Privacy Policy
1. Introduction
At Kry, healthcare professionals work together with engineers and technicians towards a common goal: to develop and improve healthcare and provide our patients with the best possible healthcare experience.
We take your privacy very seriously and it is important to us that you as a patient always feel comfortable and safe when using our services and entrusting us with your information. We therefore provide you with this privacy notice (the "Privacy Notice") which describes our handling of your personal data in connection using our Healthcare Services or our Platform (both defined below and collectively referred as the “Services” in this Privacy Notice).
In this Privacy Notice, we explain who is responsible for the personal data processing taking place in connection with your use of the Services. We also describe which personal data about you is processed, how we process the personal data and why. You also get information on which legal basis we justify our processing of your data, in which situations your personal data may be shared with others, as well as which rights you have regarding your personal data and how you can exercise these rights.
Certain special provisions apply to occupational health care, see section 5 below.
2. Who’s responsible for our data processing?
Kry International AB ("Kry International"), parent company of the Kry group, owns and provides the Kry app as well as the technical platform, web pages and other digital tools through which we provide our Healthcare Services and other services (the "Platform"). Kry International is the personal data controller for the processing of the personal data that you register or that is collected when you use the Platform without interacting with the Healthcare Provider (as defined below) or managing a specific healthcare matter. In practice, this means that for all processing of data related to registration, change, termination and login to an account as well as use of the Platform to, for example, read general information or marketing, Kry International is responsible for use of your information. When you initiate a care contact and start providing or receiving information about your health, for example by filling in forms for an appointment booking, ordering a test or listing yourself with one of our care providers, as well as for all subsequent handling of your care and care-related information for care, administration, statistics, quality assurance and similar (the “Healthcare Services”) the Healthcare Provider is responsible for use of your information.
In Sweden, it is primarily Kry International's wholly-owned subsidiary, Kry Primärvård AB (“Kry Primärvård”) that provides the Healthcare Services. You can find full company and contact details for Kry International and Kry Primärvård at the end of this Privacy Notice. Other healthcare providers in the Kry group may also provide Healthcare Services to you. In that case, this will be communicated to you along with relevant company and contact details before the care relationship with such healthcare provider is initiated. You can also find company and contact details to all our healthcare providers on our website. Kry Primärvård or the other healthcare provider who provides care to you as above is referred to below as the "Healthcare Provider").
If you have questions or comments about the processing of your personal data, you are always welcome to contact us or our data protection officer via our website at www.kry.se/kontakt, or by emailing privacy@kry.se.
3. Which categories of personal data do we collect?
3.1 Account, profile, contact information, etc
When you register an account and/or use the Platform, Kry International collects the following categories of information:
Profile information: Name, social security number, gender, citizenship, guardian status and whether you have protected identity.
Contact information: Address, e-mail and phone number. Phone numbers and e-mails are collected directly from you. Other information stated above is collected via the Swedish SPAR register (Statens personadressregister). In connection with logins to the Platform, the information from SPAR may be collected again and updated. Profile information and Contact information are mandatory for you to be able to use the Services.
Device Information: When you use the Platform, we collect information about your device, browser, and operating system, such as browser screen settings, time zone, type and version of operating system and device, IP address, and device ID, as well as your settings and personal account preferences.
Usage information: When you use the Platform, information is collected about how you use and access the Services, functions, communication you receive, the types of meetings and interactions you have with the Healthcare Provider along with login information, and internal identifiers regarding you as a user and your meetings. We also collect technical information in connection with this such as page response time and download errors.
Feedback: Information collected directly from you through, among other things, surveys, interviews and tests about how you experience the Services, new functions or different types of communication.
3.2 Personal data collected by the Healthcare Provider
In connection with you seeking care, listing yourself with Kry, or otherwise using the Platform in connection with a care matter, the Healthcare Provider collects information in order to be able to provide you with the best possible care (if you seek care for or list a child, the same information is collected about the child). This includes:
Medical information: This includes information about your physical and/or mental health that you provide before or in connection with an, such as reason for seeking care, symptoms, allergies, medical history, as well as information that the healthcare staff registers in connection with the appointment and follow-up such as journal entries, referrals, medical certificates, prescriptions and administrative notes
Third party medical information: In connection with your care, the Healthcare Provider may obtain information from an external party, e.g. Information from referrals from other healthcare providers. With your consent, we can also retrieve information from national or regional systems such as the NPÖ (Nationell patientöversikt), which allows us to read the medical records of other healthcare providers who are connected to the same system. Other examples include NLL (Nationella läkemedelslistan), which is a nationwide source of information that gives the healthcare system access to information about the patient's prescribed and collected medicines and other goods (e.g. consumables). Healthcare meeting information: The care provider also collects information about the interactions you have with the Healthcare Provider and the Healthcare Services, such as appointment times, information about your booking and the choices you made during the booking process, waiting time, type of meeting, type of action that an encounter resulted in, as well as internal identifiers regarding encounters and patients. Depending on your type of contact with Kry, we may also collect chat conversations and transcripts, i.e. text files that reproduce your meeting with the healthcare staff. Audio and images from video or telephone meetings are not stored.
Payment information: Information about your purchases, payments, payment method, card details, free card, receipts, invoices and similar.
Support information: Information about your cases with our customer service team, including correspondence and administrative documentation regarding questions, complaints, requests and similar.
Listing information: If you choose to list yourself with a health center operated by the Healthcare Provider, information about your choice of healthcare center, as well as your name, national id, address and contact details will be processed to administer the listing.
3.3 Your Health and other Add-on services
If you activate the service Your health, the Healthcare Provider will collect the data that you choose to register, such as weight, height, allergies and tobacco habits. Kry may also offer other services such as health screenings, medication reminders, and calendar invitations. You will receive more information about which data these services process in connection with activating such service.
4. Which categories of information are processed for which purposes and on which legal basis?
Below, we first describe how Kry uses your data on a more general level. In the table below, you can find more detailed information about which categories of data we process for which purposes, on which legal basis and how long we store the current information. Please note that when you register for the Platform, and at any time thereafter, via your settings in the Platform, you can make a number of choices about what information is collected about you and used for various purposes such as marketing, statistics, product development and add-on services. You can also withdraw consents you have given to Kry.
4.1 Use of the Platform
In order to provide the Platform to you in a reliable and secure manner, Kry International uses your data for the following purposes:
To make the Platform available in accordance with your choices and settings, by allowing you to register an account, log in, adjust settings and preferences, and otherwise allow you to use the service in accordance with the Terms of Use,
To establish your identity, age and guardian status to enable and facilitate contact with the Healthcare Provider,
To understand and analyze how technical solutions perform and to ensure stability, availability, security and performance as well as to be able to troubleshoot and solve problems,
To provide you with technical support, and
To exercise Kry International's rights and obligations under the Terms of Use, such as matters relating to error correction, unauthorized use and account termination.
4.2 Product improvements
Kry International uses your data to better understand how the Platform is used, as well as to be able to improve it. This includes the following:
Generating statistics and analyzes to understand the use of the Platform, problems and areas of improvement; and
Improvement of user experience and user interface, as well as development of new functions and features.
Use of your data for these purposes normally takes place in pseudonymised form, which means that data that directly identifies you, such as name, social security number, telephone number, address and the like, is removed before use.
4.3 Information and marketing
As a user of our Services, Kry International and the Healthcare Provider use your data for different types of communication and campaigns. This includes:
To provide you with information that is important for you to be able to use the Platform and/or the Services, e.g. security-related information, changes to terms, or other important changes or updates;
Confirmations and reminders regarding bookings, meetings, treatment and the like, e.g. via notifications, inbox messages or SMS;
To provide marketing about the Platform and/or the Services and offers via email, letter, notices, inbox message or SMS. However, direct marketing is only provided if you have actively opted in.
Targeted advertising on other websites and services, as well as analysis of interaction and effectiveness of advertising and communication. However, targeted advertisements and such analysis as described in this bullet point will only occur if we have obtained your prior specific consent via our website (via our “cookie banner”) or via your settings in the Kry app.
4.4 Healthcare
When you seek healthcare from us, we may use your data for the following purposes:
To handle and triage your case or your booking to the appropriate staff,
To provide healthcare via video, chat, phone or face-to-face meetings, including to assess your condition, give you medical advice, prescribe medication, issue medical certificates and referrals, and perform necessary administration and follow-up such as handling lab tests, payments and free card (frikort) management,
To communicate with you with advice and recommendations via telephone, notices, email or post, as part of your treatment or when we assess that you need or may be interested in such information for medical or health preventive reasons. For example, to find out how you respond to your treatment, recommend new contact with care, new treatment methods or in similar circumstances;
To obtain medical information about you from external parties in order to provide you with good and safe care, for example via national and regional systems for viewing medical records (e.g. Nationell patientöversikt, NPÖ) or medication lists (e.g. Nationella läkemedlslistan, NLL) and to make your information available in these systems. We only collect information about you if we first obtain your consent and you can object to us entering information about you into these systems at any time by contacting us in accordance with what is set out below in this Privacy Notice,
To provide patient-related support, including investigating complaints, inquiries, medical discrepancies and incidents;
To manage your listing and/or delisting at Kry, and
To manage payments, refunds, free cards and other payment issues.
4.5 Quality assurance, quality development and statistics at the Healthcare Provider
We strive to maintain the highest possible quality of the care we deliver and to constantly improve the tools we use through systematic quality assurance and quality improvement work. This includes:
To produce statistics on the use of Healthcare Services and the care delivered to patients for the purpose of planning, organizing and streamlining operations,
To analyze statistics and feedback from patients to follow up, identify improvement areas and to secure and develop quality in processes, systems and functions and thereby continuously improve medical quality, customer satisfaction, accessibility, safety and user experience for our patients.
Audio and video meetings with Kry are never recorded. However, chat conversations and so-called transcripts, or text files that reproduce the conversation between you and healthcare professionals, can be stored and used by our systems to streamline and automate our administrative work. For example, to generate summaries of symptoms and claims to speed up the process to find the right staff for you as a patient, or to facilitate the staff's administrative tasks such as by providing draft documents and notes, which gives the staff more time for you as a patient. We also use an automatic chat system in order to collect information about your questions, reasons for getting in touch and similar in order to shorten waiting times and provide you with care faster. If you chat with the digital assistant or similar automatic systems, you will receive information about it beforehand. We do not allow our systems to influence or make decisions that affect your treatment. Our staff always do. You can read more about our work with automation and so-called artificial intelligence here.
4.6 Add-on services
The Healthcare Provider offers a number of optional services with the aim of improving your experience of the care we provide. For example, the service Your health, which gives you the opportunity to register data to keep track of your health, receive customized recommendations and tips via, for example, notifications, more customized health forms in connection with seeking care, as well as better prepared medical personnel who’s able to familiarize themselves with your health profile before meeting with you. As a user of the Kry app, you are also offered other services to facilitate and keep track of your health and treatment, such as medication reminders, calendar invitations for appointments and health screenings. Activation of such services normally requires that you give us separate and explicit consent to process your data in connection with such services, and you will receive more information about the processing in question before providing such consent.
4.7 Contacts with regions, authorities and legal obligations
As healthcare providers, we sometimes must collaborate and share information with authorities. This includes the following:
To handle compensation matters for visits, listings and other actions for which we are entitled to compensation vis-à-vis healthcare authorities such as regions,
To cooperate with authorities in connection with supervision of our operations,
To fulfill obligations according to law, authority decisions and other obligations towards authorities and public authorities (e.g. towards Inspektionen för vård och omsorg (IVO), Socialstyrelsen and the healthcare regions). This can for example include compiling and sharing information about vaccinations, the spread of infection and other information, but only in cases where we have a legal obligation to do so.
4.8 Mergers, acquisitions, re-structures, etc
If Kry International or the Healthcare Provider is acquired, merged with another company or split, the acquiring company will continue to save and use your personal data in accordance with this Privacy Notice, unless you receive different information in connection with the transfer. However, in connection with such major changes to our operations, you will always receive information that is important for you to continue to receive the best care possible, such as changes to conditions, the responsible care provider, and to what extent you can object to your data used by the acquiring organization.
If Kry International or the Healthcare Provider ceases to exist, e.g. through liquidation, we will delete your personal data as long as we do not need to save them to meet legal requirements or transfer the assets, including customer data to a possible acquirer.
4.8 Detailed information on Kry’s use of personal information
Purpose of processing | Data or categories of data processed | Legal basis | Retention time? | Data Controller |
Use of the Platform | ||||
To provide you with the Platform in accordance with your choices, settings and preferences, including registering and closure of account, log-ins, management of settings, maintaining correct and up to date information, and to validate identity, age, guardian status for the purpose of make available and facilitate interactions with the Healthcare Provider. | Profile information, Contact information, Device information | Performance of contract (art 6.1 b GDPR) | As long as you have an active account and for an additional period of up to 3 months in order to secure removal Information from SPAR is collected and updated each time you log in | Kry International |
To understand how our systems perform for the purpose of ensuring stability, availability, security and performance, and to allow for troubleshooting, resolutions and technical support | Profile information, Device information, Usage information | Performance of contract (art 6.1 b GDPR). To the extent cookies or similar technology is used for collection of data, the legal basis is consent (art 6.1 a GDPR) | As long as you have an active account and for an additional period of up to 3 months in order to secure removal Device and Usage information is used 6 months from collection for quality, support and troubleshooting purposes and 12 months for security purposes | Kry International |
To exercise our rights and obligations in accordance with our terms of service. | Profile information, Contact information, Device information, Usage information | Performance of contract (art 6.1 b GDPR) | Information used as part of a decision about you is stored as long as the matter is ongoing and thereafter for up to 5 years for management of legal claims and obligations. | Kry International and the Healthcare Provider respectively |
Product improvement | ||||
To understand how our systems, user interfaces and communication channels perform in order to allow for improving user experience and developing new functionality. | Profile information, Device information, Usage information, Feedback | Legitimate interest (art 6.1 f GDPR) to continuously improve the Platform and/or the Services. To the extent cookies or similar technology is used for collection of data, the legal basis is consent (art 6.1 a GDPR) | As long as you have an active account and for an additional period of up to 3 months in order to secure removal Usage information and Feedback is used for 3 years from collection, or until the earlier point in time when you object to further processing or withdraw your consent | Kry International |
Information and marketing | ||||
To provide you with relevant information about the Services, changes and important updates, e.g. via email, notifications and inbox messages, and to help us understand how such information is received and consumed by the recipient. | Profile information, Contact information, Device information, Usage information, Listing information | Performance of contract (art 6.1 b GDPR) . To the extent cookies or similar technoIogy is used for collection of data, the legal basis is consent (art 6.1 a GDPR) | As long as you have an active account and for an additional period of up to 3 months in order to secure removal Usage information is used for 3 years from collection, or until the earlier point in time when you withdraw your consent | Kry International and the Healthcare Provider respectively |
To provide you with relevant marketing, e.g. via email, sms, normal mail, inbox messages, ads or similar channels. For example in connection with campaigns or new offerings, and to help us understand how these are received and consumed by the recipient. | Profile information, Contact information, Device information, Usage information, Listing information | Legitimate interest (art 6.1 f GDPR) to market the Services. If the communication qualifies as direct marketing we apply opt-in. To the extent cookies or similar technology is used for collection of data, the legal basis is consent (art 6.1 a GDPR) | As long as you have an active account and for an additional period of up to 3 months in order to secure removal, or the earlier point in time when you opt-out from such processing | Kry International and the Healthcare Provider respectively |
Healthcare | ||||
To provide you with healthcare, including medical assessments, medical advice, prescribe medicine, provide sick notes and referrals and carry our necessary administration such as follow-ups, management of lab analysis and similar | Profile information, Contact information, Medical information, 3rd party medical information, Healthcare meeting information | Public interest (art 6.1 e GDPR). For special categories of data in healthcare (art 9.2 h (GDPR) and 2 ch 4§ Patient Data Act (Patientdatalagen) applies | Medical records are stored for 10 years following the last entry into the records | Healthcare Provider |
To communicate with you regarding advice and recommendations via phone, notices, email, post as part of your treatment or when we assess that you need or is likely to be interested in such information given for preventive or proactive medical reasons. For example, to learn how you respond to treatment, to recommend additional meetings, new treatments methods or similar, and to better understand how such communication is received and consumed by the recipient. | Profile information, Contact information, Medical information, Healthcare meeting information, Listing information, Usage information | Public interest (art 6.1 e GDPR). For special categories of data in healthcare (art 9.2 h (GDPR) and 2 ch 4§ Patient Data Act (Patientdatalagen) applies. To the extent cookies or similar technoIogy is used for collection of data, the legal basis is consent (art 6.1 a GDPR) | As long as you have an active account and for an additional period of up to 3 months in order to secure removal, and only longer if necessary for an ongoing healthcare matter Medical records are stored for 10 years following the last entry into the records Usage information is stored for 3 years from collection, or until the earlier point in time when you object to further processing | Healthcare Provider |
To provide you with patient-oriented support, including to investigate and respond to complaints, requests, incidents and medical deviations related to patients, their treatment and use of the Services | Profile information, Contact information, Support information, Medical information, Healthcare meeting information | Public interest (art 6.1 e GDPR). For special categories of data in healthcare (art 9.2 h (GDPR) and 2 ch 4§ Patient Data Act (Patientdatalagen) applies. | Information about support matters is used for 3 years from collection for follow up and statistical purposes | Healthcare Provider |
To collect medical information about you from external parties for the purpose of delivering good and safe healthcare, for example via national and regional systems for cohesive record keeping (e.g. NPÖ) or the National medication list (NLL) | Profile information, 3rd party medical information | Consent (art 6.1 a GDPR). For special categories of personal data (art 9.2 a GDPR) | As long as your matter is ongoing. 3rd party medical information is not stored. | Healthcare Provider |
To handle your listing and/or delisting with Kry | Listing information | Public interest (art 6.1 e GDPR). For special categories of data in healthcare (art 9.2 h (GDPR) and 2 ch 4§ Patient Data Act (Patientdatalagen) applies | As long as you are listed with us and up to 10 years thereafter in accordance with statutory limitations in order to allow for managing of legal claims. | Healthcare Provider |
To handle payments, free cards, refunds, and similar payment related issues | Profile information, Contact information, Support information, Payment information, Healthcare meeting information | Public interest (art 6.1 e GDPR). For special categories of data in healthcare (art 9.2 h (GDPR) and 2 ch 4§ Patient Data Act (Patientdatalagen) applies | As long as you have an active account and for an additional period of up to 3 months in order to secure removal In accordance with applicable law on accounting, information about transactions, receipts, and similar is stored 7 years following the expiry of the financial year during which the transaction occurred. | Healthcare Provider |
Quality assurance, quality development and statistics | ||||
To generate statistics about the healthcare we deliver to patients for the purpose of understanding trends and to plan and organise the business | Medical information, Healthcare meeting information, Listing information, Support information, Feedback | Public interest (art 6.1 e GDPR). | 5 years from collection Support information and Feedback is used for 3 years following closure of your matter/ collection. | Healthcare Provider |
To secure and develop the quality of care in processes, systems and functions in order to allow for continuous improvement of medical quality, efficiency, availability, security and user experience | Medical information, Healthcare meeting information, Support information, Feedback | Public interest (art 6.1 e GDPR). | Medical records (encompassing Medical information and Healthcare Meeting information) are used for this purpose during the time it is stored, i.e. up to 10 years. Support information and Feedback is used for 3 years following closure of your matter/ collection. | Healthcare Provider |
Your health and other add-on services | ||||
To allow for activation and provision of the service Your health | Profile information, Device information, Medical information, Healthcare meeting information | Consent (art 6.1 a GDPR). For special categories of personal data (art 9.2 a GDPR) applies | Until you withdraw your consent or no longer have an active account | Healthcare Provider |
To allow for activation and provision of add-on services such as reminders, calendar invites, and health checks | Profile information, Device information, Medical information, Healthcare meeting information | Consent (art 6.1 a GDPR). For special categories of personal data (art 9.2 a GDPR) applies | Until you withdraw your consent or no longer have an active account | Healthcare Provider |
Contact with regions, public authorities and legal obligations | ||||
To manage reimbursement matters regarding the healthcare we deliver under contract wsith regions and other partners | Profile information, Contact information, Medical information,Healthcare meeting information | Public interest (art 6.1 e GDPR). | Copies of information which are reported to regions/other payers are stored up to 10 years from the reporting according to statutory limitation rules to allow for management of legal claims | Healthcare Provider |
To comply with legal requirements, orders and decisions from courts and public authforities and other obligations towards public authorities and bodies (e.g. IVO, Social Welfare Agency and regions) | All categories mentioned above | Legal obligations (art 6.1 c GDPR). For special categories of personal data in healthcare (art 9.2 h (GDPR) and 2 ch 4§ Patient Data Act (Patientdatalagen) applies | Copies of information which are reported according to requirements fro relevant authorities are stored up to 10 years from the reporting according to statutory limitation rules to allow for management of legal claims | Kry International and the Healthcare Provider respectively |
Omorganisation, disputes and claims | ||||
To administer reorganizations or restructurings, such as company acquisitions, transfer of assets and mergers. | All categories mentioned above | Legitimate interest (art 6.1 f GDPR) to optimize group structure and efficiency. For special categories of personal data in healthcare (art 9.2 h (GDPR) and 2 ch 4§ Patient Data Act (Patientdatalagen) applies | As long as the matter i songoing. | Kry International and the Healthcare Provider respectively |
To manage, bring forward and defend against legal claims (including from 3rd parties) | All categories mentioned above | Legitimate interest (art 6.1 f GDPR) to exercise our rights and defend against claims and lawsuits. For special categories of personal data in healthcare (art 9.2 f (GDPR) and 2 ch 4§ Patient Data Act (Patientdatalagen) applies | During the time your matter is ongoing and/or until it has received legal effect. | Kry International and the Healthcare Provider respectively |
5. Occupational Health Services
In connection with the provision of occupational health services where employer initiates contact with Kry and typically handle certain administrative aspects of the case, the following applies: When contacted or upon request from the employer, information is collected about the employer's representatives, including name, contact details, role, information about the employer, and a description of the matter. This information is collected in order to administer and deliver healthcare services to the employer in accordance with the agreement. Our legal basis for processing this data is our legitimate interest (ART.6.1(f) GDPR and Chapter 2, Section 4 of the Swedish Patient Data Act (patientdatalagen). This privacy policy otherwise applies to data collection with occupational health services. The data controller for occupational health services is Kry Företag AB, reg.no. 556364-3681, Torsgatan 21, 113 21 Stockholm.
6. How long do we store your information?
We will only process your personal data for as long as necessary to achieve the purposes for which it was collected or during the time we have a legal obligation to keep it as further described in section 4 above. This normally means the time required to provide you with good healthcare services, the Services you have requested, to comply with our legal obligations and to exercise our rights. For more detailed retention periods, see section 4 above. In particular, please note the following:
For health and medical care, there are legal requirements to store data. For example, medical records such as your patient records must be stored for a period of at least 10 years from the time of the last entry. Furthermore, information that is needed for accounting purposes, such as information about payments, invoices, receipts and similar, need to be stored at least 7 years from the end of the financial year in which the payment was made.
If there is a legal requirement for storage, this means that we cannot delete your data even if you request to have it deleted as described below.
Data which is stored and used based on your consent or processing which you object to, is stored and used to until you withdraw your consent/raise an objection which is deemed applicable.
You can read more about how to exercise your right to withdraw your consent/object to certain processing in section 9 below. Please note, that the same information is sometimes used for different purposes. For example, withdrawing consent for the Your Health service does not affect the Healthcare Provider's obligation to continue to store the same data if it is also part of your medical record.
7. Sharing with external parties as part of delivering the Services
In order to provide the Services, Kry needs to share information with certain external parties as further described below. These external parties are mainly data processors who are only allowed to use your data to help Kry provide the Services to you and who are not allowed to use your data for other purposes. However, there are external parties who need to use your information for their own purposes, such as different types of payment providers who need your data to comply with legal requirements and provide their products, other healthcare providers who need it to be able to continue to assist you in the healthcare chain, and authorities who need it for the exercise of their public authority. A detailed description of the categories of data shared, for what purposes and on what legal basis can be found in section 7.5 below.
7.1 Suppliers
In order to deliver the Services, we engage external subcontractors, such as platforms for IT infrastructure, marketing, data analysis and statistics, and customer support. The Healthcare Provider also uses external suppliers of medical record systems, deviation reporting and other administration of the healthcare activities. In cases where these suppliers process personal data, these suppliers normally act as data processors for Kry. This means that they only process the data to deliver the above-mentioned services in accordance with our instructions and are not allowed to use it for their own purposes. Kry also engages subcontractors which to a limited extent need to use personal data for their own purposes. This applies in particular to different types of payment services, which often have far-reaching obligations to handle and store their customers' personal data under financial sector laws. When these providers use your data for such own purposes, their respective privacy policies apply, and not this Privacy Notice. All our suppliers are carefully vetted before they are engaged to ensure that they take adequate measures to protect the personal data which they receive, and are bound by agreements that govern the way in which they may use it.
7.2 Other healthcare providers, national and regional systems, etc.
In the event that you are referred to another healthcare provider with, your medical records and/or other relevant information about your health condition may be shared with such healthcare provider in order for them to be able to be take responsibility for your continued care. However, we always discuss referrals with you and inform you before this happens. The majority of healthcare provider in the Kry group is also connected to regional and national systems for cohesive record keeping (sammanhållen journalföring), such as the Nationell patientöversikt (NPÖ). This means that if you seek care from a healthcare provider other than Kry, they can read your medical records provided they obtain your consent to do so. The purpose of cohesive record keeping is to provide you with good and safe care by sharing your care history with other healthcare providers. You can always oppose cohesive record keeping and blocking your medical record information from being included in cohesive record keeping by contacting the Healthcare Provider. Additionally, your patient record is also made available in the national e-service "Journalen" so that you can access it via 1177.se. Read more about the Journalen and cohesive record keeping, as well as how you can object to such use of your medical record in our help center. The Healthcare Provider also collects information about your prescribed and collected medication via the National List of Medicines (Nationella läkemedelslistan, NLL) administered by the Swedish eHealth Agency. Via the NLL, healthcare professionals have direct access to such data in order to safely prescribe medicines and other goods for you as a patient, to prepare care or treatment, or to supplement your medical record. The healthcare provider will only have access to your data via NLL if it has previously obtained your consent.
You can use your free card (frikort) for healthcare appointments with the Healthcare Provider if you are eligible for high-cost protection. The Healthcare Provider is connected to the digital e-free card service. This means that your free card is registered automatically if you reside in a region that is connected to the digital e-free card service. We register your e-free card details in order to administer correct patient fees in accordance with healthcare legislation. If you have a free card in paper format, you can register the card by filling in your exemption card number manually. In order for the Healthcare Provider to be able to answer questions and take part in other healthcare providers' reported visits for achieved high-cost protection in the e-free card service, your consent is required. In such cases, we will ask for your consent before we receive such data. If you are registered but no longer wish to be part of the digital e-free card service, you have the right to request withdrawal by emailing us at support@kry.se.
7.3 Healthcare regions and public authorities
We may share some of your personal data with the region in which you have sought healthcare and which are responsible for the healthcare you have received, as well as to certain public authorities in order to comply with legal obligations applicable to the Healthcare Provider. For example, information is reported to the regions we have agreements with about the type of meetings we have had, time and date of these, diagnoses and outcome of meetings, as well as which patients who register or delist from our healthcare centers so that the regions can calculate reimbursement. We may also respond to requests from courts and law enforcement authorities about our operations or patients that we believe we should respond to and have the legal right to do so.
7.4 Employers and insurance companies
If you have been referred to us by your insurer or employer, we will not disclose information about your use of the Services, your state of health or your medical records to your insurer/employer unless you have given prior separate consent for us to do so. Please note that this Privacy Notice does not apply to personal data processing that takes place at your insurer or employer. Therefore, always check how your employer/insurer use your personal data before you use Kry through your insurer or employer.
7.5 Duty of confidentiality, duty to report, etc.
Healthcare professionals are subject to a duty of confidentiality, which means that they are not allowed to disclose information about an individual's state of health or other personal circumstances which they have received in the course of their activities (Swedish Patient Safety Act (PSA), ch 6, sec 12). However, there are certain exceptions to this confidentiality obligation (PSA, ch 6, sec 15). For example, if we find out that a child has been or are at risk of being harmed we need to disclose this to social authorities. We may also be required to disclose certain information to law enforcement, enforcement, tax authorities and the security police if (PSA, ch 6, sec 15).
7.6 Detailed description of recipients
Recipient | Purpose | Categories of information | Legal basis |
Other healthcare providers | Healthcare (e.g. in connection with referrals) | Profile information, Contact information, Medical information | Public interest (art 6.1 e GDPR). For special categories of data in healthcare, art 9.2 h (GDPR) and 2 ch 4 § Patient data act (Patientdatalagen) applies |
Healthcare regions | Administration of contract, Reimbursement matters | Profile information, Contact information, Medical information, Healthcare meeting information | Legal obligation (art 6.1 c GDPR). For special categories of data in healthcare art 9.2 h GDPR applies along with 2 ch 4 § Patient data act (Patientdatalagen) |
National and regional healthcare systems (e.g. NPÖ, NLL) | Healthcare | Profile information, Medical information | Public interest (art 6.1 e GDPR). For special categories of data in healthcare, art 9.2 h (GDPR) and 2 ch 4 § Patient data act (patientdatalagen) applies along with special legislation for each individual system |
Public authorities | Supervisory activities, criminal investigations, legal process and other legal obligations | Profile information, Contact information, Medical information, Healthcare meeting information, Listing information, Support information | Legal obligation (art 6.1 c GDPR) or vital interest art 6.1 d GDPR. For special categories of data in healthcare art 9.2 h GDPR applies along with 2 ch 4 § Patient data act (Patientdatalagen) |
Invoicing supplier | Handling invoices | Payment information | Performance of contract (Art 6.1 b GDPR) |
Payment platform suppliers | Handling payments | Payment information | Performance of contract (Art 6.1 b GDPR) |
Payment terminal suppliers | Handling payments | Payment information | Performance of contract (Art 6.1 b GDPR) |
Employers and insurance companies | Administration of contract, Reimbursement matters | Profile information, Contact information, Medical information, Healthcare meeting information | Consent (art 6.1 a GDPR). For special categories of data in healthcare, art 9.2 a GDPR) applies |
8. Transfer to third countries
Kry International and the Healthcare Provider use suppliers which have operations outside of Sweden. When working with such suppliers, Kry International and the Healthcare Provider strive to make sure that they only store and process personal data within the EU/EEA. However, in some cases, Kry International and the Healthcare Provider may transfer your personal data to countries outside the EU/EEA, currently to the USA and the UK, where the level of protection under the laws of the recipient country may be lower than within the EU/EEA area. The transfer mechanisms we use are:
the European Commission's adequacy decisions regarding the United Kingdom and the United States respectively, and
Standard Contractual Clauses available here.
Your medical records will always be stored within the EU/EEA.
9. Your rights
You have a number of rights that you can exercise by contacting us. These rights include:
(I) The right to know what data we process about you and to receive a copy of such data, including your medical records and who had access to these; (II) The right to ask us to correct any inaccurate or incomplete information about you;
(III) Right to request the erasure of your personal data. Please note that there are situations where we cannot delete your data. For example when it is still necessary to process the data for the purpose for which it was collected, when we have a legal obligation to continue to store your data or when the data is needed to pursue legal claims;
(IV) The right to withdraw consents you have given to Kry International or the Healthcare Provider, for example in relation to the processing of your data in Your Health;
(V) Right to object to processing of your data which we use on the basis of legitimate or public interest. You can also always object to processing that takes place for the purpose of direct marketing;
(VI) The right to request access to personal data, which we have obtained from you, in a machine-readable format so that you can transfer your data to another data controller (right to data portability);
(VII) The right to request that we restrict our processing of your data in the event that you believe that the data we hold about you is inaccurate, that our processing is unlawful or that we do not need the data for a specific purpose;
(VIII) The right to request blocking of data in your medical record (i) vis-à-vis other healthcare providers, meaning that no other healthcare provider can access it via NPÖ or similar systems (Please note, however, that you as a guardian cannot request such a block for your child ) and (ii) vis-à-vis other units within the Healthcare Provider, meaning that such units do not have access to your medical record. You can read more about the rights above on the Swedish Authority for Privacy Protection's (IMY) website.
If you wish to get in touch with us regarding any of these points, you can contact us by email to privacy@kry.se or via the contact details listed below.
10. How we protect your personal information?
You should always feel safe when entrusting us with your personal data and we therefore always take adequate security measures to protect your personal data against unauthorized access, alteration, deletion and loss. If there are security incidents that may affect you or your personal data in a more significant way, such as when there is a risk of fraud or identity theft, we will contact you to inform you of what has happened, what measures we have taken and what you can do to reduce the risk. Your information is protected by a confidentiality according to the Swedish Patient Safety Act (2010:659).
11. How we use cookies and other tracking technology?
In order to provide you with a better and more customized experience, and to better understand and personalize content and ads, we use cookies and similar tracking technologies in our apps, websites, and communication channels such as email. You can find information about the tracking technologies we use, what data is collected and why, as well as information on how to accept or decline tracking technologies, in our Cookie Policy as well as in the various apps, websites, etc.
12. Right to lodge complaints
We hope that this this Privacy Notice has clarified how we handle your personal data, but if anything is unclear, we are grateful to receive your feedback and answer your questions so that we can improve our communication around this. If you are not satisfied with any aspect of our processing of personal data, you can file a complain with the Swedish Authority for Privacy Protection (IMY). You can find IMY's contact information on www.imy.se.
13. How to contact us?
If you have any questions or comments, or if you wish to exercise any of the rights described above, you are always welcome to contact us or our Data Protection Officer using the contact details provided on our contact page kry.se/kontakta or by emailing privacy@kry.se. You can also use the contact details below.
Kry International AB
Org no: 556967-0820
Torsgatan 21
113 21 Stockholm
Kry Primärvård AB
Org no: 556665-8364
Torsgatan 21
113 21 Stockholm
If it becomes necessary for you to meet another healthcare provider in the Kry group, you will be notified before the contact is initiated, as well as receive all necessary information and contact details about this healthcare provider. You can find the details and contact details of other healthcare providers on our website.
14. Changes
We may update this Privacy Notice from time to time. If we make material changes that require us to inform you or obtain your consent by law, you will be notified or given the opportunity to give your consent.
Last updated: June 24, 2025.