Introduction
You should be able to trust that we safeguard your privacy, are transparent about how we process your personal information, and that we handle your data in accordance with the applicable regulations at all times.
The privacy statement contains information you are entitled to when information about you is collected, as well as general information about how we process personal data. When we use “you” in this statement, we refer to you as a customer, potential customer, or other contacts and collaborators for whom we have registered personal information.
“Personal information” is any information or assessment that can be linked to you as an individual. It can be your name, contact information, or date of birth.
“Processing” means any use of personal information, such as collection, registration, storage, modification, sharing, anonymization, deletion, etc.
The Personal Data Act (which has implemented the General Data Protection Regulation) determines how we should process your personal information. There are specific requirements in the Personal Data Act regarding the processing of sensitive personal information, such as health information and medical assessments. In the law, such sensitive information is referred to as “special categories of personal data.”
As a private healthcare facility, C-Medical must also adhere to the rules of the Health Act for the processing of personal information, in addition to other special laws. Relevant health laws include the Patient Records Act (with regulations), the Health Personnel Act, the Specialist Health Services Act, the Patient and User Rights Act, the Health Registry Act, and others. The Marketing Act and the Accounting Act are also examples of laws regulating C-Medical’s processing of personal information.
Data Controller
The data controller is the entity that determines the purpose of the processing of personal information and is responsible for ensuring that personal information is processed in accordance with applicable regulations.
Within C-Medical, the data controller for your health information will be the company within the group that processes personal information about you.
Where We Obtain Your Information
The information we collect is received from you, among other things, through your conversations with healthcare professionals or through examinations and treatments you undergo with us.
Information may also be collected from other healthcare entities that have treated you, such as your general practitioner, other hospitals, or from providers of X-ray/MR/CT and laboratory services. Additionally, we receive information from insurance companies when using health insurance, and we verify your address against the population register if you are a private customer.
Some information is collected through the use of cookies when visiting our websites. You can read more about the use of cookies here.
Categories of Processed Personal Information
We only process personal information about you that is necessary to fulfill the purpose of the processing. We typically process the following categories of personal information:
- Administrative information such as name, address, phone number, email, and social security number. Information about appointments. Payment information.
- Medical record information such as medical history, previous treatments, medications you use, allergies, diagnoses, assessments, test results, images from X-rays/MRIs/CT scans, prescriptions, sick notes, and information about relatives, among others.
  Note: When you are diagnosed, receive healthcare, or undergo medical treatment with us, we are obligated to record all information necessary to provide healthcare. This is done in our patient records system. Legal requirements dictate the contents of a patient record.
- Communication, such as when you contact us in connection with treatment.
- Technical information such as the type of PC/mobile device, internet connection, operating system, browser, and IP address. We collect this information through the use of cookies.
Providing personal information is voluntary, but failure to provide information may result in us being unable to deliver the services you desire.
Purpose of Processing Your Personal Information
We process your personal information for the following purposes:
1. To identify you as a customer.
2. To provide proper healthcare and medical services.
3. Follow-up on potential and existing customer relationships.
4. Marketing our services through newsletters.
5. Ensuring information security by testing, improving, and developing our systems.
6. Continuously delivering high-quality healthcare services through the use of data.
7. Preventing and detecting illegal actions directed towards customers or C-Medical.
8. For accounting purposes.
9. For documentation purposes.
The legal basis for processing personal information for purposes 1 and 3 is that the processing is necessary to administer the agreement with you regarding healthcare.
The legal basis for processing personal information for purposes 2, 5, and 8 is that it is required by legal obligation.
The legal basis for processing personal information for purposes 4 and 6 is your consent.
The legal basis for processing personal information for purposes 7 and 9 is that it is required by legal obligation or a legitimate interest.
Who We Share Your Personal Information With
Healthcare Facilities or Other Healthcare Professionals
We share your health information with healthcare facilities, referring physicians, or other healthcare professionals who are also providing you with medical treatment if we are contacted with requests to disclose your patient information. This is done when it is necessary to provide you with proper healthcare, and it involves sharing necessary information with collaborating healthcare professionals who are subject to the same confidentiality requirements as C-Medical employees. As a patient, you have the right to object to such disclosure, as stipulated by the Healthcare Personnel Act.
Public Authorities
We disclose personal information to public authorities if required by law or in cases where there is suspicion of a violation of the law in connection with the use of our services.
Public Health Registries
We share information that we are obligated to share with public health registries, such as the cancer registry.
Data Processors
We further share personal information with our subcontractors who perform tasks and services on our behalf. In such cases, a separate data processing agreement is entered into, ensuring that the personal information transferred and processed is not used for purposes other than delivering the agreed-upon service. We use subcontractors for various tasks, including the operation and maintenance of IT systems and solutions.
Our subcontractors are primarily located and process personal information within the EU/EEA, meaning that these data processors are subject to the same regulations regarding the processing of personal information. In individual cases, data processors processing personal information outside the EU/EEA may be used. In such cases, we ensure that the processing is subject to an adequate level of protection.
Sharing of personal information may also occur in the event of a business transfer, such as a merger or other restructuring of C-Medical.
How We Ensure the Security of Your Personal Information
To protect your personal information, we implement necessary physical, technical, and administrative measures, such as securing premises and infrastructure.
In accordance with healthcare personnel regulations, our employees are bound by confidentiality regarding information concerning your health and the dialogues you have with us as a patient. For medical records, unauthorized individuals are prevented from accessing your information through various security measures, including access controls.
Subcontractors processing personal information on our behalf must also have implemented adequate security measures and are bound by confidentiality.
To ensure the security and confidentiality of your health information, it is important that communication with you is secure. Therefore, you should not send health information or other sensitive details to us via email or social media. Instead, please contact us by phone, through mail, or in person.
The exchange of personal information with insurance companies occurs via dedicated and encrypted lines, complying with requirements and standards.
How Long We Retain Your Information
We process information about you for as long as necessary to achieve the purpose for which it was collected. The information is then anonymized or deleted unless we are obligated to continue preserving information according to applicable laws, or there is another basis for further processing.
We do not delete information if there are outstanding or unresolved issues between you as a customer and C-Medical.
Administrative Information
Information related to the administration of contractual relationships is retained as long as we have a valid basis for processing and the information is considered necessary to preserve. After that, it will be deleted or anonymized so that it can no longer be linked to you as an individual. For example, payment information is retained for five years after the expiration of the last fiscal year, as required by the Accounting Act and regulations.
Patient Records
The general rule is that patient records should be kept as long as there is a presumed need for them due to the nature of healthcare. We generally retain records for 10 years. As long as the patient record exists, associated patient contact information is also retained.
Documentation
Some personal information will be kept for documentation purposes. This applies, for example, to consents that have been in effect or information necessary to establish, enforce, or defend legal claims.
Digital Communication
How you can communicate with us digitally may vary from clinic to clinic.
Appointment Booking
We have a form for appointment booking where you can enter your information and send us a request for an examination. Text information is automatically deleted after 21 days, while contact data is automatically deleted after five months.
SMS and Email
Correspondence via email and SMS is deleted at the end of each month. Health information that needs to be preserved is transferred to the journal system.
Your Rights
You have statutory rights under the Personal Data Act. If you wish to exercise your rights, please contact the clinic you have been in contact with.
Access
You have the right to receive information about the personal information we process about you and how we use it.
You have the right to access your patient record, as well as information about who has accessed your patient record and who has received information from it.
Rectification
You have the right to have your personal information corrected if it is incorrect or inaccurate. It is important that the information we have about you is correct, so, for example, we do not send invoices and other information to the wrong email address. If you discover an error, please contact us so that we can correct the information.
For information in the patient record, the right to have information corrected is limited by rules in the Healthcare Personnel Act. If we do not agree on corrections, you can request a note in the journal stating that you, as a patient, believe there is incorrect or misleading information in your journal.
Deletion
You have the right to have personal information deleted when it is no longer necessary to process it for the purpose for which it was collected, or you withdraw your consent to the processing. This applies unless there is another legal basis for processing. Similarly, you have the right to have any information processed on an illegal basis deleted.
You do not have the right to delete information processed based on a legal obligation. The same applies to information necessary to establish, enforce, or defend legal claims.
For information in patient records, the right to have information deleted is very limited due to rules in the Healthcare Personnel Act.
Data Portability
In principle, you should be able to take your personal information from us to another similar entity. The right to portability only applies to information that you have provided to us yourself and that is used to fulfill an agreement, or information based on consent. You can request such information to be delivered or sent directly to your new medical provider.
The majority of the processing C-Medical does with personal information is justified by a legal obligation to provide healthcare and is not subject to the right to data portability. Therefore, your ability to request delivery/transfer has no impact on our obligation to retain your patient record.
Objection
In certain cases, you have the right to object to the processing of your personal information. This does not apply to treatments related to delivering the services covered by your contractual relationship or purposes necessary to operate and manage your agreement.
Right to Restrict Processing
You have the right to demand that our processing of personal information about you be restricted. You can request this if:
- You believe that the personal information we have stored about you is inaccurate.
- You believe that our processing of personal information about you is unlawful.
- We no longer need the personal information, but you need it to establish or enforce legal claims.
Consent
Health Insurance
For the follow-up of insurance matters, we need your consent to exchange health information with your insurance company.
Obtaining Relevant Information from Public or Private Healthcare Providers
You can give your consent for C-Medical to obtain relevant patient information from other public or private healthcare providers when necessary for your treatment.
Quality Registry – Research
You can also give your consent to use your health information and medical data for quality assurance purposes so that we can track your progress to develop and improve our services. Your data will be anonymized when extracted from the medical record and stored in the quality registry.
Newsletter
You can choose to give your consent to receive newsletters related to our services via email. As a patient, you can give your consent directly to the clinic. You can also subscribe to our newsletter through our website, regardless of who you are. We record your name and email address for the newsletter distribution. You also consent to us measuring the open rate and clicks on links in the newsletter. The newsletter contains information about our healthcare services and is sent out 4-12 times a year. You can unsubscribe from the newsletter at any time by clicking on the unsubscribe link in the latest newsletter.
You can withdraw your consent at any time if you wish. Withdrawing consent will not affect the legality of processing based on previous consent.
Contact Us Regarding Privacy Matters
If you have questions about our processing of personal information, you can contact the clinic manager at the clinic you have been in contact with. You are entitled to a response without undue delay, and no later than one month, if the question concerns your rights under the Personal Data Act.
C-Medical’s Data Protection Officer, Gisle Kjøsen, can be reached at: personvernombud@cmedical.no
Right to Complain
If you have received a final rejection of a complaint regarding C-Medical’s processing of your personal information and believe that we do not respect your rights under the Personal Data Act, you have the option to complain to the Swedish Data Protection Authority (Integritetsombudsmannen).
Implementation of Changes to this Statement
We will periodically update this privacy statement to keep you informed about how we process your personal information.
August 2024