GDPR Compliance

INTRODUCTION

Personal Data is processed by Vitala in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - hereinafter referred to as "GDPR") and the regulations concerning the protection of personal data applicable in the Sweden.

GDPR applies to any software user processing data in the EU or processing data of EU citizens.

Detailed information on how the data is processed can be found below.

PERSONAL DATA

7.1 Saatamme luovuttaa henkilötietojasi henkilötietoavustajillemme, kuten IT- ja pilvipalveluiden tai maksuhallinnon palveluita tarjoaville yrityksille.

7.2 Jos epäillään lain tai yleisten käyttöehtojemme rikkomista, saatamme luovuttaa henkilötietojasi lainvalvontaviranomaisille ja lainopillisille neuv

1. Who is a data controller?

Data controller refers to the entity or person that determines the purposes, conditions, and means of the processing of personal data.

Aasa Health AB, org. no. 559116-7936, with address Ola Hanssonsgatan 4, apt 1004, 112 52 Stockholm, Sweden (“we”, “our” “us”, “the Company”, or “Vitala”). We are the data controller in the following cases:

When you provide us with contact details;
‍
When we process technological data related to the use of the application;
‍
When you apply to us;
‍
When we conduct recruitments;
‍
When you are employed or when we commission you to perform services;
‍
When we process the complaint resolution process;
‍
When we archive data in accordance with legal requirements related to tax obligations;
‍
When we archive data in accordance with legal requirements related to employer obligations;
‍
When we archive data for the purpose of establishing, investigating, or defending legal claims.

2. Questions and contact information

If you have any questions or concerns after reading this document please do not hesitate to contact us. We appreciate your feedback. You can contact us by email gdpr@vitala.health .

3. Data Protection Officer

We have appointed a Data Protection Officer, Mrs. Beata Marek (“DPO”). You can contact our DPO by email gdpr@vitala.health .

4. What personal data can we collect and why?

As a data controller, we process personal data that comes directly from the person to whom the data pertains (“you”). or have been obtained from publicly available sources on the Internet.

The table below describes what purpose, what data we process and what is the legal basis:

Data

Legal basis

Support

All data provided by the data subject in connection with the need to provide support. Support may apply to our products, in particular Application software or the Care Portal.

Article 6.1.f of the GDPR.Our legitimate interest is to help the person who comes to us for support.

Contact

Purpose

All data provided by the data subject to contact us. If you contact us to establish cooperation, we have the right to call you back.

Article 6.1.f of the GDPR.Our legitimate interest is to contact with the person who expressed interest, we would answer his or her inquiry

Intention to establish contact

First name, last name, and position, have been obtained from publicly available sources on the Internet using the ZoomInfo program. Detailed information on how the data was collected can be found here: https://www.zoominfo.com/data-sources

Article 6.1.f of the GDPR.Your personal data is processed solely in connection with our intention to establish contact and invite you to consent to the presentation of a cooperation proposal (this is our legitimate interest).

Marketing

E-mail address, telephone number, name, surname, place of work or other data obtained by us in connection with our marketing activities. The data is obtained from the data subject with his or her consent

Article 6.1.a of the GDPR.If you have consented to marketing activities, we can direct activities to you.

Technology and development

All data collected in connection with the user's activity in the Application or Care Portal related to technological maintenance and development or possible subsequent provision of support.

Article 6.1.f of the GDPR.The legitimate interest lies in processing data that contains logs that can later be used to provide technical support and software development.

Recruitment

Data you provide to us. This usually includes name, surname, date of birth, place of previous work, education and other typical and permitted by labor law.

Article 6.1.a of the GDPR.We conduct recruitment based on your consent.

Data obtained in the course of employment or provision of services, which includes data obtained from you.

Article 6.1.b of the GDPR. Data processed in connection with the performance of the contract.Article 6.1.c of the GDPR.Data processed in accordance with labor law provisions

Bookkeeping

Data obtained from the data subject in connection with accounting services, including calculations or settlements (depending on the type of transaction).

Article 6.1.b of the GDPR. Data processed in connection with the performance of the contract.Article 6.1.c of the GDPR.Data processed in accordance with tax law provisions

Complaints

Data obtained from you and in connection with your activity, behavior, actions, etc. To the extent that we have access to data to make a complaint, we can access this data. However, this only applies to data sets that are in our possession, i.e. you have previously provided them to us.

Article 6.1.b of the GDPR. Data processed in connection with the performance of the contract.

Claims

Data that we have collected about you from you and is needed for the establishment, exercise or defense of legal claims.

Article 6.1.c of the GDPR.Data processed in accordance with civil law provisions

We, as a data processor, may also process medical data of the users of the Application. Detailed information about this can be found in the Privacy Policy of the App.

5. Source of data origin

We can collect data directly from you or the data have been obtained from publicly available sources (purpose: Intention to establish contact). If you have any questions feel free to ask.However, in exceptional cases, if we are a data processor, we may process data provided by the healthcare provider who creates your account in the Application and then sends you an invitation.

6. Consent as a legal basis for data processing

Consent is voluntary. You can withdraw your consent at any time. Please note that if you withdraw your consent, we will no longer process the data associated with further processing, but we have the right to retain information for the purpose of establishing, investigating, or defending legal claims, based on the consent provided, including when you granted and subsequently withdrew your consent.

7. Data processing time

The processing time varies depending on the processing activities. Where we are a data processor, we process data in accordance with the agreement with the data controller. Where we are a data controller, we can clearly specify that, depending on the purpose, data is processed for the following durations:

Support

From the moment you contact us for support until the end of the support, we process data (primary purpose). We have the right to retain information about the support provided for internal verification procedures, including for the purpose of establishing, investigating, or defending legal claims if they arise (secondary purpose). The data will be deleted after a period of 2 years.
‍
Contact

From the time you contact us until we provide you with a response (primary purpose). However, we may engage in prolonged correspondence, so we only delete correspondence after 2 years. We retain access to previous messages to understand the nature of the contact, the topics discussed, or to resume communication after an extended break with new information without duplicating previously provided information (secondary purpose).
‍
Intention to establish contact

We process data from the moment it is obtained in the system until you raise an objection (in such a case, we will delete the data from our resources). If you do not object, we will process your data for a period of 12 months from sending the message to you (primary purpose). After this period, the data may be processed for the purposes of establishing, pursuing or defending legal claims (secondary purpose).
‍
Marketing

From the time you grant us consent until you withdraw it (primary purpose). After this period, we may process information about when and for what you gave consent, as well as what information was provided to you and how, for the purpose of establishing, investigating, or defending legal claims. The data is deleted after a period of 2 years (secondary purpose). In the case of cookies, you manage cookie settings on our website, and your choices are automatically saved. Your last settings are remembered.
‍
Technology and development

From the moment you have an Account in our software until you delete your Account.
‍
Recruitment

From the moment of giving consent until the withdrawal of consent (primary purpose). After this period, we have the right to archive information about when and for what you gave consent. Although the recruitment process has ended, we retain this data for the purpose of establishing, investigating, or defending legal claims to demonstrate processing activities related to the consent you provided (secondary purpose). The data is deleted after a period of 2 years.
‍
HR

From the moment HR acquires data related to the management of employee processes until the end of the legal basis for processing the data. Labor law regulations impose obligations on us regarding data retention, including storing information related to employment.
‍
Bookkeeping

From the moment we receive data for accounting purposes until the end of the legal basis for processing the data. Tax regulations impose obligations on us regarding data retention, including storing information about issued invoices or accepted liabilities.
‍
Complaints

From the moment of filing a complaint until the completion of the complaint handling (primary purpose). After this period, we have the right to archive information about when, in connection with what, and how the complaint was processed and for whom, for the purpose of establishing, investigating, or defending legal claims (secondary purpose). The data is deleted after a period of 2 years.
‍
Claims

From the moment a claim is established or a claims process is initiated until the necessary period for handling the claim - any data subject to archiving may be processed for the purpose of handling this processing goal. The data is deleted when the statutory limitation periods for claims expire, or when the proceedings are concluded conclusively. We have the right to retain information beyond this period about when, in connection with what, and who was involved, what the outcome was, and if applicable, details of the proceedings - unless it concerns proceedings where the judgment is expunged, in which case the data is deleted in due course.

8. Your rights

You have the right to access your data, rectify, transfer (if the basis for processing is art. 6.1.a GDPR, delete or limit processing, the right to object (if the basis for processing is art. 6.1.f GDPR), the right to lodge a complaint to the supervisory body The supervisory authority, due to Vitala's registered office, is The Swedish Authority for Privacy Protection. More information you can find here: https://www.imy.se/en/individuals/forms-and-e-services/file-a-gdpr-complaint/

9. Data recipients

We may share your personal information with the following categories of individuals/entities:

Business Partners and Vendors: We share Personal Data with a limited number of partners, service providers, and other persons/entities who help run our business (“Business Partners”). Specifically, we may employ third-party companies and individuals to facilitate our Services, provide Serviceson our behalf, perform Service-related functions, or assist us in analyzing how our Services are used. Our Business Partners are contractually bound to protect your Personal Data and to use it only for the limited purpose(s) for which it is shared. Business Partners’ use of Personal Data may include, but is not limited to, the provision of services such as data hosting, IT services, customer services, and payment processing.

Our Advisors: We may share your Personal Data with third parties that provide advisory services to Vitala, including, but not limited to, our lawyers, auditors, accountants, and banks (collectively, “Advisors”). Personal Data will only be shared with Advisors if Vitala has a legitimate business interest in the sharing of such data.

Third Parties Upon Your Direction or Consent: You may direct Vitala to share your Personal Data with third parties. Upon your request and consent, we may share such Personal Data with those third parties that you identify.

Third Parties Pursuant to Business Transfers: In the event of are organization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Vitala’s corporate entity, assets, or stock(including in connection with any bankruptcy or similar proceedings), we may share your Personal Data with a third party.

Government and Law Enforcement Authorities: If reasonable and necessary, we may share your Personal Data to (i) comply with legal processes or enforceable governmental requests, or as otherwise required bylaw; (ii) cooperate with third parties in investigating acts or omissions that violate this Privacy Policy or the Terms and Conditions; or(iii) bring legal action against someone who may be violating the Terms and Conditions or who may be causing intentional or unintentional injury or interference to the rights or property of Vitala or any third party, including other users of our Services.

10. What Happens to Personal Data Submitted by Minors?

Vitala does not knowingly collect Personal Data from individuals under the age of 18. Additionally, our Services are not directed to individuals under the age of 18. We request that these individuals not provide Personal Data to us. If we learn thatPersonal Data from users under the age of 18 has been collected, we will deactivate the User Account associated with that data and take reasonable measures to promptly delete such data from our records. If you are aware of a user under the age of 18 accessing the Services or Platform, please contact us at lisa@vitala.health.

11. Profiling

We do not profile personal data. We do not use automated programs.

12. Transfer of data to third countries

The transfer of data to third countries takes place on the basis of the agreements we have signed. The table below does not provide a compilation of entities used in connection with the management of employee affairs and work. This information is available in the relevant document for inspection by authorised personnel (employees and collaborators).

According to the provisions of the GDPR, each case of transferring personal data to a third country (outside the EEA) must be based on the appropriate legal basis for data processing. One of the mechanisms through which companies transfer personal data outside the EEA is the article 45 of GDPR. The European Commission has the power to determine, on the basis of article 45 of GDPR whether a country outside the EU offers an adequate level of data protection. The second way is the article 46.2.c of GDPR, so-called Standard Contractual Clauses (SCC). SCCs are template contracts that the European Commission has approved for use and permitted their application by issuing relevant decisions in this regard. Below are the entities we cooperate with and the appropriate legal basis for data transfer: