Introduction

Dignio offers software healthcare solutions that require the processing of personal data and sensitive health-related information about patients. Proper protection of the personal data and health data that we process on behalf of our customers is one of our top priorities. Dignio has implemented procedures to ensure that all the rights of the patients and other data subjects are respected.

Dignio is subject to European data protection regulations, including the General Data Protection Regulation (GDPR) as well as local data protection regulations in the countries in which we operate. We observe state of the art information security standards, see the page Security at Dignio for more information about our security measures.

In the following, you will find an overview of our data protection standards and guidance to our customers, pertaining to their role as controllers under the GDPR. If you have any questions after reading this document, feel free to contact us at post@dignio.com.

Dignio’s data protection standards

Dignio has implemented and continuously observes a number of data protection standards to ensure compliance with the GDPR and all other applicable data protection and health data regulations. Our current data protection standards include:

• Privacy by Design: Privacy concerns are taken into account from the beginning when developing new software or considering purchasing new products or services for our operations. When developing new software, we strive to minimise the amount of data processed to what is strictly necessary. We choose suppliers that are able to demonstrate privacy-friendly solutions.
• Adherence to privacy principles: All our privacy procedures are standards are built under the auspices of the six fundamental privacy principles, namely, the principles of (1) purpose limitation, (2) data minimization, (3) storage limitation, (4) accuracy, (5) integrity and confidentiality and (6) lawfulness, fairness and transparency.
• Data subjects rights: We have procedures in place to ensure that the rights of the data subjects are respected, such as the right to information, access to data, correction, deletion and limitation of processing.
• Transparent data processing: We are fully transparent about all our data processing activities. Please read our privacy statements for an exhaustive account of all of our activities.
• Storage of data within the EU/EEA (and UK for our UK customers): Our data is safely stored in Stockholm (for EU customers) and London ( for UK customers).
  Adequate security standards. We have an extensive set of security measures in place to ensure that all personal data is safe in our custody. See the page Security at Dignio for more information.
• Anonymization: We strive to limit the amount of personal data processed on the Dignio platform as far as possible and use anonymized and aggregated data when the processing of personal data is not necessary. This includes the collection of technical security data and user statistics.
• Access Limitations: Access to personal data is strictly limited to employees that need access in order to perform their duties. Access to data processed in our software services is restricted to technical and support personnel. Other Dignio employees will not access customer data unless authorised to do so by the customer.

Privacy Notices

We have developed privacy notices for all our services. In addition, we have a separate privacy notice related to all processing activities that we do in addition to providing our software services, such as customer contact, website operations and social media presence.

Clarification of roles and responsibilities

The GDPR allocates responsibilities to two essential entities, namely, controllers and processors. Controllers are entities that make the decision to process personal data. Controllers are consequently responsible for defining and limiting the purpose of processing and identifying a valid legal basis for the data processing. Processors are entities that controllers entrust to process data on their behalf, in strict accordance with the instructions given by the controller.

Dignio as processor

Our customers include municipalities, hospitals, care homes and other entities offering remote care services. Our customers make the decision to process personal data in order to offer their healthcare services using the Dignio software platform. Accordingly, our customers operate as controllers when using our software services, and are therefore responsible for deciding the purpose, legal processing basis, what types of data that needs to be processed, the storage duration of the data, who the data needs to be shared with, and whether Dignio may be entrusted to process personal data on their behalf.

Dignio operates as a processor on behalf of our customers, which imply that we have been entrusted to process personal data based on the instructions given by our customers. We have entered into valid data processing agreements with all our customers, which requires us to only process data as instructed, and to observe all requirements under the GDPR and other applicable health data regulations.

Dignio as controller

Dignio also operates as a controller for two types of processing activities.

Firstly, Dignio is the controller in relation to administering the customer relationship, which includes invoicing the customers and registering and handling complaints and requests.

Secondly, Dignio operates as the controller for all data related to technical development, maintenance, security logs and user statistics generated from Dignio’s software services. Dignio makes decisions as to which technical development, maintenance and security measures are necessary to provide a secure, reliable and user-friendly software service. Dignio also decides what types of user statistics that are necessary to collect in order to obtain information on how the services are used, and thereby how the services may be improved in the future. The data that is collected by Dignio is aggregated and anonymous, and hence not “personal data” as defined in General Data Protection Regulation (GDPR).