Privacy policy

Introduction

Purpose of the policy

The purpose of this policy is to describe our (’MedHelp’, ’we’, or ’us’) processing of your (the ’data subject’, ’you’ or ’your’) personal data and how we consider and apply rules and laws, primarily the General Data Protection Regulation (GDPR), on processing of personal data.

Scope of the policy

This policy applies to personal data that we process in our capacity as data controller.

As part of our product range, we may process your personal data in the capacity of a data processor. The data controller is, in that case, your employer and it is your employer who must provide information about such processing. However, we have included general information for this situation at the end of this policy. 

Processing of your personal data

What personal data is processed?

We may process the following personal data:

General Personal Data: Name, personal identification code, address
Contact Details: E-mail, phone number
Professional Data: Workplace, employer, duties, education
Health Information: Absence cause
Usage Data: Navigation, interaction and time spent on our websites and related services
Technical Data: IP address, type and version of operating system, browser and device, time settings, language, and cookies
Other Data: Other information that you provide and choose to share in your communication with us

Collection of personal data

We collect your General Personal Data, Contact Details, Professional Data and Other Data from you in connection with your employment with us, when you contact us in support matters, in connection with you asking questions regarding MedHelp’s services and products, in our sales efforts and when you apply for a job with us.

We may also collect your General Personal Data, Contact Details and Professional Data from third parties or open sources for marketing purposes, recruitment or in our sales efforts where you represent a customer, potential customer, partner or potential partner.

In connection with your visit to our website and use of our services and products, we may collect your General Personal Data, Usage Data and your Technical Data.

In connection with you filing an absence notice, you may provide Health Information consisting of your absence cause.

Purpose and legal basis for the processing of personal data

Marketing and sales

In order to market and promote the sale of MedHelp’s products, we process personal data consisting of General Personal Data, Contact Details and Professional Data. Among other things, we maintain customer registers, receive expressions of interest regarding our services and products, distribute marketing material and initiate contacts with potential customers and in turn we process personal data for these purposes. Furthermore, we use this data to enter into agreements, administer existing agreements and settle terminated agreements between us and our customers or partners.

We process personal data for these purposes based on our legitimate interest to market our services and products and to raise awareness of MedHelp’s brand in general. In order to administer ongoing agreements, we also process personal data with regard to our legal obligations regarding tax and reporting duties to authorities and stock exchanges.

In cases where you subscribe to digital distribution of marketing material, you can always unsubscribe from such distributions by clicking on the link in the relevant email.

Communication and support

To communicate with you in general and especially in support cases, we use your General Personal Data, Contact Details and Other Data. Depending on the reason for your contact, we may also establish an internal contact case where we save your General Personal Data, Contact Details and Other Information in order to investigate and respond to your communications and to take any action. Our processing of personal data in this case is based on our legitimate interest in responding to your communications and handling your contact matter. 

To improve our website, products and ancillary services

In order to improve our website, products and related services, we collect and analyze Technical Data and Usage Data to review usage patterns and user behaviors as well as statistics on how users interact with our website. We may also process such data to fulfill a support case. We carry out such processing of your Personal Data on the basis of our legitimate interest in continuously improving the website, our products and our surrounding services.

When we use your personal data for this purpose, we do so, to the extent possible, through anonymized data where we study overall usage patterns using aggregated data. The anonymization of data means that it no longer constitutes personal data, as it is no longer possible to identify individuals.

We may also anonymize your Professional Data and Other Data (including health data) in such a way that the data no longer is attributable to you as an individual. The anonymized data may be used to analyze trends as well as develop and improve our products and services. 

Hiring and recruitment

In order to recruit competent and suitable staff for employment and consulting services and to administer incoming employment applications and ongoing employment and consulting assignments, we process General Personal Data, Contact Details, Professional Data and Other Data.

In recruitment and for the processing of incoming employment applications and when evaluating consulting services, we process personal data on the basis of our legitimate interest in recruiting competent and suitable personnel.

During ongoing employment and consulting assignments, we process your personal data in order to be able to monitor our obligations and rights according to agreements and on the basis of our legitimate interest. We also process personal data in order to comply with our legal obligations regarding reporting to authorities.

Processing with consent

MedHelp may process Health Information consisting of absence cause provided that you consent to the processing of such personal data in connection with you submitting an absence notice. When we ask for your consent, more detailed information regarding the processing is provided.

Storage and deletion of personal data

In cases where our personal data processing is based on our legal obligations, we store the personal data for as long as required by the relevant legal obligation (e.g. seven years for accounting, contracts and invoices).

In cases where our personal data processing is based on our legitimate interest, the personal data is processed for the period when the purpose for which it was collected is still relevant. For example, personal data collected for the purposes of sales or marketing is processed and stored for as long as you are still relevant to our marketing (e.g. ongoing negotiation or processing) or for the duration during which MedHelp has a business relationship with someone you represent, but the data is deleted at a fixed time (two years) after our last contact.

We are keen to ensure that personal data collected for one purpose is not used for another type of purpose. For example, we have procedures in place to prevent information we collect for marketing purposes from being used for recruitment purposes.

After our storage ceases, the personal data is deleted, which means that the processing ceases. Deletion can take place either by erasure or by anonymization. Technical Data and Usage Data are deleted on an ongoing basis through anonymization.

Sharing of personal data

Third parties who access the data

We may share your personal data with different suppliers to manage one or more parts of our business, including our website and ancillary services. Such suppliers process personal data on our behalf for the purpose of storing data or performing other services on our behalf.

As a result of MedHelp’s ISO 27001:2022 certification, MedHelp has implemented, and maintains, a robust supplier review process which includes reviewing a supplier’s processing of personal data (if applicable). Such an audit includes verification that the provider has the necessary technical and organizational security measures implemented to protect your personal data and that the processing takes place as described in this policy and otherwise in accordance with applicable legislation.

We always enter into a personal data processing agreement with suppliers who will process personal data on our behalf. Such data processing agreement imposes a legal obligation on the supplier to maintain technical and organizational security measures. We are always responsible for the processing a supplier carries out on our behalf.

We may also share your personal data with various authorities and other public actors such as the Swedish Social Insurance Agency, the Swedish Police Authority and the Swedish Tax Agency when we are required to do so by law. 

Transfer to third countries

Among the suppliers that MedHelp hires for the processing of personal data are suppliers with ownership in countries outside the EU/EEA – primarily the United States. MedHelp ensures compliance by requiring that the storage of personal data takes place within the EU/EEA and entering into personal data processing agreements as above. Further, MedHelp ensures that there is an adequate level of protection that can be applied to the country in question and the relevant provider.

Primarily, this is ensured by there being an adequacy decision issued by the European Commission in respect of the country in question. With regard to the United States, an adequacy decision has been in place since July 2023 in accordance with art. 45 GDPR for transfers to the United States on the basic condition that the provider is certified under the Data Protection Framework (DPF). MedHelp primarily chooses suppliers that are certified under the DPF and thus covered by the aforementioned adequacy decision.

Secondary to the above, MedHelp relies on other transfer mechanisms, such as the Standard Contractual Clauses for third-country transfers issued by the European Commission in June 2021 with additional safeguards as recommended by applicable recommendations. 

Your rights

Right to register extract

You have the right to request information about what personal data is being processed, the purpose of the processing, the storage period and the recipients of the personal data.

Right to rectification

You have the right to request that inaccurate or incomplete personal data be corrected or completed without undue delay.

Right to erasure (right to be forgotten) and withdrawal of consent

You have the right to request the deletion of your personal data if it is no longer needed, if the processing is unlawful, if the personal data is inaccurate or if you withdraw your consent. You always have the right to withdraw your consent and instructions on how to proceed will be posted in connection with our request for your consent.

However, despite your request to the contrary, we may continue to process your personal data for a certain period of time in order to comply with legal obligations or if we otherwise have legitimate grounds for continued storage.

Right to restriction

You have the right to request restriction of the processing of your personal data if the accuracy of the personal data is contested, the processing is unlawful, or you need the personal data to continue to be processed in order to assert your legal claims. The meaning of restriction is that the personal data continues to be stored but without being used for any processing.

Right to data portability

You have the right to receive your personal data in a structured format or to request that it be transferred directly to another data controller, but only if the processing is automated and based on consent or agreement.

Right to object to processing

You have the right to object to processing that takes place on the basis of our legitimate interest or for marketing purposes, after which the processing shall cease if our legitimate interest does not outweigh your legitimate interest in the objection.

Right to complain to a supervisory authority

You have the right to turn to the Swedish Authority for Privacy Protection (IMY) if the processing is considered to be in violation of the GDPR. See contact information above.

Right not to be subject to automated decision-making

You have the right to request that you are not subject to automated decision-making with legal or similar consequences.

Exercise of rights

Your request to exercise one (or more) of the above rights should be made to our Data Protection Officer at the contact details set out above. The request will be processed within one month and MedHelp reserves the right to take adequate steps to verify your identity. MedHelp also reserves the right, in the event that your request is manifestly unfounded or unreasonable, to charge a reasonable fee for responding to your requests or, alternatively, to refuse to comply with your request.

Data controller, contact details and supervisory authority

Data Controller

MedHelp A/S (CVR 31784883) is the data controller for the processing described in this policy.

Contact details (data protection officer)

If you have questions or concerns regarding our personal data processing or if you want to exercise your rights regarding the personal data processing, you are welcome to contact us through our Data Protection Officer:

E-mail: privacy@medhelpcare.com

Postal address: MedHelp A/S, c/o ECIT Services A/S, Hørkær 12A, 2730 Herlev

Contact information (supervisory authority)

If you are dissatisfied with how we process your personal data, you always have the right to turn to the supervisory authority for Privacy Protection (Datatilsynet) to submit a complaint:

Datatilsynet
Carl Jacobsens Vej 35, 2500 Valby
Tel. 33 19 32 00
dt@datatilsynet.dk

Regarding the processing of your personal data in connection with MedHelp's products

Description

MedHelp provides a digital platform to manage, identify, act on and document sick leave and rehabilitation among employees. MedHelp’s customers consist of companies that hire MedHelp and use MedHelp’s digital platform as part of their systematic work environment management, to manage and follow up on sick leave, carry out and document rehabilitative efforts with the goal of reducing sick leave.

MedHelp’s products include personal data processing consisting of, among other things, your General Personal Data, Contact Details and Professional Data. The processing of personal data also includes the processing of a special category of personal data: health data.

MedHelp’s products include profiling of personal data. The profiling is based on age, gender, organizational affiliation and information about sick leave. Based on these parameters, MedHelp’s platform can recommend that a preventive action is undertaken.

Controllership of personal data in MedHelp’s platform

All the processing of personal data that takes place within the framework of MedHelp’s products is carried out by MedHelp on behalf of MedHelp’s customers. Therefore, MedHelp acts as a data processor to the data controller, which is your employer. We have entered into a data processing agreement with your employer that clearly defines our respective responsibilities and imposes clear and concrete obligations on us at MedHelp in terms of security. If applicable, MedHelp can be engaged as a subcontractor to an occupational health service. MedHelp then has a data processing agreement with the occupational health service, which in turn has a data processing agreement with your employer. Your employer is still, as a rule, the data controller for the processing MedHelp performs.

The fact that your employer is the data controller applies with the following exceptions. If the product purchased by our customer (your employer) includes a component of healthcare advice by a nurse or other medical professional, the personal data processing that takes place within the caregiving falls under the healthcare provider’s personal data responsibility – i.e. the healthcare provider is the controller. Currently, the healthcare provider is Kry Primärvård AB (556665-8364). More information about Kry’s processing of personal data can be found here.

MedHelp’s use of anonymized data

As a result of the personal data that we process on behalf of our customer, anonymized data is generated (see above under Purpose and legal basis for the processing of personal data). Anonymization of data means that individual markers and characteristics such as name and social security number are separated from other data in a way that makes it impossible to identify an individual. The data must also be of such a quantity that it is not possible to distinguish an individual by means of exclusion, and MedHelp has established technical procedures to ensure this.

MedHelp uses anonymized data to compile statistics on the absence situation in Sweden in general but also at the customer-level. All statistics are also reproduced completely anonymously, which means that the statistical data is anonymized, and the presentation of the statistics is therefore also anonymized. 

Transfer to third countries

MedHelp’s products are provided through a service provider with U.S. ownership. For this service provider, MedHelp has verified and continuously monitors the applicability of adequacy decisions through the provider’s certification under the DPF. For more information on how MedHelp processes personal data in the context of transfers to third countries, see under the heading “Transfer to third countries” above.

Exercise of rights

If you wish to exercise your rights under the GDPR or would like more information about the processing of personal data in MedHelp’s platform and for what purposes we process personal data within our platform, please contact your employer.

As a rule, we are prohibited by law and contract from taking any steps to comply with your request for the exercise of your rights if your request relates to the personal data processed within MedHelp’s products. 

Approved by MedHelp’s Board of Directors on May 5th, 2025