Business area: Public care
Who is responsible for your personal data?
The ApoEx AB Group, corp. ID no. 556633-4149, of the address Hammarby Fabriksväg 29-31, 4th floor, 120 30 Stockholm, telephone +46 (0)10-10 10 222, email firstname.lastname@example.org, is the Controller for the processing of your personal data.
What personal data does ApoEx process and why?
We process personal data about patients and prescribers, for example in conjunction with dispensing prescriptions, in order to deal with and supply pharmaceuticals in conjunction with dose dispensation and the manufacture of extemporaneous pharmaceuticals.
We may process names and personal identity (ID) numbers, information about any representatives, prescription information (e.g. what pharmaceutical you have been prescribed and how it should be taken) and dispensing information (e.g. what has been dispensed) for individual patients. We also process this personal data to ensure and develop the quality and administration of our operation.
The legal basis applicable for ApoEx’s processing of your personal data in pharmacy operations is that we have statutory obligations to document the dispensing of prescriptions and requisitions in conjunction with delivery and also to submit information to the Swedish e-Health Agency.
The legal basis when we process personal data for quality and administration purposes is that this processing is necessary with regard to ApoEx’s legitimate interest in such activities. In the case of such processing, we do not report any data that could be attributed to an individual person.
Specific information about identity searches
ApoEx may only search for the identity of patients when we dispense prescriptions or if we need to follow up anything in conjunction with dispensing or, in some cases, only if you have consented to this.
The legal basis applicable for ApoEx’s processing of your personal data relating to prescribers/persons authorised to place orders in conjunction with the dispensation of pharmaceuticals is that we have statutory obligations to document the dispensation of prescriptions and requisitions and sometimes provide information to the Health and Social Care Inspectorate, the Swedish e-Health Agency and the Medical Products Agency.
The legal basis when we process personal data for quality and administration purposes is that the processing is necessary with regard to ApoEx’s legitimate interest in such activities. In the case of such processing, we do not report any data that could be attributed to an individual person.
Specific information about identity searches
ApoEx may only search for a prescriber’s identity in order to report information to the Health and Social Care Inspectorate, to the Medical Products Agency (in conjunction with supervision) and in conjunction with reporting generic exchange.
We do not process any personal data in some of our pharmacy operations.
We do not process any personal data about individual patients or prescribers in some of ApoEx’s pharmacy operations. This applies to such operations that comprise the provision of pharmaceuticals to the medical services, but where the pharmaceuticals or other goods in question have not yet been prescribed to individual patients, which may be the case, for example, when ApoEx conducts operations as a dispensary.
What are the legal bases for us processing your personal data?
ApoEx bases the processing of your personal data on a number of legal bases which are described below.
Performance of contracts
We process some of your personal data to be able to perform our contract with you as a customer, for example to be able to implement purchases, maintain our customer relationship and also to simplify administration and order history.
Balance of interests
Some processing of personal data performed by us is based on a ‘balance of interests’. This applies to, for example, the personal data that we process to enable us to send you information about our products or other news about us. The personal data we process to develop our operation also has a balance of interests as its legal basis.
In some cases, ApoEx has a legal obligation to process your personal data. This applies, for example, to the processing of personal data that we perform to fulfill the requirements of the Bookkeeping Act.
Who can have access to your personal data?
As a point of departure, your personal data is only processed by us, although we might share your information with a third party, such as ApoEx’s group companies and providers we engage to enhance the efficiency of our business operation. Such companies are referred to as ‘processors’. Our processors only process your personal data to the extent that this is necessary to perform their commitments in their relationship to us. Before such processing is performed, ApoEx always concludes a written processor agreement, regulating what rights and obligations ApoEx and the processor should have when the processor is processing personal data on behalf of ApoEx, in order to guarantee security and secrecy.
We take the necessary technical, organisational and legal security measures to ensure that your personal data is processed in a secure way during its transfer to processors or another third party.
Duty of confidentiality
The duty of confidentiality for pharmacies basically applies as for the health and medical care services. The main rule is that personal data about patients is encompassed by a duty of confidentiality. Only staff who need access to your personal data for their work tasks may have access to such data. ApoEx’s employees may not disclose personal data to anyone else except as required or permitted by law.
Where is your personal data processed?
We and our processors only process your personal data within the EU/EEA.
For how long do we save your personal data?
ApoEx normally processes your personal data for as long as is necessary considering the purpose of the processing in question and for a reasonable time thereafter. This may, for example, be for as long as it is necessary to perform our agreed commitments in relation to you as a customer. When we process your personal data for other purposes, for example, to meet the requirements of bookkeeping or consumer law legislation, we process the data for as long as it is necessary for the respective purpose. ApoEx has internal procedures to ensure that personal data that no longer needs to be processed is deleted.
In the event that ApoEx processes your data pursuant to a balance of interests, you are entitled to object to this processing.
ApoEx processes your personal data for a reasonable period after your purchase or after our contract has expired. We may send you marketing during this period. You are entitled to object to us processing your personal data in order to send you marketing.
You are welcome to contact our Controller if you wish to object to processing, both in respect of a balance of interests and marketing, or if you have any questions about the length of time for which we will be saving your personal data. Contact details are provided at the end of the Policy.
What are your rights?
It is important that you are aware of your rights and understand how we collect, process and use your personal data, to whom we disclose it and for how long we save it. We have summarised your rights below.
You are entitled to find out what personal data we process about you and can request a copy of this.
You are entitled to have inaccurate personal data about you rectified and can, in certain cases, ask for us to erase your personal data (e.g. if the personal data is no longer necessary for the purpose or if you revoke your consent, if such consent had been provided).
You are also entitled to object to certain processing of your personal data and ask for the processing of your personal data to be restricted. Please note that we do not always have the possibility of restricting or erasing personal data, e.g. if we have a legal obligation to preserve the data. In certain cases, a restriction or erasure of your personal data also means that we are unable to fulfill our commitments.
You are also entitled to receive your personal data in a machine-readable format and to transfer this data to another controller (this is referred to as ‘right to data portability’).
You may also be entitled to damages if we have processed personal data in violation of legislation and this has resulted in you suffering a loss.
ApoEx will do its utmost to protect your personal privacy. You are welcome to contact our Controller to present your complaints or your views if, despite this, you have any complaints or views relating to our processing of your personal data. Contact details are provided at the end of the Policy. If you do not wish to present your complaint directly to us, you are also able to submit a complaint to the Swedish Data Protection Authority/the Swedish Privacy Protection Authority. Contact details are available here: https://www.imy.se/.
102 32 Stockholm
Telephone: +46 (0)10-10 10 222
Request for a register extract or data portability
The request must be made in writing and signed by the applicant and also include details relating to name, personal identity (ID) number and address. The request must be sent to the Dataskyddsombud (Data Protection Officer).