PRIVACY POLICY FOR PATIENTS
Processing of information
In connection with our examination, diagnosis, and treatment of you as a patient, Vaccinationscenter CPH collects and processes a number of personal data about you as the data controller. We are obliged to do so under the Danish Authorization Act, Chapter 6, and the Executive Order on Medical Records.
This privacy policy describes how Vaccinationscenter CPH processes, uses, and discloses your personal data:
Types of data
Vaccinationscenter CPH collects and processes the following types of personal data about you (to the extent relevant to you):
General categories of personal data:
Name, address, email address, phone number, CPR number, gender, family and social relations, work relations, and education.
Special categories of personal data (“sensitive personal data”):
Health data (e.g., medical records, test results, X-rays, scan results, etc.), sexual matters, race or ethnic origin, and religious beliefs.
Purpose
We process your personal data for the following purposes:
- Our examination, diagnosis, and treatment of you.
- Preparation of medical certificates.
- Preparation of attestations for use by authorities, insurance companies, etc.
- Communication with or referral to other healthcare professionals, doctors, hospitals, or hospital laboratories.
- Prescribing medications, including issuing prescriptions.
- Reporting to clinical quality databases.
- Submission of laboratory samples to hospital laboratories.
- For billing purposes.
- To comply with our legal obligations under applicable laws, including the EU General Data Protection Regulation, the Danish Data Protection Act, and other relevant healthcare legislation, such as:
- Compliance with basic principles of data processing and legal grounds for processing.
- Documentation obligations.
- Implementation and maintenance of technical and organizational security measures, including but not limited to preventing unauthorized access to systems and information, preventing the reception or distribution of malicious code, and damage to computer systems and electronic communication systems.
- Investigation of suspected or known security breaches and reporting to individuals and authorities.
- Handling inquiries and complaints from data subjects and others.
- Handling inspections and inquiries from supervisory authorities.
- Handling disputes with data subjects and third parties.
- Statistical research and scientific studies.
Voluntariness
When we collect personal data directly from you, you provide the information voluntarily. You are not obligated to give us this data. However, the consequence of not providing the data is that we may not be able to fulfill the purposes listed above, including in some cases the inability to examine, diagnose, or treat you.
Sources
In some cases, we collect personal data about you from other healthcare professionals, such as hospitals or via electronic medical record systems. We process the received data in accordance with this privacy policy.
Disclosure of personal data
To the extent necessary for your examination, diagnosis, or treatment, your personal data may be shared with the following recipients:
- RKKP (clinical quality databases).
- The Danish Patient Safety Authority.
- The Danish Health Data Authority (medication, vaccinations, adverse events, and deaths).
- The police and courts.
- Social authorities.
- The Danish Labour Market Insurance if required by applicable law.
- Other healthcare professionals if necessary for your ongoing treatment.
- You have the right to access your own data (right of access).
- When referring patients, data is disclosed to the healthcare professionals to whom the referral is sent.
- Laboratory samples are submitted to hospital laboratories.
- For billing purposes, data is disclosed to regional billing offices.
- For prescription issuance, data is shared with pharmacies and the Danish Medicines Agency via FMK.
- For clinical quality database reporting.
- In other cases, data may be disclosed to relatives or insurance companies.
Legal basis for processing and disclosure
The legal basis for collecting, processing, and disclosing your personal data is:
For general patient care, regular personal data is processed under Article 6(1)(c) and (d) of the GDPR, while sensitive personal data is processed under Article 9(2)(c) and (h) of the GDPR.
Furthermore, we are obligated to process a range of data about you under the Danish Authorization Act, Chapter 6, the Executive Order on Medical Records, particularly §§ 5-10, and the Danish Health Act, Chapter 9. Data for billing purposes is submitted monthly to the regional billing office per the rules of the Agreement on General Practice and Section 60 of the Health Act. Prescriptions and vaccinations are sent via the FMK IT service under Section 157 of the Health Act and the Executive Order on Prescriptions and Dose Dispensing of Medicines, particularly Chapter 3.
Clinical patient data is disclosed to clinical quality databases under Sections 195-196 of the Health Act and the Executive Order on Reporting to Clinical Quality Databases. Data may also be disclosed based on your explicit consent.
Your personal data will only be shared with insurance companies with your prior consent under Article 6(1)(a) and 9(2)(a) of the GDPR.
Your personal data will only be disclosed to relatives with your prior consent under Section 43 of the Health Act.
In the case of deceased patients, certain data may be disclosed to the deceased’s closest relatives under Section 45 of the Health Act.
Withdrawal of consent
If the processing of your personal data is based on consent, you have the right to withdraw your consent. Withdrawal does not affect the legality of any processing carried out before the withdrawal, including disclosures made based on the consent.
Use of data processors
Your personal data is processed and stored by our data processors, who do so on our behalf and according to our instructions. Our current data processors include:
- EG Clinea (medical record system)
- Other IT providers
- DAK-E (digital care plans)
- DMDD, Webreq, and Webpatient (for ordering lab tests and storing responses to questionnaires)
Retention period
We retain personal data for as long as necessary to fulfill the purposes listed above. However, under Section 15 of the Executive Order on Medical Records, we are required to retain data for at least 10 years from the last journal entry. In some cases, we may need to retain data longer, such as in the event of a complaint or compensation case, in which case the data will be stored until the case is fully resolved.
Your rights
You have certain rights under applicable law, including the right to access your personal data, the right to rectify incorrect data, the right to deletion, the right to restrict processing, the right to data portability, and the right to object to processing, including automated individual decision-making (“profiling”).
You also have the right to lodge a complaint with a competent supervisory authority, such as the Danish Data Protection Agency.
Contact
If you have any questions regarding the processing of your personal data or your rights, please feel free to contact us.