Why have a Privacy Policy?

ApoEx AB ('ApoEx', 'we' or 'us') protects your personal privacy. Therefore we always strive to process your personal data to the best of our ability and comply with all of the laws and rules relating to data protection and privacy applicable at any given time. This Privacy Policy explains how ApoEx collects and uses your personal data, what rights you have and also how you exercise your rights. It is important that you read and understand this Privacy Policy and also know how you can influence the use of your personal data. Please contact our Data Protection Officer (Dataskyddsombud) if you have any questions about ApoEx's privacy or data protection work. You will find contact details at the end of this Policy.

This Privacy Policy applies, among other things, when ApoEx provides services and products in conjunction with purchases, when service matters are implemented and when we are contacted for other reasons. ApoEx’s General Terms and Conditions applicable at any given time and contracts that you have entered into with us also apply in addition to the Privacy Policy

This Privacy Policy applies, among other things, when ApoEx processes medical prescriptions for individual patients, dispenses doses of pharmaceuticals or manufactures extemporaneous pharmaceuticals.

Who is responsible for your personal data?

The ApoEx AB Group, corp. ID no. 556633-4149, of the address Hammarby Fabriksväg 29-31, 4th floor, 120 30 Stockholm, telephone +46 (0)10-10 10 222, email support@apoex.se, is the Controller for the processing of your personal data.

What personal data does ApoEx process and why?

We process personal data about patients and prescribers, for example in conjunction with dispensing prescriptions, in order to deal with and supply pharmaceuticals in conjunction with dose dispensation and the manufacture of extemporaneous pharmaceuticals.

Patients

We may process names and personal identity (ID) numbers, information about any representatives, prescription information (e.g. what pharmaceutical you have been prescribed and how it should be taken) and dispensing information (e.g. what has been dispensed) for individual patients. We also process this personal data to ensure and develop the quality and administration of our operation.

Legal basis

The legal basis applicable for ApoEx’s processing of your personal data in pharmacy operations is that we have statutory obligations to document the dispensing of prescriptions and requisitions in conjunction with delivery and also to submit information to the Swedish e-Health Agency.

The legal basis when we process personal data for quality and administration purposes is that this processing is necessary with regard to ApoEx’s legitimate interest in such activities. In the case of such processing, we do not report any data that could be attributed to an individual person.

Specific information about identity searches

ApoEx may only search for the identity of patients when we dispense prescriptions or if we need to follow up anything in conjunction with dispensing or, in some cases, only if you have consented to this.

Prescriber/Persons authorised to place orders

ApoEx registers personal data in conjunction with dispensation for prescribers who order prescriptions or requisitions for pharmaceuticals or other goods or alternatively persons authorised to place orders who requisition pharmaceuticals. The personal data that we then process is name and, when applicable, prescriber code, workplace code and contact details.

Legal basis

The legal basis applicable for ApoEx’s processing of your personal data relating to prescribers/persons authorised to place orders in conjunction with the dispensation of pharmaceuticals is that we have statutory obligations to document the dispensation of 2/6 prescriptions and requisitions and sometimes provide information to the Health and Social Care Inspectorate, the Swedish e-Health Agency and the Medical Products Agency

The legal basis when we process personal data for quality and administration purposes is that the processing is necessary with regard to ApoEx’s legitimate interest in such activities. In the case of such processing, we do not report any data that could be attributed to an individual person.

Specific information about identity searches

ApoEx may only search for a prescriber’s identity in order to report information to the Health and Social Care Inspectorate, to the Medical Products Agency (in conjunction with supervision) and in conjunction with reporting generic exchange.

We do not process any personal data in some of our pharmacy operations.

We do not process any personal data about individual patients or prescribers in some of ApoEx’s pharmacy operations. This applies to such operations that comprise the provision of pharmaceuticals to the medical services, but where the pharmaceuticals or other goods in question have not yet been prescribed to individual patients, which may be the case, for example, when ApoEx conducts operations as a dispensary.

What are the legal bases for us processing your personal data?

ApoEx bases the processing of your personal data on a number of legal bases which are described below.

Performance of contracts

We process some of your personal data to be able to perform our contract with you as a customer, for example to be able to implement purchases, maintain our customer relationship and also to simplify administration and order history.

Balance of interests

Some processing of personal data performed by us is based on a 'balance of interests'. This applies to, for example, the personal data that we process to enable us to send you information about our products or other news about us. The personal data we process to develop our operation also has a balance of interests as its legal basis.

Legal obligation

In some cases, ApoEx has a legal obligation to process your personal data. This applies, for example, to the processing of personal data that we perform to fulfill the requirements of the Bookkeeping Act.

Who can have access to your personal data?

As a point of departure, your personal data is only processed by us, although we might share your information with a third party, such as ApoEx's group companies and providers we engage to enhance the efficiency of our business operation. Such companies are referred to as 'processors'. Our processors only process your personal data to the extent that this is necessary to perform their commitments in their relationship to us. Before such processing is performed, ApoEx always concludes a written processor agreement, regulating what rights and obligations ApoEx and the processor should have when the processor is processing personal data on behalf of ApoEx, in order to guarantee security and secrecy

We take the necessary technical, organisational and legal security measures to ensure that your personal data is processed in a secure way during its transfer to processors or another third party.

Public authorities

We are obliged to disclose personal data about patients and prescribers to, for example, the Swedish e-Health Agency, the Medical Products Agency, the Health and Social Care Inspectorate and the National Board of Health and Welfare in accordance with applicable legislation if so required pursuant to an official decision. We also have an obligation to inform the Swedish Police Authority if a crime is suspected.

Duty of confidentiality

The duty of confidentiality for pharmacies basically applies as for the health and medical care services. The main rule is that personal data about patients is encompassed by a duty of confidentiality. Only staff who need access to your personal data for their work tasks may have access to such data. ApoEx’s employees may not disclose personal data to anyone else except as required or permitted by law.

Where is your personal data processed?

We and our processors only process your personal data within the EU/EEA.

For how long do we save your personal data?

ApoEx normally processes your personal data for as long as is necessary considering the purpose of the processing in question and for a reasonable time thereafter. This may, for 4/6 example, be for as long as it is necessary to perform our agreed commitments in relation to you as a customer. When we process your personal data for other purposes, for example, to meet the requirements of bookkeeping or consumer law legislation, we process the data for as long as it is necessary for the respective purpose. ApoEx has internal procedures to ensure that personal data that no longer needs to be processed is deleted.

In the event that ApoEx processes your data pursuant to a balance of interests, you are entitled to object to this processing.

ApoEx processes your personal data for a reasonable period after your purchase or after our contract has expired. We may send you marketing during this period. You are entitled to object to us processing your personal data in order to send you marketing.

You are welcome to contact our Controller if you wish to object to processing, both in respect of a balance of interests and marketing, or if you have any questions about the length of time for which we will be saving your personal data. Contact details are provided at the end of the Policy.

What are your rights?

It is important that you are aware of your rights and understand how we collect, process and use your personal data, to whom we disclose it and for how long we save it. We have summarised your rights below.

You are entitled to find out what personal data we process about you and can request a copy of this.

You are entitled to have inaccurate personal data about you rectified and can, in certain cases, ask for us to erase your personal data (e.g. if the personal data is no longer necessary for the purpose or if you revoke your consent, if such consent had been provided).

You are also entitled to object to certain processing of your personal data and ask for the processing of your personal data to be restricted. Please note that we do not always have the possibility of restricting or erasing personal data, e.g. if we have a legal obligation to preserve the data. In certain cases, a restriction or erasure of your personal data also means that we are unable to fulfill our commitments.

You are also entitled to receive your personal data in a machine-readable format and to transfer this data to another controller (this is referred to as ‘right to data portability’).

You may also be entitled to damages if we have processed personal data in violation of legislation and this has resulted in you suffering a loss.

ApoEx will do its utmost to protect your personal privacy. You are welcome to contact our Controller to present your complaints or your views if, despite this, you have any complaints or views relating to our processing of your personal data. Contact details are provided at the end of the Policy. If you do not wish to present your complaint directly to us, you are also able to submit a complaint to the Swedish Data Protection Authority/the Swedish Privacy Protection Authority. Contact details are available here: https://www.imy.se/.

Amendment of the Privacy Policy?

ApoEx reserves the right to make amendments to the Privacy Policy. In the case of amendments of the Policy, we will inform you about the amendments on our websites within a reasonable period before they enter into force.

Contact information

If you have any questions about this Privacy Policy, how we process personal data or if you wish to exercise any of your rights, such as requesting register extracts or rectifications, you are welcome to contact us on the following contact details.

ApoEx AB
Dataskyddsombud
Box 6079
102 32 Stockholm
Telephone: +46 (0)10-10 10 222
dpo@apoex.se

Request for a register extract or data portability

The request must be made in writing and signed by the applicant and also include details relating to name, personal identity (ID) number and address. The request must be sent to the Dataskyddsombud (Data Protection Officer).

This version of ApoEx’s Privacy Policy applies from 7 January 2021.