR: the General Data Protection Regulation, a European privacy law approved by the European Commission in 2016. The GDPR will replace a prior European Union privacy directive known as Directive 95/46/EC (the “Directive”), which has been the basis of European data protection law since 1995.

A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data. It will have a significant impact on businesses around the world.

When does it come into effect?

The GDPR was adopted in April 2016, but will officially be enforceable beginning on May 25, 2018. There will not be a “grace period,” so it is important that organizations impacted by the GDPR get ready for it now.

How is the GDPR different from the Directive? How are obligations changing?

While the GDPR preserves many principles established by the Directive, it introduces several important and ambitious changes. Here are a few that we believe are particularly relevant to tuOtempO and our customers:<

  1. Expansion of scope: As mentioned above, the GDPR applies to all organizations established in the EU or processing data of EU citizens, thus introducing the concept of extra-territoriality, and broadening the scope of EU data protection law well beyond the borders of just the EU.
  2. Expansion of definitions of personal and sensitive data, as described above.
  3. Expansion of individual rights: EU citizens will have several important new rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability. You must ensure that you can accommodate these rights if you are processing personal data of EU citizens.
  • Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
  • Right to object: An individual may prohibit certain data uses.
  • Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected
  • Right of access: Individuals have the right to know what data about them is being processed and how.
  • Right of portability: Individuals may request that personal data held by one organization be transported to another.
  1. Stricter consent requirements: Consent is one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. You will need to obtain consent from your subscribers and contacts for every usage of their data, unless you can rely on a separate legal basis. The surest route to compliance is to obtain explicit consent. Keep in mind that:
  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent: data subjects must explicitly opt-in to the storage, use and management of their personal data.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
  1. Stricter processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:


  • Contact details for the data controller
  • Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
  • Retention period: This should be as short as possible (“storage limitation”).
  • Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of your healthcare service, an individual has consented (see consent requirements above), or the processing is in the organization’s “legitimate interest.”

There are many other principles and requirements introduced by the GDPR, so it is important to review the GDPR in its entirety to ensure that you have a full understanding of its requirements and how they may apply to you.

What is tuOtempO’s role?

If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in. A controller is the organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.

A processor is the organization that processes the data on behalf of the controller.

The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party.

Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor as well.

In the context of the tuOtempO application and our related services our customers are acting as the controller.  Our customers, for example, decide:

  • what information from their contacts is uploaded or transferred into their tuOtempO account
  • direct tuOtempO, through our application, to send messages to its patients.

The appointment of tuOtempO as Responsible by the Owner takes place through the signature accepting the General Conditions of Use attached to our order form.

Does tuOtempO comply with the GDPR?

tuOtempO is a supporter of the strong data privacy and security principles that GDPR emphasizes, many of which tuOtempO instituted long before the GDPR was enacted. At tuOtempO, we believe that the GDPR is an important milestone in the data privacy landscape, and we are committed to achieving compliance with the GDPR on or before May 25, 2018.

tuOtempO’s GDPR preparation started more than a year ago, and as part of this process we have reviewed all of our internal processes, procedures, data systems, and documentation to ensure that we will be ready when the GDPR goes into effect. While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our users and we are, among other things:

  • Analyzing all of our current features and templates to determine whether any improvements or additions can be made to make them more efficient for those users subject to the GDPR
  • Evaluating potential new GDPR-friendly features and templates to add to our application

In addition, we will be prepared to address any requests made by our customers related to their expanded individual rights under the GDPR:

  • Right to be forgotten: You may terminate your tuOtempO account at any time, in which case we will permanently delete your account and all data associated with it.
  • Right to object: You will be able to opt out of inclusion of your data in our upcoming benchmark project by simply changing the Privacy Setting on your account
  • Right to rectification: You may access and update your tuOtempO account settings at any time to correct or complete your account information. You may also contact tuOtempO at any time to access, correct, amend or delete information that we hold about you
  • Right of access: We collect only administrative information and billing information about our customers. If you have specific questions about particular data, you can contact privacy@tuOtempO.com for further information at any time.

Right of portability: We will export your account data to a file or to third party at any time upon your request.

Where are tuOtempO servers located ?

Amazon Web Services, Ireland and Frankfurt, both within the European Community.

For customers in US, AWS is certified for the purposes of the EU-US Privacy Shield. View the certificationhere.

How can tuOtempO assist in your GDPR compliance efforts?

As Managers appointed by your Structure, there are several ways in which tuOtempO can help you ensure compliance with your Patient’s Privacy and Compliance with the GDPR. We have grouped the support modalities in 4 Macro areas (Security, Data Storage, Individual Rights Expansion and More Restrictive Consent).



The GDPR requires that Owners and Managers implement appropriate technical and organizational measures to guarantee a level of security appropriate to the risks presented. We are aware that our customers act as data controllers and that is why we always work with the utmost attention to do everything in our means to protect our customers’ data.

We follow generally accepted industry standards to protect the information that is provided to us, both during transmission and once received. We maintain adequate administrative, technical and physical safeguards to protect Personal Data from accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse and any other unlawful processing of personal data in our possession.

This includes, for example, firewalls, OTP protection, and other access and authentication controls. We use SSL technology to encrypt data during transmission over the public Internet and we also use application-level security features to anonymously personalize data. The following table shows a brief list of the security measures adopted in relation to specific requests of the GDPR.

GDPR Requirement How tuotempo can help you
You must be able to recover data quickly if it is lost.

And you must also protect them against accidental destruction
Article 32 (Paragraph 2)

  • Automatic data protection, thanks to the programming of backups
  • From a backup, data can be restored if it has been deleted
  • The backups reside on 3 different supports, one of which is always on a data center more than 200 km from the others
In order to avoid data being misused through a data breach, it may be appropriate to encrypt the data.
Article 32 (paragraph 1b)
  • The sensitive fraction of stored data is encrypted with SHA-256 encryption
  • The data is encrypted during transmission with Https protocol
  • The data is encrypted during the backup
It is necessary to guarantee “data confidentiality” and integrity
Article 32 (paragraph 1b)
  • We commission at least one annual Audit from an external IT security expert a Vulnerability Assessment & Penetration Testing to identify any vulnerabilities
  • Automatic monitors alert us to any abnormal or suspicious activity on personal data
  • We keep a log of all the activities performed regarding personal data in order to easily trace and analyze any activity at a distance of time
After a data breach, it is necessary to notify the authorities within 72 hours of the discovery
Article 32 and 33
  • The monitors that identify anomalous access patterns send a notification via SMS or Push to the security managers
  • Customers can subscribe to a notification page to be notified in real time on the status of the application and on any relevant events.


Despite our utmost commitment, as we know, no method of transmission over the Internet or electronic storage method is 100% secure. For this reason we have activated the privacy@tuotempo.com box, in addition to the ordinary support channels, where you can inform us of any suspicion that your personal data has been compromised and activate our verification process. For our part, if we become aware of a violation of our security systems, we will inform your facility and the authorities of the violation in accordance with the applicable law.



We only retain the Personal Data collected from a User for as long as the User’s account is active or otherwise for a limited period of time as long as we need it to fulfill the purposes for which we have initially collected it, unless otherwise required by law. We will retain and use information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements as follows:

  • The contents of closed accounts are deleted within 3 months of the date of closure
  • Backups by default are kept for 24 months but our customers can change the duration of the backup with a minimum of 3 months
  • Our customers can choose if and for how long to show a patient’s appointment history online
  • Our customers who offer access to the online Health Dossier to their patients through our platform, can choose how long to keep the history of documents visible and accessible online through the Privacy environment within the administration console.
  • tuOtempO does not keep any reports or images, but only retrieves them when the patient requests it and only for the minimum time necessary to deliver them to the patient. All documents are deleted at the end of the request.

C. Individual Rights Expansion


tuOtempO can help you promptly respond to requests from your patients pursuant to their expanded individual rights under the GDPR

  • Right to be forgotten:
    • You may delete individual patients upon their request at any time. In addition you can selectively remove appointments and, where present, every single reference to your clinical history including links to invoices, reports and images. Removal can also be done en bloc, keeping the patient active but removing all of his history.
    • Patients can at any time access their account on your online portal based on the tuOtempO application and remove all their data.
    • In both cases of removal, the data in production systems will be erased at maximum speed.
    • Even if a Patient has exercised the Right to Foreclosure on the production environment, the Patient data may still reside on our servers for the duration of the Backup retention for one of two reasons:
      • It is extremely complex to isolate and remove individual personal data within the archive of a Backup file
      • The holder is required to retain the data longer for contractual, legal or compliance reasons

In these circumstances, we give the Patient a guarantee that your personal data will not be restored to production systems in case you need to retrieve information from backup files. tuOtempO maintains a register of obligations that allows it to selectively delete the data of the user who requested it during any backup restore process.

  • Right to rectification

A Patient or an Operator commissioned by the Patient can always access and update the data within the tuOtempO application to correct or complete the information.

  • Right of access

As mentioned above, any of your Patients may contact us directly to request to access information that we hold about them.

  • Right of portability

The Patient can export all documents concerning him at any time by logging into his Patient Portal account based on the tuOtempO application.



As already mentioned, the GDPR strongly emphasizes the need to legally obtain and process email addresses, mobile phone numbers and other personal data from patients, doctors and other contacts.

The GDPR defines 6 legal bases for data processing, the best known of all is clearly the request and obtention of explicit consent from the party concerned. We will analyze it first.


The personal data of your patients can be collected and transferred on tuOtempO through integration flows or registration procedure made available by our application and activated and configured by our customers.

  • In case of transfer via Integration, tuOtempO assumes that the information transferred by the Data Controller has received the appropriate consent and that the consents are defined for the various purposes of the processing that the Customer can perform through the tuOtempO application.
  • In case of acquisition of consent through registration form to the portal services, our application allows you to define what consents to request and what information to present. To help you comply with the GDPR
    • the patient registering with the portal services must explicitly select which consent to give, since they are deactivated by default. In the absence of consent to the basic information the registration procedure will not be successful.
    • to help you obtain proof of consent and store a record of your Patient consent in your tuOtempO account. In fact, when a Patient registers, tuOtempO records the mobile address, e-mail address, IP address and timestamp associated with each patient who completes and sends the form, providing an easy access consent test.
    • the consent received online can be easily transferred to the management system (HIS or EHR) of our customers if the customer master’s database is located there.



If you look carefully at a patient’s digital pathway and the variety of communications that he can receive before, during and after an interaction with the structure (eg a visit) it is easy to deduce that the purposes of treatment are multiple. tuOtempO has decided to adopt a model based on a wide set of 6 different consents to allow the patient to be able to opt in or opt out of individual services without having to renounce all of them. In this way it is possible, for example, for a patient to renounce receiving requests for reviews (opt-out) without losing access to memos or communication campaigns.

To help our customers find their bearings, we have published the list of consents on the Configure> Privacy page and for each of them the collection and withdrawal methods. Furthermore, in a specific section, the customer can enter and differentiate the information for each individual consent.

For convenience, we list the consents in the following table.


1. General Conditions.

If the patient already exists, consent is considered already acquired. If the patient is new, he will have to accept the general conditions during registration.

On-site or via online patient registration On-site
2. Automatic communications

The consent is collected together with the acceptance of the communication details (point 1).

On-site or via online patient registration


Via the patient profile page

Via the patient profile page
3. Information and commercial communications

The consent must be collected at the facility and included in your management system. Both the consent and revocation actions must be synchronized from your management system to tuOtempO and vice versa.

For all the campaigns sent through tuOtempO the patient can revoke the consent to receive the communications through an unsubscribe in a link within all the Email communications or by replying “STOP” to the informative or commercial SMS. For campaigns using our client’s PUSH messages on APP, patients can remove consent from their phone’s notification preferences.

On-site or acquired by tuotempo via integration Via the patient profile page

Unsubscribe via Email
Unsubscribe via SMS
Unsubscribe via turning off push notifications

 4. Access to online documents

Consent is collected through synchronization with the software that generates and / or manages the documents (eg reports). The same can be revoked by the patient from the Privacy section on the My Profile page. It is possible to send a special text message to patients who have not yet consented.

On-site or acquired by tuotempo via integration Via the patient profile page
5. Health dossier

The consent to activate the Dossier is collected during the first access to the Dossier. On the My Profile page, the patient can remove consent at any time from the Privacy section.

Online on first access to dossier Via the patient profile page
6. Reviews

The patient can remove consent by unsubscribe from the email inviting them to leave a review

Unsubscribe via Email


As for the communication campaigns that you can send to your patients through the tuOtempO application, in addition to the options for revoking consent, our customers also have the possibility:

  • To include a “change your preferences” link in the footer of any Email campaign, which will give each recipient the ability to easily update their profile details within the Patient Portal, helping you meet the GDPR access requirements.
  • To update on your Patient’s behalf information about their users or contacts when requested by a Patient on the phone or at the counter.

Please note that any consent obtained from your users and contacts must comply with the GDPR requirements, regardless of when consent was obtained. However, the Recital 171 of the GDPR indicates that it is possible to continue to rely on any existing consent that meets the GDPR standards for consent. This means that it is not necessary to request your users’ consent or contacts again when GDPR enters into force, if you have met all the requirements of the GDPR when you initially obtained your consent. We recommend consulting a legal counsel to determine if:

  • the consent obtained before the GDPR complies with the requirements
  • re-contact your patients to request consent again in accordance with the GDPR requirements
  • rely on a different legal basis for treatment under the GDPR (see next section of the Legitimate Interest).


In general, it is necessary to review the privacy statement and the processes of your organization to ensure that they provide adequate communication that the personal data of their patients will be transferred to third parties and in particular to tuOtempO as one of the Managers, delineating, if possible, the processing activities applicable performed by tuOtempO, such as collection (for example, through the registration form) and storage of personal data (eg within your tuOtempO account to allow you to access your Patient Portal or send communication campaigns).


A legal alternative to the collection of consent, which is widely discussed in preparation for the GDPR in the field of marketing and communications is Legitimate Interest, or the possibility of communicating without consent if it is conceivable there is a real interest from those who receive a message.

E.g. consent may not be necessary when the owner, for direct sales of his products or services, uses contact data collected by the interested party in the context of the sale of a product or service, provided that it is communicating similar services to those which are the object of the sale and there is no refusal by the interested party to such use, initially or on the occasion of subsequent communications.

In the Health field, most (often all) of the communications are addressed to existing Customers (Patients for whom a service has been provided) or to Imminent Customers (Patients who have booked a service). The Legitimate Interest is therefore particularly interesting in the health sector, because it is an effective legal basis especially in the regulation of communications with customers.

Before getting excited, however, remember that:

  • The legitimate interest of the data controller may constitute the legal basis for data processing, provided that the rights between the holder (the Structure) and the data subject (the Patient) are balanced.
  • Under the new principle of accountability, with the GDPR it is up to companies to carry out this balancing, allowing a generalized application. The company will therefore have to determine if its actions are in line with the patient’s reasonable expectations.
  • On the basis of legitimate interest it is not possible to process sensitive data, for which it is necessary to collect consent.

The last point reminds us that at least a consent to the general privacy notice describing the processing of sensitive data is necessary. Therefore the Legitimate Interest is to be explored in the health field mainly for communications to existing or imminent patients. From the practical point of view, it translates into the possibility of our client to decide to consider the interested party’s reasonable expectations:

  • Receive all the email, SMS and Push communications of transactional type sent to patients in relation to upcoming events (confirmation of appointment, confirmation of cancellation, reminder) or past (report availability, satisfaction survey)
  • Receive recall or prevention campaigns related to a past act
  • Deliver a reminder to a patient who has booked on the phone his first act at your facility by giving telephone consent pending written consent


In practice it may not be necessary for some or all of the listed purposes to re-acquire consent or acquire it explicitly.

In short, both the GDPR and the draft Regulation e-Privacy, have set themselves and are setting the goal of balancing the interests of companies with those of those concerned, specifically, in terms of processing activities for marketing purposes.  The intent is undoubtedly to favour commercial activities without, however, invading the sphere of interests of each individual subject in an abusive and uncontrolled manner, making the applicable legislation clearer and more transparent.

It is therefore a good idea to ask 3 questions in the evaluation of Legitimate Interest:

  1. Do you have a legitimate interest in sending this message?This may include the need to cross-sell other products / services or promote wider use of an already purchased item


  1. Do you need to send the message to reach these interests? If the same result could reasonably be achieved by other less intrusive means (such as unsolicited visits to a website), legitimate interests do not apply


  1. Have you balanced the act of sending the message against the interests, rights and liberties of the individual? See the analysis of reasonable expectations.


The instrument of Legitimate Interest if applied with responsibility and moderation can be a useful tool especially in the transition phase to the GDPR.

Who can I contact if I still have doubts about GDPR?

If you have specific questions about the GDPR and the tuOtempO configuration to get Compliance, you can send an email to privacy@tuotempo.com

Last Updated: April  11, 2018