International Transfers of Data

General Data Protection Regulation (GDPR)

The GDPR (General Data Protection Regulation) is a new EU regulation replacing the 1995 EU Data Protection Directive (DPD), to significantly enhance the protection of personal data of EU citizens. It increases the obligations on organizations who collect or process personal data.

This regulation will go into effect on May 25th, 2018. It builds on many of the 1995 Directive’s requirements for data privacy and security, but also includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.


The GDPR sets forth certain Privacy Guidelines to enhance the protection of data for European citizens. These Privacy Guidelines apply to all personal data MEDITECH receives from Europe, regardless of the medium or format in which the information is stored.

Data processing roles

MEDITECH plays two separate roles when processing personal data transferred from Europe, that of (1) Data Controller, and (2) Data Processor.

MEDITECH as a Data Controller

As a data controller, MEDITECH determines the purposes for, and the manner in which, it collects, stores, and processes relevant personal data.

MEDITECH collects and processes personal data relating to its customers, vendors, partners and associates. Personal data collected from, and processed by, customers, vendors, and partners is limited to what is necessary in the business relationship, e.g. name, contact details, payment records, contracts, and business correspondence.

MEDITECH as a Data Processor

As a data processor, MEDITECH processes personal data for its customers who are data controllers, leveraging our MEDITECH EHR system. In this capacity, MEDITECH does not own or determine the purposes for which it processes personal data.

MEDITECH’s customers, as data controllers, collect data and determine the purpose for which it is processed. MEDITECH receives and processes personal data for, and at the instruction of, its customers, and in such circumstances has no direct relationship with the individuals to whom such personal data relates. As a data processor acting on behalf of MEDITECH customers who are data controllers, MEDITECH is required to perform services in accordance with its contract with each customer.

Data integrity and purpose limitation

MEDITECH processes personal data only in a way that is compatible with, and relevant to, the purpose for which it was collected, or subsequently authorized by the customer data controller or individual. To the extent necessary for those purposes, MEDITECH takes reasonable steps to ensure that personal data is reliable for its intended use, as well as accurate, complete, and current.


MEDITECH acknowledges that, subject to certain legal limitations, individuals have the right to access their own personal information/data, which we maintain as a controller. Any individual who seeks access, or who seeks to correct, amend, or delete inaccurate data held by MEDITECH as a data controller, should direct his query to the authorized representative (contact information listed below). MEDITECH will respond to such requests within a reasonable timeframe. When acting as a data processor, MEDITECH supports any access requests addressed to a MEDITECH customer.

Right to withdraw consent

If you have given us your consent to process your data, you also have the right to withdraw your consent at any time. If you want to withdraw your consent, please contact the MEDITECH representative listed below.  

Right to lodge a complaint

MEDITECH hopes that we can resolve any query or concern you raise about our use of your information.  

Customers have the right to file a complaint concerning our processing of their personal data. All queries and complaints shall be handled in a timely manner by the MEDITECH representative in accordance with internal procedures.

The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live, or where any alleged infringement of data protection laws occurred.  

Contact Information

MEDITECH commits to resolve complaints about your privacy and our collection or use of your personal information. European residents with inquiries or complaints regarding this privacy notice or our compliance should first contact MEDITECH as follows:

In Europe:

Charlotte Scott
Corporate Services Executive 
Head Office
One Northumberland Avenue, London WC2N 5BW
+44 (0) 7811 946890 

In US:

Phil Polimeno 
Data Protection Officer, Associate Vice President, Information Technology & Facility Operations
7 Blue Hill River Road
Canton, MA 02021