Personal data policy
This privacy policy informs you about how Babyscreen Sweden AB (also referred to as “us,” “we,” and “our”) processes your personal data and what rights you have in relation to our processing of personal data.
This privacy policy is intended for you if you are undergoing an ultrasound or prenatal diagnostic test, allowing us to perform analysis of your samples in a laboratory, or otherwise coming into contact with us.
In short, we process your personal data for the following purposes:
- Administration of the services you book and purchase from us and handling the rights and obligations arising from this;
- Performing our services and conducting analysis of your samples where applicable, as well as maintaining records and fulfilling our legal obligations as a healthcare provider;
- To be able to communicate with you and answer your questions if you contact us; and
- To handle any complaints and claims.
Below and on the links above, you will find more detailed information on how we process your personal data.
Who is responsible for the processing of your personal data
Babyscreen Sweden AB with organization number 559328-3418 (“Babyscreen”) is the data controller for the processing of your personal data as described in this privacy policy.
If you would like to know more about our processing of your personal data, you are always welcome to contact us, for example, at our address c/o iDr-Kliniken, Kungsgatan 32, 411 19 Gothenburg or via our email address info@babyscreen.se.
How we collect your personal data
The personal data that we process about you is primarily collected directly from you in connection with your contact with us regarding our services or when we perform our services.
We must process the personal data that we request in connection with your purchase and the performance of our services. Which personal data you must provide to us is detailed below where the legal basis is stated to be the performance of the agreement we have with you or the fulfillment of the legal obligations that we must follow. If you do not provide us with such personal data, we will not be able to complete your purchase or perform our services.
What personal data we process, purposes, and legal basis for processing
To administer your booking and purchase of our services
Babyscreen processes your name and contact details (email address, address, phone number) to manage your booking, and your name, contact details, and booking information to fulfill the agreement regarding your purchase of our services. The processing is necessary for us to enter into and fulfill agreements with you according to Article 6.1(b) of the GDPR, i.e., to receive, process, and perform purchased services, including communication with you regarding the services you have purchased, as well as other customary activities such as sending booking confirmations and, where applicable, handling payment information.
To perform our services, analyze your samples where applicable, and maintain records
We process your name, personal identification number or date of birth (if you do not have a Swedish personal identification number), contact details, date of performing ultrasound or prenatal diagnostic tests, and results of our services to maintain records in connection with your care and fulfill our obligations as a healthcare provider. We may also update and process your personal data based on healthcare services you have received from providers other than Babyscreen if deemed necessary to provide you with care. This includes, for example, information about your medical history that our healthcare staff accesses via the National Patient Overview (NPÖ), a national system for integrated record-keeping, to the extent it is deemed relevant to assist you with your healthcare case or if you have consented to it. You have the right to object to integrated record-keeping.
The processing is necessary to fulfill legal obligations for us as healthcare providers according to the Patient Data Act (SFS 2008:355), the Patient Safety Act (SFS 2010:659), and the Health and Medical Services Act (SFS 2017:30) as well as for reasons related to medical diagnoses, the provision of healthcare, and record-keeping, according to Article 6.1(c) and 9.2(h) of the GDPR. We keep digital records which are stored in data files. How we should and may process your data for record-keeping is regulated by the Patient Data Act and the National Board of Health and Welfare’s regulations and general advice on record-keeping and the processing of personal data in healthcare (HSLF-FS 2016:40).
We process your personal identification number to ensure secure identification and because it is necessary for us to comply with the law.
To be able to communicate with you and answer your questions if you contact us
Babyscreen processes your name, email address, phone number, and other personal data you provide when you contact us.
We process your personal data to communicate with you and answer your questions based on a balancing of interests according to Article 6.1(f) of the GDPR, where our legitimate interest is to be able to communicate with you when you contact us.
To handle any complaints and claims
Babyscreen processes your name and contact details to handle any complaints from you or other claims or to initiate any claims. If necessary, we also process other personal data about you, e.g., from our communication with you regarding the complaint or claim.
We process your personal data for this purpose based on a balancing of interests according to Article 6.1(f) of the GDPR, where our legitimate interest is to be able to handle and defend ourselves against any legal complaints or claims.
How long we store your personal data
Babyscreen stores your personal data in accordance with the following:
- We have a legal obligation according to the Accounting Act (SFS 1999:1078) to store your personal data needed for accounting purposes, such as name, payment history, and other information that constitutes accounting material, until the end of the seventh year after the end of the calendar year when the financial year ended.
- We have a legal obligation under the Patient Data Act (SFS 2008:355) to keep your medical records for at least ten (10) years after the last entry was made in the record.
- In addition to the above, we store your personal data as long as necessary to provide good care in accordance with our legal obligations as a healthcare provider.
- Furthermore, we store the personal data we have received when we have been in contact with you for one (1) year after the end of contact.
If you have a complaint or claim against Babyscreen or we initiate a claim, we may need to store personal data for a longer period to establish, exercise, or defend legal claims. We then store your personal data as long as the process regarding the claim is ongoing.
Who has access to your personal data?
We share your personal data with our partners and suppliers in the manner described below.
- Head of Search: email provider, web hosting, and IT systems – sees data in our IT systems in connection with programming and updating them.
- Svea Finans: Payment service provider, receives information about your payment.
- iXSy AB: IT systems provider – sees data in our IT systems in connection with programming and updating them.
- Mazars SET Revisionsbyrå AB: Our auditor who processes personal data to the extent necessary to perform their services.
- Partners and subcontractors: Partners and subcontractors for medical testing – process personal data as our data processor.
- iLab Medical AB: Laboratory that processes personal data as our data processor to the extent necessary to provide analysis results.
- Other healthcare providers: Babyscreen is connected to the National Patient Overview (NPÖ), which means that if you seek care from another provider, they may access your record provided that the record is relevant for that provider to provide you with care or if you have consented to it. You have the right to object to integrated record-keeping.
Transfer of your personal data outside the EU/EEA
Information processed in connection with your care will not be transferred outside the EU/EEA.
Otherwise, our partners and suppliers, as our data processors, may transfer your personal data outside the EU/EEA. This is done if there is support for the transfer according to the General Data Protection Regulation (GDPR). This means that the transfer can be based on, for example, the EU Commission’s decision that a country offers an equivalent level of protection for personal data as within the EU or standard contractual clauses with supplementary security measures when necessary.
If you would like more information on how your personal data is transferred outside the EU/EEA or if you want a copy of the standard contractual clauses we have entered into, you are welcome to contact us at the contact details provided at the beginning of this privacy policy.
Your rights
What rights do you have?
In accordance with the GDPR, you have certain rights concerning our processing of your personal data. Below you can read more about what these rights are.
If you have any questions about the rights or wish to exercise any of your rights, you are welcome to contact us. Our contact details are provided at the beginning of this privacy policy.
Right to object to processing
You have the right to object at any time to the processing of your personal data based on a balancing of interests. In some cases, we may continue to process your personal data even if you object to the processing. This can happen if we can show legitimate reasons for the processing that outweigh your interests, rights, and freedoms, or if it is done for the establishment, exercise, or defense of legal claims.
Right of access
You have the right to receive confirmation as to whether we are processing your personal data. If we process your personal data, you also have the right to receive information about how we process it and receive a copy of your personal data.
Right to rectification
You have the right to the rectification of any incorrect personal data concerning you and to have incomplete personal data completed.
Right to erasure (right to be forgotten) and restriction of processing
You have, under certain conditions, the right to request the erasure of your personal data. Such conditions exist if, for example, the personal data are no longer necessary for the purposes for which they were collected or processed, or if you withdraw your consent on which the processing is based and there is no other legal basis for the processing.
You also have the right to request that we restrict our processing of your personal data. Such conditions exist if, for example, you contest the accuracy of the personal data or if the processing is unlawful and you object to the erasure of the personal data and instead want us to restrict how we process your personal data.
Right to data portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format from us. You also have the right to have your personal data transferred to another data controller when technically feasible (“data portability”).
The right to data portability applies to personal data that you have provided to us in a structured, commonly used, and machine-readable format if the processing is based on an agreement and the processing is carried out automatically.
Right to lodge a complaint
You always have the right to lodge a complaint with a competent supervisory authority. The competent supervisory authority in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten).
Balancing of interests
As stated above, we process some of your personal data based on a balancing of interests as the legal basis for the processing. Balancing of interests means that we have assessed that our legitimate interest in performing the processing outweighs your interest and fundamental rights not to have your personal data processed. What constitutes our legitimate interest is stated above.
If you want to know more about how we have made these assessments, you are welcome to contact us. Our contact details can be found at the beginning of this privacy policy.
Changes to this privacy policy
We reserve the right to change this privacy policy as needed, for example, to comply with changes in laws and regulations. Such changes will be published on our website. When required by law, we will contact you to inform you of the change.