Effective Date: 1st of June 2024
This is the Privacy Notice (“Notice“) for the provision of our services in the Step Care Program by Teladoc Health Denmark ApS, Rønnegade 9, 1., 2100 Copenhagen Ø, CVR no. 41627425 (“Teladoc“) as data controller.
Our Step Care Program (the “Services”) is a virtual care program run by Teladoc for Danica members with working age and who are either on sick-leave or at risk of going into sick-leave. Step Care has been developed as a flexible health and social work offer for you to improve your quality of life and empowerment, and thereby to maintain your connection to the labour market.
To meet your different needs for both social and health professional intervention, the Step Care effort is multidisciplinary. No two offers are alike, and how many sessions you need and with which professionals will depend on your situation.
In order to provide the Services to you, we need to collect and process your personal data (“Personal Data“). This Notice describes the kind of Personal Data we collect about you, why we collect it, how it is collected, how we use it, how we protect it and under what circumstances we share it with third parties. This Notice also describes how you may access your Personal Data and exercise the rights you have concerning your Personal Data. Please review it carefully.
Teladoc is committed to ensure full compliance with all applicable data privacy laws and regulations, including (but not limited to) the General Data Protection Regulation (EU) 206/679 (the GDPR) and the Danish Data Protection Act (collectively Data Protection Laws). As a health care provider, we are also obligated to process your Personal Data as set out in the Danish health legislation.
By requesting or utilizing our Services you are entering into a contractual relationship with Teladoc for the provision of these Services to you, and you accept the privacy practices described below.
Teladoc and your pension- and insurance providers (Danica) are independent data controllers in relation to the Personal Data processed. For more information about how your pension provider handles your data, please reach out to them directly.
What Personal Data is collected and processed by Teladoc?
We will process your Personal Data in the situations described below.
| Types of Personal Data | The purpose of the processing | Legal basis |
|---|---|---|
| Personal Data processed for administrative purposes when you request Teladoc\’s Services through Danica | ||
| We will process your name, address, date of birth, your gender/sex, contact information (email address and phone number) as well as your insurance terms. We will also process your CPR number. | The purpose of our processing of your personal data is to administer your request for our Services and to communicate with you. | We rely on your consent, cf. Article 6 (1) (a) of the GDPR and Section 11 (2) (2) of the Danich Data Protection Act. |
| Personal Data processed when providing our Services | ||
|
Ordinary and sensitive Personal Data, including your name, age, date of birth and your gender/sex. We also process your CPR number as well as health data, e.g. your previous health and medical records, physical and mental performance, characteristics, diseases or disabilities, work ability, and information about your sex life or sexual orientation, occupation and/or other information we collect through our communication with you. |
The purpose for our processing of your personal data is to deliver our Services, i.e. our online medical treatment during our consultation. We are also obligated under applicable health legislation to e.g. report any side effects to the public authorities, to process your data for journaling purposes and for medicine descriptions. |
We process your Personal Data based on our legal obligation when providing health care treatment, cf. Article 6 (1) (c) and Article 9 (2) (h)., cf. Section 7 (3) of the Danish Data Protection Law and the Danish health legislation. Processing of your CPR number is required by law, e.g. under the Danish Executive Order on Medical Records Section 12, cf. the Danish Data Protection Act Section 11 (2) (1). |
| Personal Data obtained through survey forms, calls or text | ||
|
We will collect your Personal Data via survey forms, call or texts directly to you. We will collect your responses which will likely include your health data.
|
Our aim is to better understand our customers’ needs and improve the Services i.e. satisfaction, improvement of working capabilities of customers etc. | Data collected through surveys forms, calls or text messages directly to and from you will be processed based on your consent, cf. Article 6 (1) (a) and Article 9 (2) (a) of the GDPR. The consent for this purpose is not given by agreeing to this document but can instead be given explicitly at a later stage. |
When our processing of your Personal Data is based on your consent, you can withdraw such consent at any time. Your withdrawal will not affect the lawfulness of processing based on consent before its withdrawal, but not consenting can affect our ability to provide the Services to you. You can withdraw your consent at any time by sending an email at stepcare@teladochealth.com or dataprotectionofficer@teladochealth.com.
Personal Data Teladoc Collects About You from other sources
We collect Personal Data directly from you through our communication. Furthermore, we may collect Personal Data from
- your insurance company (Danica) for the purpose of providing you with treatment which are covered by your insurance terms,
- your past or current health care providers. For example, it may be relevant for us to collect your previous health information from online registers, e.g. sundhed.dk, provided this is necessary for our treatment of you cf. the Danish Health Act Section 42a (1), and/or if you have specifically consented, or
- your authorized representatives if it is necessary for providing our Services to you.
Whether it is necessary to collect Personal Data about you from you or third parties will be assessed on a case-by-case basis.
Disclosure of Your Personal Data
We may in some cases share your Personal Data with third parties, as described below:
- Danica: If you consent, cf. Article 6(1)(a) and Article 9(2)(a) of the GDPR, cf. Section 43(1) of the Danish Health Act, we will disclose ordinary and sensitive Personal Data about you to your relevant pension company (Danica) for administrative and case handling purposes according to your insurance terms. The Purpose is to make sure the case handling process can be done in accordance with applicable rules and conditions, and to understand the effects of the Step Care program with respect to customer claims. The Purpose is also to be able to understand and improve the services within the product via the reporting on i.e. satisfaction, improvement of working capabilities.
- The data on patient level and aggregated is:
- (Personal Data) name, phone number, email, case number, occupation, insurance policy terms
- (Sensitive Data) CPR number
- (Health data) health history, illnesses, diagnosis and treatment, work ability, reasons for referral, suggested treatments, medication, private GP information, information from specialist doctors and hospitals, work ability, physical, psychological and relational ability or disability.
- (For report and case handling Purposes) Which service were used. When was the service used. Number of treatments. What kind of treatment was given and how was the progression, the diagnosis and recommendation for future treatment. It will also include the customers™ work status and prognosis for reactivation, either to the current employment or other profession
- (For report Purposes): Satisfaction questions and usage, e.g. average number of sessions (and length of the sessions) per customer per segment per health professional incl. nurse assistance.
- Other health care professionals (external partners) including private hospital: We will disclose ordinary and sensitive Personal Data, including your name, contact details and health data, if we refer you to another relevant health care professional because it is necessary for the current course of your treatment. The legal basis for such transfer is GDPR Article 9 (2) (h) and the Danish Data Protection Act Section 7 (3), and your consent cf. Section 41 (1) of the Danish Health Act.
- Your general practitioner: We will disclose ordinary and sensitive Personal Data, including your name and health information, to ensure that your own doctor is informed about your treatment. The legal basis for such transfer is GDPR Article 9 (2) (h) and the Danish Data Protection Act Section 7 (3), and your consent cf. Section 41(1) of the Danish Health Act.
- Your municipality: We may disclose your ordinary and sensitive data in case this is of relevance to your municipality and based on your consent, cf. Article 6(1)(a) and Article 9(2)(a) of the GDPR, cf. Section 43(1) of the Danish Health Act and the supplementing applicable legislation relevant to your application.
- Public authorities, including health authorities: Teladoc is required by law to report to authorities in certain cases and regarding certain observations, e.g. if it is identified that a child under 18 years of age is in need of social support or in relation to side effects- and pharmacovigilance reporting, cf. Article 6 (1) (c) and Article 9 (2) (h), cf. Section 7 (3) of the Danish Data Protection Law and supplementing health legislation e.g. the Danish Health Act Section § 43 (2) and the Executive Order on Pharmacovigilance.
Finally, we may share your Personal Data with our IT service providers and our company affiliates acting as data processors.
International Transfers of Your Personal Data
In the event of a transfer of your Personal Data to a country not deemed adequate by the European Commission, we will use appropriate safeguards that meet the GDPR requirements such as the standard contractual clauses approved by the European Commission or any other legally recognized mechanisms that ensure the protection of your Personal Data. You can receive a copy of the applied safeguards by contacting us via dataprotectionofficer@teladochealth.com.
Security of Your Personal Data
We safeguard your Personal Data with technical and organizational security controls which are consistent with Data Protection Laws. We educate our staff (e.g.: healthcare professionals) on our Notice as well as all Data Protection Laws.
Data Retention
We will retain your Personal Data for as long as it is needed for the provision of the Services to you and after that, for the statutory periods for the only purpose of attending any statutory responsibilities that might arise from the provisions of the Services and to comply with the Data Protection Laws.
Medical records will be stored for 10 years after the last note made in the records, cf. the Danish Executive Order on Medical Records.
At the end of the relevant retention period, your Personal Data will be securely destroyed or permanently anonymized in accordance with Data Protection Laws and any applicable regulations.
Your data subject rights
Subject to applicable Data Protection Laws, you have the following rights:
- Right of access: right to ask us for copies of your Personal Data.
- Right to rectification: right to ask us to rectify your Personal Data You think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Right to withdraw: your consent to the processing of any of your Personal Data.
- Right to erasure: right to ask us to erase your Personal Data in certain circumstances.
- Right to restriction of processing: right to ask us to restrict the processing of your Personal Data in certain circumstances.
- Right to object to processing: right to object to the processing of your Personal Data in certain circumstances.
- Right to data portability: right to ask that we transfer your Personal Data to another organisation or to you, in certain circumstances.
You may exercise your data subject rights as may be applicable at any time by emailing us at dataprotectionofficer@teladochealth.com. You also have the right to lodge a complaint with the Danish Data Protection Agency.