RxEPA GDPR Compliance

What it is, what we are doing, and what you can do

The GDPR became enforceable on May 25, 2018, and increased oversight for global privacy rights and compliance. At RxEPA, we have embraced GDPR requirements, and this guide is intended to help our customers understand RxEPA’s GDPR posture.
Note: This is not intended as a comprehensive legal analysis of GDPR.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European data protection and privacy law:

  • Adopted: April 14, 2016
  • Effective: May 25, 2018 (after a 2-year preparation period)

It replaced the earlier EU Directive 95/46/EC and introduced a unified, stronger privacy framework across all EU member states. Unlike its predecessor, the GDPR applies immediately in all member states without the need for local laws.

Key purpose: Strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, treating privacy as a fundamental human right.

How does the GDPR work?

Major principles and changes under GDPR:

  1. Expansion of scope
    • Applies to all organizations in the EU.
    • Applies globally to organizations processing EU citizens’ data (“extraterritoriality”).
  2. Expanded definitions
    • Broader definition of personal data and special categories of data.
  3. Expanded individual rights
    • Right to be forgotten – Request deletion of personal data.
    • Right to object – Prohibit certain uses of personal data.
    • Right to rectification – Request correction of incomplete or incorrect data.
    • Right of access – Know what personal data is being processed and how.
    • Right of portability – Request transfer of data to another organization.
  4. Stricter consent requirements
    • Consent must be explicit and specific to each purpose.
    • Silence, inactivity, or pre-ticked boxes do not count as consent.
    • Separate consent required for different processing activities.
  5. Strict processing requirements
    Organizations must provide fair and transparent information about processing, including:
    • Contact details for the data controller
    • Purpose of data collection (purpose limitation)
    • Data minimization – only collect what is necessary
    • Retention limits – keep data only as long as needed
    • Legal basis – valid grounds such as contract, consent, or legitimate interest

Who Does GDPR Affect?

GDPR applies broadly to:

  • Any organization operating in the EU (controllers and processors).
  • Any organization outside the EU offering goods/services to EU residents or monitoring their behavior.

This is the principle of extraterritoriality.

Key Definitions

  • Data Subject: Any identifiable natural person (not limited to EU citizens). Can be identified by name, ID, location, IP, or other personal identifiers.
  • Personal Data: Any information relating to a data subject (e.g., names, emails, IP addresses, financial data, biometric data, location, etc.). Even pseudonymized data may qualify.
  • Special Categories of Data: Sensitive data (e.g., health, race, religion) requiring stronger safeguards.
  • Processing: Any operation performed on personal data (collection, storage, use, transfer, deletion, etc.).
  • Controller: Determines purpose and means of processing.
  • Processor: Processes data on behalf of the controller.

In most cases:

  • You (RxEPA customer) = Controller
  • RxEPA = Processor

How Does RxEPA Comply with GDPR?

We began preparing for GDPR well before enforcement and continue to monitor updates. Compliance is an ongoing commitment.
Our efforts include:

  • Reviewing and updating internal processes, procedures, systems, and documentation.
  • Supporting customer requests regarding GDPR rights.
  • Monitoring developments such as the Schrems II decision on EU-US data transfers.
  • Using Standard Contractual Clauses (SCCs) where applicable for data transfers.
  • Engaging with third-party subprocessors only after due diligence and requiring them to maintain minimum security practices.

Supporting Individual Rights

  • Right to be forgotten – Customers can terminate their RxEPA account anytime.
  • Right to object – Option to opt out of data science projects.
  • Right to rectification – Update account settings or contact us to correct data.
  • Right of access – Transparency via our Privacy Policy; contact us for details.
  • Right of portability – Request export of account data to a third party.

How RxEPA Processes Data

We use third-party Sub-processors for services such as:

  • Business analytics
  • Cloud infrastructure
  • Email notifications
  • Payments
  • Customer support

We maintain an up-to-date list of subprocessors on our website.

Do You Need to Comply with GDPR?

Yes, if your organization processes the personal data of EU residents. Because of GDPR’s broad extraterritorial reach, many non-EU organizations are subject to it.

We strongly recommend that all customers consult with legal or professional advisors regarding their GDPR obligations.

Risks of Non-Compliance

Failure to comply with GDPR can result in severe penalties:

  • Fines up to €20 million or 4% of global annual turnover, whichever is higher.

Key Takeaway

  • RxEPA is HIPAA compliant and aligned with GDPR requirements.
  • We act as a processor, while our customers remain controllers.
  • Compliance is a shared responsibility – we provide tools, safeguards, and support, while customers ensure they meet their own obligations.

For more information, review our Privacy Policy or contact [email protected]

GDPR Requirements and Actions Taken

  • Lawful Basis
    • GDPR Reference: Article 6, Article 11
    • Actor(s): Shared
    • Actions Taken: RxEPA: Establishes a lawful basis to process personal data. Data Subject: Provides consent where consent is the lawful basis.
  • Processing children’s personal data
    • GDPR Reference: Article 8
    • Actor(s): RxEPA
    • Actions Taken: Does not distinguish between different types of personal data and does not knowingly collect children’s personal data.
  • Data protection by design
    • GDPR Reference: Article 25
    • Actor(s): Shared
    • Actions Taken: RxEPA: Collects only the minimum personal data necessary for operations. Customer: Manages content within the RxEPA platform.
  • Data Protection Impact Assessments
    • GDPR Reference: Article 35
    • Actor(s): Shared
    • Actions Taken: RxEPA: Assigns responsible staff to perform necessary DPIAs. Customer: Determines what content is shared with business partners and may assist RxEPA as processor.
  • Encryption
    • GDPR Reference: Article 32
    • Actor(s): Shared
    • Actions Taken: RxEPA & Customer: Ensure security compliance. All personal data is encrypted in transit and at rest using AES-256 encryption.
  • European Data Protection Board
    • GDPR Reference: Article 68
    • Actor(s): Shared
    • Actions Taken: RxEPA & Customer: Monitor EDPB guidance and adapt practices accordingly.
  • Personal data inventory
    • GDPR Reference: Article 30
    • Actor(s): Shared
    • Actions Taken: RxEPA & Customer: Maintain required records of processing activities.
  • Right to erasure
    • GDPR Reference: Article 17
    • Actor(s): Shared
    • Actions Taken: RxEPA: Staff appointed to respond to erasure requests. Data Subject: Exercises their right to erasure as facilitated by RxEPA.