Privacy Policy
1. Introduction
Nordic Executive Medicine AB, Swedish organization number 559076-6381, is the data controller responsible for personal data as we process personal data in our business operations. This Privacy policy is available to communicate how we handle personal data. Before going into further details, we want to highlight three points that form the basis of our approach. The points are important to us because we know they are important to you:
- We want to clarify the responsibilities for protecting your rights and your privacy.
- We explain how we use the personal data you share with us to offer you our Products and give you the best possible experience when you are in contact with us and utilize our Products.
- This document shall give you an understanding of what data we collect and what we do and do not do with it.
2. Parties and Responsibilities for the Processing of Personal Data
Nordic Executive Medicine AB, Swedish organization number 559076-6381, from now also referred to as “NEM”, “NEM Health”, “The Company”, “We”, “Us”, or “Our”, is a supplier of medical goods and services, “Product”, or “Products”, to both private and corporate customers. NEM is the data controller responsible for the processing of personal data you provide NEM using the products that we offer.
“You”, “Customer”, “The Customer”, “Client”, and “The Client”, is the natural or legal person that has bought the Products from NEM or to whom the Products are delivered, which can be private individuals, patients, companies, health centers, small and large hospitals, occupational health care units, staffing companies, etc. depending on the specific conditions. As a customer, you have your contact information registered with us so that we can deliver the Products to you by the applicable agreement. The Company is responsible for processing the personal data you share with us when You:
- use and order Products from NEM
- enter an agreement with NEM and become a customer
- register as a contact person with NEM on behalf of yourself, an organization, or a close relative
- have a question and contact us via a communication channel
- visits our website and accepts cookies
- register for our newsletter and marketing through our website
- fill out a quiz or other forms accessed through our website
3. What Personal Data do we process about you?
As a registered care provider under the supervision of the Swedish Health and Social Care Inspectorate (IVO-ID Org-2019-00017456), we encounter sensitive personal data in the form of health information (medical records, health data, etc.). To process this information by current law and meet the Swedish National Board of Health and Welfare’s requirements, we use encrypted patient record systems in everyday clinical practice.
NEM collects information about you as a customer to process your purchase, create and improve the business relationship, collect declaration of interest, marketing, statistical purposes, invoicing, as a basis according to the Swedish Accounting Act, and to identify you and to be able to offer you as an individual the best possible care based on your patient data.
The processing of sensitive personal data, such as patient data, only takes place after you share this personal data with us. This personal information may be obtained by NEM orally, in writing, and when using NEM’s Products. As a client, you give us the right to process this personal data through your consent of the End User License Agreement and this Privacy Policy.
We use subcontractors to increase the security of the processing of your personal data. As a private healthcare provider, we are obliged to follow the same secrecy and duty of confidentiality as public healthcare. As a result, we have established routines for handling sensitive and confidential personal data in accordance with GDPR and the Swedish Patient Data Act. We also follow the guidelines that apply to quality assurance and quality development for care providers specified by the National Board of Health and Welfare (SOSFS 2005:12).
3.1 Administration of Membership and Agreement
When you order the Products, we collect contact information about you. If you are a natural person, a “client”, and part of an active agreement with us, we process personal data related to you. The extent of the personal data varies based on the Products you purchase.
| Processing Activities for the Purpose |
· Administration of registration and membership · Invoicing/Payment of fees · Communication about the registration process |
| Categories of Personal Data |
· Name · Contact information · Personal identification number · Organization number (personal data for sole proprietorship) · Position and Company |
| Legal Basis | Contract |
| Storage Period | After the termination of membership/contract, personal data is stored in accordance with legal requirements. Other personal data not covered by legal requirements is deleted within three (3) months upon the termination of membership and contract. |
3.2 Membership Service and Communication
If you contact us in any errand, the amount and category of personal data might vary based on which communication channel was used and what information you give us access to when contacting us. We intend to avoid personal data processing to any possible extent. To offer the healthcare service correctly, personal data processing might be necessary, and the communication will thus be conducted in systems with special encryption for patient data processing.
|
Processing Activities for the Purpose |
· Delivery of purchased product/service in accordance with the agreement · Communication with the client for the purpose of delivering healthcare services · Processing of health data for the purpose of delivering healthcare services · Communication regarding agreements, changes to agreements, payment, case management · Evaluation of service offerings through customer surveys · Transmission of information to data processors for the purpose of delivering services according to the agreement |
|
Categories of Personal Data |
· Name · Contact information · Personal identification number · Health data · Genetic data (applies to the purchase of NEM360 or FHV Support) |
| Legal Basis |
Contract |
|
Storage Period
|
After the termination of membership/contract, personal data is stored in accordance with legal requirements. Other personal data not covered by legal requirements is deleted within three (3) months upon the termination of membership and contract.
|
3.3 Marketing and Communication
We never market our products or services without collecting your consent for marketing purposes. This is collected by subscribing to our newsletter, agreeing to receive marketing and offers through email, and agreeing to our Cookie Policy. You always have the right to change your consent by changing your settings in Cookie Management and/or unsubscribing to our newsletters. Read more about how we manage cookies in our Cookie Policy, which can be found on our website: https://nem.health/en/cookie-policy/.
We also process personal data to conduct surveys and follow up on customer satisfaction. When you contact us through a communication channel, your personal information will be used to manage the case, contact you, and contribute to improving our services.
|
Processing Activities for the Purpose
|
· Development of services, analysis, statistical reporting, and marketing of products. · Sending newsletters · Sending marketing and offers · Communication with potential customers about offers, services, or other inquiries · Periodically sending customer surveys to improve service offerings |
|
Categories of Personal Data
|
· IP-adress · Cookies · Phone number (only if provided for communication about services) |
| Legal Basis | Consent |
|
Storage Period
|
Read more about how each cookie is stored in our Cookie Policy. We store your data until you opt out of newsletters and marketing. |
3.4 Legal Obligations
|
Processing Activities for the Purpose
|
· The Swedish Patient Data Act · The Swedish Patient Act and Patient Safety Act · The Swedish Public Access to Information and Secrecy Act · The Swedish Accounting Act · The Swedish Health and Medical Services Act · Regulations and general advice from the National Board of Health and Welfare · Other applicable laws and regulations |
|
Categories of Personal Data
|
· Name · Contact information · Personal identification number · Health data · Genetic data (Only in cases where they have been processed) |
| Legal Basis | Legal grounds |
| Storage Period | After the termination of membership and agreements, personal data is stored in accordance with legal requirements. |
4. From which sources do we collect Personal Data?
NEM receives personal data from you when you choose to provide us with this information, as well as during blood sample collection when your health data is processed. In addition to this, your employer may provide us with personal information about you. In this case, your employer is the data controller, and NEM is the data processor, handling the information in accordance with established data processing agreements.
5. Who do we share Personal Data with?
We do not share personal data with third parties without having established a data processing agreement and for purposes other than efficiently delivering our services securely, ensuring and improving the quality of NEM’s products, enhancing our ability to process your personal data in a satisfactory manner, or when using various IT providers to securely deliver our services as per the agreement. Additionally, if we have obtained specific consent from the individual, we may share their personal data for other purposes. The latter may include assisting the client in connecting with another healthcare provider, collaborator, or subcontractor to NEM, for example, through a referral containing relevant information, including sensitive personal data such as health data. In such cases, they are considered data processors for us, and they only process personal data in accordance with our instructions and established Data Processing Agreements. The processing of your personal data, such as storage and structuring, occurs in encrypted systems.
6. Where do we treat your Personal Data?
We always strive to process your personal data within the EU/EEA, but sometimes it may not be possible. For certain IT support and subcontractors, data may be transferred to a country outside the EU/EEA. This occurs, for example, when we share your personal data with a data processor that, either itself or through a subcontractor, is established or stores information in a country outside the EU/EEA, currently the USA, where laws may not provide the same level of protection for your personal data. As data controllers, we are responsible for taking all reasonable legal, technical, and organizational measures to ensure these processes comply with regulations within the EU/EEA.
When personal data is processed outside the EU/EEA, the level of protection is guaranteed either through a decision by the EU Commission stating that the country in question ensures an adequate level of protection (read more here) or using appropriate safeguards and standard contractual clauses (read more here).
In some cases, we base data transfer on exceptions under Article 49 of the GDPR, especially your explicit consent or the necessity of the transfer for the performance of a contract or for the implementation of pre-contractual measures.
If you would like additional information about these safeguards, feel free to contact us.
7. How long do we store your Personal Information?
NEM retains personal data about you as a customer for as long as you are covered by an active agreement or when it is necessary to achieve the purposes described in a specified agreement or this privacy policy. Upon termination of the agreement, your information may be retained for a certain period thereafter. The duration of retention and its scope vary based on the reason for processing. Your data may be stored for a longer period, for example, to track payment history in accordance with the Swedish Accounting Act for at least seven years. Sensitive personal data such as patient records are retained as long as laws and regulations require/permit it to enable us as healthcare providers to fulfill our obligations under, for example, the Swedish Patient Safety Act, the Health and Social Care Inspectorate, and the National Board of Health and Welfare in Sweden.
8. What Rights do you have?
As a registered individual with us, you have several rights concerning the processing of your personal data by Nordic Executive Medicine AB. If you wish to exercise your rights, please feel free to contact us at contact@nem.health. If, instead, you want to file a complaint with a supervisory authority, we ask you to contact the Swedish Authority for Privacy Protection. There, you can find more information about the General Data Protection Regulation (EU 2016/679).
Below, we list the rights of the data subject.
8.1 Right to Access
You have the right to request, free of charge, a record excerpt detailing the personal data processed in connection with your use of the service, including your medical record, who has accessed it, and for what purpose. When making such a request, we may ask you some questions to ensure the efficient handling of your request. We will also take measures to ensure that the data is requested and provided to the right person. You also have the right to block your medical records data, preventing it from being transferred to another healthcare provider, and you have the right to have dissenting opinions recorded in your patient record with us.
There may be circumstances preventing the disclosure of information, such as due to provisions in other legislation or if disclosure of the information would be detrimental to others. In some cases, we may also refuse to provide a copy of the data, for instance, if you, as the data subject, make unfounded or unreasonable requests, such as requesting access multiple times in a short period.
8.2 Right to Rectification
You have the right to have incorrect information corrected. This means that you, as the data subject, have the right to supplement with missing and relevant personal data for the purpose of data processing. If information in a journal entry is incorrect or misleading, it should be noted in the patient record. This so-called dissenting opinion should be recorded in the journal. It does not grant the patient the right to write in their patient record or determine its contents. A patient has no right to add additional information unless the person responsible for journaling permits it.
8.3 Right to Erasure
In certain situations, you have the right to request the deletion of your personal data (“the right to be forgotten”), for example, if your personal data is processed in violation of the General Data Protection Regulation (EU 2016/679) or other legislation. However, you cannot have your personal data deleted if there are legal obligations or rights for Nordic Executive Medicine AB to retain the personal data.
8.4 Right to Restriction
You have the right to request that our processing of your personal data be restricted. If you object to the accuracy of the processed personal data, you can request restricted processing while we verify whether the personal data is accurate. If you have objected to a legitimate interest balancing that we have made as the legal basis for a purpose, you can request restricted processing while we assess whether our legitimate interests outweigh your interests in having the data deleted. If processing has been restricted in any of the situations above, we may only, in addition to storage itself, process the data to establish, enforce, or defend legal claims, protect someone else’s rights, or if you have given your consent.
8.5 Right to Object to Certain Types of Processing
You always have the right to object to any processing of personal data based on a legitimate interest. We will then assess whether there are compelling legitimate grounds that require us to continue storing your data, such as the duty to keep medical records. You also always have the right to object to our direct marketing.
8.6 Right to Data Portability
If you have provided personal data to us voluntarily, you have, in certain situations, the right to obtain and use your personal data elsewhere (“the right to data portability”). In these cases, we have an obligation to facilitate such transfer of personal data. A prerequisite is that Nordic Executive Medicine AB processes the personal data based on consent or to fulfill a contract with you.
8.7 Right to Withdraw Consent
If you have given your consent for the processing of your personal data, you have the right to withdraw this consent at any time.
9. Changes to the Privacy Policy
NEM reserves the right to change the privacy policy. In the event of such changes, you, as the customer, will be informed via the website or email. By continuing to use NEM’s products, you accept the amended terms.
10. If you want to know more
If you have questions about this privacy policy and the processing of your personal data, want to delete or correct inaccurate information, or request a record excerpt of our subcontractors/data processors processing personal data, you can contact us at
.