GDPR

GDPR & Data Security at MedCom

At MedCom, we understand that patient trust is paramount — and that trust begins with robust data protection.

We are fully committed to upholding UK GDPR (General Data Protection Regulation) standards, ensuring all client and patient data is managed lawfully, securely, and transparently.

What Data Protection Laws Apply?

As a UK-based service supporting medical professionals, MedCom adheres to:

UK GDPR (post-Brexit version of the EU GDPR)

Data Protection Act 2018

PECR (Privacy and Electronic Communications Regulations) — where applicable to email/SMS communications

Caldicott Principles — where sensitive patient data may be processed on behalf of healthcare professionals

These regulations govern how personal and sensitive data — including names, health information, contact details, and booking records — must be processed with strict confidentiality and care.

How MedCom Supports GDPR Compliance

MedCom is built using a secure automation platform trusted by professionals worldwide. Here’s how your data is protected:

Data Hosting & Security

The automation platform uses ISO 27001-certified data centres and end-to-end encryption for all data transmissions.

Data is stored securely in UK or EU data centres (available upon client request), supporting data residency requirements.

Regular penetration testing and system audits ensure ongoing security.

Role-Based Access Controls

Each clinic or practice account is isolated to prevent unauthorised access.

Role-based permissions restrict access to only those who need it (e.g., consultants, secretaries).

GDPR Features Built-In

Consent tracking: All form submissions and communications can include opt-in checkboxes and audit trails.

Data portability: Clients can request export or deletion of data in line with subject access requests.

Right to be forgotten: Patients or clients may request their data be erased in accordance with UK GDPR.

Data processing addendums (DPAs): Available for clinics and hospitals needing formal agreements for compliance.

Optional Data Processing on Behalf of Clinics

If MedCom handles bookings or enquiries on your behalf, we act as a Data Processor under UK GDPR. You remain the Data Controller, and we follow your instructions on how data is used and stored.

Your Practice, Your Data, Always

We do not share, sell, or use your clinic’s data for any purpose beyond your explicit instructions. Every MedCom deployment is configured individually, ensuring:

Data only flows between your website, your communications, and your team

Full transparency for you and your patients

Request a Data Protection Agreement

We’re happy to provide:

A copy of our GDPR policy

A signed DPA (Data Processing Addendum)

Technical security details upon request