Welcome to Vakresmil AS (hereinafter called VAKRESMIL ) privacy notice. VAKRESMIL respects your privacy and is committed to protecting your personal data. This Privacy Statement explains how we collect and further process your personal data. It also tells you about your privacy rights and how the law protects you. It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and is not intended to override them. We urge all of our patients present and past to read our privacy notice as we are unable to contact all of you as personal details have changed over the years.
1. BRIEF OVERVIEW VAKRESMIL is the controller and responsible for your personal data. VAKRESMIL mainly processes personal data of its patients in relations related to the practice and study of orthodontics. VAKRESMIL comprises of specialists and non-specialists, trainees, International patients. Please also note that VAKRESMIL has a number of affiliated organizations, not limited to the following:- The Royal College of Surgeons (UK), British Orthodontic Society, American Association of Orthodontics, BLOS (British Lingual Orthodontic Society), Norsk Kjeveortopedisk forening, British Dental Association, Norsk Tannlegeforening, ONG (Orthodontic National Group for dental nurses and therapist), the OTA Orthodontic Technicians Association, OPUS, ORMCO, Nisi, BDO, JJ Thomson, 3M,CrediCare, SUS, Offentlig Tannhelsetjeneste, and whilst these organisations are run independently of VAKRESMIL, VAKRESMIL also holds information in respect of patients of these organisations and may send communications to those patients via mail, fax or e-mail. This privacy notice is therefore also issued on behalf of VAKRESMIL.
2. SUMMARY: DATA PROCESSING BY THE VAKRESMIL
VAKRESMIL's core service consists of clinical treatment of patients, disseminating information to its patients and supporting medical personnel and supporting the practice of orthodontics. VAKRESMIL undertakes a variety of services, such as processing registrations, administering patient’s data including images, collection of payments, and participant advertising and information. This also includes sending out newsletters and other information, publishing information leaflets and advice sheets. VAKRESMIL is not responsible for outside agencies or their privacy notices, and you should therefore consult their websites, privacy notices and other sources of information on them. At the same time, VAKRESMIL performs the following data processing of its own:
• VAKRESMIL uses patient’s data to provide information pertaining to the study and practice of orthodontics. Each patient is given the option to adjust their personal data. Please note that patients are required to validate their data if they wish.
3. CONTROLLERS, CONTACT INFORMATION Regarding the collecting and processing of personal data VAKRESMIL acts as controller (particularly, as defined in Art. 4 Section 7 of the European General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP), insofar as the respective provisions apply in the specific case). We have appointed a data protection manager (“DPM”) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights (detailed below), please contact the DPM using the details set out below: Full name of legal entity: Vakresmil a.s.Name and title of DPO: Trine Lowey, Society Administrator E-mail address: trine@Vakresmil.no Postal address: vakresmil, Kirkegata 28, 4006 Stavanger Norway Telephone Number: +47 5186 1844. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) the supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach so please contact us in the first instance.
4. COLLECTING, PROCESSING AND USING PERSONAL DATA
4.1 DATA SUBJECTS VAKRESMIL collects and processes personal data pertaining to:
• Patients (on behalf of VAKRESMIL and where applicable their details will be confirmed and your right to object to their receiving your data);
• Users of the websites and apps or other channels owned by VAKRESMIL
• Recipients of newsletters and marketing mailings (VAKRESMIL)
• Recipients of text messages; e mail messages; faxes and other technologies as applicable, and other services;
• Persons who communicate with the VAKRESMIL via e-mail, telephone or otherwise, such as via a contact form on the website;
• Persons who contribute content for the websites, apps or other channels owned by VAKRESMIL;
• Persons permitted to access patient’s data on behalf VAKRESMIL.
4.2 DATA SOURCES The personal data are generally collected from the respective persons themselves by a patient, parent or family member, guardian or carer, joining the practice for advice or treatment. PLEASE NOTE, we also collect data via certain authorised third parties, for instance when a member registers a family member, friend, or colleague and an entry is established in their name (in which case, VAKRESMIL requests confirmation that these third parties are authorised by the data subject to do this for them). Furthermore, data are exchanged between VAKRESMIL and the data collections of the individual events for which the member has registered (e.g. transfer of master data from VAKRESMIL in connection with advice, treatment or teaching).
4.3 COLLECTED DATA VAKRESMIL collect the following categories of data, including via the VAKRESMIL website:
• Patients’ personal data and contact information (master data), such as salutation, first name, last name, sex, birthday, birth year, address, country, e-mail address, mobile phone number,) • Patients data related to the registration for, participation in and holding of the respective advice or treatment (event data), such as advice or treatment, for which a person has registered.
• Data related to newsletters and promotional offers from third parties and other services, such as opt-ins and opt-outs regarding VAKRESMIL’s newsletters and other communications, as well as opt-ins for promotional offers of third parties and other services; VAKRESMIL collects the following categories of data, in particular, for its own purpose:
• Patients data related to their accounts particularly their user name and password (only in encrypted form), voluntary information provided by patients regarding their occupation and education.
• Data related to the ordering and implementation of additional services via VAKRESMIL the apps and other channels owned by VAKRESMIL.
• Data related to Online Registrations such as patients e-mail address, payment methods (in accordance with PCI standards and information about the payment method requested by the customer), shopping cart (master data and data related to registrations, details regarding products and services purchased by third parties)
• Data related to newsletters, advice sheets and promotional offers from third parties and other services, such as opt-ins and opt-outs regarding VAKRESMIL, as well as opt-ins and opt-outs for promotional offers of third parties and other services
• Data related to linking a VAKRESMIL account with social networks (e.g., Facebook), such as the profile photo and other data in accordance with the settings of the member, the corresponding login details (only in encrypted form) for linking The VAKRESMIL account with the social network, etc. in accordance with the configured settings
• Data pertaining to remote access users of the VAKRESMIL's systems, such as name, e-mail address, login details, Apple/Windows user, language etc.
• Data related to communication, such as records of digital images, radiographic, dental and facial, study models for ongoing communication with other providers such as referring dentists, surgeons, laboratories, teaching establishments, medical publications, dental presentations, hospitals, dental companies, payment authorities overseas and national, related to the use of the websites, marketing, teaching and various other forms of communication both past and present which may arise in relation to the practicing of Orthodontics.
• Data related to communication, such as records of correspondence and communication with VAKRESMIL etc. VAKRESMIL also collects: Data collected autonomously related to the use of the website and the apps or other channels owned by VAKRESMIL, such as access logs and session cookies and permanent cookies, for registered and unregistered users alike.
4.4 CHILDREN If children (under 16 years of age) actively participate in advice and treatments, their data, too, are generally processed to the same extent as the data of other patients and users. These data are normally collected via the parents or legal guardians, as applicable and the consent of their parent or guardian to any processing of their data will be sought in advance
5. PURPOSE OF PROCESSING PERSONAL DATA Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via e-mail or text message. You have the right to withdraw consent to marketing at any time by emailing trine@Vakresmil.no. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
5.1 PURPOSE OF COLLECTING AND PROCESSING OF PERSONAL DATA BY VAKRESMIL Insofar as VAKRESMIL collects and processes personal data as a controller, it does so to the extent permitted by applicable law, particularly (but not exclusively) for the following purposes:
• For purposes of contracting for and providing services for patients, particularly for VAKRESMIL, for the setup, maintenance and updating of the VAKRESMIL account (including data from advice and treatment), for account management and for publishing the VAKRESMIL profile and the associated search feature
• For the linking of patients' VAKRESMIL accounts by the patients themselves to their respective profiles on social media platforms (e.g., Facebook);
• For advertising and marketing, particularly sending out marketing mailings for advertising customers, as well as sending out advertising and newsletters of VAKRESMIL;
• For operating Registration and any associated procedures, including combating fraud and processing orders and payments
• For the operation, security, maintenance and further development of the website, services, products and systems of VAKRESMIL
• For statistical evaluations, teaching, analyses and documentation, reports and public relations work
• For purposes of fulfilling the applicable legal requirements and internal rules of VAKRESMIL, pursuing and implementing various rights, asserting and defending against legal claims and complaints, combating abuse, and for purposes of legal investigations or proceedings related to answering enquiries from the authorities
• For individual communication with users of the VAKRESMIL's services, e.g., enquiries and complaints and responding to same
• The sale or purchase of companies and other corporate transactions and the associated transfer of user data; and
• For other purposes, where a legal duty requires the processing or where these purposes were evident or appropriate based on the circumstances at the time of data collection.
5.2 AUTOMATED INDIVIDUAL DECISIONS Generally, VAKRESMIL does not take any automated individual decisions that have legal or similar significant effects on the data subject.
5.3 LEGAL BASIS OF DATA PROCESSING VAKRESMIL, in its role as controller, processes the aforementioned personal data on the following legal basis:
• Conclusion and fulfilment of VAKRESMIL's agreements with patients and the users of the VAKRESMIL's products and services;
• Conclusion and fulfilment of agreements with third parties made by users of Registration and any associated procedures
• Compliance with legal requirements by VAKRESMIL
• Obtaining consent of the patients regarding opt -outs opt-ins, and any other advice or procedures within VAKRESMIL
• Consent of persons with whom permanent cookies are used;
• Legitimate interests of VAKRESMIL. Operation of the website and other systems of the VAKRESMIL; Implementation, evaluation and documentation of advice or treatment, as well as past or future advice or treatment. Information provided to the public and interested groups; Carrying out advertising, marketing and public relations work. Maintenance and secure and efficient organisation of the organisation, including a secure and effective operation and the successful continuing development, and enhancement of new services, as well as of the website. Sound business management and development . Successful acquisition or sale of companies, as well as corporate transactions; Interest in preventing fraud, abuse, crimes and other offences, as well as in the investigation of such offences and other inappropriate conduct, handling of legal complaints, claims and other actions against VAKRESMIL, involvement in legal proceedings and cooperation with the authorities, and otherwise asserting, exercising and defending legal claims.
6. DATA DISCLOSURE AND DATA TRANSFER ABROAD
6.1 DISCLOSURES OF YOUR PERSONAL DATA The personal data processed by VAKRESMIL may be transferred to the following categories of recipients to the extent permitted by applicable data protection law:
• To VAKRESMIL or the respective event venue, as applicable (mutual exchange of the data kept by both parties, e.g., template for advice treatment or registrations generated from VAKRESMIL, and exchange of patients' data regarding their advice treatment or registrations, which can be administered from within VAKRESMIL, e.g., advice, treatment or event-specific consents)
• Businesses and organisations that offer their products and services via VAKRESMIL's Registration and any associated web shops;
• Photo services and other providers;
• Associations, and other organisations;
• Parents, respectively legal guardians and representatives of the patients;
• Local, national and foreign authorities;
• Media organisations;
• Processors (including IT service providers, payment service providers, providers for the transmission of text messages, providers for combating fraud, advertising partners, website analysis services); • Advertising customers and sponsors;
• Operators of social networks;
• Providers of tools for analysing website usage, which may also use the data for their own purposes;
• The public, including visitors to VAKRESMIL's website and particularly the VAKRESMIL database and the VAKRESMIL search feature
• Other parties to potential or actual legal proceedings. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Whenever we share information with third parties we take steps to ensure there are contractual safeguards in place to require that processing takes place in accordance with the GDPR and other data protection laws. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
6.2 INTERNATIONAL TRANSFERS The information accessible on the VAKRESMIL's website is available worldwide, and as such could involve your data being transferred outside the European Economic Area; furthermore, the recipients of services sent via text messages or app or other channels, may be located anywhere in the world and are not necessarily subject to data privacy laws. PLEASE NOTE: In this case, VAKRESMIL, (including in its role as organiser of VAKRESMIL events, advice , treatment,procedures), does not take any additional precautions regarding data privacy but rely, insofar as an international disclosure of personal data within the meaning of the law has occurred, on the exception of consent, or of the initiation and execution of an agreement, or the justification that the data were published by the data subject themselves.
• If data are sent to a third party provider, then this party, as the client of VAKRESMIL or contractual partner of the customer, as the case may be, has sole responsibility for data privacy. We do not control the websites of third parties and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit
• If data are transferred by VAKRESMIL to a (sub-)processor in a country lacking adequate data protection, VAKRESMIL guarantees adequate protection by using contractual warranties, particularly based on the EU model clauses, or it relies on the exceptions for consent or for initiation and execution of an agreement.
• PLEASE NOTE: If a service provider used by VAKRESMIL is not a processor, e.g., providers of payment services and operators of social media platforms like Facebook, the transfer is made on the basis of the exceptions for consent and for initiation and execution of an agreement, to the extent these providers are located in countries lacking adequate data protection. On occasion transfers of data may be made abroad, including to countries lacking adequate data protection, e.g., in connection with lawsuits, contact with public authorities and media organisations, as well as in cases of emergencies. PLEASE NOTE: If VAKRESMIL cannot ensure adequate protection through the use of contractual warranties, particularly based on the EU model clauses, the transfer is made on the basis of the exceptions for consent, the initiation and execution of an agreement, the determination, exercise or enforcement of legal rights, overriding public interests, the justification that the data were published by the data subject himself or because it is necessary to protect the integrity of these persons. The data subjects may obtain a copy of the contractual warranties from the contact person specified above or be advised by him or her where they may obtain a copy. VAKRESMIL or the event organiser, as the case may be, reserves the right to redact such copies for reasons of data protection or confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. DATA RETENTION Unless otherwise provided by law, VAKRESMIL will only store the personal data processed as part of the service for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, advice, treatment, teaching, accounting, or reporting requirements. Following the new GDPR laws effective May 2018, patients have a right to erasure which is also known as ‘the right to be forgotten’; this is where patients can request to have all data deleted from our database. Information contained within VAKRESMIL member accounts are retained for as long as patientship is maintained. If a member terminates the VAKRESMIL account, all data in the VAKRESMIL are deleted except for the person's master data in VAKRESMIL (DSID, first name, last name, sex, date of birth, birth year), which are likewise deleted ten years after the termination of the account. However, the data included in (otherwise available) starting and ranking lists generally remain available even after the termination of the VAKRESMIL account, unless their deletion is expressly requested by the member to process past or future concerns regarding advice or treatment, teaching, accounting, liason with other concerned parties such as medicolegal advisors, educational authorities. If actual or suspected cases of fraud are discovered and the member in question is blocked, the relevant data are retained for as long as appears reasonable. Serious cases are marked as such and retained for as long as deemed necessary. Business documents, including correspondence, are retained for as long as VAKRESMIL has a legitimate interest in them (particularly an evidentiary interest in the event of claims, documentation of compliance with certain legal or other requirements, an interest in an evaluation of non-personal data) or is obligated to do so (by contract, law or based on other requirements). Data from information made via Online processes or Registration and any associated facilities can generally be retained permanently. Legal duties regarding, for instance, the early deletion or anonymisation or pseudonymisation of the data, are reserved. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
9. RIGHTS OF THE MEMBER, THE USER AND OTHER DATA SUBJECTS A member cannot currently log in to VAKRESMIL website patients’ area and modify personal details including treatments offered, agreeing to opt in to the “Find Treatment” pages on the VAKRESMIL website, agreeing to treat a patient on a pro-bono basis, indicate how some VAKRESMIL publications should be received (post or email) and to confirm that information listed re address details are correct or to amend/add/delete address details. VAKRESMIL members can register to use the VAKRESMIL website as a member at any time. Every data subject has a right to be informed about their data and can request information about them and demand that they be corrected. Moreover, every data subject has the right to request the deletion of all or part and restriction of the use of their personal data by VAKRESMIL and to object to any processing of their personal data set out in this privacy notice. You may also request that your data be transferred to you or to a third party (following which we will provide to you, or your chosen third party, your personal data in a structured, commonly used and machine-readable format). VAKRESMIL also retain the right to transfer data to third parties regarding advice , treatment, procedures or teaching as required.N ote that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. If the processing of the personal data is based on a consent, the consent may be revoked by the data subject at any time. VAKRESMIL, offers patients, as part of their patientship and their participation in an event, a variety of options for selective consents (opt-ins, opt-outs) to various processing of their data or the option to selectively refuse such processing (opt-ins,opt-out). These consents can be administered or provided, as applicable, via VAKRESMIL. If the requested opt-in, opt-out is not specified, a request to opt-out should be addressed to the contact person (see section 3 above). In countries within the EU or the EEA, as applicable, the data subject has, in certain cases, the right to receive the data generated through the use of online services in a structured, common and machine-readable format that permits the further use and transmission of the data. Enquiries concerning these rights should be addressed to the contact person (see section 3 above). VAKRESMIL reserves the right to restrict the rights of the data subject in accordance with applicable law and, e.g., not to issue complete information or not to delete data. If VAKRESMIL takes an automated decision regarding an individual person that has legal or similar significant effects on the data subject, the data subject may speak with a responsible person at VAKRESMIL and request a reconsideration of the decision or that the decision be taken by a person from the outset, to the extent provided by applicable law. In this case, it is possible that the data subject will no longer be able to use certain automated services.
10. CHANGES TO THE PRIVACY STATEMENT VAKRESMIL may modify the present Privacy Statement on its own behalf at any time without prior notice or announcement. The current version published on the website www.Vakresmil.no and available in the practice shall apply. If the Privacy Statement is part of an agreement with patients, users or another data subject, then, in the event of an update, VAKRESMIL may inform them of such update via email, availability in the practice or other appropriate means. If no objection is raised within 30 days, then the new Privacy Statement is deemed accepted. If an objection is raised, VAKRESMIL may terminate the agreement in whole or in part for good cause and without notice or restrict or adjust the services it provides to the data subject in order to appropriately address his withholding of acceptance.
ANNEX Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
© Vakresmil AS May 2018