Data Processing Record (Article 30 GDPR)

Transparency record of personal data processing activities

Last updated: December 2024


GDPR Article 30 Compliance

This record is maintained in compliance with GDPR Article 30 requirements for data controllers to maintain records of processing activities. It is available for supervisory authority inspection upon request.

1. Data Controller Information

**Name:** Dr. Katiuscia Mercogliano
**Profession:** Licensed Mental Health Therapist
**Contact:** privacy@doctorktherapy.com
**Address:** [Professional Practice Address]
**Registration:** [Professional License Number]
**DPO Contact:** privacy@doctorktherapy.com

2. Purposes of Processing

**Primary Purposes:**
• Providing online psychotherapy services
• Managing patient appointments and scheduling
• Maintaining clinical records for continuity of care
• Processing payments for services
• Communication regarding treatment

**Legal Basis:**
• Consent (Art. 6(1)(a) GDPR) - for therapy services
• Contract (Art. 6(1)(b) GDPR) - service delivery
• Legal obligation (Art. 6(1)(c) GDPR) - professional record keeping
• Legitimate interests (Art. 6(1)(f) GDPR) - administrative purposes

**Special Category Data (Art. 9 GDPR):**
• Processing health data for healthcare purposes
• Legal basis: Art. 9(2)(h) - healthcare provision
• Consent obtained for all therapy-related processing

3. Categories of Personal Data

**Identity Data:**
• Full name, date of birth
• Contact information (email, phone)
• Emergency contact details

**Health Data (Special Category):**
• Mental health symptoms and concerns
• Treatment history and current medications
• Therapy session notes and records
• Progress assessments and treatment plans
• Risk assessments and safety planning

**Technical Data:**
• IP addresses and session logs
• Device and browser information
• Platform usage statistics (anonymized)

**Financial Data:**
• Payment transaction records
• Billing information and invoices
• Package purchase history

**Communication Data:**
• Email correspondence
• Appointment scheduling communications
• Session recordings (with explicit consent)

4. Categories of Recipients

**Internal Recipients:**
• Dr. Katiuscia Mercogliano (primary therapist)
• Administrative staff (appointment scheduling only)

**External Recipients:**
• PayPal (payment processing) - EU-US adequacy decision
• Google Workspace (email, calendar) - EU-US DPA
• Hosting providers (encrypted data storage) - EU-based
• Professional supervisors (anonymized data for clinical supervision)

**Conditional Recipients:**
• Medical professionals (with explicit consent for referrals)
• Emergency services (only in imminent risk situations)
• Legal authorities (only when legally required)

**No data is shared without legal basis or explicit consent.**

5. Data Retention Periods

**Clinical Records:** 10 years after last contact
• Required by professional standards for mental health records
• Ensures continuity of care if treatment resumes
• Allows for legitimate follow-up and outcome tracking

**Administrative Records:** 7 years after last service
• Appointment histories and scheduling data
• Payment records and financial documentation
• General correspondence and administrative notes

**Technical Logs:** 1 year maximum
• Security logs and access records
• Platform usage statistics
• Error logs and system diagnostics

**Communication Records:** 3 years
• Email correspondence related to treatment
• Appointment confirmations and reminders
• Non-clinical administrative communications

**Deletion Process:** All data is securely deleted using cryptographic erasure methods after retention periods expire. Backups are included in deletion schedules.

6. Security Measures (Article 32 GDPR)

**Technical Measures:**
• AES-256 encryption for all data at rest
• TLS 1.3 encryption for all data in transit
• Multi-factor authentication for all admin access
• Regular automated backups with encryption
• Secure data centers with 24/7 monitoring
• Regular security vulnerability assessments

**Organizational Measures:**
• Staff training on GDPR and data protection
• Incident response procedures and breach protocols
• Regular policy reviews and updates
• Access controls based on the need-to-know principle
• Data minimization policies and procedures
• Privacy by design in all system implementations

**Pseudonymization:**
• Patient identifiers separated from clinical data where possible
• Statistical analysis performed on anonymized datasets
• Research and quality improvement use anonymized data only

**Data Protection Impact Assessments:**
• Conducted for all high-risk processing activities
• Regular reviews of processing activities for compliance
• Third-party processor agreements include GDPR requirements

7. International Data Transfers

**Primary Data Storage:** European Union
All patient data is stored within EU data centers with GDPR compliance.

**Third-Party Processors:**
• **PayPal:** EU-US adequacy decision provides adequate protection
• **Google Workspace:** Standard Contractual Clauses (SCCs) in place
• **Backup Services:** EU-based providers with GDPR compliance

**Transfer Safeguards:**
• Standard Contractual Clauses for all non-EU transfers
• Regular assessment of adequacy decisions
• Encryption requirements for all transferred data
• Right to object to international transfers

**No data transfers to countries without adequate protection measures.**

8. Monitoring and Review

**Regular Reviews:**
• Quarterly review of processing activities
• Annual comprehensive GDPR compliance audit
• Continuous monitoring of data protection measures
• Regular assessment of third-party processors

**Breach Detection:**
• Automated monitoring systems for unauthorized access
• Regular log analysis and anomaly detection
• Staff training on identifying potential breaches
• 24-hour breach notification procedures

**Compliance Verification:**
• Internal audits of data processing activities
• Third-party security assessments annually
• Staff competency assessments on data protection
• Documentation and record-keeping validation

**Updates and Changes:** This record is updated whenever processing activities change, at minimum annually, and is available for supervisory authority inspection.

GDPR Compliant Processing

All data processing activities described in this record are conducted in full compliance with GDPR requirements, professional standards, and applicable healthcare regulations.

Dr. Katiuscia Mercogliano • Data Controller • Last Review: December 2024 • Next Review: December 2025