Data Privacy at StemMedical®
Purpose
This privacy policy contains information about how StemMedical A/S and the company’s brand Stemform® ensures that your personal data is processed in accordance with appliable law.
StemMedical respects the right of individuals to have their data processed lawfully, and our data processing will always be in accordance with the applicable legislation and follow our vision of providing services of the highest quality.
Data Controller
StemMedical A/S (alias Stemform), company registration number 35852808 with address at Gyngemose Parkvej 50, 2860 Søborg is the data controller for the processing of your personal data.
Our contact information is info@stemform.com
If you have any questions regarding the processing of your personal data, you are welcome to contact us personaldata@stemform.com.
StemMedical’s processing of personal data
We process the following data when you have chosen a treatment with one of StemMedical’s products:
- General data: Name, address information, email, telephone numbers
- Civil registration (CPR) number
- Health data
- Pre-imaging and post-imaging in connection with cosmetic treatment
- Experiences with the product/treatment
The purpose of processing your personal data is to enable us to provide you with the best possible treatment. We collect relevant information about you through the certified healthcare professional that you have decided for your treatment with one of StemMedical’s product to be able to identify you and to secure and safeguard your treatment.
Your personal data is processed securely, and health data is processed in accordance with the “Danish Tissues and Cells Directive” and with the ‘Executive Order on Authorised Healthcare Professionals’ Patient Case Notes and Records’. Photo documentation in connection with cosmetic treatment/surgery is done in accordance with the ‘Executive Order on Cosmetic Treatment and special terms and conditions under StemMedical’s Tissue Establishment permit.
The legal framework for processing your personal information
We process your personal data to comply with our legal obligations, including our obligations to create a patient record to collect and store all relevant data concerning your treatment with our product.
According to the Danish Health Act § 15 we must not proceed with a treatment before you have given an informed consent. You can always withdraw your consent in full or in part.
If you decide to withdraw your consent, we will delete all personal information that we are not required to store by law.
The legal framework for processing your ordinary contact information and your clinical photos pre- and post-treatment is in line with our obligations and legitimate interests according to the General Data Protection Regulation article 6, part 1, litra c and f. including specific conditions in StemMedical’s Tissue Establishment permit issued by the Danish Health Authorities.
The legal framework for processing your health information is according to the Danish Health Act’s rules around electronic health information, including §§ 42a-42d and General Data Protection Regulation article 9, part 2 litra a og h and the Danish Tissue Act.
The legal framework to process your civil registration information (CVR number) is to establish a unique personal identification, which is demanded by the law according to General Data Protection Regulation § 11, part 2, nr 1.
Employees at StemMedical are subject to a duty of confidentiality. This means that as a rule, they must not exchange data about your health with other parties without your consent. Your consent to exchange of data relates to your current course of treatment. Exchange of health data is often essential for successful treatment and a consistent course of treatment. Data may only be obtained/disclosed to the extent necessary. Therefore, our staff will always assess the relevance of data that is to be disclosed.
Only relevant employees have access to relevant parts of your personal information and health data if it is deemed necessary for your treatment and/or contribute to the documentation and invoicing of your treatment.
To safeguard our legitimate long-term patient follow-up obligations, we may employ agencies specialised in patient searches and only in the cases where this does not violate any legislation in your country. The legal framework for exchanging ordinary personal data with such agencies is in line with the General Data Protection Regulation §6, litra f.
Exchange of personal data
StemMedical will exchange your personal data and experiences with our certified partner for example private hospitals, clinics and surgeons who have offered you one of our products during your treatment.
During your treatment it may be necessary to collect and transfer relevant health information to other health care professionals or health authorities in line with national health acts.
StemMedical may exchange your personal data such as name, email, address, and phone number with patient search agencies in the rare cases where we have a legitimate reason to get in contact with you but finding ourselves unable to locate you based on the information you would have provided us.
Precautionary measures
StemMedical protects your personal data and have internal procedures covering IT security with precautionary measures protecting your personal information against unauthorized access, usage, and publication. StemMedical has instructions covering the access rights of our employees who are treating your personal data. We control this via logging and oversight. To avoid the loss of data, we regularly perform back-ups. We also safeguard your sensitive personal information using encryption when sending data outside of our network.
In case of a data breach resulting in a high risk of discrimination, identity theft, economical loss, loss of reputation and other severe disadvantages, we will inform you about the security breach as fast as possible and within the statutory deadlines.
Our data processor of your personal information is Regenerative Medicine LLC with address at 16192 Coastal Highway, Lewes, Delaware 19958, U.S.A. In connection with data processing, Stemform will transfer data outside EU. This transfer takes place on the back of a data processing agreement between Stemform and Regenerative Medicine LLC using the necessary safety assurances provided by the European data protection legislation that have been secured by using the European Commission’s standard contract terms.
Data Storage Period
All patient data will be stored pursuant to the European Tissue and Cells Directives and derived Danish Tissue Act and legislation. Pursuant to the said legislation, StemMedical shall keep the data necessary to ensure traceability at all stages, including identifiable information, for at least 30 years after clinical use. Personal data and journals will be deleted or anonymized 30 years after the last data point has been registered unless a legitimate purpose requires us to retain the patient journal after this deadline. Patient data and journals important for processing a complaint, oversight or compensation claim will be stored for as long as the specific case is ongoing even 30 years after the last data point has been entered into the patient journal.
In the event your consent is withdrawn before we initiate your Stemform treatment or your Stemform treatment is not initiated 12 months after your consent to your Stemform treatment, we will delete all your personal data stored with us.
Pursuant to national legislation we are prohibited from deleting your personal data if your consent is withdrawn after we have initiated your Stemform treatment.
Invoices must be deleted after 5 years plus the current year.
Our website
We place cookies on our websites. Please find our cookie policy here:
Your rights
You have the right to know which personal data points we process and store concerning your treatment.
You have a right to correct and update any personal data we have recorded.
You have a right to request us to delete all personal data we have on your record. If you wish to do so, we will delete all personal data, which we are not obligated by law to retain.
You have a right to withdraw your consent fully or partially at any time. In the event your consent is withdrawn before we initiate your treatment or your treatment is not initiated 12 months after your consent to the treatment, we will delete all your personal data stored with us. Pursuant to national legislation we are prohibited from deleting your personal data if your consent is withdrawn after we have initiated your Stemform treatment.
Complaints
You may file a complaint about our processing of your personal data to the Danish Data Protection Agency. Please see contact details and more about how to complain: www.datatilsynet.dk
You can also contact us at personaldata@stemform.com