Processing of personal data
Karolinska University Hospital is a data controller
Karolinska University Hospital is the controller for the personal data that the hospital processes within the scope of the hospital's operations and is responsible for your data being handled in a legal, correct, and transparent way.
Karolinska University Hospital processes your data
- Personal data is only processed for specifically stated and legitimate purposes. Karolinska University Hospital processes your personal data:
- When you contact Karolinska University Hospital by post, e-mail, or via the form on our website, and the processing of personal data takes place with the support of the lawful basis ’Public task’ or as part of the hospital's exercise of authority in order to process your case.
- When you visit Karolinska University Hospital for care and treatment, the processing of personal data takes place with the support of the lawful basis of ‘Public task,’ with the aim of providing good and safe patient care.
- When you participate in a research study at Karolinska University Hospital, with the aim of carrying out the study as part of developing healthcare, the processing of personal data takes place with the support of the lawful basis of ‘Public task.’
- When you are included in one of Karolinska University Hospital's patient registers for the purpose of developing and securing the quality of care, producing statistics, and conducting healthcare research. Processing of personal data takes place with the support of the lawful basis of ‘Public task.’
- When you apply for a job at Karolinska University Hospital, the processing of your personal data takes place with the support of the Lawful basis of ‘Public task’ and as a part of the hospital's exercise of authority, with the aim of reviewing application documents, assessing and evaluating you as a candidate, scheduling and conducting interviews, conducting the necessary tests and analyzing these in order to recruit employees with the right skills.
- When you are employed at Karolinska University Hospital, the processing of personal data takes place with the support of the lawful basis of ‘Legal obligation’ and ‘Contract’ for the purpose of paying wages, planning, and scheduling, registering sick leave and other absences, as well as reporting taxes and social security contributions.
Sensitive personal data
When processing sensitive personal data such as information about health, ethnicity, trade union membership, genetic data, and biometric data, the processing needs a different lawful basis than those mentioned above.
Karolinska University Hospital processes sensitive personal data, among other things, to:
- Provide healthcare
- Make medical diagnoses
- Provide treatment
- Manage healthcare services
- Required for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes
- Due to obligations or rights in labor law
- Establish, exercise, or defense of legal claims
Security in connection with the processing of personal data
The hospital takes several different measures necessary to ensure an appropriate level of security for your data. The hospital has, among other things, control systems and routines to ensure that personal data is handled and protected securely; for example, employees within the hospital only have access to such personal data as is necessary for them to be able to perform their duties.
How long is my data saved?
Personal data must not be saved longer than necessary, which means that when personal data is no longer needed for the purpose it was collected, it must be deleted. However, special rules apply to journal documents, application documents, and the hospital's archives.
As a public authority, Karolinska University Hospital has an obligation to save certain public documents in archives. It is required to satisfy the principle of public access to official documents. This means that if there is personal data in public documents that must be saved in archives, the hospital is obligated to keep these.
Journal documents are preserved in accordance with the Regional Archives' screening plan.
Application documents relating to the person who has not received the position or the person who has appealed the appointment decision are deleted two years after the employment decision has become legally binding.
Can my personal data be disclosed to others?
Personal data may be disclosed in order for the hospital to be able to fulfill the obligation to disclose official documents according to the principle of public access to official documents. However, the right to gain access to public records does not apply if the documents contain information subject to confidentiality according to the Publicity and Secrecy Act. When requesting the release of an official document, the hospital always examines whether the document should be released, a so-called personal data protection test.
The hospital is legally obligated to disclose personal data to other authorities in certain situations.
Your rights
Right of access
The right to access means you have the right to receive information about whether or not your personal data is being processed. If your personal data is processed, you have the right to receive a copy of the data and information about the personal data processing. The right to receive a copy of your personal data does not mean you have the right to obtain the actual document in which the personal data appears.
Right to rectification
The right to correction means that under certain conditions, you may have the right to request that incorrect personal data about you be corrected or supplemented.
Right to erasure
The right to erasure means you may have the right to have data about you deleted. The right to erasure does not apply if the processing of personal data is based on the lawful basis of ‘Public task'.’ The right to erasure also does not apply when the data is in official documents that must be saved in accordance with national legislation.
If you want to know more or make a complaint
Contact the unit or department
If you are dissatisfied or have questions about the handling of your personal data, you can contact the unit or department responsible for handling it. To get in touch with the unit or department, contact the Unit for Registry and Information Management according to the contact information below.
The unit for registry and information management
Norrbacka S3:U1
171 76 Stockholm
Phone: +46 (8)-123 762 72
Contact the data protection officer
You can contact the data protection officer if you are dissatisfied or have comments on the hospital's processing of your personal data. The data protection officer is tasked with checking that the hospital processes your data in accordance with the law. You can contact the data protection officer at karolinska.dataskyddsombud@regionstockholm.se.
Complaints to the Swedish Authority for Privacy Protection
If you believe that Karolinska University Hospital is processing your personal data in an incorrect way, you can file a complaint with the Swedish Authority for Privacy Protection (IMY).