Last Updated: May 15, 2019
This FAQ contains important information about data protection, privacy, and, in particular, how Butterfly addresses compliance with the European Union's General Data Protection Regulation ("GDPR"). It also aims to better inform our customers, medical professionals (like you), regarding the patient data you provide to Butterfly.
What is the GDPR?
The General Data Protection Regulation ('GDPR') is the comprehensive European Union (EU) data protection law that took effect on May 25, 2018. The GDPR applies to persons or organizations processing personal data about EU data subjects, which includes Butterfly and its customers.
What personal data do we process?
In connection with our Services, medical professionals can upload and host within the Butterfly Platform certain patient data. This may include the patient's name, gender, date of birth and MRN, as well as the scans captured through the IQ Device. It may also include the medical professional's clinical notes on the patient and their scans. All patient data processed by Butterfly within its platform ("Patient Data") is considered personal data, and the EU, and many countries outside the EU, have laws which protect the collection, use, storage and transfer of the personal data of their citizens. In fact, Patient Data is in many places treated as sensitive data (or "special category data") and is therefore subject to elevated protection and compliance requirements, including under the GDPR.
Butterfly has however taken steps so that its customers can confidently capture and store Patient Data using the Butterfly Services.
What are the relevant roles of Butterfly, the patient, and medical professionals under GDPR?
When medical professionals transmit Patient Data to Butterfly they (or the hospital they work for) are the controller, Butterfly is the processor, and the patient is the data subject.
Butterfly sometimes acts as a controller in its relationship with medical professionals, for example when Butterfly collects information about medical professionals for the purposes of marketing, sales and managing the relationship with the medical professional (or the hospital they work for).
What is Butterfly doing to comply with and help its customers comply with the GDPR?
Butterfly has embarked on a compliance project with support from specialist external advisors to address GDPR compliance. Specific measures we have taken include:
Butterfly Network is committed to addressing GDPR compliance and understands the importance of this to its customers.
How does Butterfly Network comply with EU data export laws?
EU data protection law prohibits the export of personal data outside of the European Economic Area ("EEA") to non-EEA recipients, unless certain safeguards are in place.
Butterfly Network is headquartered in the United States, though it offers its Services to customers around the world, including medical professionals located in the EEA. Therefore, Butterfly will process personal data that originates from the EEA on its servers and facilities in the United States. To ensure compliance with EU data export laws, Butterfly signs the EU Standard Contractual Clauses (also sometimes called "Model Clauses") with its EU customers. These are standard form data export terms that have been pre-approved by the European Commission, and by signing them Butterfly commits to protect personal data (including Patient Data) it receives from its EU customers to EU data protection standards.
[In addition, Butterfly is currently in the process of self-certifying to the EU-US and Swiss-US Privacy Shield to facilitate the lawful transfer of data from the EEA and Switzerland to Butterfly for processing in the United States.]
What about third parties who work with Butterfly?
When Butterfly contracts with a third party that in any way interacts with Patient Data, Butterfly first requires that these third parties pass a security and risk assessment to ensure they uphold the same standards as Butterfly with respect to personal data. In addition, GDPR requires that these companies are contractually obligated to implement and uphold equivalent security measures to protect Patient Data.
Our current list of sub-processors is as follows. As our business grows and evolves, the sub-processors we engage may also change. Please check back frequently for updates.