GDPR Art. 37 · Designation

Data Protection Officer

PISUM has formally designated a Data Protection Officer in accordance with GDPR Art. 37. The DPO is your independent point of contact for all privacy and data rights matters.

Designated: May 2026 · GDPR Art. 37–39

PISUM — Data Protection Officer
Designated DPO · GDPR Art. 37 · Since May 2026
support@pisum.app — subject: [DPO]
Response within 30 days (GDPR Art. 12)
Encrypted email (ProtonMail)

01 Formal designation

In accordance with GDPR Art. 37(1)(c), PISUM has designated a Data Protection Officer. The designation is mandatory because PISUM's core activities involve large-scale processing of special-category data (GDPR Art. 9) — specifically, radiology-related health data and voice audio streams that may include health-adjacent content.

Why a DPO is mandatory for PISUM

Criterion | GDPR reference | Applies to PISUM
Large-scale processing of special category data | Art. 37(1)(c) | Yes — health data in reports; voice audio dictation
Processing requires regular, systematic monitoring | Art. 37(1)(b) | Yes — subscription management, AI features monitoring
Processing involving sensitive categories at scale | Art. 9 + Art. 37 | Yes — Art. 9(2)(h) health care context

Designation scope. The DPO is designated for all processing activities conducted by PISUM as data controller, including: account management (Supabase), voice dictation (Deepgram), and the local patient database tool (SQLite). The DPO is also available to institutional users (clinics, hospitals) who use PISUM and have questions about their own compliance.

02 DPO tasks (GDPR Art. 39)

The PISUM DPO performs all tasks mandated by GDPR Art. 39:

1. Informing and advising

The DPO informs and advises PISUM and its employees of their obligations under GDPR and applicable national data protection law. This includes advising on new features before release, reviewing consent dialogs, and assessing sub-processor agreements.

2. Monitoring compliance

The DPO monitors PISUM's compliance with GDPR, including the assignment of responsibilities, raising awareness, training of staff, and the related audits. Monitoring activities include:

  • Annual review of all consent texts and privacy notices.
  • Review of sub-processor DPAs (Supabase, Deepgram).
  • Monitoring the incident log for events requiring Art. 33 notification.
  • Reviewing the DPIA annually and on any significant change to processing.

3. DPIA cooperation

The DPO provides advice and monitors the Data Protection Impact Assessment (DPIA) required by Art. 35 for PISUM's high-risk processing activities. The DPO reviewed and endorsed the PISUM DPIA v1.0 (May 2026) — see pisum.app/dpia.html.

4. Cooperating with supervisory authority

The DPO acts as the primary contact point for the supervisory authority (CNIL for France; INPDP for Tunisia) on all processing matters. In the event of a data breach, the DPO coordinates the Art. 33 notification within 72 hours.

5. Data subject requests

The DPO receives, processes, and responds to data subject requests (access, erasure, portability, objection, rectification) within the 30-day deadline specified by GDPR Art. 12. The DPO maintains a register of all requests received.

03 Independence guarantee (Art. 38)

GDPR Art. 38 requires that the DPO acts independently and is not dismissed or penalized for performing their tasks. PISUM guarantees the following:

  • No conflict of interest: The DPO does not hold any role within PISUM that could conflict with data protection responsibilities (Art. 38(6)).
  • Reporting directly to management: The DPO reports directly to the highest management level (Art. 38(3)) and is not subject to instructions regarding the performance of their tasks.
  • Adequate resources: The DPO is provided with sufficient time, resources, and access to personal data and processing operations to maintain expert knowledge (Art. 38(2)).
  • Confidentiality: The DPO is bound by secrecy and confidentiality regarding the performance of tasks (Art. 38(5)).
  • No dismissal for performance of tasks: The DPO shall not be dismissed or penalized for performing their data protection tasks (Art. 38(3)).
Independence in practice. The DPO reviewed and approved the Deepgram benchmarking risk disclosure in PISUM v2.x — including the requirement to obtain explicit consent before voice dictation and the mandate to sign a DPA with Deepgram within 90 days. This decision was made independently of commercial considerations.

04 Contact the DPO & exercising your rights

Any user, patient, or third party may contact the PISUM DPO directly to:

  • Exercise data subject rights (access, erasure, portability, rectification, objection)
  • Ask questions about PISUM's data processing practices
  • Report a suspected data protection violation
  • Request a copy of the DPIA or sub-processor list
  • Lodge a complaint about how PISUM handles personal data

Channel | Details | Response time
Email (DPO) | support@pisum.app — subject: [DPO] | Maximum 30 days (GDPR Art. 12). Complex requests: 60 days with notice.
General contact | pisum.app/contact.html | Within 5 business days for general inquiries
Breach reporting | support@pisum.app — subject: [BREACH] | DPO acknowledges within 24 hours; Art. 33 notification within 72 hours

Right to lodge a complaint with a supervisory authority. If you believe your rights under GDPR have not been respected, you have the right to lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement, whether or not you have contacted the DPO first.

— France: CNIL — www.cnil.fr
— Tunisia: INPDP — www.inpdp.nat.tn
— Algeria: Commission nationale de protection des données personnelles (CNPDP)
— Morocco: Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP)

05 Notification to supervisory authority

GDPR Art. 37(7) requires the controller to publish the contact details of the DPO and communicate them to the supervisory authority. PISUM has notified the relevant supervisory authority of the DPO designation as follows:

Authority | Jurisdiction | Status
CNIL (France) | EU — primary supervisory authority | DPO designation communicated — May 2026
INPDP (Tunisia) | Tunisia | Notification filed — May 2026

DPO register. The DPO maintains a register of all processing activities (Art. 30 record of processing activities / ROPA) and all data subject requests. This register is available to the supervisory authority upon request.

06 Formal designation act

Designation of Data Protection Officer

By this formal designation act, PISUM hereby designates the Data Protection Officer identified below, in accordance with Regulation (EU) 2016/679 (GDPR) Art. 37(1)(c).

The designated DPO accepts this designation and acknowledges the tasks defined in GDPR Art. 39, the independence guarantee of Art. 38, and the obligation of confidentiality under Art. 38(5).

This designation is effective immediately and shall remain in force until revoked in writing by PISUM management or the DPO. Any change in DPO shall be communicated to the relevant supervisory authority without undue delay.

The DPO's contact details are published at pisum.app/dpo.html in compliance with Art. 37(7).

PISUM
May 2026
GDPR Art. 37(1)(c)

Related compliance documents:

  • Privacy Policy — full data processing disclosure (GDPR Art. 13)
  • DPIA — Data Protection Impact Assessment (GDPR Art. 35)
  • Terms of Service — software license agreement