EU GDPR Compliance Policy
How PreConsult complies with European Union data protection requirements.
Last updated: 17 December 2025 | Version: 1.0
This policy explains how Slay Pty Ltd (ABN 59 686 642 366) trading as PreConsult complies with the General Data Protection Regulation (EU) 2016/679 (GDPR) when processing personal data of individuals in the European Union, including Ireland. This policy supplements our main Privacy Policy.
1. Scope and Application
1.1 When This Policy Applies
This EU GDPR Compliance Policy applies when PreConsult:
- Processes personal data of individuals located in the European Union (including Ireland)
- Provides services to healthcare organisations operating in the EU
- Offers goods or services to EU residents
- Monitors the behaviour of EU residents
1.2 Regulatory Framework
PreConsult complies with:
- General Data Protection Regulation (EU) 2016/679 (GDPR) - the primary EU data protection law
- ePrivacy Directive 2002/58/EC - for electronic communications and cookies
- National implementing legislation - including Ireland's Data Protection Act 2018
- Medical device regulations - where applicable to clinical decision support
1.3 EU Representative
EU Representative Status
As PreConsult is established outside the EU, we will appoint an EU representative under Article 27 GDPR before commencing EU operations. Details will be published here once appointed. For enquiries prior to this appointment, contact privacy@preconsult.ai.
1.4 Our Commitment
PreConsult is committed to:
- Processing personal data lawfully, fairly, and transparently
- Collecting data only for specified, explicit, and legitimate purposes
- Ensuring data is adequate, relevant, and limited to what is necessary
- Keeping data accurate and up to date
- Retaining data only as long as necessary
- Processing data securely with appropriate technical and organisational measures
- Demonstrating accountability through documentation and compliance measures
2. Data Controller and Processor Roles
2.1 PreConsult as Data Processor
For patient health information, PreConsult acts as a data processor on behalf of healthcare organisations (the data controllers). This means:
- The healthcare organisation determines the purposes and means of processing
- PreConsult processes data only on documented instructions from the controller
- We enter into Data Processing Agreements (DPAs) with all EU healthcare customers
- We provide assistance with data subject requests, breach notifications, and DPIAs
2.2 PreConsult as Data Controller
PreConsult acts as a data controller for:
- Practitioner and staff account information
- Business contact information for healthcare organisations
- Website visitor data and marketing communications
- Supplier and partner information
2.3 Data Processing Agreement (Article 28 Compliance)
EU healthcare organisations using PreConsult will receive a Data Processing Agreement (DPA) that fully complies with Article 28 GDPR requirements. Our DPA includes:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Obligations and rights of the controller
- Technical and organisational security measures (Article 32)
- Sub-processor arrangements and prior authorisation requirements
- International transfer mechanisms (including SCCs where applicable)
- Data breach notification procedures (within timeframes required by Article 33)
- Assistance with data subject rights requests (Article 28(3)(e))
- Assistance with DPIAs and prior consultation (Article 28(3)(f))
- Audit and inspection rights
- Deletion or return of data upon termination
Our EU-specific DPA template with Standard Contractual Clauses is available: EU Data Processing Agreement. Contact legal@preconsult.ai for customised agreements.
2.4 Records of Processing Activities (Article 30)
PreConsult maintains Records of Processing Activities (ROPA) as required by Article 30 GDPR. As a data processor, our records include:
- Name and contact details of the processor and each controller on whose behalf we act
- Categories of processing carried out on behalf of each controller
- International transfers and transfer mechanisms used
- A general description of technical and organisational security measures
Our ROPA is regularly reviewed and updated to ensure accuracy. Controllers may request relevant extracts of our ROPA relating to their data by contacting privacy@preconsult.ai.
3. Lawful Basis for Processing
3.1 Article 6 Lawful Bases
We rely on the following lawful bases under Article 6 GDPR:
| Processing Activity | Lawful Basis |
|---|---|
| Patient health information (as processor) | As instructed by controller (typically consent or legitimate interests) |
| Practitioner account management | Performance of contract (Article 6(1)(b)) |
| Service improvement and analytics | Legitimate interests (Article 6(1)(f)) |
| Legal compliance and audit | Legal obligation (Article 6(1)(c)) |
| Marketing communications | Consent (Article 6(1)(a)) or legitimate interests |
| Emergency situations | Vital interests (Article 6(1)(d)) |
3.2 Legitimate Interests Assessment
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) considering:
- Purpose test: Is there a legitimate interest behind the processing?
- Necessity test: Is the processing necessary for that purpose?
- Balancing test: Do the individual's interests override the legitimate interest?
LIA documentation is available upon request to EU data protection authorities.
4. Special Category Data
4.1 Health Data Processing
Health data is "special category data" under Article 9 GDPR, requiring additional protections. When processing health data, we rely on:
- Article 9(2)(h): Processing necessary for healthcare purposes, including medical diagnosis and the provision of health treatment
- Article 9(2)(a): Explicit consent where appropriate
4.2 Additional Safeguards
For health data, we implement additional safeguards:
- Processing only by or under the supervision of healthcare professionals
- Subject to professional confidentiality obligations
- Strict access controls and need-to-know restrictions
- Enhanced encryption and security measures
- Regular privacy impact assessments
5. Data Subject Rights
EU individuals have the following rights under the GDPR:
5.1 Right to Be Informed (Articles 13-14)
You have the right to clear, transparent information about how we use your data. This policy and our Privacy Policy fulfil this obligation.
5.2 Right of Access (Article 15)
You can request:
- Confirmation of whether we process your personal data
- A copy of your personal data
- Information about how and why we process it
We will respond within one month (extendable by two months for complex requests).
5.3 Right to Rectification (Article 16)
You can request correction of inaccurate personal data or completion of incomplete data.
5.4 Right to Erasure (Article 17)
You can request deletion of your data in certain circumstances. However, this right does not apply where processing is necessary for:
- Compliance with legal obligations
- Archiving in the public interest or scientific/historical research
- Establishment, exercise, or defence of legal claims
- Healthcare record retention requirements
5.5 Right to Restrict Processing (Article 18)
You can request restriction of processing while we verify accuracy, consider objections, or where processing is unlawful but you don't want erasure.
5.6 Right to Data Portability (Article 20)
You can receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
5.7 Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
5.8 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. See Section 11 for our approach to AI.
5.9 Exercising Your Rights
For patients: Contact your healthcare provider directly, as they are the data controller for your health information.
For practitioners and other individuals: Contact us at privacy@preconsult.ai or write to our Privacy Officer.
6. Data Residency and International Transfers
6.1 EU Data Residency
For EU healthcare organisations (including Ireland), PreConsult hosts primary data within the European Union:
Primary hosting location: Dublin, Ireland (eu-west-1)
This means your patient health information, clinical records, interview transcripts, and audit logs are stored and processed within the EU, ensuring compliance with GDPR requirements.
6.2 Limited International Transfers
While primary data remains in the EU, some processing may occur outside the EU in limited circumstances:
| Service | Destination | Transfer Mechanism |
|---|---|---|
| User authentication (centralised) | Australia | EU SCCs + encrypted session tokens only |
| AI Language Models (where EU not available) | USA | EU SCCs + explicit consent |
| SMS Delivery | USA | EU SCCs (minimal data: phone number, patient first name, clinic name) |
| Voice Processing (optional) | USA | EU SCCs + explicit consent |
Note: Patient health data and clinical records remain in the EU. Only authentication tokens and specific optional services involve international transfers.
6.3 Transfer Mechanisms
For any international transfers, we use the following approved mechanisms:
- Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914
- Adequacy decisions: Where available for the destination country
- Supplementary measures: Technical and organisational measures as recommended by the EDPB
6.4 Transfer Impact Assessments
We conduct Transfer Impact Assessments (TIAs) for international transfers, considering:
- The legal framework of the destination country
- Relevant government access laws and practices
- Effectiveness of supplementary measures
- Specific circumstances of the transfer
7. Data Security Measures
7.1 Technical Measures
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access controls: Role-based access, multi-factor authentication
- Network security: Firewalls, intrusion detection, DDoS protection
- Monitoring: Real-time security monitoring, anomaly detection
- Backup: Encrypted backups with tested recovery procedures
7.2 Organisational Measures
- Policies: Comprehensive information security policies
- Training: Regular staff training on data protection and security
- Access management: Need-to-know access, regular access reviews
- Vendor management: Security assessments for all sub-processors
- Incident response: Documented procedures for security incidents
7.3 Certifications and Standards
Our security practices align with:
- ISO 27001 Information Security Management principles
- OWASP security guidelines for web applications
- ENISA guidelines for cloud security
8. Data Retention
8.1 Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Patient health records | As per applicable national healthcare record requirements | Healthcare record-keeping requirements |
| Practitioner accounts | Duration of account + 2 years | Audit and legal compliance |
| Security logs | 12-24 months | Security monitoring and incident investigation |
| Marketing data | Until consent withdrawn + 6 months | Consent management |
8.2 Retention Review
We regularly review retained data and securely delete data that is no longer needed, unless retention is required by law.
9. Data Breach Procedures
9.1 Breach Detection and Assessment
We maintain procedures to detect, investigate, and assess personal data breaches, including:
- 24/7 security monitoring
- Incident reporting channels for staff
- Breach assessment criteria and escalation procedures
9.2 Notification to Supervisory Authority
Where a breach is likely to result in a risk to individuals' rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Provide details of the breach, likely consequences, and mitigation measures
- Update the notification if further information becomes available
9.3 Notification to Data Controllers
As a data processor, we will notify affected data controllers (healthcare organisations) without undue delay upon becoming aware of a breach affecting their data.
9.4 Notification to Individuals
Where a breach is likely to result in a high risk to individuals' rights and freedoms, we will (or assist the controller to) notify affected individuals directly.
10. Data Protection Impact Assessments
10.1 When DPIAs Are Conducted
We conduct Data Protection Impact Assessments for processing that is likely to result in high risk, including:
- Large-scale processing of health data
- Use of new technologies (including AI)
- Systematic monitoring of individuals
- Processing that could affect individuals' access to services
10.2 DPIA Process
Our DPIA process includes:
- Description of processing operations and purposes
- Assessment of necessity and proportionality
- Assessment of risks to individuals
- Measures to address and mitigate risks
- Review and approval by appropriate personnel
10.3 Consultation
We will consult with the relevant supervisory authority prior to processing if a DPIA indicates high residual risk that cannot be mitigated.
11. AI and Automated Decision-Making
11.1 Our Approach to AI
PreConsult uses AI to support clinical decision-making. Our approach ensures compliance with Article 22 GDPR:
- No solely automated decisions: All AI outputs are suggestions requiring human review
- Human-in-the-loop: Qualified practitioners must review and approve AI suggestions
- Meaningful human oversight: Practitioners exercise genuine discretion, not rubber-stamping
- No legal or significant effects: AI suggestions do not directly determine treatment or access to services
11.2 Regional Feature Availability
Important: Due to EU medical device regulations, some clinical decision support features may not be available in the EU:
- Differential diagnosis (DDx) and management (Mx) suggestions are not currently available in the EU
- PreConsult provides AI-powered history collection, clinical summaries, and practitioner-authored documentation tools
11.3 AI Transparency
We provide transparency about AI use:
- Clear labelling of AI-generated content
- Information about how AI suggestions are generated
- Explanation of AI limitations in our Usage Policy
11.4 Your Rights Regarding AI
Where AI is involved in processing your data, you have the right to:
- Be informed about the use of AI in processing
- Request human review of any decision that significantly affects you
- Express your point of view and contest decisions
- Request meaningful information about the logic involved
12. Sub-Processors
12.1 Sub-Processor Categories
We use sub-processors in the following categories for EU data:
| Service Category | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Cloud Infrastructure | Hosting and data storage | Ireland (EU) | N/A (no transfer) |
| AI Language Models | Conversational AI and clinical summaries | EU or USA | EU SCCs where required |
| SMS Delivery | Interview invitation messages | USA | EU SCCs + supplementary measures |
| Voice Processing | Voice interview services (optional) | USA | EU SCCs + explicit consent |
| Email Delivery | Transactional emails | EU or USA | EU SCCs where required |
| User Authentication | Account credentials and login sessions | Australia (centralised) | EU SCCs (encrypted tokens only) |
A detailed list of specific sub-processors is available to EU healthcare organisations upon request as part of our Data Processing Agreement.
12.2 Sub-Processor Changes
Data controllers have the right to object to new sub-processors. We will:
- Notify controllers of any intended changes to sub-processors
- Provide reasonable time (typically 30 days) to raise objections
- Work with controllers to address legitimate concerns
13. Contact and Complaints
13.1 Contact Details
Data Protection Contact:
Slay Pty Ltd (trading as PreConsult)
ABN 59 686 642 366 | ACN 686 642 366
Email: privacy@preconsult.ai
Address: Melbourne, Australia
13.2 EU Representative
Details of our appointed EU representative will be published here before commencing EU operations. For enquiries, contact privacy@preconsult.ai.
13.3 Supervisory Authorities
You have the right to lodge a complaint with a supervisory authority. Key contacts include:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie
Phone: +353 (0)1 7650100 / +353 (0)578 684 800
European Data Protection Board
Website: edpb.europa.eu
The EDPB website provides links to all EU member state supervisory authorities.
We encourage you to contact us first so we can try to resolve your concern directly.
Further Information
For more information about how we protect your data, please see our main Privacy Policy. For UK-specific information, see our UK GDPR Compliance Policy. For questions about this EU GDPR Compliance Policy, contact privacy@preconsult.ai.