GDPR compliance

Levvel Health’s Remote Patient Monitoring solution (levvel.connect) can comply with GDPR regulations as explained here:
Consent and legal basis for processing
Levvel Health assures that all patients can give their consent to data processing upon initial contact.
Such consent will be stored in the record permanently, or until the patient requests full deletion of data. In addition to consent from the patient, it is the responsibility of Levvel Health’s clients to provide a legal basis for processing – in accordance with the intended use of the provided Levvel Health solution.
Data control
To preserve subjects’ privacy, Levvel Health must:
  • Only process data for authorized purposes
  • Ensure data accuracy and integrity
  • Minimize the exposure of subject identities, and
  • Implement data security measures.
Levvel Health has a fully encrypted database, and encryption keys are stored separately from the actual database, resulting in full pseudonymisation compliance.
The solution is developed and released as a fully certified ISO 13485:2016 system, which ensures full data control. Every component of the Levvel Health solution is extensively analysed with regard to patient risk, and the conclusion is documented.
Data security
Data security goes hand-in-hand with data control. GDPR puts security at the service of privacy. To preserve subjects’ privacy, organizations must implement:
  • Safeguards to keep data for additional processing
  • Data protection measures, by default
  • Security as a contractual requirement, based on risk assessment, and encryption
Levvel Health has implemented full end-to-end encryption with the highest possible encryption level (256-bit AES). Read more about the legal requirements here:
Right to erasure and access
Subject data cannot be kept indefinitely. GDPR requires organizations to completely erase data from all repositories when:
  • Data subjects revoke their consent
  • A partner organization requests data deletion, or
  • A service or agreement comes to an end
It is worth noting, however, that if there are legal reasons — specified in the regulation — an organization can retain and process a subject’s data. Exceptions are few, however. Levvel Health supports the ability to allow any patient or user full access to all data stored in the system. All data can be exported to ensure full portability as well. Furthermore, Levvel Health supports the ability to erase a patient’s data if so requested and if the request is legal according to data processing location, institution and country.
Risk mitigation and due diligence
Organizations must assess the risks to privacy and security, and demonstrate that they’re mitigating them. This requires they:
  • Conduct a full risk assessment
  • Implement measures to ensure and demonstrate compliance
  • Proactively help third-party customers and partners to comply, and
  • Prove full data control
The Levvel Health platform is developed under EN ISO 13485:2016, which implements absolute and fully documentable risk analysis, compliance and data control. The same EN ISO 13485:2016 certification regulates all changes and provides assistance to proactively support partners who are in compliance too.
Levvel Health has full control and tracking of data in an unbroken chain from user to clinician.
Because of the EN ISO 13485:2016 QMS in use, Levvel Health can document all changes throughout the system, and roll back to previous versions on demand as a part of a recall or breach procedure.
Data protection is designed into the system as a default, which is documented by the EN ISO 13485:2016 implementation and can be audited by third parties. Default security is the highest level. Any changes to data processing are likewise fully documented at any time.
Breach notification
When a security breach threatens the rights and privacy of a data subject or subjects, organizations must:
  • Notify authorities within 72 hours
  • Describe the consequences of the breach, and
  • Communicate the breach directly to all affected subjects
Levvel Health’s EN ISO 13485:2016 QMS implements a full set of procedures for recall and for handling data breaches, including whom to notify within the relevant time limits.
Records of Activity
As an integral part of the solution, Levvel Health has implemented full audit logs for all activities in the system, including ID of operator and patient. Audit logs can be reviewed at will.
Levvel Health hereby submits full GDPR compliance.

Jesper Lodahl, CEO 
Levvel Health ApS
Deborah Cooley, Data Protection Officer & Customer Advocate
Levvel Health ApS


Levvel Health ApS
Savsvinget 7, DK-2970 Hørsholm, Denmark
+45 7071 3383

VAT NO.: 41230134


Co-funded by the European Union's Horizon 2020 research and innovation programme