Quentin Mouilhaud

Legal Ops & GRC Consultant | Tech Lawyer

€380/day
Paris, FR
8-15 years

Average response time: 1 hour

About Quentin

A graduate of the Sorbonne in Business Law and holder of a Master's in Hotel Management, I offer a rare dual expertise: legal rigor combined with concrete technical mastery.

Unlike traditional consultants, I don't just write regulations; I understand the technical architecture that supports them. Recently certified eJPT (Junior Penetration Tester) and passionate about automation, I build the necessary bridges between your legal and technical departments.
  • French: Native or bilingual
  • English: Native or bilingual
  • Spanish: Native or bilingual
  • German: Conversational
  • Chinese: Fluent
  • Thai: Basic

Remote only
Primarily works remotely

Experience

  • [Redacted]
    "Privacy by Design" Conception of a Health E-Platform (GDPR & DPA)
    SOFTWARE PUBLISHING
    January 2024 - January 2026 (2 years)
    Technical development and complete legal compliance of a patient management platform for a medical practice operating internationally (France/Philippines).

    The Challenge: Create a technical architecture for handling sensitive data (health) while adhering to a strict dual regulatory constraint: GDPR (Europe) and the Data Privacy Act of 2012 (Philippines).

    Legal Ops & Tech Achievements:

    "Privacy by Design" Architecture: Translating legal obligations directly into the database architecture (segregation of identity and medical data).

    Security & Encryption: Technical implementation of data encryption at rest and in transit (SSL/TLS, AES) to ensure doctor-patient confidentiality.

    Consent Management (CMP): Development of the granular consent collection module (opt-in) required for health data processing.

    Cross-border Compliance: Mapping data flows and selecting compliant hosting providers according to data sovereignty standards to prevent illicit transfers outside secure zones.

    Audit Trail (Audit Logs): Coding an unalterable logging system to track who accesses which patient file (major legal requirement).
    GDPR Implementation, Cybersecurity Strategy, GRC, Cybersecurity, Project Management
  • [Redacted]
    Technical Due Diligence Audit & GDPR Compliance for a SaaS Project
    SOFTWARE PUBLISHING
    April 2023 - April 2025 (2 years)
    A client (Tech/Digital sector) wished to integrate a critical third-party solution (API/SaaS) for their business. Before signing the contract and the DPA (Data Processing Agreement), the client needed to verify if the security guarantees provided by the vendor matched the technical reality.

    My Achievements
    I acted as the technical trusted third party between the Legal Department and the IT Department to validate the security of the future partner.

    Black Box Security Audit: Preliminary analysis of the vendor's API and web application exposure (Search for OWASP Top 10 vulnerabilities, misconfigured headers, sensitive data exposure).

    Verification of DPA Reality: Confronting contractual security clauses (encryption, location, access) with the observed technical reality. Example: Detection of unencrypted data flows while the contract guaranteed strict HTTPS.

    Data Flow Mapping: Precise identification of data entry and exit points to validate compliance with data transfer requirements (GDPR/Schrems II).

    Decision Support Report: Drafting a hybrid report (legal/technical) recommending specific clauses to be added to the contract to cover the identified technical risks.

    Results
    Identification of 3 critical security flaws before signing.

    Renegotiation of the supplier contract with reinforced security clauses.

    Validation of the technical "Go/No-Go" for General Management.
    GDPR Implementation, Cybersecurity Strategy, Cybersecurity, Digital Visibility, Project Management
  • LPP
    Legal Ops & GRC Consultant | Tech Lawyer (Sorbonne) & Certified eJPT | Automation & AI
    January 2016 - Today (10 years and 5 months)
    At the intersection of Business Law, Cybersecurity, and Operations.


Education

  • Master II
    EHG
    2016
    Master's in Management H.
  • Business Law
    Sorbonne Université
    Business Law (Droit des Affaires)

Certifications

  • eJPT
    INE
    2025
    Cybersecurity Strategy, Professional Ethics, Cybersecurity Audit, Cybersecurity, Cybersecurity Governance, Web Pentest, PenTest, Pentesting
