Last updated: [30.03.2022]
Please contact us if you have any questions.
For emergencies, call 113
If you are in a crisis or have life-threatening injuries, you should call 113.
This privacy notice is prepared by Dr.Dropin AS ("Dr.Dropin" or "we", or "us") to ensure that you receive the information we are required to provide to you, and which is necessary for you to exercise your rights under the General Data Protection Regulation (the "GDPR") and Norwegian data protection legislation (together "data protection legislation").
This privacy notice describes how we process personal data about you, the purpose of our processing activities, and the legal basis for our processing activities. Furthermore, this privacy notice provides you with information about your rights under applicable data protection legislation and other relevant information relating to our processing of your personal data.
2. Contact information
If you have any questions about this privacy notice, including how we process your personal data or would like to submit a request to exercise your rights, please contact us at:
Phone number: 24077701
Bogstadveien 30, 0355 Oslo
Dr.Dropin has designated a data protection officer ("DPO") (Norwegian: personvernombud) to advise and monitor our compliance with the data protection legislation. The contact information for our DPO is firstname.lastname@example.org.
We kindly ask you not to send sensitive personal data (such as information concerning health) by e-mail.
3. Personal data
Personal data means any information relating to an identified or identifiable natural person (a "data subject"). Your name, contact information, health information and medical assessments are examples of information which is generally regarded as personal data.
Our processing of your personal data is governed by data protection legislation. The data protection legislation inter alia sets forth several requirements regarding the processing of special categories of personal data (including data concerning health) that Dr.Dropin is required to comply with.
As a private healthcare provider, Dr.Dropin must also comply with the following healthcare legislation relating to the processing of personal data: the Norwegian Act relating to specialist health services (Norwegian: Spesialisthelsetjenesteloven), the Norwegian Act relating to healthcare personnel (Norwegian: Helsepersonelloven), the Norwegian Act relating to patient records (including associated administrative regulations) (Norwegian: Pasientjournalloven, inkl. Pasientjournalforskriften), the Norwegian Act relating to patient and user rights (Norwegian: Pasient- og brukerrettighetsloven), the Norwegian Act relating to health archives (Norwegian: Helsearkivloven) etc. All laws and regulations are available at www.lovdata.no.
The term "processing" of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4. Whose personal data we process
We collect and process personal data as described in Section 5 about the following categories of persons:
- Patients (persons who receive healthcare services from us)
- Users of the Dr.Dropin App
- Visitors to our website
- Recipients of our newsletters
5. Our processing of personal data
5.1. Healthcare and registration of patient records
The main purpose of our processing of your personal data is to provide adequate healthcare services, as well as to offer our medical services. We do not process more personal data than we consider to be necessary in order for us to provide you with adequate healthcare services. We collect the personal data that we process from you, from other healthcare providers which you have previously received healthcare services from, from medical test results etc.
We are required to register all information that is necessary to provide the healthcare services in our patient records system, when we diagnose, provide healthcare services and/or medical consultations to you. The type of information that we are required to register, is specified in the legislation. For instance, the patient records may contain your contact information, next of kin, medical history, previous consultations, which medications you use, diagnoses etc.
The legal basis for our processing of your personal data in connection with the provision of healthcare services and registration of patient records is that it is necessary to fulfil a legal obligation (Article 6 (1) c of the GDPR) and that it is necessary to provide healthcare services (Article 9 (2) h of the GDPR).
5.2. Digital prescription services
Dr.Dropin allows you to order your prescriptions without having to show up for a physical consultation. When using such services, Dr.Dropin will process your personal data. We need to collect your contact details (name and telephone number) in order to be able to contact you for medical reasons and to confirm your order. We use Vipps and your personal identification number to confirm your identity. Additionally, you must provide health data that are necessary and required by the healthcare personnel at Dr.Dropin in order to assess and approve your request. The personal data concerning your health is registered in our patient record system (as described in section 5.1 above).
The legal basis for our processing of your personal data in connection with digital prescription services is that it is necessary for the fulfilment of a contract (Article 6 (1) b of the GDPR) and that it is necessary to provide healthcare services (Article 9 (2) h of the GDPR).
You may book an appointment with us, both through our website and by using the Dr.Dropin App. When you book an appointment through our website we ask you to provide us with your name, phone number and date of birth, as well as write a short message to the healthcare personnel that will provide the consultation. These personal data will be stored in our booking system.
Alternatively, you may book an appointment by using the Dr.Dropin App. You log in to the app by using your BankID. Your personal data in the app is not accessible to our healthcare personnel before you book an appointment. When you do register a booking, the healthcare personnel that will provide your consultation will obtain access to your name, date of birth and any other information that you have provided in your booking registration.
The legal basis for our processing of your personal data in connection with booking registrations is that it is necessary for the fulfilment of a contract (Article 6 (1) b of the GDPR) and that it is necessary to provide healthcare services (Article 9 (2) h of the GDPR).
5.4. Video consultation
Dr.Dropin offers video consultation to patients who prefer it, or who, for various reasons, do not have the opportunity to show up for a physical consultation. Our video consultations are provided through the Dr.Dropin App.
You log into the app by using your BankID. Furthermore, we register necessary information from the consultation in our patient record system in the same way as with any physical consultation. All of our video consultations are live and we do not store a recording of the call.
The healthcare personnel that you will be talking to during the video consultation, are required to identify themselves via a separate login system before they are given access to your video call. None but the attending physician, psychologist etc. has access to the information provided by you during the consultation.
The legal basis for our processing of your personal data in connection with video consultations is that it is necessary to fulfil a legal obligation (Article 6 (1) c of the GDPR) and that it is necessary to provide healthcare services (Article 9 (2) h of the GDPR).
5.5. Dr.Dropin App
In addition to booking registration and video consultation, we offer further services in the Dr.Dropin App. The purpose of these services is to contribute to the improvement of our patients' health, including by providing personalized advice and offering you the opportunity to follow the development of your health over time. If you wish to receive such services, you may add personal data, such as your weight and height, under the "My Health" (Norwegian: Min Helse) tab in the app. You decide which categories of personal data you wish to add. The legal basis for our processing of your personal data is your consent (Article 6 (1) a of the GDPR, and Article 9 (2) a of the GDPR). You may choose to withdraw your consent at any time, either by using the "Data Protection" tab in the app or by deleting the information from the app.
If you have created a user profile in the Dr.Dropin App, we may also process data relating to your use of the app including which pages you use the most, which services you choose and whether you experience technical issues. The information we collect in this regard is anonymous. The purpose of the processing is to improve our services, such as the functionality and design of the app. The legal basis for our processing of your personal data is your consent (Article 6 (1) a of the GDPR), and you may choose to withdraw your consent at any time.
5.6. Contact form
You may contact us by using a contact form available on our websites. When you submit the form, we process your personal data such as name, e-mail, phone number and any other information that you have included in your message.
Your message is transferred in an encrypted format from the web solution of Dr.Dropin. Additionally, we apply access control, which means that your personal data is only available to selected personnel at Dr.Dropin.
The legal basis for our processing of your personal data included in the contact form is that it is necessary to answer your inquiry and to provide healthcare services (Article 6 (1) c and Article 9 (2) h of the GDPR).
We will process your payment information when you pay for our services. Information on how much you have paid for the consultation is transferred to Verifone (supplier of payment terminals), or to Vipps if you prefer to pay via your mobile phone.
The legal basis for our processing of payment information is that it is necessary to fulfil the contract with you (Article 6 (1) b of the GDPR).
We wish to inform our customers about developments in our business, for instance, that we have established a new clinic or that we have launched a new service or offer. Such information is communicated through our newsletter. If you receive newsletters from us, we process your personal data such as your name and the e-mail address registered in your profile on the Dr.Dropin App. The legal basis for the processing is your consent (Article 6 (1) a of the GDPR). You may choose to withdraw your consent at any time by unsubscribing from the newsletter. To do this, click the unsubscribe link included in the e-mail you have received or delete your e-mail address from your profile in the app.
We wish to be available for our customers and potential customers via social media platforms. We have therefore created profiles/pages at platforms such as Facebook and Instagram. The purpose of these pages is to make our services, contact information and opening hours easily available to our customers and potential customers. We process your personal data if you add a comment on our pages, like our pages or if you write a message to us. If you have a question that involves sharing sensitive personal data (such as data concerning health), please contact us by phone or through our website so that we are able to assist you.
5.9. Temporary test stations
We established temporary test stations in connection with the Covid-19 pandemic, at the request of the Norwegian public authorities. For instance, we operated a test station at Oslo Airport Gardermoen.
If you used this offer, we process your personal data such as your name, contact information, gender, date of birth, personal identification number, information about your travel, as well as whether you have travelled with children under the age of six or with animals. We also process that you have taken a Covid-19 test, as well as the result of the test.
The legal basis for our processing of personal data in connection with testing is that it is necessary to fulfil a legal obligation (Article 6 (1) c of the GDPR) and that it is necessary to provide healthcare services (Article 9 (2) h of the GDPR).
6. Disclosure of personal data to third parties
6.1. Healthcare providers and other healthcare personnel
We may occasionally be contacted by other healthcare providers or other healthcare personnel who also provide healthcare services to you, and who request to receive your patient information.
Healthcare professionals may share confidential information with cooperating healthcare personnel, provided that such healthcare personnel are subject to the same confidentiality obligations as our own personnel. We only share your personal data to the extent necessary for the provisioning of adequate healthcare services and in compliance with the applicable requirements set forth in the Norwegian Act relating to healthcare personnel. As a patient, you have the right to object to the disclosure. Dr.Dropin will only share the personal data if the disclosure has been requested by cooperating healthcare personnel, and not without having received such an inquiry.
6.2. Public authorities
If required by law or upon suspicion that a criminal offence has been committed in relation to the use of our services, we may be obliged to disclose your personal data to public authorities.
We are furthermore required to disclose your personal data to certain public health registries, such as the Norwegian Vaccine Registry (Norwegian: Vaksineregisterert) or the Norwegian Cancer Registry (Norwegian: Kreftregisteret).
6.3. Data processors
A data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For instance, the suppliers of our booking system or our patient record system are our data processors.
Dr.Dropin ensures that all of our data processors are subject to the same confidentiality obligations as the personnel employed by Dr.Dropin, and that our data processing agreements comply with the requirements set forth in the applicable data protection legislation.
Dr.Dropin primarily uses data processors that process personal data within the EU/EEA (i.e. the data processors are subject to equivalent data protection regulations as Dr.Dropin). Exceptionally, we may use data processors located outside of the EU/EEA. In such cases, Dr.Dropin ensures that these data processors are subject to legislation that ensures an adequate level of protection pursuant to Article 45 of the GDPR, or that the transfer is subject to appropriate safeguards pursuant to Article 46 of the GDPR (for instance by use of the EU Commission's Standard Contractual Clauses).
7. Data retention
In principle, we do not store personal data longer than necessary to fulfil the purposes for which it was collected or otherwise processed. With regard to personal data stored in patient records, i.e. the information we process to provide healthcare services, separate requirements apply.
Information registered in patient records will generally be retained until it is no longer assumed that the information is necessary for the provisioning of healthcare services. Additionally, Dr.Dropin may be required to submit patient records to the Norwegian Health Archives in accordance with the Norwegian Administrative Regulation relating to health archives.
We will otherwise delete or anonymize personal data in accordance with the following deletion routines:
- Personal data that is stored in our booking system is anonymised by the supplier of the booking system seven days after the consultation.
- Payment information is stored for a minimum of five years in accordance with the regulations set forth in the Norwegian Accounting Act. We will only store payment information for a longer period if the information has been anonymised.
- Personal data that is used for sending newsletters is deleted if you withdraw your consent or if you delete your profile in the Dr.Dropin App.
As the controller of your personal data, Dr.Dropin has the overall responsibility to ensure that your personal data is processed and stored in a secure manner. This entails that we have implemented appropriate technical and organisational measures to ensure an appropriate level of security relating to our processing of personal data. We have inter alia implemented access control mechanisms, which means that access to your personal data is provided to our personnel on a need-to-know basis. Additionally, all communication with servers is encrypted via HTTPS, and all of our databases use encryption "at rest" mechanisms.
All of our personnel that process your health data are subject to confidentiality obligations. Such confidentiality obligations also apply to any third party who processes personal data on our behalf.
9. Your data protection rights
Under the data protection legislation, you have the following rights in connection with our processing of your personal data:
- You have the right to obtain confirmation with respect to whether or not we are processing your personal data, as well as access to further information regarding our processing of your personal data. You may also request a copy of the personal data we are processing about you.
- You have the right to rectify and/or complete inaccurate or incomplete personal data.
- You have the right to request that we delete your personal data. We will respect and comply with your request insofar as there are no other legal obligations or overriding legitimate interests requiring further retention, or the personal data is necessary for the establishment, exercise or defence of legal claims.
- You have the right to request the restriction of our processing of your personal data in accordance with data protection legislation. If the processing has been restricted, such personal data will, with the exception of storage, only be processed with your consent, for the exercise or defence of legal claims, the protection of the rights of another person, or for reasons of important public interest.
- You have the right to object to certain processing activities. You are furthermore, on grounds relating to your particular situation, entitled to object to the processing of personal data based on legitimate interests, which we will comply with unless there exist compelling legitimate grounds for the processing which override your interest, or if our processing is necessary for the establishment, exercise or defence of legal claims.
- If we process your personal data based on consent or based on our performance of a contract, and the processing is carried out by automated means, you have the right to request us to transfer the personal data to you or another healthcare provider, in a structured, commonly used and machine-readable format.
Please note that certain limitations exist with respect to the rights provided by the data protection legislation, and the rights available to you will depend on the particular circumstances of the processing. You can find more information on this topic on the Norwegian Data Protection Authority's website, which is linked here.
For the sake of good order, we wish to call your attention to the fact that with regard to personal data included in your patient records, your right to request deletion or correction of your personal data is limited by regulations set forth in sections 42, 43 and 44 of the Norwegian Act relating to healthcare personnel. Furthermore, please note that most of our processing activities are based on legal obligations to provide healthcare services. The right to data portability does not apply to personal data processed on the basis of a legal obligation. As described above, the right to data portability only applies when our processing of your personal data is based on consent or based on the performance of a contract. Additionally, the right to data portability does not affect our obligations to register information in patient records.
Please contact us as described in Section 2 above if you wish to invoke your rights. Please do not provide sensitive personal information when contacting us. Please also note that we may request additional information from you if such information is necessary to confirm your identity.
11. Questions and complaints
You may contact us at any time if you have any questions or complaints regarding our processing of your personal data. You may also file a complaint to the Norwegian Data Protection Authority, or a data protection authority in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged data protection infringement. The Norwegian Data Protection Authority is responsible for supervising Norwegian organizations' processing of personal data.
You can obtain the contact details of the Norwegian Data Protection Authority on the following website: www.datatilsynet.no. You will also find more information on your rights and the data protection legislation on this website.
If we reject a claim for correction or deletion of personal data included in your patient record, you may complain to the County Governor (Norwegian: Statsforvalteren). You can find more information on how to complain on the following website: www.statsforvalteren.no/nb/portal/
We may, from time to time, update this privacy notice, for example, due to changes in our processing activities, applicable data protection legislation or other legislation which may affect our processing of personal data. An updated version of this privacy notice will be published on our website if any revisions to the privacy notice are made. This privacy notice is effective from the date stated initially.