This statement describes how we collect and process personal data about our customers and users of our products and services. All references to “we” and “us” refer to Dignio AS. If you have any further questions after reading this statement, please do not hesitate to contact us by email to email@example.com.
The products and services we offer to our customers are developed on the basis of privacy by design – meaning that privacy is encompassed in the entire design of the system, which enables us to store and process personal and health data in a safe manner. All data registered in our system is stored safely in the cloud and is only available to authorized personnel.
In addition to personal data processed by our products/services, we collect personal data about our customers, suppliers, newsletter subscribers and persons contacting us for information. In the sections below we provide further details about what kind of personal data we collect, how it is processed and what your rights as a data subject are.
1. The data we collect
When you enter into a subscription agreement with us or purchase one of our products, we will collect the following data about you:
- Company name
- Company org. no.
- Phone number
- Delivery address
- Payment details
- Information about customer’s company manager (name, mobile number, email address)
- Information about customer’s contact person(s) (name, email)
- Information about customer’s admin user (name, username, email address, phone number and personal identification number)
This information is collected to fulfil the contract with the customer and is stored throughout the subscription period in order for us to manage the customer relationship and to provide support services. We retain some information beyond the subscription period for the following reasons:
- Accounting (Pursuant to Norwegian law, we must keep accounts for 5 years)
- Claim outstanding debts (If you still owe us money after the subscription period expires)
- Defend legal claims (If there is a dispute regarding the terms of the subscription agreement)
- Our customers’ obligation to document patients’ treatment pursuant to the Patient Journal Act (pasientjournalloven)
Our health care system Dignio Prevent
Dignio delivers a health care system to customers which enables remote care of patients. With regard to the data collected and stored by the customer in the system, Dignio acts as data processor and the customer is the data controller. The software allows the customer to specify (configure) the amounts and types of personal data that will be collected from the patients. The responsibility for ensuring that all personal data collection, as specified (configured) by the customer, is lawful lies exclusively with the customer, provided that the software offers the necessary tools for this.
Only technical personnel in Dignio subject to strict confidentiality obligations have access to the information contained in the system (and described in more detail below).
Dignio Prevent is developed as an “electronic health record” (behandlingsrettet helseregister) pursuant to the Patient Journal Act (pasientjournalloven) and fulfils all the requirements in Normen. The system is designed not to collect information which is unnecessary for the purposes that the system was designed to support. In Dignio Prevent customers can collect and store data about both patients and health care professionals/employees.
When the customer registers a new patient in Dignio Prevent, the following data will usually be registered about the patient:
- Personal identification number
- Phone number
- Information about the patient’s health
Once the patient is registered in the system, health care professionals employed by the customer can register journal notes on the patient’s user profile, including medication plans. The system will also store data and results from patient measurements (both clinical and questionnaires) conducted by the patient.
The above data is necessary to ensure correct identification of patients as well as proper documentation of the patient’s treatment in an electronic health record pursuant to the Patient Journal Act.
This data is stored until it is no longer considered necessary by the customer for treatment purposes. The assessment of whether data is considered necessary will be undertaken by the customer. We will delete data upon request from the customer (e.g. as a result of a deletion request from a patient).
Data about customer’s employees/health care professionals
When new user profiles for employees/health care professionals are created in the system, the customer can register the following information about such individuals in Dignio Prevent:
- Personal identification number
- Email address
- Phone number
In addition, Dignio Prevent collects log data, inter alia to ensure information security and prevent unauthorised use. These logs will store data on inter alia the system users’ activities in the system.
The above data is necessary to ensure proper documentation of the patient’s treatment in an electronic health record pursuant to the Patient Journal Act.
This data is stored until it is no longer considered necessary by the customer for treatment purposes. The assessment of whether data is considered necessary will be undertaken by the customer. We will delete data upon request from the customer (i.e. upon request from an employee).
Our patient app MyDignio
MyDignio patient app is used by patients and is connected to the Dignio Prevent health care system. MyDignio enables correspondence between patients and health care professionals as well as transmission of measurement results and patient notifications.
All users of the MyDignio patient app must be registered with a user profile. When logging into the app, users will be asked to enter a username and password.
In order for patients to monitor their own health, MyDignio gives users access to all relevant information stored in their patient profile in Dignio Prevent. This includes the following information:
- Results from measurements completed by the patient
- Notifications relating to measurements from Dignio Prevent
- Messages (sent from patient to Dignio Prevent and received by patient from Dignio Prevent)
- Journal notes
- Personal information relevant to the individual patient and stored in Dignio Prevent, such as name, address etc.
The above information is not stored in the MyDignio app, and is only available to the patient if the app is online.
Partners and Suppliers
We process personal information about partners and suppliers for the purposes of service delivery and service exchange. The personal information processed consists of names, phone numbers, addresses, e-mail addresses and invoice information.
This information will be stored during the contract period. Moreover, in order to facilitate potential future contact and cooperation, we retain records of current, previous and potential partners and suppliers for 5 years (GDPR Art. 6(1)(f)). We will delete all data upon request.
Newsletter subscribers and information requests
If you wish to contact us or subscribe to our newsletter, we will collect the following data:
- Newsletter: Email address.
- Email: If you contact us by email we will store the correspondence in order to reply to your request.
- Phone: If you contact Dignio support by phone we will store a summary of the correspondence in writing in order to reply to your request.
We need your consent in order to sign you up for our newsletters. You can withdraw your consent at any time, in which case we will delete your email from the email list and stop sending you newsletters.
Email correspondence will be retained for one year in case you should contact us again with a similar request. If you want earlier deletion, this can be arranged by contacting us.
If you are a customer, we reserve the right to keep the email and phone correspondence as long as you are an active customer in order to provide the best customer care possible, and for one year following the end of the customer relationship in case there is a need for further contact. In addition, the information may also be retained for bookkeeping purposes, to arrange returns, handle complaints and for the purposes of handling an ongoing legal claim. You can send us a request to delete all email correspondence. We will then process your request. If we decide to keep your data, we will inform you of the reasoning behind such decision without undue delay.
If you apply for a position in Dignio we will collect and process your CV, application, certificates and references as well as personal details such as name, email address and phone number. The basis of our processing of this personal data is your consent which is freely given by you during the application process. We will keep such data for 3 years following the end of the recruitment process in order to consider you for upcoming positions. You can withdraw your consent at any time. If you would like more information on how we process personal data during our recruitment processes, please click here.
2. Information Security
Dignio has documented technical and organisational measures to ensure that personal data is processed in a manner which ensures its confidentiality, integrity and availability. We take appropriate measures to ensure that all personal data is kept secure, including security measures to prevent personal data from being accidentally lost, or used or accessed in an unauthorized manner. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
3. Recipients of personal data and the use of sub-contractors
We will not disclose your personal information to third parties unless such disclosure is necessary as a result of legal obligations.
Dignio uses sub-contractors (data processors) for certain administrative tasks. In cases where we share information with a data processor, the processing of personal data is secured through data processing agreements. The data processing agreements ensure that the personal data is not used for any other purpose and that the processing meets the requirements of the General Data Protection Regulation (GDPR).
Dignio does not process personal data outside the EU/EEA.
4. Your rights as a data subject
You have the right to request:
- access to all the personal data we have stored about you,
- correction of any errors in the personal data we have stored about you, and
- deletion of your personal data
We will respond to your request as soon as possible, and in any case within 30 days. Your personal data will be deleted when the data is no longer needed for the processing purposes specified in Clause 1 above.
If you wish to exercise one of your rights, please contact us by email to firstname.lastname@example.org.
If you have any concerns about how we process your personal data, you are welcome to file a complaint to the Norwegian Data Protection Authority (Datatilsynet).