The Times They Are a-Changin’

Information and guide to the
EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) applies as of 25 May 2018. The aim and objective of the EU General Data Protection Regulation is to protect the personal data of all persons who are located in the European Union. It specifies how the personal data of EU citizens must be handled by all enterprises, public authorities and organisations – regardless of where they are located – which collect, process and analyse their data. It strengthens the rights of all EU citizens in respect of their personal data and gives them more control over their personal data. 

The EU General Data Protection Regulation means, first of all, a great deal of work for all veterinary practices, organisations and enterprises operating in the veterinary sector. In order to make it a bit easier for you to deal with the EU General Data Protection Regulation, we have summarised the most important changes contained in the GDPR and developed a guide for implementing the GDPR.

At the same time, we have updated our own privacy policy and added a new page to our website providing an overview of data protection. We hope that our offer helps you to more easily and more effectively prepare for the GDPR and to process and protect the data of your customers, partners and employees in compliance with the EU General Data Protection Regulation.

What is personal data?

According to the EU General Data Protection Regulation, personal data is any information which, when correlated with a person, can provide insight into that person’s physical, physiological, genetic, mental, economic, cultural or social identity. These are general personal identifiers such as an individual’s name, date of birth and age, place of birth, address, email address or telephone number, identification numbers such as a passport number, national insurance number or tax identification number, banking information such as a person’s bank account number, account balances or credit card information, online data such as IP addresses or location data, physical characteristics such as sex, skin, hair or eye colour or clothing size, and ownership information related to property such as cars, real estate or vehicle registration plates. Employer or other references, income, assets and debts are also classified as personal data, as is all data which allows a person to be identified. Personal data concerning an individual’s sexual orientation, health status, political opinions, race or ethnic origin, trade union membership and religious and philosophical beliefs enjoys special protection.

The most important changes for people

Your employees, your customers and all other persons who you work with in veterinary practices, organisations and enterprises have the right to receive information about the nature and scope of the processing of their personal data. They can object to the processing of their personal data and request the alteration, restriction, transmission and deletion of their personal data. Furthermore, they can withdraw the declaration of consent they gave pursuant to data protection law at any time.

The most important changes for enterprises

Your veterinary practice and all veterinary practices, organisations and enterprises you work with are obligated to document the processing of personal data in writing, to protect personal data with appropriate security measures and to inform public authorities of any breaches of personal data immediately. You must clearly indicate that personal data is being collected, give precise information on the purpose and scope of the processing of the personal data, and specify how you store, alter, transmit and delete personal data. Furthermore, you must appoint and train a data protection officer and update your privacy policy and any contracts you may have in place with other veterinary practices, organisations und enterprises.


Guide for implementing the GDPR

To enable you to more easily implement the extensive requirements of the EU General Data Protection Regulation concerning the collection, storage and use of personal data, we recommend the following steps:

Find out what personal data you administrate, where you store personal data and whether you transmit personal data. Remember to think of the personal data of your employees (personnel files, time recording systems, rosters, tax advisors, email programs, documents containing personal data, websites, photos, quality management systems or practice management software), your customers (registration forms, practice management software, diagnostic equipment, examination forms for laboratory tests, teleradiology and hereditary diseases, photos or websites) and all veterinary practices, organisations und enterprises (third parties) who you work with (the contact details of your contact person, bank transfers/reverse transfers or contracts). 

If you use VetZ products, you will find personal data in easyVET, easyIMAGE, XDR, XCR, vetsXL.com and petsXL.com.

Specify which personal data you process, how personal data is used, who can access personal data and to whom you transmit personal data. To do this, you, as the controller, must prepare a written record (your data governance policy or, in the language of the GDPR: a documentation of your processing activities) where you describe in a detailed and structured way how you ensure that the processing of personal data in your practice, your enterprise or your organisation is compliant with the GDPR. This document enables you to show to your employees, customers and third parties that you are transparent and to protect yourself in matters of data protection law. The document must contain a list of all the applications, procedures and files you use when processing personal data (examples can be found in Step 1). It must describe what technical and organisational measures you have taken to protect personal data. And it must list all processors (for example your payroll office, your laboratory or VetZ/vetsXL.com) to whom you transmit personal data. Please keep in mind that this document is a dynamic document and that you have to update it as soon as the processing of personal data at your practice, your enterprise or your organisation changes.

The following VetZ products must appear in your documentation if you use them: easyVET, easyIMAGE, XDR and XCR, vetsXL.com and petsXL.com as applications and VetZ as a processor if you use vetsXL.com or petsXL.com.

Put security mechanisms into effect to protect personal data, to identify data breaches in time and to reliably prevent the misuse of data. Security measures may take many forms and place highly diverse technical and organisational demands on you. The technical demands include secure firewalls, up-to-date anti-virus protection, encryption and pseudonymisation, data backup and recovery procedures and secure password protection for all applications and services which you use. The organisational demands include that you process only the personal data that you really need for the intended purpose – and only for as long as you need it. For example, if you collect a pet owner’s personal data, you usually do not need his or her date of birth or profession or national insurance number. The organisational demands also include ensuring the confidentiality, integrity and availability of the systems and services employed. It is especially important to review the effectiveness of the technical and organisational measures on a regular basis and to raise awareness of data protection and information security in your practice, enterprise or organisation.

VetZ products protect personal data through clearly defined access controls (password protection), encryption when storing and transmitting data and providing a high level of communications and systems security.

Document how you process personal data and update your privacy policy. The EU General Data Protection Regulation sets new standards not only for processing personal data, but also for documenting how personal data is processed. You therefore have to document not only the purpose of the processing but also the category of the processed data and your technical and organisational security measures, and to name any third parties to whom you transmit personal data. Your documentation must be transparent both internally and externally and has to be trackable. It has to allow you, your employees and your customers to clearly and unambiguously understand how you process personal data. If there is a breach of data security or a case of data misuse, you must report, document and store the incident.

In our privacy policy, which you can read on our overview of data protection page, we document how VetZ and VetZ products process personal data.


The GDPR has been in force for 201 days.

If you have any questions about the EU General Data Protection Regulation and its implementation, we recommend that you contact law firms and companies that specialise in the GDPR. Get step-by-step support so that all aspects of data protection are taken into account for your practice, enterprise or organisation. If you have any questions about VetZ or VetZ products, you can contact our data protection officer at any time. You can find the contact information and all details concerning our data protection in our current privacy policy.