Latest update 20210329
1 BACKGROUND AND SCOPE
Feelgood ("Feelgood", "we", "us") offers a complete selection of healthcare and working environment services to organizations all over Sweden. The customers are found in a variety of industries, both within the private and public sectors. Feelgood also provides services to physical persons.
In Sweden the processing of personal data is regulated by the EU's General Data Protection Regulation ("GDPR") and the supplementing Data Protection Act (2018:218). For healthcare providers, additional supplementary regulation can be found in the Patient Data Act (2008:355). Feelgood is therefore subject to all three regulations.
2 WHY AND HOW ARE WE PROCESSING PERSONAL DATA?
As a healthcare provider we are obliged to process personal data about our patients in order to comply with the requirements in the Patient Data Act. Furthermore, some personal data is necessary to process in order for us to conduct our business activities in an effective manner, such as for the performance of a contract that we have entered into with our business customers or directly with the individuals. If we do not have access to this personal data, it may prevent us from entering into contracts or fulfilling our obligations under existing contracts.
In the following section, we describe why, how and on what legal bases that Feelgood processes personal data.
2.2 Feelgood's patients
2.2.1 What personal data is processed and how is it collected?
The categories of personal data concerned are health status, information pertaining to healthcare appointments, name, social security number and contact information. The personal data is collected directly from the patients, healthcare personnel or through web based tools. Subject to consent from the patient, medical journal data may also be obtained from other healthcare providers or from public authorities. Data in Feelgood's medical journal system is not shared with other healthcare providers without the patient's consent.
2.2.2 For what purposes is the personal data processed?
The personal data is processed in order to be able to provide a good and secure care to patients. Moreover, the personal data is used in a coded format for statistical purposes with respect to the business and to healthcare.
2.2.3 What is the legal basis for the processing?
In its capacity as a healthcare provider, Feelgood processes patient data in compliance with the Patient Data Act which stipulates particularly strict requirements how certain personal data, due to its sensitive nature, must be processed and in what way. This means that Feelgood has a legal obligation to process patient data irrespective of whether the patient has consented to the processing or not.
2.2.4 How long is the personal data stored?
According to the Patient Data Act, medical records must be stored for at least 10 years from the date when the last note was made in the medical journal.
2.3 Business customers' employees
2.3.1 What personal data is processed and how is it collected?
Where Feelgood is the controller for processing of personal data pertaining to services used by business customers' employees, but where the processing is not regulated by the Patient Data Act, Feelgood may (depending on the service at hand) process the following categories of personal data: name, contact information, details of the employee's branch or department, test results and status regarding educational services. The personal data is collected either directly from the individual or from its employer.
2.3.2 For what purposes is the personal data processed?
The personal data is processed in order to provide the agreed services.
2.3.3 What is the legal basis for the processing?
Feelgood has a legitimate interest in being able to perform the contracts with its business customers.
2.3.4 How long is the personal data stored?
The personal data is stored as long as Feelgood has not been notified that the employee no longer is employed by the business customer or during the time when contract between the business customer and Feelgood is in force. In the first scenario the personal data will be deleted within one (1) month from received notice, in the second scenario within one (1) year from when the contract between the business customer and Feelgood has terminated.
2.4 Contact persons at existing and potential business customers
2.4.1 What personal data is processed and how is it collected?
Feelgood processes the following categories of personal data: name, contact information, position and where applicable data in correspondence. The personal data is collected either directly from the individual or from its employer.
2.4.2 For what purposes is the personal data processed?
The personal data is processed in order to enable communication in the way that is customary for the relevant kind of business relationship and for marketing purposes.
2.4.3 What is the legal basis for the processing?
Feelgood has a legitimate interest in being able to perform the contracts with its business customers and to market its services.
2.4.4 How long is the personal data stored?
Personal data that has been processed in connection with a customer engagement, may be used in order to adapt tenders in a subsequent procurement process as well as for marketing purposes.
Contact information to representatives of potential business customers is deleted when the dialogue has ended if no customer relationship has been initiated.
Where the data subject has objected to processing of his/her personal data for marketing purposes, data for the purpose of administrating and managing the objection will however be processed.
2.5 Contact persons at suppliers and partners
2.5.1 What personal data is processed and how is it collected?
Feelgood processes the following categories of personal data: name, contact information, position and, where applicable, data in correspondence. The personal data is collected either directly from the individual or from its employer.
2.5.2 For what purposes is the personal data processed?
Feelgood processes personal data in order to enable the administration of purchase agreements and the communication in the way that is customary for the relevant kind of business relationship.
2.5.3 What is the legal basis for the processing?
Feelgood has a legitimate interest in being able to conduct its business, including managing its supplier relationships.
2.5.4 How long is the personal data stored?
The personal data is stored during the term of the contract.
2.6.1 What personal data is processed and how is it collected?
The categories of personal data that are processed by Feelgood are: contact information, sex, year of birth, information regarding experiences and skills and where applicable name and contact information of reference persons and test results. The personal data is collected directly from the applicant itself and where applicable from the reference persons' statements.
2.6.2 For what purposes is the personal data processed?
In order to enable Feelgood to administer the relevant recruitment process.
2.6.3 What is the legal basis for the processing?
Feelgood has a legitimate interest to conduct, simplify, and render its recruiting processes more efficient and/or take measures prior to or in accordance with agreements with the applicant.
2.6.4 Who are given access to the personal data?
Where recruitment firms are managing the recruitment, the recruitment firms are given access to the personal data.
2.6.5 How long is the personal data stored?
The personal data is stored during the recruitment process. Following the end of the recruitment process, the personal data may, subject to the job applicant's consent, be stored for one (1) year for the purpose of other recruitments.
The personal data may also be stored during two (2) years from when the recruitment process was concluded for documentation purposes in case of potential claims in accordance with the Discrimination Act (2008:567). In case of a legal dispute, the personal data is stored in accordance with section 3 below.
3 HOW LONG IS THE PERSONAL DATA STORED?
Personal data is processed for the purposes and during the time periods described above. Moreover, personal data that is included in financial statements is processed during seven years from the end of the calendar year during which the financial year ended, which is a requirement according to the Accounting Act (1999:1078).
Personal data may also be stored for up to ten (10) years from the point of time when the statute of limitation period starts, in order to be able to establish, exercise or defend legal claims.
4 WHEN AND WITH WHOM DO WE SHARE PERSONAL DATA?
We may share personal data as follows:
- when it is a legal obligation or in order to respond to requests from public authorities;
- within our company group for the purposes expressed above;
- with companies that provide services to us or to our customers in collaboration with us;
- with a third party in case of a contemplated or actual reorganization, merger, acquisition, sale, joint venture, engagement or other disposition of whole or parts of our business, assets or stocks;
- to protect or preserve our rights.
If personal data is stored outside of the EU/EES we are taking appropriate safeguards in accordance with applicable law. Data subjects may, upon request, be provided with additional information about these safeguards.
5 WHAT RIGHTS DOES THE DATA SUBJECT HAVE?
5.1 Right to access
The data subject has a right to contact Feelgood and request access to the personal data that Feelgood, in its capacity as controller, processes and information about the purpose of the processing and with whom the personal data has been shared.Feelgood shall, in its capacity as controller, free of charge, provide the data subject with a copy of the personal data that is processed. If additional copies are requested, Feelgood may charge an administrative fee.
5.2 Right to rectification, erasure and restriction on processing
The data subject has a right to, without undue delay, have its personal data rectified or, under certain circumstances, restrict the processing thereof or have the personal data deleted. If the data subject is of the opinion that Feelgood processes personal data about the data subject that are inaccurate or incomplete, the data subject may request the data to be rectified or completed.
Furthermore, the data subject has a right to get its personal data deleted, inter alia where the processing of personal data no longer is necessary or if the processing is based on consent and such consent has been withdrawn.If the data subject requests that the personal data shall be rectified, deleted or that the processing shall be restricted, Feelgood, in its capacity as controller, has a routine to use its reasonable efforts to inform each recipient of the personal data about the data subject's request.
5.3 Right to object
The data subject has a right to, at any time, object to the processing of its personal data if the legal basis for the processing is a public interest or a legitimate interest in accordance with article 6.1 (e) or (f) GDPR.
The above means that the data subject may object to processing of its personal data for direct marketing purposes.
If the data subject objects to the processing, Feelgood may only continue to process the personal data if compelling legitimate grounds exist for the processing or if it is motivated to store the personal data for the purpose of being able to establish, exercise or defend legal claims.
5.4 Right to data portability
The data subject has a right to receive the personal data that it has provided to the controller and has a right to transfer the personal data to a different controller. This only applies if it is technologically possible and if the legal basis for the processing is consent or if the processing has been necessary for the performance of a contract with the data subject.
5.5 Right to withdraw consent
If the legal basis for the processing of personal data is the data subject's consent, the data subject has a right to withdraw its consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before the consent was withdrawn.
5.6 Specifics regarding patients' rights
For medical notes, the Patient Data Act applies. These notes are locked (signed) and cannot be changed or deleted. In general you, as a patient, have the right to request extracts from your medical record and its access logs. If you as a patient consider data in your medical record to be inaccurate, the healthcare provider may enter a rectification into the medical journal. A rectification is a note that refers to the inaccurate data and provides the accurate information. Both the original note and the rectification note remain in the medical journal. The foregoing applies provided that the patient and the healthcare provider agree that the note shall be rectified. In situations where the healthcare service provider and the patient disagree concerning the correctness of the medical record or where the patient requests destruction of the medical journal, the patient may file a request to the supervisory authority the Health and Social Care Inspectorate ("IVO"), Sw: Inspektionen för vård och omsorg. After IVO has made a decision, the medical journal is rectified or deleted in accordance therewith.
6 CONTACT INFORMATION
For occupational healthcare and other healthcare, the company with which your company has entered into a contract, is the controller. If you have used Feelgood's services in your capacity as a private individual, the controller is the company that you have bought the service from.
In both situations, one of the following companies is the controller:
- Feelgood Svenska AB
- Feelgood Företagshälsovård AB
- Feelgood FHV Östersund AB
- Feelgood FHV Södra AB
- Feelgood Sjukvård AB
- Feelgood Online AB
- Medicin Direkt Östersund AB
If you have any questions about the Policy or other questions about how Feelgood processes personal data, please contact our Data Protection Officer at firstname.lastname@example.org.
Data subjects also have the right to file a complaint with the competent supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection, Integritetsskyddsmyndigheten (former Swedish Data Protection Authority, Datainspektionen).
7 CHANGES TO THE POLICY
Feelgood reserves its right to change and update the Policy. In case of material changes, Feelgood will give notice in an appropriate manner. We do however encourage you to read the Policy now and then. The date of the latest changes to the Policy will be published on our webpage.