Privacy Policy

  1. Introduction

Nordic Executive Medicine AB, org. no. 559076-6381, is responsible for the personal data we process in our business operations. This Privacy Policy explains how we handle personal data. Before going into further detail, we want to highlight three points that form the basis of our approach. These points are important to us because we know they are important to you:

  • We want to clarify the responsibilities for protecting your rights and your privacy.
  • We explain how we use the personal data you share with us, to offer you our Products and give you the best possible experience when you are in contact with us and use our Products.
  • This document shall give you an understanding of what data we collect and what we do, and do not do, with it.

 

  2. Parties and responsibility for the processing of personal data

Nordic Executive Medicine AB, org. no. 559076-6381, hereinafter also referred to as “NEM”, “The Company”, “We”, “Us” or “Our”, is a supplier of medical goods and services (“Products”) to both private and corporate customers. NEM is responsible for the processing of the personal data you provide to NEM when using the Products that We offer.

“You” or “Customer” is the legal person at NEM, to whom the Products are delivered, which can be private individuals, companies, health centers, small and large hospitals, occupational health care units, staffing companies, etc. You as a customer have your contact information registered with us, so that we can deliver the Products to you in accordance with the applicable agreement. The Company is responsible for processing the personal data you share with us when You:

  • use and order Products from NEM
  • enter an agreement with NEM and become a customer
  • register as a contact person with NEM on behalf of yourself, an organization, or a close relative
  • have a question and/or contact us via a communication channel
  • visit our website and accept cookies
  • register for our newsletters and marketing through our website
  • fill out a quiz or other forms accessed through our website

 

  3. What personal data do we process about you?

As a registered care provider under the supervision of the Swedish Health and Social Care Inspectorate, IVO (IVO-ID Org-2019-00017456), we encounter sensitive personal data in the form of health information (medical records, health data, etc.). In order to be able to process this information in accordance with current law and to meet the National Board of Health and Welfare’s (Socialstyrelsens) requirements, we use encrypted patient record systems in everyday clinical practice.

NEM collects information about you as a client in order to process your purchase, create and approve the business relationship, collect declarations of interest, carry out marketing, compile statistics, issue invoices, maintain records as required by the Accounting Act, identify you, and offer you as a customer the best possible care based on your patient data.

The processing of sensitive personal data, such as patient data, only takes place after you share this personal data with us. This personal information may be obtained by NEM orally, in writing and when you use NEM’s Products. As a customer, you give us the right to process this personal data through your consent to the End User License Agreement and this Privacy Policy.

We use subcontractors in order to increase the security of the processing of your personal data. As a private healthcare provider, we are obliged to follow the same secrecy and duty of confidentiality as public healthcare. As a result, we have established routines for handling sensitive and confidential personal data. We also follow the guidelines that apply to quality assurance and quality development for care providers, specified by the National Board of Health and Welfare (SOSFS 2005: 12).

3.1 Administration of membership and agreement

When you order the Products, we collect contact information about you. We hold personal data about you if you, as a physical person (“client”), are part of an active agreement with us. The extent of the personal data varies based on the Products you purchase.

The main purpose of processing personal data

·       Administration and registration of membership

·       Invoicing and payment of fees

·       Communication of registration process

Categories of personal data

·       Name

·       Contact information

·       Social Security Number

·       Organization number (personal data if sole proprietorship)

·       Role and company

Legal basis: Contract
Storage time: After cancellation of the membership/agreement, personal data is stored in accordance with regulatory law. Other personal data, not covered by regulatory law, will be deleted within three (3) months of the cancellation of the membership and agreement.

 

3.2 Membership service and communication

If you contact us about any matter, the amount and category of personal data may vary depending on which communication channel was used and what information you give us access to when contacting us. We intend to avoid personal data as far as possible. To be able to offer the healthcare service correctly, personal data might be necessary, and the communication will then be conducted in systems with special encryption for patient data processing.

The main purpose of processing personal data

·       Delivery of purchased product/service in accordance with Agreement

·       Communication with client with the purpose of delivering healthcare services

·       Treatment of health data with the purpose of delivering healthcare services

·       Communication regarding agreement, alterations of agreement, payment, and case management

·       Evaluation of provided services through customer surveys

·       Mediation of information to data processors with the purpose to deliver the service in accordance with the agreement.

Categories of personal data

·       Name

·       Contact information

·       Social Security Number

·       Health data

·       Genetic data (applies when purchasing NEM360 or FHV Support Plus)

Legal basis: Contract
Storage time: After cancellation of the membership/agreement, personal data is stored in accordance with regulatory law. Other personal data, not covered by regulatory law, will be deleted within three (3) months of the cancellation of the membership and agreement.

 

3.3 Marketing and communication

We never market our products or services without collecting your consent for marketing purposes. Consent is collected when you subscribe to our newsletters, agree to receive marketing and offers through email, and agree to our Cookie Policy. You always have the right to change your consent by changing your settings in Cookie Management and/or unsubscribing from our newsletters. Read more about how we manage cookies in our Cookie Policy, which can be found on our website at nem.health/en/cookie-policy/.

We also process personal data to conduct surveys and follow up on customer satisfaction. When you contact us through a communication channel, your personal information will be used to manage the case, contact you, and contribute to the improvement of our services.

The main purpose of processing personal data

·       Development of service, analysis, statistics, and marketing

·       Newsletters

·       Marketing and offers

·       Communication with potential clients of offering, services or answering other questions

·       To provide a safe service with an appropriate product offering we frequently send customer surveys to our customers.

Categories of personal data

·       Email

·       IP address

·       Cookies

·       Phone number (only if You provide this information to us to communicate about product and services)

Legal basis: Consent
Storage time: Read more about each cookie in our Cookie Policy. We store your data until you cancel newsletters and marketing communication.

 

3.4 Legal obligations

NEM also complies with the Swedish laws, rules and regulations that apply to the handling of sensitive personal data. All staff at NEM must consider the laws and regulations that apply. Licensed staff must work according to the laws and regulations applied in the Swedish health care system. All personnel categories are bound by secrecy towards individual customers and are, where applicable, licensed by the Swedish National Board of Health and Welfare.

The main purpose of processing personal data

·       The Patient Data Act

·       The Patient Act and the Patient Safety Act

·       Publicity and confidentiality Act

·       Accounting Act

·       Health and Medical Care Act

·       The National Board of Health and Welfare Regulations and General Advice on care

·       Other laws and regulations applicable

Categories of personal data

·       Name

·       Contact information

·       Social Security Number

·       Health data

·       Genetic data (applies when purchasing NEM360 or FHV Support Plus)

Legal basis: Legal obligations
Storage time: After cancellation of the membership/agreement, personal data is stored in accordance with regulatory law.

 

  4. From which sources do we collect personal data?

NEM collects personal data when You choose to give us this information, and when conducting blood work, as your health data is then collected. Additionally, your employer might share personal information about you with us. In these cases your employer is the personal data controller and NEM is the personal data processor, and NEM processes the information in accordance with established Data Processing Agreements.

  5. Who do we share personal information with?

We do not share personal data with third parties without establishing Data Processing Agreements, or for any purpose other than to efficiently deliver our services, ensure and improve the quality of NEM’s products, improve our ability to process your personal data in a secure manner, or when we use IT services to in one way or another deliver our services in accordance with the Agreement. Where applicable, we may also share personal information for other purposes after we have received consent from the individual. This can, for example, concern helping the customer get in touch with another care provider, partner, or sub-consultant to NEM, via, for example, a referral that contains relevant information, including sensitive personal data. They are thus considered personal data processors to NEM and will process personal data in accordance with our instructions and established Data Processing Agreements. The processing of your personal data regarding storage and structuring takes place in systems that are encrypted.

 

  6. Where do we process your personal data?

We always strive to process your personal information within the EU/EEA, but sometimes this is not possible.

For some IT support and subcontractors, the data might be transferred to a country outside the EU/EEA. This applies, for example, if we share your personal information with a personal data processor who is established or stores data in a country outside the EU/EEA, currently the US, where laws that do not give the same protection may apply. As personal data collectors, we are responsible for taking all reasonable legal, technical, and organizational measures to ensure that the processing will be conducted in accordance with the regulations within the EU/EEA.

When personal information is processed outside the EU/EEA, the security level is guaranteed either through a decision from the European Commission that the country ensures an adequate security level (read more here) or through the use of so-called appropriate data protection safeguards and standard contractual clauses (read more here).

In some cases we base the data transfer on the exceptions in art. 49 GDPR: explicit consent, or necessity of the transfer for the performance of a contract or to perform measures prior to a contract.

If you want more information about these data protection safeguards you can contact us.

 

  7. How long do we store your personal information?

NEM stores personal data about you as a customer, if you are covered by an active agreement, or when it is necessary to achieve the purposes described in the specific agreement or this privacy policy. Upon termination of the agreement, your information may be saved for a period thereafter. How long and to what extent NEM saves this information depends on the relationship you had with NEM. Your information may be stored for a longer period, for the purpose of tracking payment history in accordance with the Accounting Act, at least 7 years. Sensitive personal data such as patient records are stored for as long as laws and regulations require and/or allow it, so that we as care providers can fulfill our obligations under, for example, the Patient Safety Act and towards IVO and the National Board of Health and Welfare.

  8. What rights do you have?

If you are registered with NEM, you have several rights in connection with NEM processing your personal data. If you want to exercise your rights, you may contact us at [email protected]. If you want to submit a complaint about our processing to a data protection authority, we ask you to contact the Swedish Authority for Privacy Protection (IMY). There you can also find more information about the Data Protection Regulation (EU 2016/679).

We list the rights of registered persons below.

8.1 Right of access

You have the right to request a transcript of what information is registered about you, including sensitive personal data such as medical records and other patient information concerning you. When you file such a request, we might ask some questions to ensure efficient administration of your request. We will also take action to ensure that the data is requested by and transferred to the right person. You also have the right to block your medical records from being transferred to any other caregiver, and you have the right to have a dissenting opinion noted in your medical record.

There might be circumstances in which the requested information cannot be transferred, for example because of provisions in other laws or because the transfer would have negative consequences for other people. We may also refuse to transfer a copy of information if you, as a registered person, make so-called unwarranted or unreasonable requests, such as requesting access several times during a short period of time.

 

8.2 Right to rectification

You have the right to have your personal information corrected if it is incorrect. This means that you, as a registered person, have the right to add information that is missing and relevant considering the purpose of the processing of personal data. If information in a medical record is incorrect or misleading, this shall be noted in the medical record. This does not give a patient the right to personally add notes to their medical record or decide what it should say. A patient has no right to add additional information if the person responsible for the medical record does not allow it.

 

8.3 Right to erasure

In some cases, you also have the right to have your personal information deleted (“right to be forgotten”), for example if your personal data is processed in violation of the Data Protection Regulation (EU 2016/679) or other regulation. You cannot, however, have your personal data deleted if there are legal obligations or grounds for Nordic Executive Medicine AB to keep the personal data.

 

8.4 Right to limitation of processing

You have the right to request limitation of the processing of personal information. If you dispute that the data we process is correct, you may request a limitation of processing during the time needed to verify whether it is correct or not.

If you have objected to a balancing of interests regarding a legitimate interest that we have used as a legal basis for some purpose, you may request limitation of the processing of data during the time needed to verify whether our legitimate interest weighs more heavily than your interest in having the data removed.

If the processing has been limited according to one of the situations above, we can only, apart from the storage itself, process the data to establish, exercise or defend legal claims, to protect another person’s rights, or if you have given explicit consent.

 

8.5 Right to object to certain types of processing

You always have the right to object to all processing of personal data that has a balancing of interests as its legal basis. In that case, we will evaluate whether there is any crucial legitimate interest that obliges us to keep storing your data despite your request, for example due to obligations concerning medical records. You always have the right to object to our direct marketing.

 

8.6 Right to data portability

If you have freely given us your personal information, you have in some situations the right to access and use your personal information elsewhere (“right to data portability”). In these cases we have an obligation to facilitate this transfer of personal data. This applies provided that Nordic Executive Medicine AB processes the personal data on the basis of consent or to fulfill an agreement with you.

 

8.7 Right to withdraw consent

If you have consented to the processing of your personal information, you have the right to withdraw this consent at any time.

 

  9. Changes to the Privacy Policy

NEM reserves the right to change the privacy policy. In the event of such changes, you as a Customer will be informed via the website or by e-mail. By continuing to use NEM’s Products, you accept the changed conditions.

 

  10. If you want to know more

If you have questions about this privacy policy and the processing of your personal data, want to delete or change incorrect data or want a transcript of our subcontractors who process personal data, you can contact us at [email protected]