Privacy policy

Last Updated: 2024-12-16

Medoma privacy policy

Medoma AB is a modern healthcare company that provides IT services to facilitate distributed health care to care providers. We believe that, with a combination of a patient-adapted healthcare model, great healthcare providers, good processes and the latest technology, we can create good care in a way that has not been possible before. We always strive to use the latest technology and create the very best care experience.

This information ("Privacy Policy") informs you about how we, as the controller of personal data, process your personal data in connection with, for example, applying for a job with us, participating in some of our events, visiting our website https://www.medoma.com or otherwise coming into contact with us. It also describes your rights and how you can enforce them.

We, Medoma AB (reg. no. 559328-9738 and registered address Birger Jarlsgatan 57C, 113 56 Stockholm, Sweden), follow the instructions from your healthcare provider and treating physician and act as the data processor. If you have any questions regarding our processing of your personal data, you are always welcome to contact us at dpo@medoma.com or via the contact details at the end of this privacy policy.

1 Medoma’s processing of patient data on behalf of care givers

1.1 Medoma acts as a Processor when we process your personal data on behalf of your healthcare provider, who is the data controller. This Privacy Policy does not describe Medoma's processing of patients' personal data in Medoma's role as Processor.

1.2 For information about healthcare providers' processing of patients' personal data, please see your current healthcare provider's privacy policy.

1.3 As a patient and user of Medoma's services, you can always reach out to us; however, we act as a Processor for a healthcare provider, so we will refer you to your current healthcare provider directly. It is only after instructions from the healthcare provider that Medoma can answer your request.

2 Where we collect personal data

2.1 We collect personal data from:

a) You, e.g. when you send a work application to us, when you apply for one of our events, or information which you provide us continuously during a recruitment process (e.g. during interviews).

b) Publicly available sources, such as public registers and social media within the context of background checks which we perform regarding certain potential candidates for a position at Medoma.

c) References which you have named, to the degree that we collect personal data from you regarding your references during a recruitment process.

3 When and why we collect personal information

3.1 Recruitment of new talent

3.1.1 Purpose: Conduct recruitment processes. Medoma processes your personal data for the purpose of handling your application during a recruitment process. During the recruitment process, we also process your personal data to review received application documents, assess them and to conduct interviews.

3.1.2 We ask you not to provide us with sensitive personal data in your application, for example by providing information about your health in your personal letter.

a) Categories of personal data: Identification data (such as name, identification number), Contact data (such as name, phone number, address, e-mail address), Data in CV (such as previous employment), Data in personal letter, Interview notes, Reference data and Information from references.

b) Legal basis: The processing is only to the extent necessary to fulfill Medoma's legitimate interest in recruiting new employees and to evaluate candidates when recruiting new employees.

c) Retention period: Personal data is kept until the position is filled, or when the applicant is disqualified from the recruitment process.

3.1.3 Purpose: Storing your application for future hiring. In the event that you have applied for a position at Medoma but we have not been able to offer you a position, we may want to save your application for future recruitments. In such cases, we will ask for your consent. If you agree, we may contact you if a position becomes available with us that we believe fits your profile.

a) Categories of personal data: Identification data (such as name, identification number), Contact data (such as name, phone number, address, e-mail address), Data in CV (such as previous employment), Data in personal letter, Interview notes, and Information from references.

b) Legal basis: The processing takes place with the support of your consent.

c) Retention period: Personal data is kept for a period of 12 months after the current recruitment process has ended. However, you can withdraw your consent at any time.

3.1.4 Purpose: Conducting background checks. As part of the recruitment process, we may perform background checks in order to further evaluate your application. Such background checks may include searches against the National Board of Health and Welfare's register of certified healthcare personnel, to the extent that Medoma's customer requests this.

a) Categories of personal data: Identification data (including social security number), Contact data (such as name, phone number, address, e-mail address), if information about identification, possibly information on social media.

b) Legal basis: The processing is done only to the extent necessary to fulfill Medoma's legitimate interest in evaluating your application, and our customers', as well as our, legitimate interest in establishing that we can offer the right person (including, where applicable, with the right certified competence) employment with Medoma. Processing of social security numbers is necessary regarding the purpose of the processing.

c) Retention period: Personal data is kept until the position is filled.

3.1.5 Purpose: Find suitable candidates. In order to search for suitable candidates for vacant and future positions at Medoma, we may process your personal data.

a) Categories of personal data: Identification data (such as name, identification number), Contact data (such as name, phone number, address, e-mail address), Data in CV, Data in personal letter, and other data you provide relevant to the recruitment process (e.g., portfolios, recommendations etc.).

b) Legal basis: The processing is done only to the extent necessary to fulfill our legitimate interest in searching for and contacting suitable candidates for positions with us.

c) Retention period: Personal data is kept until the position is filled.

3.1.6 Purpose: Let applicants connect with us and/or send an open application. If you choose to connect with Medoma or submit an open application to us, we may contact you if a position becomes available with us that we deem to fit your profile.

a) Categories of personal data: The categories of personal data vary depending on the data you choose to provide to Medoma, but may include Identification data, Contact data, Data in CV, Data in cover letter.

b) Legal basis: We process your personal data in accordance with your consent, article 6(1)(a) GDPR.

c) Retention period: We store your Personal data until it is no longer necessary, as per your withdrawal of your consent or a maximum of 6-12 months. You can withdraw your consent at any time.

3.1.7 Purpose: To ensure our interests and protect our business from legal claims. We will retain personal data we believe necessary to protect and enforce our legal rights, interests and the interests of others. This can, for example, be in connection with legal claims, discrimination claims, regulatory functions, compliance and audits. This processing is based on a balance of interests.

a) Categories of personal data: Identification data (such as name and identification number), Contact data (such as name, phone number, address and e-mail address), Interview notes, Information from references, any sensitive personal data such as health information.

b) Legal basis: The processing is done only to the extent necessary for us to fulfill our legitimate interest to defend and enforce legal claims. Any sensitive personal data, for example information about health, is only processed if it is necessary to establish, assert or defend legal claims.

c) Retention period: Data relevant to an individual recruitment process such as interview notes and information from references are saved for two (2) years after the recruitment process has ended. Data on unsuccessful candidates will be deleted after three (3) months after the end of the recruitment process.

3.1.8 Purpose: To comply with our legal obligations. We collect and retain certain types of personal data which we are required to in accordance with applicable laws. For example, if you get hurt or sick at work, we are required to report and keep a record of those injuries in order to comply with applicable labor legislation.

a) Categories of personal data: Identification data (such as name and identification number), Contact data (such as name, phone number, address and e-mail address), Interview notes, Information from references, any sensitive personal data such as health information.

b) Legal basis: The processing is done only to the extent necessary for us to fulfill our legal obligations. Any sensitive personal data, for example information about health, is only processed if it is necessary to establish, assert or defend legal claims.

c) Retention period: Data relevant to an individual recruitment process such as interview notes and information from references are saved for two (2) years after the recruitment process has ended.

3.2 Processing regarding stakeholders, customer contacts and participants in events

3.2.1 Purpose: Provide you with information about our business and events. When you make a purchase order or order a demo-version of our Services, we may process your personal data to provide you with marketing about our services, such as invitations to events and other marketing activities. We will store information about your order and what we believe might be of interest to you. You can unsubscribe from our e-mails at any time by clicking on the unsubscribe link in the e-mail or by contacting us.

a) Categories of personal data: Identification data (such as name and personal identification number/organisation number), and Contact data (such as phone number, address, and e-mail address).

b) Legal basis: The processing is done to the extent it is necessary for us to fulfill our legitimate interest to give our customers personalized and relevant content and offers upon the placement of an order with us. With regard to direct marketing of our offers, we abide by applicable marketing acts, which allow us to promote our own and similar products and services without prior consent.

c) Retention period: Personal data is kept for two (2) years from your last activity or until you have notified us that you no longer wish to receive marketing from us. You always have the option to refuse to receive future mailings about marketing from us, in which case we will cease marketing. Every mailing from Medoma for marketing purposes contains an option to unsubscribe. If you unsubscribe, we will stop marketing.

3.2.2 Purpose: Sending you relevant marketing when you visit our website. When you browse our website, we may store certain cookies in order to analyse browsing preferences in order to show you relevant marketing when you come back to our site. This means that we store information about you that we believe might be of interest to you and adjust the marketing you see on our website accordingly. For more information on the types of cookies we use, the information they gather, why they gather this information and how you can manage your cookie settings, please visit our Cookie Policy.

a) Categories of personal data: Identification data (such as name and personal identification number/organisation number), and contact data (such as phone number, address, and e-mail address).

b) Legal basis: We process your personal data only to the extent necessary to fulfill our legitimate interest to understand our visitors and provide them with personalized and relevant offers and content. As applicable, we also rely on your consent for our use of cookies under the e-Privacy Directive.

3.2.3 Purpose: Manage business relationships with potential and existing customers. In order to establish and manage business relationships with potential and existing customers, we process your personal data, e.g. to be able to contact you as a potential customer regarding Medoma's services and products.

a) Categories of personal data: Identification data (including social security number for individual companies), Contact data, Organizational data.

b) Legal basis: The processing is done only to the extent necessary to fulfill our legitimate interest in managing and maintaining business relations with the company you represent, as well as the Swedish Marketing Practices Act with regards to consent, alternatively an established customer relationship. This consent can always be withdrawn by either clicking on the message, or by contacting us if you no longer want to receive these messages. Processing of social security numbers is necessary with regards to the purpose of the processing.

c) Retention period: Personal data is retained, if a business relationship has not developed, two (2) years since the last contact with you. Personal data is preserved, if there is already a business relationship, for as long as the contractual relationship applies and for a subsequent period that is necessary to establish, assert or defend legal claims, which can be up to the general limitation period, which in Sweden is ten (10) years.

3.2.4 Purpose: Implementation of seminars, training courses and other marketing activities. In order to be able to provide and administer seminars, training courses and other marketing activities, we process the participants' personal data.

a) Categories of personal data: Identification data, Contact data, Organizational data, Information on registration for and participation in events, Dietary preferences (including any allergies, where necessary).

b) Legal basis: The processing is based on Medoma's legitimate interest in being able to administer and carry out seminars and training courses that you have signed up for. Data on dietary preferences (including any allergies, where necessary) are processed with the support of your express consent.

c) Retention period: Personal data is kept during the relevant training and thereafter for one (1) year for marketing purposes. Data on dietary preferences are deleted after the event has been completed.

3.3 Our website

3.3.1 Purpose: Evaluate and follow up on the usage of our website. In order to analyze and better understand how you use our website, we process your personal data that we have collected via cookies and similar technologies. This is done, among other things, by collecting information about the individual web pages you visited, which websites or keywords referred you to the website and information about how you interact with the website. We collect and store device-related personal data about your usage of the website, to help us design and improve our website and its functions to better suit your needs. We may also use your IP address to help diagnose problems with our servers and administer our website, analyse trends, visitor movements and gather demographic information to assist us in identifying visitor preferences. For statistical purposes, we may store information about how many individual visitors to our website we have. This is to get a better understanding of our customers’ needs and interests, so we can develop and improve our services. Please see our Cookie Policy for more information about the use of cookies.

a) Categories of personal data: User-generated data, Identification data, Geographical data.

b) Legal basis: The processing is done only to the extent necessary to fulfill our legitimate interest in evaluating and monitoring the use of our website. The processing is based on your consent where required by law.

c) Retention period: Reports at an overall level that do not contain any personal data and statistics are stored indefinitely.

3.3.2 Purpose: Improve your experience on our website. In order to improve your experience on our website and provide you with tailored content when appropriate, we will collect and process your personal data, e.g. via cookies and similar technologies. This means that we e.g. may save information about your browsing history and selected settings on the website for the purposes just mentioned.

a) Categories of personal data: User-generated data, Identity data, Geographical data.

b) Legal basis: The processing is necessary to satisfy our legitimate interest in improving your experience on our website and providing you with tailored content. The processing is based on your consent where required by law.

c) Retention period: Reports at an overall level that do not contain any personal data and statistics are stored indefinitely.

3.4 AI Training and Development

3.4.1 Purpose: Train and improve our AI models and services. To enhance our artificial intelligence (AI) systems and improve the quality and relevance of our services, we may process personal data as part of training and developing our AI models. This includes analyzing user interactions, content inputs, and feedback to identify patterns, improve system accuracy, and develop new functionalities. The data may also be used to test and validate updates to our AI systems to ensure consistent and reliable performance. Where feasible, we will anonymize or pseudonymize data used for these purposes to minimize the impact on your privacy.

a) Categories of personal data: User-generated data (e.g., input text, uploaded content, interaction logs), Identification data (where applicable, e.g., user IDs, if not anonymized) and feedback and usage data.

b) Legal basis: The processing is necessary for our legitimate interest in developing, improving, and testing our AI models and services. Where consent is required by law (e.g., for certain data categories or jurisdictions), we will obtain your consent prior to processing.

c) Retention period: Personal data used for AI training and development will be retained only as long as necessary to achieve the stated purpose. Anonymized or aggregated data sets, which do not contain personal data, may be stored indefinitely for ongoing development and statistical analysis.

3.5 Other processing

3.5.1 If we are considering any new use of your personal data beyond the purposes set out in this Policy, we will ask for your permission before any such processing.

4 Recipients which we share personal data with

4.1 When necessary, we share personal data with the recipients below. Unless otherwise specified, named recipients are independently responsible for the processing of personal data.

 

4.2 In order to fulfill the purposes of the processing of personal data, we share your personal data with service providers that we have hired. These suppliers provide e.g. systems for recruitment processes. The service providers we have engaged may only process your Personal Data according to our express instructions and may not use your data for their own purposes. They are also obliged by law and agreement with us to take appropriate technical and organizational security measures to protect your data.

5 Security measures

5.1 To protect your personal data and the privacy of our users, we have implemented physical, technical and organizational security measures.

5.2 To protect the privacy of your personal information, we maintain both technical and organisational safeguards, and we update and test our security regularly. However, an information system is never completely secure. Hence, we cannot guarantee the absolute security of your information. We are not responsible for the security of information you transmit to us over networks that we do not control, including the Internet and wireless networks.

5.3 If Medoma transfers or discloses your personal data to a recipient in a country outside the EU/EEA area (third country), Medoma will ensure that appropriate protective measures have been taken to protect the personal data (such as the European Commission's standard contractual clauses, adherence to the applicable EU-US Data Protection Framework and other necessary measures).

a) According to the Data Protection Regulation, you have the right, on request, to receive a copy of the documentation that demonstrates that the necessary protective measures have been taken in order to protect your personal data when transferred to a third country.

b) If you would like to know more about the processing of your personal data and if your personal data is transferred to a third country, please contact us at the contact details provided at the end of this Privacy Policy.

6 Your rights

6.1 In connection with our processing of your personal data, you have, under certain conditions, the right to exercise the following rights. To exercise your rights, you can contact us. You will find our contact details at the end of this Privacy Policy.

6.2 Access. You may request confirmation of whether or not we are processing your personal data. If we process personal data about you, you also have the right to receive additional information such as the purpose of the processing. You also have the right to receive a copy of the personal data that we process about you. If the request is made electronically, the information will also be provided in a commonly used electronic format unless you request otherwise.

6.3 Correction. If you discover that personal data relating to you is inaccurate, incomplete or incorrect, you have the right to have your personal data corrected.

6.4 Object to certain processing. You may object at any time to the processing of your personal data based on a legitimate interest, in light of your specific situation. If we cannot demonstrate a compelling legitimate reason for continuing the processing that outweighs your interests, or if the processing is not necessary to establish, assert and defend legal claims, we are obliged to cease the processing you object to.

6.5 Deletion. You may have your personal data deleted under certain circumstances, e.g. when the personal data is no longer needed to achieve the purpose for which the personal data was collected.

6.6 Limitation of processing. You can ask us to limit the processing of your personal data to only include the storage of your personal data under special circumstances, e.g. if the processing would be illegal but you do not want your personal data to be deleted.

6.7 Withdraw Consent. You always have the right to withdraw your consent to the processing of personal data to the extent that the processing is based on your consent.

6.8 Data Portability. You have the right to request to receive a machine-readable copy of the personal data processed on the basis of your consent or when the processing is necessary to fulfill a contract with you, and when personal data have been obtained by you (data portability), and to request that the information be transferred to another personal data controller (if possible).

6.9 Complaint to relevant supervisory authority. You are welcome to contact us with questions or complaints regarding the processing of your personal data. However, you also have the right to submit a complaint regarding the processing of your personal data to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten). You can contact the Swedish Authority for Privacy Protection at imy@imy.se or visit www.imy.se.

6.10 Data Erasure. Medoma will process your personal data until it is no longer needed to fulfill the above-mentioned purposes or until you request to no longer be registered with Medoma. In such a case, the personal data will be deleted without undue delay. If a business relationship has not developed within three years of Medoma receiving your notification of interest, your personal data will be deleted. Medoma has also established data erasure routines to be able to regularly delete such contact details that no longer fulfill their purpose.

7 Updates to these terms

7.1 We reserve the right to make changes and updates to this Privacy Policy. When we make such updates or changes, the “Last Revised”-date at the top of this Privacy Notice will be updated. The changes made will be described under the section “Change History”. The new version of this Policy will apply at the date of publication.

8 Contact information

8.1 If you have any questions regarding the processing of your personal data or if you wish to exercise any of your rights under Applicable Data Protection Legislation, please contact Medoma at the contact details below.

8.2 Personal data controller:

Medoma AB, org. no: 559328-9738

Birger Jarlsgatan 57C

113 56 Stockholm

Sweden

Email: info@medoma.com

You are always able to contact our Data Protection Officer at:

Email address: dpo@medoma.com

9 Categories of personal data

9.1 Below you will find an explanation of the categories of personal data that we can collect and save about you.

9.2 Categories and examples of personal data.

9.3 Details in a CV: Work experience, education, language skills, qualifications, and possible pro bono activities

9.4 Details in a personal letter

9.5 Notes from interviews

9.6 Information from references

9.7 Identity details: Name and Surname and social security number if applicable

9.8 Contact details: Address, email address, phone number

9.9 Organizational details: Your associated company, working role, title

9.10 Information on registration for and participation in events: Activity, time

9.11 Food Preferences: Food preferences, Allergies if applicable

9.12 Geographical details: Location data from your device that may be collected via cookies

9.13 User generated details: Click and visit history, technical data relating to devices used and their settings (e.g. language setting, IP address, browser settings, time zone, operating system, screen resolution and platform), information about how you have interacted with us, where and for how long different pages visited, response times, how you reach and leave the website, etc.

9.14 Information about work certificates within the health sector: Information regarding your work certificates from the National Board of Health and Welfare's (Socialstyrelsen) register of certified healthcare personnel.

9.15 Information on Social Media

9.16 Sensitive personal details: e.g. health details.

10 Key Terms

10.1 Terms defined by law, such as "personal data", "processing" and "data controller" shall in this Privacy Policy have the same meaning as in applicable data protection legislation, unless otherwise stated.

10.2 Processing refers to all actions involving your personal data including collection, handling, storage, sharing, access, use, transfer and deletion or destruction.

10.3 "Personal data" refers to any information that can be directly or indirectly (e.g. in combination with other information) linked to an identifiable or identified natural person.

10.4 A “data controller” is a natural or legal person who, alone or together with others, determines the purposes and means for the processing of personal data.

10.5 A “Processor” is a natural or legal person which processes personal data on behalf of the controller.

10.6 The "applicable data protection legislation" means the legislation and regulations in force from time to time, including regulations issued by the relevant supervisory authorities, regarding the protection of the fundamental rights and freedoms of natural persons and in particular the right to the protection of their personal data which is applicable to the current processing, including the European Parliament's and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation) ("GDPR") as well as legislation, ordinances and regulations that supplement the Data Protection Regulation.

11 Change History

Document revised 2024-12-16
Previous version 2023-01-10.