KRY International AB, company reg. no. 556967-0820 (“KRY International”), the parent company in the KRY group, owns and makes available the “KRY” technical platform and application (the “App”) and is the data controller of all processing of personal data which you register in the App, which is not related to processing of your health data for healthcare purposes. This means that when you commence submitting health data for healthcare purposes, e.g. by submitting health data via a symptom form for the purpose of receiving medical advice and follow-up, it is solely the relevant healthcare provider which is data controller for any processing of personal data which is carried out in the context of providing you with such healthcare services.
In Sweden, it is KRY International’s wholly owned subsidiary, Digital Medical Supply Sweden AB, company reg. no. 559051-2702, which provides healthcare within the Services (the “Healthcare Provider”), unless otherwise clearly communicated to you in connection with your use of the Services.
As provider of the technical platform and App, KRY International will process personal data on behalf of and on the instructions of the Healthcare Provider (and other healthcare providers, if applicable) in its capacity as data processor. This may include processing for the purpose of maintenance, debugging and support, for the purpose of assisting the Healthcare Provider in its quality work, to improve its services as well as with regulatory compliance and information security efforts. In the event another healthcare provider would join the KRY platform and process your personal data in connection with your use of the Services, we will inform you when you use the Services so that you always know which Healthcare Provider is the controller of your personal data.
If you have any questions or comments regarding the processing of your personal data related to your use of the Services, you are always welcome to contact us and/or our data protection officer via our website at https://www.kry.se/en/contact/, or by sending an email to email@example.com.
3. Where do we collect your personal data which is processed when you use the Services?
3.1 Personal data which is registered via your user account in the App
KRY International and the Healthcare Provider process personal data about you which you register via your account, such as your name, personal ID number, address and email address when you open your user account with us, and any information which you subsequently register when you use the App. In addition, we may automatically collect and process the following information: (i) technical information, including IP address, login information, type and version of operating system and unit, time settings, language settings, screen settings, etc.; and (ii) information about your use of the App, including which functions you have used and when, etc.
We refer to these categories of personal data, which are provided when you download and use the App, as “User Data” below.
3.2 Personal data to and from the Healthcare Provider
Contacts with the Healthcare Provider
When you seek healthcare from us, you are asked to share data linked to your physical and/or mental health. You do this primarily by filling in the relevant symptoms form in the App. This information may include, but is not limited to, information that you are suffering from an illness, your medical history, or your physiological or biomedical condition. The Healthcare Provider with whom you come into contact by using the Services may also transfer personal data about you for the purpose of providing and following up the healthcare you received within the scope of the Services. (See sections 7.3 and 9 below for more information on how your information may be shared with other healthcare providers.)
If you activate your Health profile, the Healthcare Provider may collect the information you decide to submit to your Health Profile, such as your weight, length, allergies and nicotine habits. This information is processed as described in section 5.3 below and will be made available to the healthcare staff with whom you have a meeting.
Personal data related to your health which is described above in this section 3 and which the Healthcare Provider uses in order to provide healthcare services is referred to below as “Patient Data”.
3.3 Personal data from third parties including other Healthcare Providers
Your personal data may also be updated and processed by us as Patient Data based on the healthcare you have received from other healthcare providers who are not associated with KRY. In the event this data is considered relevant to the provision of healthcare within the scope of the Services, it may be stored and processed by the Healthcare Provider and transferred to your medical records by the treating clinician. This includes, for example, information on your medical history which is received from the Swedish national healthcare database (Sw: Nationell patientöversikt - NPÖ) which will be accessed where we obtain your separate consent and where it is deemed relevant for the purpose of providing you with medical treatment.
In addition, KRY International and the Healthcare Provider will regularly obtain updated information regarding you via the Swedish State Personal Address Register (SPAR) in order to be able to provide the Services, so that correct information about you is available at all times and to facilitate your contacts with the Healthcare Provider. This information includes your name, address, place of residence, country of residence, and whether or not you have a protected identity.
4. Where is your personal data stored?
The App is a technical platform developed by KRY International and is also owned and controlled by KRY International. Most of your personal data which we collect when you use the Services is not stored in your smartphone or tablet. Instead, this personal data is stored by KRY International, in infrastructure provided by one of KRY International’s subcontracted suppliers. The personal data is processed and stored primarily within the EU/EEA. The Healthcare Provider is obligated to maintain medical records when performing the Services and relevant patient data is filed and stored in a medical record system (specifically developed in order to fulfil the requirements of the applicable legislation) at the request of the Healthcare Provider. Your personal data in your medical record is processed and stored within the EU/EEA.
5. Which personal data is processed when you use KRY and why?
5.1 KRY International’s processing of your User Data
KRY International processes your User Data (as described above in section 3.1) for the following purposes:
(i) to allow you to register or to terminate your user account in the App;
(ii) to allow you to login and use your user account;
(iii) to verify your identity and age;
(iv) to maintain correct and updated information about you, and to enable and facilitate contacts with the Healthcare Provider;
(v) to handle your choice of settings and information about payment;
(vi) to help you with queries, requests and claims; and
(vii) to otherwise be able to provide the Services to you according to our General Terms and Conditions.
The lawful basis for the processing of your personal data is our “contractual performance” (Article 6.1(b) of the General Data Protection Regulation, “GDPR”), which constitutes our General Terms and Conditions, for the purpose of being able to offer the services, including making possible the Healthcare Provider’s provision of good healthcare when you use the Services.
5.2 The Healthcare Provider’s provision of healthcare services
The Healthcare Provider processes Patient Data (as described above in section 3.2) for the purpose of providing the Services to you in the form of healthcare and other necessary treatment or advice within the scope of providing the healthcare.
As a Healthcare Provider, our operations are governed by national legislation. We therefore process your personal data based on applicable law (primarily the Patient Data Act (2008:355) (Sw: Patientdatalagen)). The processing of Patient Data regarding you needed to provide the Services occasionally also takes place based on your separate consent (Article 7 of the GDPR) and, where applicable, in order to fulfil other legal obligations of the Healthcare Provider (Article 6.1(c) of the GDPR). This includes that our clinicians keep medical records, which the Healthcare Provider is obligated to save for a particular period of time.
The Healthcare Provider also retains KRY International in order to ensure the quality of, and develop, the Services. Through this, KRY International may process (technically work on and technically store) sensitive personal data about you for the purpose of ensuring the quality and developing the healthcare within the scope of the Services in accordance with applicable legislation. This processing of your sensitive personal data takes place independent of KRY International and in accordance with the Healthcare Provider’s instructions.
Anonymized data which does not constitute personal data may be shared by the Healthcare Provider with KRY International for the purpose of developing the Services and developing our business.
5.3 Provision of support services related to your use of the Services
KRY International and the Healthcare Provider may communicate with you, in your capacity as a user of the Services. This includes, among other things, responding to inquiries and investigating complaints and support matters (including technical support) through our support service by telephone or via our digital channels. Depending on your matter, you may share additional User Data and Patient Data which we then process to be able to help you use the Services in the best possible manner. The Healthcare Provider may also contact you with advice and recommendations via telephone or notices where deemed relevant from a medical perspective, for example to find out how you respond to your treatment, to recommend additional contacts with the Healthcare Provider or under similar circumstances.
KRY International and the Healthcare Provider provide support as set forth above as a part of the Services (i.e. to be able to perform the contract with you and KRY International). To the extent the support services are related to healthcare or processing of Patient Data (or sensitive personal data about you), the processing takes place based on healthcare providers’ right to process personal data in connection with the administration of healthcare matters according to the Patient Data Act. The processing of your personal data related to support services may also take place in order for the Healthcare Provider to be able to perform its legal obligations under applicable legislation in the field of healthcare (see also section 5.5 below).
5.4 To be able to market products and services and improve your user experience
KRY International processes some of your User Data (as described above in section 3.1) for the purposes of direct marketing to you by email and text messages, or other similar electronic channels of communications, for example in the event of campaigns and offers in cooperation with KRY International’s partners. This includes processing of certain personal data, including your name, contact details, gender, age, place of residence and whether or not you have children. Processing of your personal data for direct marketing is carried out based on your consent which you can withdraw at any time.
KRY International also processes your User Data (i.e. not your Patient Data) for the purpose of understanding how the App is used and to improve the user experience and functionality of the App. Information about you as a user is also used for marketing purposes. Such processing is based on our legitimate interest to analyse and improve the Service (Article 6.1(f) of the GDPR).
5.5 To be able to evaluate, develop and improve the quality of Services
The Healthcare Provider may process your personal data for the purpose of understanding usage of the Services and to develop and improve the healthcare services provided as part of the Services, for example by improving the user interface and functionality. The Healthcare Provider also processes your information as part of its quality assurance work for the purpose of improving safety, medical quality, efficiency and availability of the Services. Processing of your information for the above-mentioned purposes is based on healthcare providers’ right to process personal data for quality assurance and service development purposes according to the Patient Data Act.
5.6 To perform legal obligations
KRY International and the Healthcare Provider may process your User Data and Patient Data (as described above in sections 3.1 – 3.2) on the lawful basis referring to a legal obligation (Article 6.1(c) of the GDPR) in order to fulfil legal obligations as set forth in statutes, court judgments, or decisions by public authorities (for example regarding requirements imposed by the Swedish Health and Social Care Inspectorate or the Swedish National Board of Health and Welfare).
We otherwise store and process your personal data to the extent necessary to be able to fulfil our legal obligations and requirements.
6. How long do we store your personal data?
We only process your personal data as long as is necessary for the purposes according to section 5 above. This means as long as it is necessary in order to be able to provide good healthcare or otherwise be able to provide the Services, or in order to fulfil the legal obligations applicable to us. The Healthcare Provider has an obligation to store medical records connected to healthcare meetings with you for a specific period of time. We otherwise have routines for how we store or anonymize personal data in order to regularly ensure that your personal data is always adequate and relevant for our continued provision of the Services. Your User Data is erased or de-identified not later than three (3) months from the time at which you close your user account with us, provided it is not necessary to store the personal data in order for us to fulfil our legal obligations or where the information is otherwise necessary for the establishment, exercise or defence of legal claims.
All information that is no longer needed for the performance and development of the Services, or quality assurance, is anonymized, or erased automatically. User Data which is stored on the basis of your consent is erased by us if you withdraw your consent. You can read more in section 10 about how you exercise your right to withdraw your consent. In this respect, we ask you to please note that KRY International and the Healthcare Provider process your personal data for different purposes (both as a technical supplier of the App but also as a Healthcare Provider). Withdrawal of your consent will not affect the Healthcare Provider’s obligation to keep medical records, or to process your personal data in accordance with applicable law.
7. Third parties with whom your personal data may be shared when you use the Services
7.1 Subcontractors of KRY International
In order for us to be able to offer you the Services, we use a number of external suppliers that process personal data in certain cases. Our service providers, such as operating, support and hosting providers, only work at the request of KRY International and according to KRY International’s instructions in its capacity as a processor of personal data.
7.2 Subcontractors of Healthcare Provider
The Healthcare Provider keeps medical records in accordance with applicable law in connection with the provision of healthcare within the scope of the Services. The medical records are stored in a medical record system outside of the App provided by a third party, at the request of the Healthcare Provider and according to the Healthcare Provider’s instructions. The Healthcare Provider is responsible for any personal data (Patient Data) which is stored in medical records.
7.3 Employers and insurance companies
If you have been referred to us by your employer, we act as data controller for personal data we receive from your employer (such as your name and your employer) as well as any processing of such information and information we collect when you use the Services. We do not disclose any personal data to your employer, i.e. information regarding your health, including whether you have used the Services.
8. Transfers to third countries
KRY International and the Healthcare Provider use suppliers for hosting, support and operating services with operations outside of Sweden. Where such suppliers are engaged, we always strive to make sure that the processing of personal data takes place on servers located within the EU/EEA. However, in certain cases your information may be transferred and processed outside the EU/EEA, currently to the United States, where the laws protecting your information may be less restrictive.
Such transfers of personal data only take place in exceptional cases and only provided that legal mechanisms making such transfers lawful are in place. These include entering into EU Commission Standard Contractual Clauses with the supplier and/or (in case of suppliers located in the US) ensuring that the supplier is certified under the EU-US Privacy Shield Framework.
9. Your rights as a data subject in relation to the App and as a user of the Services
You have the right to receive information regarding what personal information about you we are processing, for what purpose it is being processed, whether such personal data has been transferred to a third country, and which parties have received your personal data.
In order to clarify this and your other rights as a data subject, you may at any time contact us in order to:
- request access to, and information about, the personal data which is being processed when you use the App and/or the Services;
- ask us to correct any incorrect information about you;
- request that your personal data be erased (however, note that Healthcare Providers have certain obligations to store certain personal data, particularly related to Patient Data, including keeping medical records in relation to your use of the Services). At your request, all personal data which we do not have a legal obligation to retain will be erased;
- ask us to restrict the processing of your personal data;
- withdraw any specific consent provided when you have used the Services, for example in respect of the Health profile;
- object to the processing of your personal data and thereby also requesting in writing that the data ceases to be used for direct marketing purposes; or
- request that your personal data be moved to another controller of personal data by receiving your personal data, to the extent it has been provided by you, in an electronic format which is generally used in order to be able to transfer it to another party (the right to data portability).
As a patient you normally also have the right to block access to your medical records between different units of a healthcare provider, e.g. between different clinics or specialist units within the same healthcare provider or hospital. However, for availability and patient safety reasons, and in contrast to traditional healthcare, the Healthcare Provider is not organized into different units. Instead, the Healthcare Provider operates as one big primary care clinic. You can therefore not block access to your medical records at the Healthcare Provider.
Should you wish to contact us regarding any of the points above, we encourage you to contact us via our website at https://www.kry.se/en/contact/, or by sending an email to email@example.com.
10. Right to file a complaint with the supervisory authority