Privacy statement

All processing of personal data must be legal, fair and transparent. Personal data means any information about an identified or identifiable natural person. Personal data can be name, telephone number, address, e-mail, social security number etc. Health information is categorized as sensitive information where there are special requirements for handling.

Groruddalsklinikken is a private healthcare provider and must comply with the Health Act’s rules for processing personal data. The health laws that are relevant and deal with the processing of personal data are the Specialist Health Services Act, the Health Personnel Act, the Patient Records Act (incl. the Patient Records Regulations), the Patient and User Rights Act, the Health Archives Act etc. All laws and regulations can be read at www.lovdata.no.

Privacy in relation to our patients and customers is important to Groruddalsklinikken and we work actively to safeguard your privacy. Groruddalsklinikken employees who come into contact with personal data have a duty of confidentiality. The same applies to others who process personal data on our behalf.

Data controller

The person who determines the purpose of the processing of the personal data is called the data controller. The controller ensures that personal data is processed in accordance with the applicable regulations.

This is how Groruddalsklinikken uses personal information

We collect personal data only when it is necessary for us to be able to offer our services to you. The purpose of processing your personal data is to provide proper health care and offer our medical services. In addition to this, in some cases we process personal data for marketing purposes. This is of course done in accordance with the applicable rules/laws.

We delete personal data when it is no longer necessary to fulfill the purpose for which it was originally collected. When it comes to personal data stored in patient records, other rules apply. See more under the section on deletion of personal data.

Patient information linked to patient records

The personal information that we collect is information that is necessary to provide you with proper health care. We have received the information we process from you, other hospitals, doctors etc. where you have received treatment, from tests we take etc.

When you receive health care or medical treatment from Groruddalsklinikken, we are obliged to enter all the information necessary to provide health care into our system for patient records. There are legal requirements for keeping patient records and which information must be written down. The journal can, for example, contain contact information, next of kin, medical history, previous treatments, which medicines you use, diagnoses, images from X-rays etc.

Sharing of personal data

Other healthcare organizations or other healthcare personnel

We may be contacted by other healthcare organisations, the doctor who referred you to us or other healthcare personnel who also provide you with medical treatment and who ask to be handed over your patient information.

Healthcare personnel have the opportunity to hand over your confidential information to collaborating healthcare personnel who are subject to the same duty of confidentiality as our employees. This is only done to the extent that it is considered necessary to provide you with proper health care and the rules follow from Section 25 of the Health Personnel Act. As a patient, you have the right to object to such disclosure. The information that is possibly shared is limited to what is necessary. We only share such information with the referring doctor or if requested by the cooperating personnel.

Public authorities

If it is required by law or there is a suspicion that an offense has been committed in connection with the use of our services, the information we have stored about you may be disclosed to public authorities.

Data processors

A data processor is an independent company or legal entity that processes personal data on behalf of the controller – for example Groruddalsklinikken’s system suppliers.

Groruddalsklinikken ensures that all data processors are subject to the same duty of confidentiality as employees at Groruddalsklinikken, and that agreements on the use of data processors meet the Personal Data Act’s requirements for the use of data processors/content of data processor agreements.

Groruddalsklinikken mainly uses data processors who process personal data within the EU/EEA. This means that these data processors are subject to the same regulations when it comes to the processing of personal data. With few exceptions, data processors located outside the EU/EEA are used. In these cases, Groruddalsklinikken has ensured that these data processors are subject to a sufficient level of protection for the processing of personal data in accordance with GDPR art 45 et seq.

Your rights

Insight

You have the right to know what information is stored about you in our systems. To get an overview of these, you can send a request to post@groruddalsklinikken.no. Remember that you must not provide sensitive personal information in the inquiry.

Correction and deletion

Correction

The information we have stored about you must be up-to-date and correct. If you discover an error, you must contact us so that we can have them corrected. The possibility of having information corrected is limited by rules in the Health Personnel Act regarding the content of your patient record.

Deletion

Contact us if you want information to be deleted. The possibility of having information deleted is limited by rules in the Health Personnel Act regarding the content of your patient record

Storage time

Groruddalsklinikken does not store personal data longer than is necessary to fulfill the purpose of the treatment and the statutory obligations we have. Regarding personal data stored in the patient record, other rules apply.

Journals must, in accordance with the regulations, be kept until, due to the nature of the health care, it is no longer assumed that they will be used. Groruddalsklinikken is obliged by the health archive regulations to hand over medical records to the Norwegian health archive accordingly.

Right to demand limited processing of personal data

You can demand that Groruddalsklinikken’s processing of personal data about you is restricted. This can be done by moving them to another processing system, making selected information unavailable or by removing public information from the website. This applies:

• If you believe that the personal data we have stored about you is inaccurate, in this regard the processing may be limited during the period it takes to check whether the personal data is correct.
• If you believe that our processing of personal data about you is illegal.
• If Groruddalsklinikken no longer needs the personal information, but you need it to establish or enforce applicable legal requirements.

Right to data portability

You have the right to take your personal data from Groruddalsklinikken to another similar service provider. This right only applies if the processing of your personal data takes place on the basis of a consent from you or in connection with the fulfillment of an agreement between you and Groruddalsklinikken. This does not apply to information relating to patient records.

Right to complain to the Norwegian Data Protection Authority

If you disagree with how we process personal data, you can complain to the Norwegian Data Protection Authority. You can read more on the Norwegian Data Protection Authority’s website:

https://www.datatilsynet.no/om-datatilsynet/kontakt-oss/hvordan-kan-jeg-klage-til-datatilsynet/

Privacy Commissioner

Contact our data protection representative if you have questions about the processing of your personal data, or if you want to request correction, deletion or access or if you have other questions. We will respond to your inquiry as soon as possible.

Customer satisfaction measurements

In order to measure the patients’ satisfaction after being with Groruddalsklinikken, we send out surveys. Groruddalsklinikken uses Netigate to carry out investigations.

We will always inform you about the purpose of the survey, and the customer satisfaction surveys that Groruddalsklinikken sends out are anonymous. Groruddalsklinikken will not share the information with others or use the information for purposes other than those specified. Since the survey is anonymous, no information is stored that can be linked to you as a respondent.

Use of telephone number / email

Contact information such as telephone number or e-mail is used to contact you who have registered an appointment or expressed an interest in setting up a consultation with a doctor. Groruddalsklinikken does not send sensitive information via SMS or e-mail. Communication via SMS and e-mail is not sufficiently secured for the transfer of sensitive information.

Marketing and newsletters

Social Media

We would like to be available to our customers and potential customers in social media and have a profile on Facebook and LinkedIn. The purpose of these pages is to convey information about our services, our contact information and opening hours available to our customers/patients and potential patients. If you contact us using these channels, you should not share personal information. If you have questions that contain sensitive personal data (e.g. information about your health), please contact us by phone so that we can help you.

Newsletter

Groruddalsklinikken sends newsletters by e-mail to contact persons in companies affiliated with Groruddalsklinikken. In the newsletter, we want to provide access to good and quality-assured information on various topics related to HSE.

Groruddalsklinikken uses the e-mail service Mailchimp for sending newsletters. Email address, IP address, opening rate and clicks will therefore be processed and stored by Mailchimp in the USA. E-mail address and possibly name will also be visible to those who work in Groruddalsklinikken’s information/marketing department.

Our members can unsubscribe from the newsletter at any time. This is done by accessing our latest newsletter and pressing the unsubscribe link. They can also choose to tell why you do not wish to receive the newsletter from us. This is voluntary and you will be removed from the list anyway, even if they choose not to say why. If you choose to unsubscribe from the newsletter, all information will be deleted from us and from our account at Mailchimp.

Groruddalsklinikken AS will not use your information for other marketing or other services than to send out this newsletter.

Especially for Groruddalsklinikken

Groruddalsklinikken is responsible for processing personal data from employees of our business customers after an agreement has been entered into. This applies both in relation to the delivery of company healthcare services and other healthcare services at individual level.

Groruddalsklinikken processes the personal data independently as part of the service delivery and not on behalf of or following instructions from our customers.

Groruddalsklinikken therefore does not enter into data processing agreements with its customers. This is also in accordance with the Norwegian Data Protection Authority’s assessment of responsibility for the provision of occupational health services. The fact that Groruddalsklinikken business health receives employee lists with names, social security numbers, email addresses and department affiliations from the customers does not in itself require a data processing agreement, because this is considered a transfer of data between two independent data controllers.