Privacy Policy: The Health Clinic Stockholm

Last Updated: 15 October 2025

Version: 2.3

At The Health Clinic Stockholm, we are committed to protecting your privacy and ensuring your personal and health data is handled with the highest level of security. This policy explains how we collect, use, and protect your information in compliance with the EU General Data Protection Regulation (GDPR) and the Swedish Patient Data Act (Patientdatalagen).


1. Data Controller

The Health Clinic Stockholm AB is the “Data Controller” for your personal data.

  • Organization No: 559385-2618

  • Address: Kungstensgatan 2, 114 25 Stockholm, Sweden

  • Email: info@healthclinic.se

  • Data Protection Officer (DPO): dpo@healthclinic.se


2. Categories of Data We Collect

We process the following types of information:

  • Identity & Contact Info: Name, personal identity number (personnummer), address, phone number, and email.

  • Medical Records: Diagnoses, clinical notes, test results, medication history, and treatment plans (health data is classified as “special categories of personal data” under Article 9 GDPR).

  • Administrative Data: Appointment bookings, billing details, and insurance/embassy coverage information.

  • Technical Data: IP address, browser type, and website interaction data (via cookies).


3. Purpose and Legal Basis for Processing

We only process your data when we have a legal reason to do so:

  • Healthcare Delivery: To provide medical assessment and treatment. (Legal Basis: Legal obligation under the Patient Data Act).

  • Patient Safety: To maintain accurate medical records and history. (Legal Basis: Legal obligation).

  • Contractual Necessity: To manage your bookings, process payments (via Klarna/Medical Finance), and fulfill membership agreements.

  • Legitimate Interest: For IT security, fraud prevention, and internal quality audits.

  • Consent: For marketing communications or non-essential website analytics.


4. How We Share Your Data

Your health data is protected by strict medical confidentiality. We only share data with third parties when necessary for your care or required by law:

  • Medical Partners: Referral clinics, laboratories (for blood tests), and radiology departments.

  • Payment Providers: Klarna and Medical Finance for billing and financing.

  • Authorities: Reporting to IVO (Health and Social Care Inspectorate) or the National Board of Health and Welfare when legally required.

  • Insurers/Embassies: Only when you have authorized us to bill them directly for your care.

  • IT Vendors: Secure cloud storage and journal system providers (subject to strict Data Processing Agreements).


5. Data Retention (How long we keep data)

  • Medical Records: Under Swedish law, medical records must be kept for at least 10 years after the last entry.

  • Financial Records: Billing data is kept for seven years after the end of the calendar year in which the financial year ended, in accordance with the Swedish Accounting Act (Bokföringslagen).

  • Marketing Data: Kept until you withdraw your consent or for 12 months after your last interaction.


6. Data Security

We implement technical and organizational security measures to protect your sensitive health data:

  • Encryption: Data is encrypted both in transit and at rest.

  • Access Control: Only authorized medical staff involved in your care can access your health records.

  • Audit Logging: Every access to a medical record is logged, and the logs are reviewed so that unauthorized viewing can be detected and investigated.

  • Backups: Secure, redundant backups protect your data against loss.


7. Your Rights

Under the GDPR, you have the following rights:

  • Right to Access: You can request a copy of your medical records and personal data.

  • Right to Rectification: You can request that we correct inaccurate information. (Note: Medical record corrections follow specific legal procedures).

  • Right to Erasure: You can request deletion of administrative data. (Note: We cannot delete medical records before the legal 10-year retention period expires; under the Patient Data Act, earlier destruction of a record requires a decision by IVO on the patient's application).

  • Right to Object: You can opt-out of marketing communications at any time.

  • Withdraw Consent: If processing is based on consent (e.g., cookies), you can withdraw it at any time via our Cookie Settings.


8. International Transfers

We prioritize keeping your data within the EU/EEA. If data must be transferred to a country outside the EEA (e.g., for a specific international specialist consultation), we only do so where the European Commission has issued an adequacy decision for that country or where appropriate safeguards under Article 46 GDPR (such as Standard Contractual Clauses) are in place to maintain your privacy.