Personal data policy for patients (end customers)
1. Personal data responsibility and basis for processing
1.2 The processing of personal data when using Encia's services takes place on the basis of an agreement with you, the registered person, or with a customer of Encia with whom you have an agreement. Processing also takes place to comply with legal obligations according to law and government decisions and, for special processing, with your consent.
2. Purposes of the processing
2.1 Encia processes your personal data when this is necessary to perform in accordance with an agreement with you or with a customer of Encia with whom you have an agreement. Encia must process personal data in order to be able to deliver the services and products that Encia offers, and you therefore cannot be a customer of Encia without us processing your personal data.
2.2 Your personal information is used, among other things, for invoicing, information and delivery of products, performance of services and contact with you as a customer.
2.3 Encia processes your personal data in the ways required to comply with obligations incumbent on Encia in accordance with government decisions and laws, such as the Public Access to Information and Secrecy Act (2009:400), the Health and Medical Services Act (2017:30) and the Patient Data Act (2008:355).
2.4 If you have chosen to agree to receive newsletters from Encia, we will also process your personal data to send you information about our business.
3. Personal data processed
3.1 Personal data is all information that can be linked to a living person. Encia collects and processes different types of personal data within the framework of its business, depending on the type of service you use.
3.2 Encia will collect the following personal information from you when you use Encia services:
a) Information about your identity - first name, last name, social security number and gender.
b) Your contact details - address for invoice and delivery, e-mail address, telephone number.
c) Payment information - information for making payments to Encia, or issuing invoices.
d) Health information - information about your health and medical history.
3.3 If you contact Encia for help with a case or for a refund, the case will require Encia to process your personal data. Personal data that is processed within the framework of customer service can be, for example:
a) Information about identity - such as first name, last name and social security number.
b) Case description - in your contact and description of the support case, Encia cannot control what information you provide.
4. Recipients of personal data
4.1 Encia's service is complicated and presupposes that we collaborate with and interact with other actors in healthcare and that we take the help of developers and other suppliers. Encia will therefore transfer your personal data and enlist the help of other actors to process your personal data when necessary to (i) fulfill the agreement with you, (ii) comply with law, constitution or decision. The following types of recipients may be relevant:
a) Clinics, health centers, X-rays and laboratories - Encia collaborates with various care providers who may receive your personal data within the framework of your care chain.
b) Hired staff - Sometimes our own staff is not enough; Encia therefore collaborates with selected doctors and nurses.
c) Authorities - Encia may need to disclose information to authorities if we are required to do so by law or if you request that we do so. In some cases, Encia may be required by law to tell you that your personal information has been requested by authorities.
d) Notification services - Encia uses services to communicate automatically to you, e.g. with confirmations or reminders. These companies only have access to your contact information and have undertaken not to share your personal information beyond what is necessary to carry out the service.
e) Developers and consultants - Encia enlists the help of developers and consultants from other companies to build Encia's IT infrastructure. Such developers may need access to simpler personal information about you when needed for development or troubleshooting.
f) Your insurance company - When you come as a patient via an insurance company, you have agreed with your insurance company that your information may be shared with your insurance company within the framework of what can be considered reasonable for your insurance company to fulfill its obligation to you.
4.2 Sensitive information about you, including your health information, is processed in accordance with law. Such information will therefore only be available to such personnel who must have access to it by law.
4.3 Encia processes as much of its data as possible within the EU / EEA. If data is transferred for processing by a supplier or subcontractor outside the EU / EEA, the recipient has always entered into a contractual agreement with Encia that ensures that the recipient maintains a level of protection comparable to the EU / EEA.
5. Retention of personal data
5.1 Personal data is retained for as long as is necessary to fulfill the purposes described above. This means that most personal information about you will be deleted automatically after a statutory filing period has expired or your customer relationship with Encia has ended.
5.2 Encia retains information that appears in patient records for ten years from the last entry in the record.
5.3 Encia is obliged according to the Accounting Act (1999:1078) to retain certain personal data, e.g. those that appear in invoices and similar accounting documents, for seven years. Personal data retained for accounting purposes will only be used for that purpose.
6. Thinning of personal data
6.1 Personal data is thinned or depersonalized when the data no longer needs to be retained. Depersonalized means that the information can no longer be used to identify a person.
6.2 Before the data is used as a basis for statistics and product development, it is depersonalized and aggregated, which means that it can no longer be linked to you, either by Encia or by anyone else. The information then no longer contains personal data.
6.3 When Encia performs a thinning of personal data, the data cannot be recalled or recreated, and once the thinning is performed, no person can be associated with the remaining information.
7. Information security
7.1 Encia, as the controller of personal data, takes appropriate technical and organizational measures to protect the personal data processed in accordance with Section 2 of the Data Protection Regulation. Encia has specific internal guidelines and processes to address information security issues and to prevent and detect leaks.
7.2 If your personal data is covered by a security incident that has occurred (so-called "personal data incident"), Encia will contact you in accordance with the Data Protection Ordinance.
8. Cookies
8.1 Cookies are used on Encia's website. Cookies are small text files that are stored on the visitor's computer and that make it possible to follow what the visitor does on the website.
8.2 There are two types of cookies:
a. A permanent cookie that remains on the visitor's computer for a certain period of time.
b. A session cookie that is temporarily stored in the computer's memory while a visitor is browsing a website. Session cookies disappear when you close your browser.
8.4 Encia.se also contains cookies from third parties who note your visit to the website to enable advertising on other websites.
8.5 No identification information, such as e-mail or name, is stored about visitors through cookies.
8.6 The visitor can choose not to accept cookies by disabling cookies in their own browser's security settings.
8.7 The visitor can also set the browser so that he or she gets a question every time the website tries to place a cookie on the visitor's computer. Previously stored cookies can also be deleted through the browser. See the browser's help pages for more information on this.
8.8 The Swedish Post and Telecom Agency, which is the supervisory authority in the area, provides further information about cookies on its website (http://www.pts.se/).
9. Your rights
9.1 Encia has a data protection officer. The Data Protection Officer is the contact person for the exercise of rights vis-à-vis Encia with contact information specified below.
9.2 You have the right to revoke consent to a certain processing free of charge without this affecting the legality of the processing before the revocation. For example, you may have chosen to consent to Encia contacting you with newsletters and other mailings. You can then choose to unsubscribe by following a link in these mailings.
9.3 You have the right to request that the processing be limited to storage and to object to the processing.
9.4 You also have the right to request a register extract, in electronic format or on paper. Encia will compile information about how your personal data is processed and send it to you, normally within a month.
9.5 You have the right to request that Encia correct personal data that you consider to be incorrect and to submit additional personal data (in special cases) if you believe that the personal data that Encia has processed has given an incorrect picture of you.
9.6 You have the right to request that Encia delete your personal data. Encia will then delete personal data that Encia does not have to retain in order to fulfill legal obligations. Encia will also continue to process personal data in certain other cases, including when personal data must be processed in order to fulfill an agreement with you. Encia will always respond to you and explain its views on what personal data Encia has the right to continue to process.
9.7 You always have the right to lodge a complaint with the supervisory authority in Sweden, “Integritetsmyndigheten”.