1. Controller of personal data and legal basis for processing
1.2 Our processing of your personal data is based on the performance of a contract with you or carried out on your behalf in order to enter into a contract, such as creating an account on our website. We also process your personal data when necessary to comply with legal obligations pursuant to EU and Member State law and, for certain processes, with your given consent.
2. Purposes of processing
2.1 Werlabs processes your personal data when necessary to fulfill contractual obligations to you. Werlabs needs to process personal data in order to perform services and deliver products and you therefore cannot be our customer unless we process your personal data.
2.2 Your personal data is used for invoicing, information and delivery of products, provision of services and communicating with you as a customer. It’s also used to make your patient journal available to you on our website.
2.3 Werlabs processes your personal data to fulfill legal obligations under applicable statutes of professional confidentiality for healthcare professionals as well as applicable patient data or journal archiving statutes. As we are registered and active in Sweden, this is the Swedish Patient Data Act.
2.4 If you’ve consented to receiving newsletters from Werlabs we will also process your personal data to communicate with you about our services and how our business develops.
3. Personal data under processing
3.1 “Personal data” is any information that can be attributed to a living, natural person. Werlabs collects and processes varying types of personal data, depending on the service or product you’ve ordered. A certain amount of personal data is also created through the provision of Werlabs services, for example the test results, analysis and comments made by laboratories, clinics and doctors.
3.2 Under all circumstances Werlabs will collect and process the following data from you as you use Werlabs services:
- a) Identifiers – first and last name, national identification number and gender,
- b) Contact information – address, e-mail, phone number,
- c) Payment data – address for invoicing, information to enable payment from or by third party such as credit card companies,
- d) Health data – data concerning your health, including test results and doctors’ comments as well as your journal,
- e) Service/test data – information about tests, samples or analyses you’ve ordered and undergone,
- f) IT-data – data collected from your computer or device as it interacts with our systems, such as your IP-address, which is collected to enable our website to function.
3.3 Should you contact Werlabs customer service, our response will require processing your personal data. Personal data processed for customer service could include:
- a) Identifiers – such as first and last name and national identification number. Should you also write to us and give information about another individual’s identity, Werlabs won’t save that information unless it’s necessary to provide support or to investigate fraud or a similar purpose.
- b) Customer service data – information about the reason for your contact. If you write in to ask for help, Werlabs has no control over the information you provide us. Your description could include personal data related to other individuals or your own personal data, even when we have no reason for processing it. Werlabs won’t store irrelevant data after responding to you.
- c) Refund management – should the customer support ticket involve or lead to a refund, Werlabs will process information about your bank or card details as necessary to make the refund happen. Werlabs also processes information about price and other details about the payment that the refund relates to.
3.4 The Werlabs website has a function for chatting with customer service. Anything that’s written in the chat window is stored and processed for developing that function and to manage any customer service needs that arise. When you write in the chat window, Werlabs cannot connect that information to you unless you write your name or contact information or describe a specific customer service need.
4. Who we share your data with
4.1 Werlabs service is complicated. Werlabs will share your data with other companies and organisations in healthcare, and use services by software developers and other service providers. Werlabs will share your data with other parties when this is necessary in order to (i) fulfil our contractual obligations toward you, (ii) fulfil legal obligations pursuant to laws, other regulations or decisions made by courts or authorities. The following categories of recipients could receive your personal data as described below:
- a) Clinics, hospitals and labs – Werlabs works with a number of different clinics, hospitals and labs to take samples and carry out tests. Werlabs also works with specialized labs who analyze samples and provide results for our doctors to provide comments on.
- b) Doctors – at times, Werlabs full-time doctors need help to handle workload. Werlabs works with carefully selected doctors to analyze and comment on test results.
- c) Authorities – Werlabs may be required to give personal data to authorities. Werlabs will only do so when required by Union or Member State law. Werlabs will inform you of the obligation unless we’re prevented from doing so by law.
- d) Messaging services – Werlabs uses services to communicate with you automatically with reminders and confirmations. This sort of company only receives your contact information (e-mail or phone number when applicable) and is bound by contract not to share your personal data unless necessary to provide the service to Werlabs.
- e) Developers and consultants – Werlabs works with developers and consultants from other companies to develop Werlabs IT-infrastructure and further develop services. This sort of developer may need access to basic personal data when necessary to provide support and develop the service. Everyone engaged by Werlabs in this way is bound by confidentiality.
4.2 Your sensitive personal data, such as health information, is processed according to applicable Union and Member State law. This information is only available to those who are supposed to be able to access it by law. This data will not be shared or transferred unless it’s necessary to provide a service and allowed by law, or mandated by law.
4.3 Werlabs keeps as much personal data processing as possible here in the EU/EEA. Should any data be shared with a service provider outside of the EU/EEA, the recipient will always enter into standard contractual clauses with Werlabs that ensure the recipient maintains a data protection standard equal to the EU/EEA.
4.4 No health data is ever transferred outside the EU/EEA by Werlabs or any service provider.
5. How long we keep your data
5.1 Personal data is only kept for as long as necessary to fulfil the purposes described above. That means most of your personal data will be erased automatically when a legal obligation to store the data expires or your customer relation to Werlabs has ended.
5.2 Werlabs stores personal data in patient journals for ten years after the last entry made to the journal.
5.3 Werlabs is obligated to keep financial information under the Swedish Bookkeeping Act, including personal data in invoicing and similar bookkeeping information, for seven years. Personal data kept for bookkeeping reasons will only be processed for that purpose.
5.4 Any personal data connected to a user account on Werlabs.com is kept by Werlabs for as long as that account remains open. You can choose to close your account and Werlabs will then erase your personal data unless it must be stored for specific purposes, as described above.
6. Deletion of personal data
6.1 Personal data is erased or anonymised when the data is no longer necessary. “Anonymised” means to remove any connection to an individual from the information.
6.2 Before any data is used for statistical purposes or to develop products and services, it is anonymised and aggregated. This means the data can no longer be traced to you, by Werlabs or any other party. At that point the data is no longer personal data.
6.3 When Werlabs erases or anonymises personal data, Werlabs has no means to recreate or restore that personal data.
7. Security measures
7.1 As controller of personal data, Werlabs takes appropriate technical and organisational measures to protect the personal data in accordance with section two of the GDPR. Werlabs has internal policies and guidelines in place to handle information security and to prevent and investigate any leak or breach.
7.2 Should your personal data be involved in a security incident (a so-called “personal data breach”), Werlabs will contact you and inform you in accordance with the GDPR.
8. Cookies and tracking
8.2 There are two types of cookies.
- 1. Permanent cookies that are stored on your computer for a longer period.
- 2. A session cookie that is stored temporarily when you’re visiting the website. These are erased when you shut your browser.
8.4 Werlabs.com also has cookies from a third party that tracks your visit to Werlabs.com in order to enable advertising on other webpages.
8.6 Visitors to Werlabs.com can choose not to accept cookies by turning off cookies in their web browser.
8.7 Visitors can also change web browser settings to be notified whenever cookies are received. The web browser can also be used to erase previously stored cookies. You can find more information on this in your web browser’s “help” pages.
8.8 You can find more information about cookies on pages like www.aboutcookies.org or www.allaboutcookies.org.
9. Your journal
Werlabs’ patients have the option of accessing and reading their own charts. Under “My Journal” you can follow your test results and blood values over time. You can also find information about how the results should be interpreted. You have the option of choosing to share this information with others.
10. Your rights
10.1 Werlabs has elected to always have a Data protection officer. The Data protection officer is the contact for exercising rights against Werlabs, using the contact information below.
10.2 You have the right to recall your consent to specific processing, without affecting the legality of that processing before the consent is recalled. For example, you may have chosen to consent to Werlabs contacting you with newsletters and similar information. In that case you can choose to unsubscribe by clicking a link in those e-mails.
10.3 You have the right to request that our processing is limited to storage, and to object to our processing.
10.4 You have the right to request information about how we process your personal data, to be provided electronically or on paper. Werlabs will compile information about how your personal data is processed and provide you with this, normally within one month.
10.5 You have the right to request that Werlabs corrects personal data that you consider to be incorrect, and to provide complementary personal data (in certain cases) should you consider that Werlabs personal data gives an incorrect image of you.
10.6 You also have the right to request that Werlabs erases your personal data. Werlabs will erase personal data on your request to the extent that Werlabs is not obligated to keep the personal data under Union or Member State law. Werlabs will also continue to process personal data in specific situations, for example when your personal data is still required to fulfil contractual obligations toward you. Werlabs will always answer you and explain our view of what personal data we can legally continue to process, and why.
10.7 You always have the right to lodge a complaint with the relevant authority, in particular where you live, work or where an alleged infringement of the GDPR has occurred. For Sweden, the relevant authority is Datainspektionen. For the UK, the relevant authority is the Information Commissioner’s Office.
10.8 If you want to exercise your rights above we ask you to contact our Data protection officer with the following contact information: firstname.lastname@example.org