Privacy Policy


The Medical Center (Stoðkerfi ehf.) emphasizes ensuring the confidentiality and security of personal information processed within the company. This privacy policy covers all personal information about individuals, e.g. individuals who do business with us and/or contact us, contacts who act on behalf of legal entities in business with the company, as well as other contacts or guardians.



1. Legal obligation

The Medical Center strives to comply with and respect the rules of the Act on the Protection of Personal Data and the Processing of Personal Data and the EU Regulation on the Protection of Individuals with regard to the Processing of Personal Data. This includes, among other things, minimizing the processing of personal data as much as possible and processing the information only for legitimate purposes.

Our staff are also bound by confidentiality under the Health Care Professionals Act and the Patients' Rights Act. The confidentiality obligation applies to all personal information that healthcare staff come to know in the course of their work, and remains so even if a patient dies or an employee leaves their job. We place great emphasis on maintaining the confidentiality of personal information.


2. Personal information

According to the Act on the Protection of Personal Data and the Processing of Personal Data, personal data is any information about an identified or identifiable individual. This refers to information that can be directly or indirectly traced to a specific individual, for example by name, social security number, email address or other factors that characterize an individual. Personal data can be in written form, on paper, in digital form or in an image.


3. Processing of personal data

The company's main activity is healthcare. In order to provide this service, it is necessary to record and process various personal information. Different types of personal information are collected depending on the nature of the business and/or relationship with us.

The main categories of personal information processed are the following:

  • Personal identification, such as name and social security number
  • Contact information, such as address, phone number, and email address
  • Communication and business history
  • Health information
  • Information about the next of kin
  • Legal information regarding accidents and compensation matters

According to the Health Records Act, it is mandatory to enter certain personal information in the health records of those who seek our services for healthcare. According to the Act, all items necessary for the patient's treatment must be entered in the health records. The Act stipulates certain minimum information that must be entered in the health records, as applicable at any given time. Processing information in the health records is necessary to ensure that healthcare professionals involved in the treatment have accurate and correct information to be able to assess the situation and provide appropriate treatment.

In addition to the information listed above, we may also collect and process other information that customers or their representatives/contacts provide to us, as well as information that is necessary for our operations. The information is primarily processed so that we can meet the needs of our customers, provide them with appropriate treatment and service.

The processing of personal data is also necessary for us to organize and manage our activities and operations, as well as for security purposes. We also need to process personal data in order to fulfill various obligations that we have, for example in connection with accounting laws and regulations and on the basis of contractual relationships. We therefore also record information about our customers for operational and accounting purposes.

We generally collect personal information directly from our customers or their contacts. In some cases, we receive information from third parties, such as family members, other healthcare professionals and/or government agencies. In such cases, we may need to look up personal information online, such as phone numbers, social security numbers or addresses. If personal information is collected from a third party, we will make every effort to inform the individual of this, where possible.


4. Preservation

The personally identifiable data we hold is either stored in locked file cabinets in storage, in our offices or in appropriate computer systems, such as the Saga medical record system. The hosting of the computer system in question is in Iceland. Special processing agreements are made with the hosting providers of those computer systems and we emphasize that personal data is handled in accordance with the provisions of the Act on the Protection of Personal Data and the Processing of Personal Data.

We generally retain information about customers and customer representatives/contacts, including medical records, after the end of the business relationship for as long as the relevant laws require. In the case of information covered by accounting laws, it is mandatory to retain it for seven years from the end of the relevant financial year. With regard to the entry of personal information in medical records, we are always obligated to retain medical records in accordance with relevant laws.


5. Access and sharing of personal information

We try to limit access to personal information as much as possible, and only those employees who need it have access to it. For medical record information, this means doctors, nurses, paramedics, medical secretaries, systems engineers and the CEO, who have varying degrees of access depending on their roles. Access rights and access groups for the electronic medical record system at Stoðkerfi are further described in the procedures/information document.

Our processors need to have access to certain data, for example, computer system administrators. In such cases, we are obliged to enter into agreements for the processing and ensure that data protection laws and regulations are observed.

We do not share personal information with third parties unless we are permitted to do so based on legal obligation, contract or consent. For example, we are required by law to submit certain information to government agencies, such as the Director of Health, Icelandic Health Insurance, tax authorities, etc. There may also be a need to share health information with other healthcare professionals, as well as lawyers who have a written authorization from the individual in question.

We will not share personal information outside the European Economic Area unless we are permitted to do so based on data protection legislation and the confidentiality obligations of healthcare professionals.


6. Websites and cookies

We use so-called cookies for measurements on our websites. Cookies are small text files that are stored on computers or smart devices. When you visit our website, information is recorded about the time, date, search terms, which website you came from, browser type, operating system type, etc. The information is used for website improvements and development, including to make them more efficient and improve the user experience. The information is not sold to third parties. No other automated decision-making takes place in our operations.


7. Security measures

We strive to take appropriate technical and organizational measures to protect personal data, taking into account its specific nature. These measures are intended to protect personal data against accidental loss or alteration and against unauthorized access, copying, use or disclosure.

Examples of security measures we take include:

  • We control access to all of our systems.
  • We store information in paper form in locked cabinets.
  • We provide training to staff.
  • We have a safety and quality committee that meets regularly.


When it comes to the security of medical records in particular, laws, regulations, and instructions from the Directorate of Health apply, which we place great emphasis on following.


8. Changes and corrections to personal information

It is important that the personal information we process is accurate. Therefore, it is important that we are notified of any changes that may occur to your personal information.

Individuals may have the right to have inaccurate personal data about them corrected. Taking into account the purposes of the processing of personal data, individuals may also have the right to have incomplete personal data about them completed, including by providing further information.

We would like to point out, however, that we are obliged under the Health Records Act to process certain personal information by entering it in the health record, cf. Section 3 above, and we are not permitted to change or correct that information except in certain circumstances. Information may not be deleted from the health record without the consent of the Director of Health.

Please direct all updates or requests in this regard to the Data Protection Officer, cf. Section 12 of this policy.


9. Rights of individuals regarding processing

Individuals have various rights under the Data Protection Act, including the right to access, erasure, restriction of processing and/or portability of personal data. Individuals also have the right to object in certain cases, and special rights in cases of security breaches in the processing of personal data.

Individuals who intend to submit a request in connection with the above rights are asked to contact the Data Protection Officer, cf. Section 12 of this policy.

The above rights are not absolute. For example, the law may oblige us to refuse a request for deletion of or access to data, cf. also the discussion of medical records in Section 8.

If circumstances arise where we are unable to comply with a request for the above reasons, we will endeavour to explain why the request has been denied, subject to any limitations based on legal obligation.


10. Consent

Where the processing of personal data is based on consent, the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent up to the time of withdrawal.

It is worth noting that our processing of personal information is rarely based on consent. For example, entering information into a medical record is based on a legal obligation, cf. Section 3.


11. Inquiries and complaints to the Data Protection Authority

If you would like to exercise the rights described in sections 8 and 9 of this policy, or if you have any questions regarding this privacy policy or how we process personal data, please contact the Data Protection Officer as set out in section 12 below.

If you are dissatisfied with our processing of personal information, you can submit a complaint to the Icelandic Data Protection Authority (see more information at www.personuvernd.is).


12. Information about us and the Data Protection Officer

You can reach us by phone or email:

The Medical Center / Stoðkerfi ehf.

Urðarhvarf 8, 203 Kópavogur

laeknastodin@orkuhusid.is / 520-0100


We have appointed a Data Protection Officer, who oversees matters relating to data protection, including this policy:

Tinna Björk Gunnarsdóttir, lawyer

Fortis Law Firm ehf.

tinna@fortislogmenn.is / 520-5800


13. Validity and review

We may need to change this Privacy Policy, for example, in accordance with changes in applicable laws or regulations or due to changes in how we process personal information.

This privacy policy was adopted on 29.09.2020.