1. Overview
This privacy policy has been prepared by Oslo Psykologsenter / Kognito AS (or "we") to provide you with information about how, why and on what basis we and independent specialists based with us process your personal data. In addition, the privacy policy describes which rights you as a registered person have according to the EU's privacy regulation 2016/679 ("GDPR") and the Norwegian privacy legislation (collectively the "Privacy Act").
Oslo Psykologsenter and its independent specialists are responsible for the processing of personal data described in this declaration. It is the data controller who is responsible for safeguarding your rights in accordance with the Personal Data Protection Act, including your right to receive information about how your personal data is processed.
2. Contact details
If you have questions or want more information about which personal data we process about you, or want to exercise one of your rights, you can contact us via the contact details below.
Cognito AS
Rosenkrantz' gate 7, 0159 Oslo
E-mail: mail@oslopsykologsenter.no
We ask you not to send personally sensitive information (such as health information) by e-mail. Feel free to use Digipost for personal information and health information.
3. What is personal data
Personal information is information and assessments that can be linked to you as an individual. It can be your name, your contact information, your health information or medical assessments. Privacy legislation determines how we and our specialists will process your personal data. The privacy legislation sets a number of requirements for the processing of what are called special categories of personal data (among other things health data) which specialists at Oslo Psychiatric Center are required to follow. As specialists in private practice, we at Oslo Psykologsenter must also comply with the Norwegian Health Act's rules for the processing of personal data. Relevant health laws that deal with the processing of personal data are the Specialist Health Services Act, the Health Personnel Act, the Patient Records Act (incl. the Patient Records Regulations), the Patient and User Rights Act, the Health Archives Act etc. All laws and regulations can be read at www.lovdata.no.
By "processing" of personal data, we mean any use of personal data, for example collection, registration, storage, compilation, disclosure, deletion, etc. All processing of personal data is, as a general rule, subject to the Personal Data Protection Act.
4. About whom we process personal data
This privacy policy covers our processing of personal data about the following categories of people:
- Patients (people who use our specialists' healthcare services)
- Visitors to our website
5. How we use personal data
5.1. Health care and registration in patient records
Our main purpose for processing your personal data is to provide proper health care, as well as offer our medical services. The personal information that we collect about you is information that we consider relevant to provide you with proper health care. We have received the information we process from you, from other health institutions where you have received treatment, from medical tests we take, etc.
When you are diagnosed, receive health care or medical treatment from a specialist at Oslo Psychiatric Center, we are obliged to register all the information necessary to provide the health care in our systems for patient records. What information must be registered is specified in law. The journal can, for example, contain contact information, next of kin, disease history, previous treatments, which medicines you use, diagnoses, etc.
The legal basis for our processing of your personal data in connection with the provision of healthcare and registration in patient records is that the processing is necessary to fulfill a legal obligation (GDPR Article 6 (1) letter c), and that it is necessary to provide healthcare services (GDPR article 9 (2) letter h).
5.2. Contact form
On our website, you have the opportunity to get in touch with us via a contact form. When you submit the form, we process your personal data such as name, e-mail, mobile number and any other information that is included in your message.
The message is transmitted in an encrypted state from the online solution to Oslo Psykologsenter. Your information will only be available to a small number of employees who have signed a declaration of confidentiality.
The legal basis for our processing of personal data in connection with the contact form is that it is necessary to be able to answer your inquiry and provide healthcare services to you (GDPR article 6 (1) letter c and GDPR article 9 (2) letter h).
6. Who can we share your personal data with
We are careful to ensure that your health information is safe with us and is not shared with anyone. We are of course bound by confidentiality. However, there are a few exceptions to this as noted below:
6.1. Healthcare organizations and other healthcare personnel
It happens that we are contacted by healthcare organizations or other healthcare personnel who also provide you with medical treatment and who ask for your patient information to be handed over.
Healthcare personnel have the opportunity to hand over your confidential information to cooperating healthcare personnel who are subject to the same duty of confidentiality as our employees. This is only done to the extent that it is considered necessary to provide you with proper health care and the rules follow from §25 of the Health Personnel Act. As a patient, you have the right to object to such disclosure. The information that is possibly shared is limited to what is necessary. We only share such information if it is requested by collaborating healthcare personnel.
6.2. Public authorities
If it is required by law or there is a suspicion that an offense has been committed in connection with the use of our services, the information we have stored about you may be disclosed to public authorities.
Furthermore, information can be shared with public health registers to which we are required by legislation to share information, such as the Vaccine Register or the Cancer Register.
6.3. Data processors
A data processor is an independent company or legal entity that processes personal data on behalf of the controller. A data processor can, for example, be a supplier of a system for electronic patient records.
Specialists at Oslo Psykologsenter ensure that all data processors are subject to the same duty of confidentiality as specialists at Oslo Psykologsenter, and that agreements on the use of data processors meet the requirements of the Personal Protection Act for the use of data processors/content of data processor agreements.
Specialists at Oslo Psykologsenter use data processors who process personal data within the EU/EEA. This means that these data processors are subject to the same regulations when it comes to processing personal data.
7. How long do we store your personal data
In principle, we will not store personal data longer than is necessary to fulfill the purpose of the processing and the statutory obligations we have. When it comes to personal data stored in patient records, i.e. for the information that we process to provide healthcare, other rules/laws apply regarding the storage of patient records.
The main rule is that the records must be kept until, due to the nature of the health care, it is no longer assumed that they will be used. Therapists at the Oslo Psychiatric Center may then be obliged to hand over medical records to the Norwegian Health Archive in accordance with the health archive regulations.
Payment information is kept for a minimum of five years in accordance with the rules in the Bookkeeping Act.
8. What do we do to protect your personal data
As the controller for your personal data, we have the overall responsibility for ensuring that your personal data is processed and stored in a secure manner. This means that we have implemented technical and organizational measures that ensure satisfactory information security.
All specialists who process health information about you are subject to a duty of confidentiality. The same applies to others who process personal data on our behalf.
9. What rights do you have
If we and our specialists process your personal data, you have a number of rights under the Personal Data Protection Act which you can assert against us.
You have the right to access the personal data we process/store about you, including the right to receive a copy of this. If you believe that the information we have registered about you is incorrect, you have the right to request that it be corrected. You have the right to request that your information be deleted from our systems, which we are required to comply with provided that further storage is not strictly necessary or required by law. If you have objections to our processing of your data, but do not want them to be deleted due to ongoing processes, you can request a restriction of the processing. In such cases, our processing will be limited to only necessary storage. Where our processing of your information is based on legitimate interests (see point 7 above), you have the right to object to the processing. If you object, we must stop the processing in question, unless there are compelling legitimate reasons for continuing the processing. Where our processing of your information is based on your consent or our agreement with you, you have the right to have this information provided in a structured, commonly used and machine-readable format, either to yourself or directly to another third party.
We point out that exceptions and further conditions apply to the rights described above, and that not all rights will be relevant to all our connections. You can read more about your rights on the website of the Norwegian Data Protection Authority, here.
For the record, we would also like to make you aware that when it comes to personal information in patient records, the right to have information deleted or corrected is limited by rules in the Health Personnel Act §§ 42, 43 and 44. Furthermore, the main part of the clinic's and our specialists' treatment has of personal data is based on legal obligations to provide healthcare and is thus not subject to the right to data portability. It is only if the processing of your personal data has a legal basis in fulfillment of an agreement or your consent that you can request that the data be handed over to you or that we send it directly to your new medical practitioner/supplier. However, the right to data portability does not affect our obligations to store your patient record.
If you wish to make use of one of your rights vis-à-vis us, please contact us as indicated in point 2 above. We ask that you do not provide sensitive personal information when contacting us. Please note that we may need to ask you to identify yourself, as we may need to ensure that you are who you claim to be.
10. Cookies (Information capsules)
Oslo Psykologsenter's website uses cookies to be able to analyze visitor behavior for use in the development and improvement of the website and our services, technical purposes to ensure that the website works and for optimization of the pages.
11. The Norwegian Data Protection Authority and appeal possibilities
The Norwegian Data Protection Authority is responsible for monitoring the Personal Data Protection Act and supervising Norwegian companies' processing of personal data. You can contact us whenever you want if you have complaints related to our processing of your personal data. You can also complain to the Norwegian Data Protection Authority, as well as to a data supervisory authority in an EU/EEA member state where you live, have your place of work or where the alleged violation of the Personal Protection Act took place.
Contact information for the Norwegian Data Protection Authority can be found on their website, here. On the website you will also find further information about our obligations according to the current Personal Protection Act.
If we refuse a request for correction or deletion of your record information, you can complain about this to the State Administrator. You will find more information about how you can complain to the State Administrator on the State Administrator's website, here.
12. Changes
From time to time we may revise this privacy policy, for example as a result of our processing of personal data changing or as a result of changes in the Personal Protection Act. When the privacy policy changes, an updated version will be published on our website. This privacy policy is valid from 9 January 2023.