Privacy Statement

Certicor Health BV

Effective date: May 2026

Certicor Health BV ("Certicor", "we", "us") provides a secure digital platform that enables healthcare professionals to request and receive specialist medical review of diagnostic data (such as ECG images).

We are committed to protecting personal data and ensuring that all processing takes place in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), and in line with healthcare-specific security standards.

1. Introduction

This Privacy Statement explains:

  • which data is processed
  • for what purposes
  • how data is protected

2. Roles and Responsibilities

  • Certicor primarily acts as a processor
  • Controllers: healthcare professionals or organisations providing diagnostic data
  • Certicor processes data solely on behalf of the controller

3. Data Minimisation and Platform Design

  • No full patient records
  • Only minimal demographic data where strictly necessary (e.g. age, sex)
  • Diagnostic data (such as ECG images) is processed solely for review purposes
  • Reviewing specialists do not receive identifiable patient information

4. Categories of Data Processed

  • Health data: diagnostic images (e.g. ECG snapshots) and specialist review / medical advice
  • Basic metadata / clinical context: age or date of birth (with limited precision where possible) and sex
  • Professional user data: name, professional identification and authentication data
  • Technical and security data: login activity, system logs, and access records to health data (audit trail)

5. Purposes of Processing

  • Facilitating specialist medical review
  • Communication between the requesting professional and the reviewer
  • Ensuring traceability and accountability within medical decision-making

6. Legal Basis

Processing is based on the legal basis of the controller (usually medical necessity, legal obligation, or legitimate interest within healthcare law).

Certicor processes data solely on the basis of contractual instruction (data processing agreement in accordance with GDPR Article 28).

7. Security Measures

  • Encryption of data in transit (e.g. TLS)
  • Role-based access control (need-to-know principle)
  • Two-factor authentication for users with access to health data
  • Logging of all access to health information
  • Data masking to prevent unnecessary exposure of identity data
  • Secure hosting within certified infrastructure

8. Retention Periods

Data is retained only as long as necessary for the intended medical and legal purpose, as determined by the controller.

9. Data Sharing

  • authorised medical reviewers within the platform
  • service providers necessary for secure platform operation (e.g. hosting)
  • authorities when legally required

10. International Data Transfers

Where applicable, data is processed within the European Economic Area (EEA). If data is transferred outside the EEA, appropriate safeguards are applied (such as Standard Contractual Clauses).

11. Data Subject Rights

  • right of access
  • right to rectification
  • right to erasure (where legally permitted)
  • right to restriction of processing
  • right to data portability

12. Data Breaches

  • Controllers are informed without undue delay
  • The incident is assessed and reported where required
  • Authorities are informed within statutory deadlines

13. Data Protection Officer / Governance

Certicor has appointed a responsible person to oversee data protection within the organisation.

For data protection questions, email privacy@certicor.nl

14. Changes to This Privacy Statement

This Privacy Statement may be updated periodically. Users are encouraged to consult the most recent version to stay informed about how data is protected.

2026 Certicor Health. All rights reserved.