GDPR Compliance at Executive Health Sweden AB Personal Integrity
At Executive Health Sweden AB we are proud to say that the personal integrity of our customers is of great importance to us. Therefor we have developed clear and structured procedures for the protection of our customers’ personal data.
All our employees are clearly informed and well aware of the high priority given to the continuation of the responsible treatment of all personal data relating to our clients. This especially considering the sensitive nature of the collected data. Our routines emphasize especially how to inform the client about what type of data is being processed and for what purpose.
As a health care-related clinic a journal (EMR) is kept of examinations of the client. Executive Health has as an overall objective is to limit the transfer of personal data to the EMR only in a continuous dialogue with the client. The EMR contains the results from the examinations and personal data such as name, personal number, address, cell phone number and email address. Currently Executive Health uses two different EMRs; Journal III from CGM and Echo from Kaiku Health Oy. In Journal III the personal data is stored in servers located at the clinic in a room equipped with a security door. In Echo the personal data is transferred between the clinic and the Finnish company Kaiku Health using bank security before it is stored on servers that lies under the supervision of Kaiku Health. No transfers are made to a third party or a non-EU country.
Purpose of the treatment
Personal data collected during the screening is used to execute the service bought by the client and any other use of personal data requires the explicit consent of the client. To be a part of the newsletters and emails from Executive Health the client has to further give his
or her explicit consent. The consent can be withdrawn or upheld by the client at any point with immediate effect.
Lawfulness of the treatment of personal data
The by far most extensive treatment of personal data is done in the EMR in connection to the examination or in dialogue with the doctor in charge. This treatment of personal data is crucial for the clinic to be able to perform its obligations towards the client. The client is at any stage entitled to correction of any inaccuracy and also has the right to have all its personal data deleted. For any treatment of personal data beyond what is necessary to complete the service to be lawful the explicit consent of the client is needed.
Especially for Screening customers
By using BankID all screening customers at Executive Health has the opportunity to leave health related personal data in a special module in the EMR Echo. All information received at the clinical examination and the personal medical call will be transferred into a separate module in Echo. Every result from a specialist examination will be put into Journal III by the specialist in charge. The information of the Screening is summarized by the doctor in charge before it is handed over to the client both digitally and in paper form at the revisit around 10 days after the examination. This way the client gets access to all the results from the screening. After the revisit the personal data exists only digitally in the two EMRs at the clinic, Journal III and Echo, and data will be removed upon request of the client. The clinic would like to remind our clients that since the screening in most cases is followed up within a couple of years the norm is to save the data as reference for the next examination. By signing in via a separate module in Echo with BankID all screening customers at Executive Health can communicate with employees at the clinic.
For the protection of the personal data of all our clients Executive Health has implemented all necessary technical and organizational security measures available. The personal data is
stored according to all relevant standards regarding operational environment and the data is only accessible to some limited authorized personnel.
Please be observant that when contacting the clinic by email, the clinic cannot guarantee the integrity of the transferred information since the content may be visible to a third party. Executive Health recommends contact through phone or regular post when confidential and sensitive information is transferred to guarantee that no unauthorized third party get access to the data.
The clients’ rights regarding personal data
All clients at Executive Health has the right to receive information about what types of personal data is being treated and for what purpose. The client has the right to have any erroneous data changed, data removed or to limit the treatment of personal data according to your wishes. Personal data that is solely treated on the basis of the explicit consent of the client is to be terminated immediately upon the withdrawal of the same consent. If the clinic is required by law to store the personal data, the client has the right to receive information regarding this. All clients at Executive Health has the right to have his or her data to a transferrable medium.
Any possible studies on the clinical results among our clients will only be handled according to the rules stipulated in acts with current Ethical Approval. No genetic or biometric data can be processed without a previous stipulation in an Ethical Approval for a Scientific Research.