Doktor.se

Privacy Policy

Updated 2023-12-06

Doktor.se protects your personal integrity and works hard to ensure that your personal data is protected when using our services. Below is our privacy policy which describes how we process, use and protect your personal data and the rights you have as a registered user.

1. General

This privacy policy ("Privacy Policy") describes how Doktorse Nordic AB, reg. no. 559058-0089 ("Doktorse Nordic") and the relevant subsidiary process your personal data. Doktorse Nordic is the company that provides the Doktor.se application and the company that is the data controller for personal data relating to your user account ("app account"). However, the data controller for personal data processing carried out to provide healthcare is the company that provides the care (the healthcare provider). Digital care provided to you as a patient in the app is provided by Doktor.se Vingåkers Vårdcentral, 556599-4885 ("Vingåkers Vårdcentral"). However, if you are listed at a healthcare center owned by a company within the Doktor.se group, that healthcare center is responsible for the processing of personal data relating to your care at that particular healthcare center. In general, Vingåkers Vårdcentral is the healthcare provider and data controller for all digital care when personal data is processed in connection with healthcare via the Doktor.se app (Doktorse Nordic is in this relationship only a data processor that provides the technical platform). However, if you seek care for certain symptoms that can be managed asynchronously, InnovDr AB, 559059-3256 may be a healthcare provider and thus a personal data controller. Doktorse Nordic is then a data processor to InnovDr. Doktorse Nordic and Vingåkers Vårdcentral/InnovDr have entered into a data processing agreement that regulates this relationship. To make it easier to understand how your personal data is processed, we describe in this Privacy Policy both the personal data processing relating to your app account and the personal data processing relating to you as a patient.

The Privacy Policy describes, among other things, the categories of personal data we process, the purposes for which we process them and the legal basis for the processing. We also explain who may have access to and process the data, the principles for deletion, which third parties we may share the personal data with, where the personal data is processed and your rights as a data subject in the form of the right to information, correction and deletion, etc.

From time to time, we may need to update or amend the Privacy Policy. If the changes are material, we will inform you in an appropriate way and ask you to take note of the changes made. The latest version of the Privacy Policy can always be found on our website (www.doktor.se).

We hope that this Privacy Policy answers your questions about our processing of your personal data. If you have any further questions or concerns, you are always welcome to contact us at the address Doktorse Nordic AB, Attn: Data Protection Officer, Sveavägen 63, 113 59 Stockholm, or by contacting us or our Data Protection Officer at dataskyddsombud@doktor.se (applies to both Doktorse Nordic AB and Vingåkers Vårdcentral AB/other healthcare clinics within the Doktor.se group).

 

2. How do we process your personal data?

·       How we collect your data

We collect your data directly from you when you download the app and create an account or otherwise use our digital healthcare services (the "Services").

If you agree, we can also access your medical records from another healthcare provider through collated medical records. The purpose of this is to be able to give you the right diagnosis and care and to avoid repeating your care history. You always have the right to object to collated medical records.

When you register, we may also retrieve your data through the electronic identification service you use or the population registration system.

3. Purposes of processing, legal basis and retention period

Your personal data will not be used in a way that is incompatible with the purposes for which it was collected. We process your data for the purposes listed below.

·       Providing you with your user account

To provide you with our Services, you need to create a user account. We use your data to verify your identity, to provide you with your user account and to communicate with you about the cases you create with us. To do this, we need the following personal data belonging to you ("User Data").

·       name, social security number, address and other contact details, including email address and telephone number;

·       your use of our application, including personal settings and preferences, such as whether you want to receive marketing from us.

The legal basis for processing personal data for this purpose is that it is necessary for the performance of our obligations under our contract with you.

We process your personal data for this purpose as long as you have an account with us.

·       Providing services within the framework of the Doktor.se platform

If you choose to use services that Doktor.se provides within the framework of the Doktor.se app, such as the "vaccination card", the data that you yourself provide is processed. This data may include, for example, which vaccinations you have had and when they were taken.

The legal basis for processing personal data for this purpose is that it is necessary for the performance of our obligations under our contract with you.

We process your personal data for this purpose as long as you have an account with us or until you actively choose to delete the information in these sections.

 

·       Providing care and fulfilling our legal obligations as healthcare providers

We also use your personal data, including your User Data, to provide you with healthcare and make medical diagnoses and to keep medical records. When you have initiated a case with us, Doktor.se Vingåkers Vårdcentral's staff will ask you questions to make medical assessments and give you advice. For these purposes, you may provide descriptions of symptoms and other information about your health, including photographs of your medical ailments ("Patient Data"). In those regions where a patient fee is payable by you as a patient, we also process your personal data to send an invoice. Furthermore, we process your personal data to administer high-cost protection and free cards at your request. The legal basis for the processing of personal data for this purpose is that it is necessary to provide you with healthcare and for us to fulfill our legal obligations as a healthcare provider, which means, among other things, that we must keep a record of your care. After your case has been closed, information about your care is transferred to your medical record. Correspondence is stored in the app for two weeks. We are required by law to keep medical records for at least 10 years from the last entry.

·       Communicate with you about our activities

We use your User Data to send you direct marketing and information about our Services and important events. Direct marketing refers to all types of outreach marketing activities, such as mailings, emails and text messages. You have the right to object, free of charge, to the use of your data for such purposes and every electronic mailing from us for marketing purposes contains an opt-out option.

The legal basis for the processing of personal data for this purpose is that it is necessary to fulfill our legitimate interest to market our services to you as our customer during our contractual relationship.

We process your personal data for this purpose as long as you have an account with us. You can unsubscribe from such mailings at any time.

·       Providing support

We also use your User Data to help you if you contact us for support, e.g. if you have questions about our Services or your account. We use your personal data to identify you, to communicate with you regarding your questions and to investigate any complaints or support issues.

The legal basis for processing personal data for this purpose is that it is necessary to fulfill our and your legitimate interest in providing you with support.

We process your personal data for this purpose for the duration of the support case, after which we delete the data.

·       Improving our Services

We process your data to improve our Services. When we use your data for this purpose, we use it in aggregated form (i.e. study overall user patterns using de-identified data) to the extent possible. We process the data by producing statistics on how you use our Services. We may do this, for example, by conducting user satisfaction and market research or by analyzing your use of the Services. We also use your data to make the Services more user-friendly, e.g. to troubleshoot, fix bugs, change the interface so that you can easily access the information you are looking for or highlight features in our Services that are frequently used by our users. For this purpose, we may also process your IP address.

The legal basis for processing personal data for this purpose is that it is necessary for our legitimate interest to continuously improve the Services.

We process your personal data for this purpose for two years from the date of collection.

·       Preventing abuse

Your personal data may also be used to prevent misuse of our services or to prevent, deter or investigate crimes against us. Abuse includes, but is not limited to, fraud, spamming, harassment, attempts to illegally log into user accounts, and other actions prohibited by our terms and conditions or by law.

The legal basis for the processing of personal data for this purpose is that it is necessary for our legitimate interest to avoid misuse of our services or to prevent, deter and investigate crimes against us.

We keep the information for as long as it is needed to investigate the crime.

·       Fulfilment of legal obligations

We may also process your personal data to enable us to fulfill our legal obligations under law, judgments or decisions by public authorities. The requirements may include requirements regarding accounting, patient data and health care legislation. For example, we may need to process your personal data (not health data) if you choose to list yourself at one of our healthcare centers.

The legal basis for processing personal data for this purpose is that it is necessary for the performance of our legal obligations or necessary for the provision of health care.

Personal data processed for accounting purposes is stored in accordance with the provisions of the Book-keeping Act.

Personal data processed by us as a healthcare provider for healthcare purposes is stored - if it is patient data - for at least 10 years. Other personal data is stored in accordance with an internal deletion plan.

·       How we share your data

We do not share your data with any third parties except as described below.

·       Other healthcare providers in the case of collated medical records

If you seek care from a healthcare provider other than us, they can, during an ongoing patient relationship with you, access your medical record information that we have about you through collated medical records. The purpose of this is to be able to give you the right diagnoses and care and to avoid repeating your care history. For your healthcare provider to be able to access your personal data through collated medical records, you need to give your consent to your healthcare provider. You always have the right to object to collated medical records and for us to block your medical records from being included in a system for collated medical records.

·       Our suppliers/partners: We may use third parties to manage one or more aspects of our business, including our processing of personal data. We may share personal data with these third parties in order for them to perform services on our behalf, such as sending messages and marketing communications to you, assisting with billing, storing our data and providing other IT services to us. When we use suppliers under this paragraph, we establish data processing agreements and take other appropriate measures to ensure that your personal data is processed in a manner consistent with this Privacy Policy and applicable regulations.

·       Sale or transfer: We may transfer or assign your personal information to a buyer or prospective buyer in the event of a sale, assignment or other transfer of all or a portion of our business or assets. In such a transfer, we will take reasonable steps, such as using confidentiality and assistance agreements, to ensure that the receiving party treats your information in a manner consistent with this Privacy Policy.

·       We may also share your personal data with, for example, the police, the Swedish Tax Agency or other authorities when we are required to do so by law.

3. How we protect your data

We take appropriate safeguards and maintain security standards to protect your personal data against unauthorized access, disclosure and misuse, including through the use of access restrictions to your data. Your personal data is stored in files that are accessible only to our employees, agents and service providers who need the data for the performance of their duties.

We use technical tools such as firewalls and passwords, and we ensure that our employees are trained in the importance of maintaining the security and confidentiality of the personal data we process and that confidentiality agreements are in place.

As a healthcare provider, we also have a duty of confidentiality for personal data stored in your medical record. Only our employees who need the information to participate in your care or for their work in the health sector can access it.

 

4. Where we process your personal data

We always process your Patient Data within the EU/EEA.

We aim to always process your other personal data such as your User Data within the EU/EEA where all our own IT systems are located. However, such personal data may be shared with suppliers to us that either themselves or through subcontractors are established or store information in a country outside the EU/EEA, more specifically the USA. In such a case, we will take all reasonable legal, organizational, and technical measures necessary to ensure that the level of protection of the processing is equivalent to that in the EU/EEA. Such a level of protection exists, inter alia, if the country in question already ensures an adequate level of protection as decided by the European Commission or by using other appropriate safeguards such as standard contractual clauses (together with additional security measures) or approved codes of conduct in our contracts with such providers.

You can read more about which third countries the European Commission has deemed to ensure an adequate level of data protection at https://ec.europa.eu/info/law/law-topic/data-protection_sv.

For more information on safeguards for third country transfers, please contact the Data Protection Officer at dataskyddsombud@doktor.se.

 

5. Your rights

This section describes your rights as a data subject. You can always exercise these rights by contacting us at dataskyddsombud@doktor.se.

·       Right of access, your medical record and information on access to your personal data

If you wish to receive information about the personal data we process about you, you can request access to the data. The information will then be provided in the form of a register extract indicating which personal data we process, for which purposes we process them, where the data has been obtained from, which third parties the data has been transferred to and how long the data will be stored.

As a rule, you also have the right to access your medical records. If it would be harmful for you to have access to your medical records, the law states that they must not be disclosed. Therefore, the person responsible for the medical record, which is often the doctor in charge, makes an assessment of all disclosures.

You also have the right to receive information about access to your personal data in your medical record, including what direct access and other electronic access to your file has taken place.

·       The right to rectification

You have the right to have inaccurate data about you rectified without delay. You also have the right to have incomplete data completed.

·       The right to be blocked

You have the right to block information in your medical record, which means that no other healthcare provider can access it, e.g. in the case of collated medical records.

·       The right to erasure

You have the right, under certain circumstances, to have your personal data deleted by us: if the personal data is no longer necessary for the purposes for which it was collected or processed; if the processing of personal data is based on your consent and you withdraw it; if you have objected to the processing of personal data and we do not have a legitimate interest that overrides your interest; if the personal data has been processed unlawfully; or if the personal data must be erased to comply with a legal obligation. However, in some cases we have the right to object to the erasure of your personal data and we will inform you if this is applicable.

To delete information from your medical record, you must apply for this and have your application approved by the Health and Social Care Inspectorate (IVO).

·       The right to restriction of processing

You have the right to request that we restrict the processing of your personal data in certain cases: if you contest the accuracy of the personal data, during the time it takes for us to verify the accuracy of the data; if the processing is unlawful and you oppose the erasure of the data and request a restriction instead; if we no longer need the personal data but you need it for the establishment, exercise or defense of legal claims; or if you have objected to processing based on our legitimate interest, during the time we verify whether our interest outweighs yours.

·       The right to object

You have the right to object to the processing of your personal data on the basis of our legitimate interest. In this case, in order to continue processing, we must demonstrate compelling legitimate grounds which override your interests, rights and freedoms.

·       The right to data portability

Where we process your personal data on the basis of a contract with you or your consent, you have the right to receive the personal data you have provided to us and which relate to you in an electronic format that is commonly used, where technically feasible and where this can be done by automated means. Where applicable, you have the right to transmit such data to another controller (data portability).

·       The right to lodge a complaint

The Swedish Authority for Privacy Protection is the authority responsible for monitoring the application of the legislation by companies processing personal data. If you believe that we are processing your personal data incorrectly, in addition to contacting us, you can lodge a complaint with the Authority.

If you have any questions or comments, please contact us at dataskyddsombud@doktor.se.