We need your information for testing and product development

Introduction

HJN Sverige AB, with company registration number 559170-5396 (“HJN Sverige”), and its wholly owned subsidiaries, HJN Proaktiv Hälsovård AB with company registration number 559335-6644 (the “healthcare clinic” or “Atrium Vårdcentral”) and NH Consumer Services AB with company registration number 559397-8702 (the “Neko clinic”) (together “we” or “us”) are committed to the protection of your personal data. We take measures to ensure that your personal data is protected when we use your personal data and that the use of your personal data complies with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR).

In this information: (a) we describe how we collect, use and share your personal data for the purposes of testing and product development; (b) references to a “Clinic” shall mean Atrium Vårdcentral or the Neko clinic which is visited by you as a patient (as applicable) and such clinics together are referred to as the “Clinics”. You also find information on which rights you have in relation to your personal data.

Personal data means any information that directly or indirectly identifies you, for example your name, a picture of you or other information about your health status.

Processing means any action taken (normally electronically) with regards to your personal data, for example collection, structuring, storage and disclosure.

Who is covered by this information

This information covers you as a patient who is visiting a Clinic which, as part of providing you medical care, is using equipment (such as scanners) provided by HJN Sverige.

Responsibility for the use of your personal data

The healthcare clinic, Neko Health and HJN Sverige each acts as separate data controllers.

HJN Sverige and the Clinics are each responsible (as separate data controllers) for their own use of your personal data as described in this information, unless stated otherwise.

Personal data that we collect

We collect and use the following categories of personal data about you:

Sources from which we collect personal data

Neko Health and the healthcare clinic

Each Clinic will collect your personal data directly from yourself when you seek medical care from it, e.g. when you disclose information to the healthcare professional (in writing or orally) or as a result of medical examinations (e.g. when using HJN Sverige's medical equipment).

HJN Sverige

Provided that you give your explicit consent (as further described below), HJN Sverige will receive your personal data as necessary from the relevant Clinic, to carry out tests and product development.

Neko Health's and the healthcare clinic's use of your personal data

Each Clinic separately uses your personal data for the following purposes.

Share your personal data with HJN Sverige for HJN Sverige's testing and product development

What we do: If you have given your explicit consent, the Clinic that you as a patient are visiting will disclose your personal data to HJN Sverige in order to allow HJN Sverige to carry out tests, develop and improve the equipment which has been used to provide you with medical care. Personal data that is shared will include information from e.g. patient records and data generated from the medical equipment used when providing you with medical care (see categories of personal data in the table below).

When providing your consent, you also give your approval to the Clinic to disclose your patient data in accordance with the rules on secrecy and duty of confidentiality under the Swedish Patient Safety Act (2010:659).

Categories of personal data Legal basis
  • Demographic data
  • Physical characteristics
  • Picture material
  • Health data
  • Patient records

Consent (Article 6.1 (a) of the GDPR). The use of your personal data for the above purpose is based on your given consent.

Explicit consent (Article 9.2 (a) of the GDPR). Any special categories of personal data (such as information relating to your health) will only be used for the above purpose based on your explicit consent.

Please note that you have the right to withdraw your consent at any time.

Storage period: Personal data is stored for this purpose until the disclosure has been made to HJN Sverige.

HJN Sverige's use of your personal data

Testing and product development

What we do: If you have given your explicit consent, HJN Sverige will use your personal data to carry out tests in order to develop, improve and optimize the medical equipment offered to you atNeko Health and/or the healthcare clinic (as applicable). Such personal data will include information from e.g. patient records of the Clinic that you as a patient have visited and data generated from the medical equipment used by the healthcare clinic when providing you with medical care (see categories of personal data below).

Categories of personal data Legal basis
  • Demographic data
  • Physical characteristics
  • Picture material
  • Health data
  • Patient records

Consent (Article 6.1 (a) of the GDPR). The use of your personal data for the above purpose is based on your given consent.

Explicit consent (Article 9.2 (a) of the GDPR). Any special categories of personal data (such as information relating to your health) will only be used for the above purpose based on your explicit consent.

Please note that you have the right to withdraw your consent at any time.

Storage period: Personal data is stored for this purpose during the product tests and until the development work relating to such tests has ended. In practice, this normally is for a period of 24 months from your last visit to the applicable Clinic and/or use of the patient application whichever is later) relating to the same matter/care as when you provided your consent. At the end of the 24-month period, we will no longer use your personal data for this purpose, unless you provide a new consent in the same manner.

Moreover, HJN Sverige will pseudonymize your personal data (i.e. replace your personal data with artificial identifiers or similar) to the extent feasible during the testing period, as well as taking steps to ensure that pictures of you do not appear together with any other information which may identify you directly.

Reports and statistics on an aggregated level (which do not contain any personal data) will be stored until further notice.

Establish, exercise and defend legal claims and rights

What we do: HJN Sverige uses, when needed, your personal data to manage, defend and exercise legal claims and rights, e.g., in connection with a dispute or court proceeding. For this purpose, HJN Sverige will also store your documented consent allowing HJN Sverige to use your personal data for testing and development, as further described above.

Categories of personal data Legal basis
Relevant categories of personal data that are necessary to manage, defend or exercise the legal claim or right in the specific case.

Legitimate interest (Article 6.1 (f) of the GDPR). The use of your personal data is necessary to satisfy HJN Sverige's legitimate interest of managing, defending and exercising legal claims and rights.

It is the assessment that HJN Sverige's legitimate interest outweighs your interest of not having your personal data processed for this purpose.

Establish, exercise and defend legal claims (Article 9.2 (f) of the GDPR). Any special categories of personal data (such as information relating to your health) will only be used for this purpose where necessary to establish, exercise and defend legal claims.

Storage period: Personal data is stored for this purpose until the product testing and development work are finished (as further described in the above section testing and product development), or the longer period as necessary to manage and defend a legal claim or dispute which has occurred during such 24-month period.

Your documented consent, including your name, will be stored until the product testing and development work are finished, and thereafter for an additional period of ten (10) years to manage, defend and exercise legal claims and rights under the GDPR.

Fulfil legal obligations

What we do: HJN Sverige will use, when needed, your personal data to fulfil HJN Sverige's legal obligations, e.g. to fulfil our data protection obligations with regard to data subject rights.

Categories of personal data Legal basis
Relevant categories of personal data that are necessary to fulfil the specific legal obligation. Fulfil legal obligation (Article 6.1 (c) of the GDPR). The use of your personal data is necessary to fulfil HJN Sverige's legal obligations.

Storage period: Personal data is stored for such period that is necessary in order for us to fulfil the specific legal obligation.

Other transfers of personal data by HJN Sverige

Transfers of personal data to service providers

HJN Sverige will transfer your personal data to recipients that provide services to HJN Sverige and that need access to your personal data to provide such services. These service providers provide inter alia IT services (e.g. support and data storage services). Those service providers process personal data on HJN Sverige's behalf as processors for HJN Sverige and HJN Sverige is responsible for the processing of your personal data as described above. They must not use your personal data for their own purposes and are contractually and legally obliged to protect your personal data and are bound by confidentiality obligations.

Transfers of personal data to other data controllers

HJN Sverige may, under limited circumstances, disclose your personal data as stated below. The recipient is responsible (controller) for its own collection and use of personal data, unless otherwise is stated.

Purpose Recipients Categories of personal data Legal basis for the transfer
Manage a sale or merger of HJN Sverige
  • Buyers
  • Potential buyers
  • External advisors
Relevant categories of personal data that are necessary to manage the sale or merger

Legitimate interest (Article 6.1 (f) of the GDPR). The use of your personal data is necessary to satisfy HJN Sverige's legitimate interest of selling or merging the business. It is the assessment that HJN Sverige's legitimate interest outweighs your interest of not having your personal data processed for this purpose if the buyer carries out the same or similar type of business.

Establish, exercise and defend legal claims (Article 9.2 (f) of the GDPR). Any special categories of personal data (such as information relating to your health) will only be used for this purpose where necessary to establish, exercise and defend legal claims.

Manage, defend and exercise legal claims and rights
  • Opposing party
  • External advisors
  • Public authorities
  • Law enforcement
Relevant categories of personal data that are necessary to manage, defend or exercise the legal claim or right in the specific case.

Legitimate interest (Article 6.1 (f) of the GDPR). The use of your personal data is necessary to satisfy HJN Sverige's legitimate interest of managing, defending and exercising legal claims and rights. It is the assessment that HJN Sverige's legitimate interest outweighs your interest of not having your personal data processed for this purpose.

Establish, exercise and defend legal claims (Article 9.2 (f) of the GDPR). Any special categories of personal data (such as information relating to your health) will only be used for this purpose where necessary to establish, exercise and defend legal claims.

Your personal data will not be transferred to any countries outside the EU/EEA

Your personal data will not be transferred to any countries outside the EU/EEA HJN Sverige will not transfer your personal data to any countries outside of the EU/EEA.

Your rights

You have certain rights in relation to your personal data. If you wish to exercise your rights, please contact us by e-mailing HJN Sverige at gdpr@nekohealth.com or Neko Clinic at gdpr-clinic@nekohealth.com or the healthcare clinic at info@atrium.se.

We normally respond to your request within one month following the date we received your request. However, if your request is complicated or if you have submitted several requests, we may need additional time to handle your request. We will in such a case notify you and the reasons of the delay. If we cannot, wholly or in part, comply with your request we will notify you and the reasons for this.

When you submit a request to exercise your rights, we need to confirm your identity to ensure that you are not somebody else than who you claim to be. This is to avoid that we e.g. disclose personal data to an unauthorised person or in error delete personal data. If we do not have sufficient information to confirm your identity, we can request that you provide supplementary information about yourself needed to confirm your identity. We only request such information that is reasonable and necessary to your identity. The time to respond to your requests starts when we have confirmed your identity.

Below we describe the rights that you have in relation to your personal data. For further information on your rights, please see the website of your supervisory authority. In Sweden, the supervisory authority is the Swedish Authority for Privacy Protection (IMY).

Right to access (Article 15 of the GDPR)

You have the right to request confirmation from us as to whether we process your personal data and in such a case receive a copy of your personal data together with additional information on our use of your personal data. Please note that the right to a copy of your personal data may not adversely affect the rights of others.

Right to rectification (Article 16 of the GDPR)

You have the right to request that we rectify or supplement your personal data if you consider that your personal data is incorrect, incomplete, or misleading.

Right to withdraw your consent (Article 7 of the GDPR)

You have the right to at any time withdraw your consent to our processing of your personal data by changing your account settings on our platform or contacting us on the contact details below. When you have withdrawn your consent, we will not continue to use your personal data based on the consent previously provided.

Right to erasure (Article 17 of the GDPR)

You have in certain situations the right to request erasure of your personal data (“the right to be forgotten”). By way of example, the right to erasure applies if we still process your personal data but no longer need the personal data for the purposes for which it was collected, or if you object to our use of your personal data under article 21 of the GDPR and we cannot show a compelling reason to further use your personal data notwithstanding your objection.

There are also several exemptions from the right to erasure, including if we are obligated under law to keep your personal data or if the personal data is needed to exercise, manage, and defend legal claims.

Right to object to our use of personal data (Article 21 of the GDPR)

In certain situations, you have the right to object to our use of your personal data. Where we rely on a legitimate interest for the use of your personal data under article 6.1 f) of the GDPR, you have the right to object to the use for reasons which relate to your particular situation. If we cannot show a compelling reason to continue to use your personal data, we will stop using your personal data for the relevant purpose. Moreover, despite an objection we have the right to continue our processing if needed to establish, exercise, or defend legal claims.

Right to request restriction of your personal data (Article 18 of the GDPR)

In certain situations, you have the right to request restriction of your personal data which means that you can, at least for a certain period, stop us from using your personal data. The right to request restriction of your personal data applies if you consider that the personal data about you is incorrect and during the period that we verify this, if the use of your personal data is unlawful and if you wish that we continue to store your personal data instead of deleting the personal data, and if we no longer need your personal data for the purposes for which we collected the personal data, but you need the personal data to establish exercise and defend legal claims and rights.

You also have the right to request restriction of your personal data if you have objected to our use of your personal data under article 21 of the GDPR and during the period, we verify whether we have a compelling reason to continue to use your personal data.

If the use of your personal data has been restricted, we are normally only allowed to store your personal data and not use them for any other purpose than to establish, exercise and defend legal claims and rights.

Right to copy of certain personal data and transfer of the personal data to an external recipient (data portability) (Article 20 of the GDPR)

The right to data portability means that you have a right to receive a copy of the personal data that you yourself has provided to us in a structured commonly used format. Moreover, where it is technically feasible, you also have the right to request that the copy of your personal data is transferred directly to an external recipient.

The right to data portability under this information notice only applies to personal data that we process based on your consent.

Specific rights under the Swedish Patient Data Act (2008:355)

You as a patient have a right to receive additional information on your rights related to Neko Health's and the healthcare clinic's use of your personal data under the Swedish Patient Data Act (2008:355).

Right to lodge a complaint

You have the right to lodge a complaint with your supervisory authority. In Sweden, the supervisory authority is IMY.

Automated individual decision-making

We do not carry out any automated individual decision-making which have legal effects or similar significant effects on you.

Updates to this information

We regularly update this information. Our use of personal data may change, for example we may collect personal data for new purposes, collect additional categories of personal data or share your personal data with other recipients than outlined in this information. If our use of personal data changes, we will update this information to reflect such changes. At the top of this page, you can see when this information was last updated. If we make material changes that are not only editorial to this information, we will notify you of any such changes and what they mean to you in advance.

If you have questions about this information

If you have questions about this information, our use of your personal data or if you wish to exercise your rights, please contact us at:

HJN Sverige

Email: gdpr@nekohealth.com

Postal address:
Jaktgatan 14
11545 Stockholm
Sweden

Atrium Vårdcentral

Email: info@atrium.se

Postal address:
Warfwinges väg 30A
112 51 Stockholm
Sweden

NH Consumer Services AB (Neko Clinic)

Email: gdpr@nekohealth.com

Postal address:
Jaktgatan 14
11545 Stockholm
Sweden

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your country. You can find the Swedish supervisory authority's (IMY) contact details here.