Processing of personal data at Karolinska University Hospital
Karolinska University Hospital needs to process your personal data when you request or receive medical care or treatment at the hospital. We are committed to protecting your privacy and only process your personal data in accordance with the purposes and instructions determined by Karolinska University Hospital. The following is intended to provide general information about how Karolinska University Hospital processes your personal data and about your rights as a data subject.
What is personal data?
Personal data is any kind of information that can be directly or indirectly linked to a living natural person. This may for example be your name, personal identity number, social security number, postal address, email address, telephone number, photos and data concerning your health. Even sound recordings that are stored digitally can constitute personal data even if no names are mentioned in the recording.
What is processing of personal data?
Processing of personal data refers to any handling of personal data. This may, for example, include collecting, registering, storing, interacting, archiving, disclosing or printing personal data.
The processing of your personal data is done in accordance with the General Data Protection Regulation (GDPR), the Patient Data Act, the Public Access to Information and Secrecy Act and the Act concerning the Ethical Review of Research Involving Humans. Karolinska University Hospital has implemented guidelines regarding the processing of personal data to ensure that it is in accordance with applicable laws.
Who is responsible for processing the personal data?
As the data controller, Karolinska University Hospital is responsible for the processing of personal data for which the hospital determines the purpose and means.
What are the purposes for processing the personal data?
Personal data that are handled in connection with a request or medical care or treatment are processed by Karolinska University Hospital in order to manage the request, carry out the administrative tasks connected to the request and provide medical care or treatment. The legal basis for the processing of the personal data is that it is necessary to perform tasks carried out in the public interest and in the exercise of official authority vested in Karolinska University Hospital as the data controller. The legal basis for the processing of sensitive personal data, such as data concerning your health, is that it is necessary for the purposes of medical diagnosis, the provision of health care or treatment and the management of health care services. Personal data that are submitted in order to enter into an agreement/contract are processed for the purpose of entering into or fulfilling the agreement/contract.
Who can access the personal data?
Employees of Karolinska University Hospital have access to the personal data to the extent necessary in order to carry out their work duties. The personal data may also be disclosed to data processors, if applicable. Data processors may only process personal data in accordance with the purposes and instructions provided by Karolinska University Hospital. Karolinska University Hospital has implemented guidelines and routines regarding access to personal data to ensure appropriate security and confidentiality of the personal data, including technical measures to prevent unauthorized access to or use of personal data.
Secrecy in relation to personal data concerning health
Data concerning health or other personal circumstances that Karolinska University Hospital processes are protected by health and medical secrecy in accordance with the Public Access to Information and Secrecy Act.
Disclosure of personal data
Personal data concerning health or other personal circumstances may only be disclosed after an assessment of whether disclosure will lead to harm (Swe. "menprövning"), with your consent, or if another legal basis exists for a disclosure. Personal data may also need to be disclosed under the provisions of law or based on a decision by a supervisory authority.
How long are the personal data kept?
Karolinska University Hospital only stores personal data for as long as it is necessary for the purposes for which it is processed. Karolinska University Hospital is, however, subject to Swedish archiving legislation. Therefore, personal data may be processed for archival purposes. The basic principle of the archiving legislation is that the hospital must preserve official documents and medical records. Such data are deleted in accordance with current rules and decisions on deletion of data. Personal data that are not covered by the legislation are deleted when they are no longer necessary for the purposes for which the data are processed.
Your rights as a data subject
As a data subject, you have the right to obtain confirmation of whether Karolinska University Hospital processes your personal data and, if so, to receive a copy of your personal data. You have the right to request rectification if you believe that your personal data are incorrect, inaccurate, or incomplete. You also have the right to request that your personal data be deleted when no longer needed, or if the processing is unlawful. However, as stated above, if the data are covered by archiving legislation, Karolinska University Hospital is not allowed to delete the personal data. You also have, in some specific cases, the right to request restriction of the processing of your personal data. If you would like to exercise your rights or have questions regarding Karolinska University Hospital's processing of your personal data, please send us a written request by email to: email@example.com or by post to:
Karolinska University Hospital
Registratorsfunktionen (Registry Office)
141 86 Stockholm, Sweden
More information and contact
If you have any questions or concerns regarding Karolinska University Hospital's processing of personal data, you can contact our Data Protection Officer by email at: firstname.lastname@example.org
If you wish to file a complaint about Karolinska University Hospital's processing of your personal data, you can submit a complaint to the Swedish Authority for Privacy Protection. Information on how to do this can be found on the Swedish Authority for Privacy Protection's website: https://www.imy.se/en/individuals/forms-and-e-services/file-a-gdpr-complaint/