Our Commitment to Data Protection
ORaigent GmbH ("we", "us", or "our") is fully committed to protecting the privacy and security of all personal data we process. As a healthcare technology provider operating in the European Union, we recognize the critical importance of complying with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
This GDPR Compliance Statement outlines our approach to data protection, the measures we have implemented, and our ongoing commitment to maintaining the highest standards of data privacy and security.
GDPR Compliance Framework
1. Legal Basis for Processing
We process personal data only under lawful bases as defined in Article 6 of the GDPR:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide our operating room scheduling services
- Legitimate Interest (Art. 6(1)(f)): System optimization, security monitoring, and service improvement
- Legal Obligation (Art. 6(1)(c)): Compliance with healthcare regulations, tax laws, and data retention requirements
- Consent (Art. 6(1)(a)): Marketing communications and optional features (with explicit opt-in)
For special categories of personal data (health data), we rely on:
- Article 9(2)(h) GDPR: Processing necessary for healthcare provision and management
- Article 9(2)(j) GDPR: Processing for public health purposes
- § 22 BDSG: German-specific provisions for health data processing
2. Data Protection Principles
All our data processing activities adhere to the six core GDPR principles:
Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and in a transparent manner. Our Privacy Policy provides clear information about what data we collect, why we collect it, and how we use it.
Purpose Limitation
Personal data is collected for specified, explicit, and legitimate purposes (operating room scheduling and management) and not further processed in a manner incompatible with those purposes.
Data Minimization
We collect only the personal data that is adequate, relevant, and necessary for the purposes for which it is processed. We do not collect excessive or unnecessary information.
Accuracy
We maintain accurate and up-to-date personal data. Healthcare organizations can update staff information at any time, and we promptly correct or delete inaccurate data upon request.
Storage Limitation
Personal data is retained only as long as necessary for the purposes for which it was collected. We have implemented clear retention policies and automated deletion procedures.
Integrity and Confidentiality
We implement appropriate technical and organizational measures to ensure security of personal data, including protection against unauthorized access, loss, or damage.
Technical and Organizational Measures
Security Measures
We have implemented comprehensive security measures as required by Article 32 GDPR:
| Security Category | Measures Implemented |
|---|---|
| Encryption | TLS 1.3+ for data in transit; AES-256 for data at rest |
| Access Control | Multi-factor authentication, role-based access control (RBAC), principle of least privilege |
| Network Security | Firewalls, intrusion detection/prevention systems, DDoS protection |
| Monitoring | 24/7 security monitoring, automated threat detection, comprehensive audit logging |
| Backup & Recovery | Automated encrypted backups, disaster recovery plan, 99.9% uptime SLA |
| Physical Security | ISO 27001-certified data centers, biometric access controls, video surveillance |
| Application Security | Regular penetration testing, vulnerability scanning, secure development lifecycle |
| Staff Training | Mandatory data protection training, confidentiality agreements, security awareness programs |
Organizational Measures
- Data Protection Officer (DPO): Dedicated DPO overseeing all data protection activities
- Privacy by Design: Data protection principles embedded in all system development
- Privacy by Default: Strictest privacy settings applied automatically
- Data Protection Impact Assessments (DPIA): Conducted for high-risk processing activities
- Vendor Management: All sub-processors vetted for GDPR compliance
- Incident Response Plan: Documented procedures for data breach management
- Regular Audits: Internal and external audits to verify compliance
Data Subject Rights
We respect and facilitate the exercise of all data subject rights under GDPR Articles 15-22:
| Right | Description | Response Time |
|---|---|---|
| Right of Access | Obtain confirmation of processing and access to personal data | Within 30 days |
| Right to Rectification | Correct inaccurate or incomplete personal data | Within 30 days |
| Right to Erasure | Request deletion of personal data ("right to be forgotten") | Within 30 days |
| Right to Restriction | Limit processing of personal data under certain conditions | Within 30 days |
| Right to Portability | Receive personal data in structured, machine-readable format | Within 30 days |
| Right to Object | Object to processing based on legitimate interests | Immediate assessment |
| Automated Decision-Making | Not be subject to solely automated decisions with legal effects | Human oversight provided |
| Right to Withdraw Consent | Withdraw consent for processing at any time | Immediate |
International Data Transfers
When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses for all international transfers
- Adequacy Decisions: Transfers to countries recognized by the EU Commission as providing adequate protection
- Additional Safeguards: Supplementary measures including encryption, access controls, and data minimization
- Transfer Impact Assessments: Regular review of transfer mechanisms to ensure effective protection
Data Processing Agreement
As a data processor for our healthcare clients, we have implemented comprehensive Data Processing Agreements (DPA) that comply with Article 28 GDPR. Our DPAs include:
- Clear definition of processing scope, nature, purpose, and duration
- Detailed technical and organizational measures (TOMs)
- Sub-processor authorization and management procedures
- Data subject rights assistance procedures
- Data breach notification within 24 hours
- Audit rights and compliance verification mechanisms
- Data deletion and return procedures post-contract
Data Breach Management
We maintain a comprehensive incident response plan that ensures:
- Detection: 24/7 monitoring and automated alerting for potential breaches
- Assessment: Immediate evaluation of breach scope, impact, and risk to data subjects
- Containment: Rapid isolation and remediation of security incidents
- Notification:
  - Supervisory authority notification within 72 hours (Article 33 GDPR)
  - Client (data controller) notification within 24 hours
  - Affected individuals notified without undue delay if high risk
- Documentation: Comprehensive record of all breaches, impacts, and remediation actions
- Review: Post-incident analysis and implementation of preventive measures
Cookies and Tracking
Our website uses cookies in compliance with ePrivacy Directive and GDPR:
- Essential Cookies: Required for website functionality (no consent needed)
- Analytics Cookies: Used with explicit consent to improve user experience
- No Third-Party Tracking: We do not use advertising or third-party tracking cookies
- Cookie Management: Users can withdraw consent and delete cookies at any time
Supervisory Authority
Our lead supervisory authority under GDPR Article 56 is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Address: Kavalleriestraße 2-4, 40213 Düsseldorf, Germany
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Website: www.ldi.nrw.de
Data subjects have the right to lodge a complaint with this supervisory authority or their local data protection authority if they believe their data protection rights have been violated.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) as required by Article 37 GDPR, given that we process large amounts of special category health data. Our DPO is responsible for:
- Monitoring compliance with GDPR and other data protection laws
- Advising on data protection impact assessments
- Cooperating with supervisory authorities
- Serving as contact point for data subjects and authorities
- Conducting data protection training and awareness programs
- Reviewing contracts with processors and third parties
Contact Our Data Protection Officer
Email: dpo@oraigent.com
Phone: +49 5241 708900 (extension 102)
Mail: ORaigent GmbH - Data Protection Officer
Friedrich-Ebert-Straße 75
33330 Gütersloh, Germany
Regular Audits and Reviews
We conduct regular reviews to ensure ongoing GDPR compliance:
- Annual External Audits: Independent third-party GDPR compliance audits
- Quarterly Internal Reviews: Assessment of data processing activities and controls
- Monthly Security Testing: Penetration testing and vulnerability assessments
- Continuous Monitoring: Automated compliance checks and security monitoring
- Staff Training: Mandatory annual data protection training for all employees
- Policy Updates: Regular review and update of privacy policies and procedures
Transparency and Accountability
We maintain comprehensive documentation to demonstrate GDPR compliance (Article 5(2) - accountability principle):
- Records of Processing Activities (ROPA): Detailed documentation of all processing activities
- Data Flow Mapping: Visual representation of how personal data moves through our systems
- Privacy Impact Assessments: Documented assessments for high-risk processing
- Breach Register: Comprehensive log of all security incidents and responses
- Training Records: Documentation of staff data protection training
- Consent Records: Audit trail of all consent collection and withdrawal
- Data Subject Request Log: Record of all data subject rights requests and responses
Updates to This Statement
We regularly review and update this GDPR Compliance Statement to reflect changes in:
- Our data processing activities and services
- Legal requirements and regulatory guidance
- Industry best practices and security standards
- Technological capabilities and security measures
When we make material changes, we will notify our clients via email and update the "Last Updated" date below.
Contact Information
ORaigent GmbH
Address: Friedrich-Ebert-Straße 75, 33330 Gütersloh, Germany
General Inquiries: info@oraigent.com
Data Protection Officer: dpo@oraigent.com
Phone: +49 5241 708900
Support: support@oraigent.com
Website: www.oraigent.com
Questions about our GDPR compliance? We're committed to transparency and are happy to answer any questions about our data protection practices. Contact our Data Protection Officer at dpo@oraigent.com.
Last Updated: November 4, 2025
Version: 1.0
Document Status: Active