Privacy and Security
Welcome to our privacy and security page! Here we have compiled all the information that is important for you to know about privacy and security in contact with Swedish Health Care.
We at Swedish Health Care Services i Malmö Aktiebolag, org. No. 556352-2316 (“Company” or “We”) protect your privacy and security. GDPR, the new Personal Data Processing Act, places greater demands on transparency, and this page therefore explains what we do when processing personal data. A number of areas together give the whole picture of how we view privacy and security, both for those who have been in contact with the Company and for its customers. We have divided these into sections that may be updated and expanded with more information in the future.
GDPR stands for the General Data Protection Regulation and is a new data protection regulation from the EU that becomes law in all EU member states from 25 May 2018. GDPR replaces the current Personal Data Act (PUL). The law is intended to protect the privacy of individuals and to modernize, harmonize and strengthen data protection within the EU.
Within each EU member state there is a supervisory authority that checks compliance. In Sweden, this authority is called the Integrity Protection Authority, formerly the Data Inspectorate. Their website offers more information and guidance: https://www.datainspektionen.se/dataskyddsreformen/
Processing of personal data
The law governs how personal data are processed, so “personal data” and “processing” are two important concepts to understand. Personal data means any information relating to an identified or identifiable natural person (also called a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that person. Processing of these data means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. Examples of such processing are collection, structuring, storage, processing, dissemination or deletion.
Sensitive personal data
The law singles out a special category of personal data to which a personal data controller must pay particular attention: sensitive personal data. Examples of sensitive personal data are data revealing ethnic origin, political opinions, religious or philosophical beliefs, or information on health and sex life. The starting point is that processing these personal data is forbidden, but there are a number of exceptions. In Sweden, an inquiry into these data is under way with a view to developing supplementary Swedish legislation. Read more about sensitive personal information here.
Personal Data Controller and Personal Data Processor
In the processing of personal data there are primarily two roles to know, each with different areas of responsibility. The personal data controller (PuA) is the one who, under the law, has ultimate responsibility for the processing and determines its purposes and means. The personal data controller shall ensure that the law is followed, inform the persons whose personal data are processed, and ensure that the data are protected. The personal data processor (PuB) processes the personal data on behalf of the personal data controller and is responsible for the technical and organizational security measures.
The Company as personal data controller
Basic principles of GDPR
The law is based on 7 basic principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage minimization
- Integrity and confidentiality
You can read more about the basic principles on the website of the Integrity Protection Authority.
In compliance with the principle of lawfulness, fairness and transparency, the processing of personal data requires a legal basis in the Data Protection Regulation. These legal bases are consent, contract, legal obligation, vital interests, public interest or the exercise of official authority, and balancing of interests.
Legal basis for tasks in the Company’s services
Those responsible for personal data must identify and document the legal basis for each processing of personal data in the Company’s services. The basis may vary case by case depending on the activity, which laws apply, and whether the information collected is required or merely useful to have.
Under PUL, Sweden had an exception under which we did not need to consider how personal data were processed; this exception is called the “abuse rule”. It meant that personal data could be kept in so-called unstructured material, that is, running text and free text such as documents, e-mail, web pages or notes in a system. The abuse rule disappears with GDPR, which means that the personal data contained in all unstructured material must be mapped and handled in the same way as structured material.
The Company, as personal data controller, is responsible for the technical and organizational security measures in and around the Company’s services. This means we must ensure that the required security is in place, such as encrypted storage, privilege management, and the ability to produce register extracts and delete personal data. Where there are no system functions for managing personal data, we have internal procedures for this. The measures taken by the Company are described in more detail below.
Authentication and Encryption
All data communication with our site is protected with Secure Sockets Layer (SSL). The Company uses encrypted communication in the form of 256-bit SSL encryption and 2048-bit RSA public keys. All data communication to and from the user’s computer is encrypted with SSL, the most widely used Internet standard for encrypted communication.
Storage and backups
The Company’s website runs on servers in data centres that are staffed around the clock. Data is held at two geographically separated locations in Europe with full redundancy, and backups are taken daily.
Knowledge and information protection
Only a few key people know how the security system is built. All personnel are bound by a confidentiality agreement that prevents the dissemination of data, information, and the personal data of individuals and customers. Only authorized personnel have access to the data, and authorizations are controlled by the Company’s IT department.
GDPR introduces a new requirement on personal data incidents: they must be reported to the supervisory authority (the Integrity Protection Authority) within 72 hours. To meet the new obligations under the Regulation, it is important to have adequate procedures in place to detect, report and investigate personal data incidents.
An incident may constitute a personal data incident. A problem in the Company’s IT environment that produces incorrect or missing data is categorized as an application-related incident; if the data concerned contain personal data, it is also a personal data incident. A security incident that leads to unauthorized disclosure of, or unauthorized access to, the processed personal data is likewise a personal data incident.
The Company has an incident team that provides the necessary coordination, communication and accountability to assess, respond to and learn from incidents in order to reduce the risk of recurrence. Who takes part in handling an incident depends on its nature and impact. The handling process forms the basis of the flow and, together with complementary procedures, clarifies who does what and how the situation is to be addressed. The process is divided into the subprocesses identification of the incident, impact assessment, action, communication, and Root Cause Analysis (RCA).
In the identification subprocess, the type of incident is determined. The impact assessment subprocess analyses the extent to which customers and users are affected by the incident and what the consequences are. The action subprocess assesses and prioritizes the problem, secures an action plan and carries out the actions. For a personal data incident, compiling a report is one of the activities, based on the Integrity Protection Authority’s template, which states that we should include information about:
- what kind of incident it is;
- which categories of people may be affected;
- how many people it concerns;
- what consequences the incident may have;
- what measures have been taken to counteract any negative consequences.
Incidents and actions are communicated to the persons affected. For personal data incidents, notification to the Integrity Protection Authority is an activity in this subprocess. After actions have been taken and those affected have been informed, a Root Cause Analysis is conducted to prevent the problem from recurring.
It is our goal to comply with all applicable laws and regulations regarding personal data protection. This policy will help you understand what kind of information the Company collects and how it is used. By approving the policy when submitting your information, you agree to the processing of your personal data as described below.
What personal data do we process?
The Company is the personal data controller for the processing of your personal data. The Company will process the personal data you provide or that are submitted to the Company in order to fulfil our commitments to you as a user of our services or as a job-seeking candidate. Personal data may also be processed to enable the Company to fulfil its obligations under law, regulation or an order from an authority. The personal data processed by the Company are encrypted and processed as described below. The Company processes the personal data you have provided to us; exactly what personal data this is depends on which data you chose to register.
How do we use your personal information?
The Company may wish to send you special offers that we believe may be of interest to you about our services or products, or related information from the companies, authorities and organizations that have entered into an agreement with the Company (“Third Party”). You may choose not to share your information with a Third Party when you submit your information to us. If you agree to receive information from us or a Third Party, you may always withdraw this later on the Swedish Health Care website (www.swedishhealthcare.com) (“Website”).
If all or part of our business is sold or integrated with any other business, your personal information may be disclosed to our advisors, potential buyers and their advisors, and will be forwarded to the new owners of the business.
| Purpose of usage | Legal basis for usage | How long we keep the data |
| --- | --- | --- |
| Improve the experience of your visit to our website | Consent (cookies) | 1 year |
| Marketing and advertising | Legitimate interest (with opt-out) | Until opt-out, or up to 3 years |
| To administer your service | Necessary due to agreement | 3 years |
| Perform and manage service issues | Necessary due to agreement | 3 years |
| Troubleshooting, data analysis, statistics and countering abuse | Legitimate interest | 3 years |
| Bookkeeping of transactions | Legal obligation | 7 years |
How do we protect your personal information?
All personal data is processed in encrypted form with us or our partners in the EU.
How long will my personal information be saved?
If you provide your information as a prospect or customer for our services, or as a candidate for vacancies, your information is stored for as long as necessary by law or in order to fulfil our or our partners’ obligations towards you. You can unsubscribe at any time as a user. Your data is stored no longer than permitted by applicable personal data law.
Access to, update and correction of your personal information
You have the right to receive, once per calendar year and free of charge, information about the personal data processed about you, regardless of how they were collected. If you want such information, you must submit a written request to the Company. The request must be sent by you by post to the address stated on the Website, in accordance with applicable privacy laws. It cannot be sent by e-mail.
Cookies on Swedish Health Care
The Company’s website contains so-called cookies. Cookies allow the website to remember important information that makes your visit to the website more convenient. Cookies are used to:
- remember that you have logged in to the site, so that you do not have to log in again on each new page you visit;
- help you keep track of the items you added to your shopping cart;
- customize our services according to the user preferences you specified;
- count the number of users and the traffic; by understanding how the site is used, we can develop and improve it;
- customize our services so that you get ads that are relevant to you;
- collect and analyze behavioural data based on the use of the website and services in order to enhance the user experience and to enable personalized communication and messages to the user.
There are two types of cookies, and the Company website uses both. One type, called a permanent cookie, saves a file that remains on the visitor’s computer. It is used, for example, to customize a site according to the visitor’s wishes, choices and interests, as well as for statistical follow-up. Below we list all cookies, their purpose, the domain they belong to and their lifespan. The other type is called a session cookie. While a visitor is on a web page, it is stored temporarily in the memory of the visitor’s computer, and it disappears when you close your browser. The Company website also uses third-party cookies for, among other things, Google Analytics and Remarketing. The purpose is to understand how our site is used so that we can improve it, and to be able to do targeted advertising. If you do not want to receive cookies, you can change the cookie settings in your browser, and you can also block cookies. Please note that if you block cookies, you will not be able to use all features on the Company website.
Click the following links to learn more about changing the settings for cookies:
- Cookie settings in Internet Explorer
- Cookie settings in Firefox
- Cookie settings in Chrome
- Cookie settings in Safari
Cookies on www.swedishhealthcare.com