Privacy Policy

What is personal data and who is responsible for it?

Personal data

Personal data encompasses information and assessments that can be linked to you as an individual. This may include your name, contact details, medical records or medical assessments. The Norwegian Data Protection Act regulates the way in which we process your personal data. The Data Protection Act specifies how certain categories of personal data (including health-related data) must be handled. Aleris has a legal duty to comply with these regulations. Since Aleris is a private healthcare provider, we must also comply with the regulations for personal data set out in Norway’s healthcare legislation. Health-related laws that deal with the processing of personal data are: The Specialist Heath Services Act, the Health Personnel Act, the Medical Records Act (including the Medical Records Regulations), the Patient and User Rights Act, the Health Archives Act, etc. The full text (in Norwegian) of all laws and regulations may be viewed at www.lovdata.no     

Processing of personal data

The processing of personal data means any use of personal data, e.g. collection, registration, storage, collation, transfer, deletion, etc. As a rule, any processing of personal data is subject to the provisions of Norway’s Data Protection Act.

The data controller

The entity or individual who decides the purpose for which personal data is to be processed is called the data controller. It is the data controller’s task to ensure that personal data is processed in accordance with the prevailing regulations.

Aleris Helse is the data controller

Contact information
Telephone no.: 22 54 10 00
E-mail: dpo@aleris.no
Frederik Stangs gate 11–13, 0264 Oslo

How we use personal data

We collect personal data only to the extent necessary to enable us to offer our services to you. Our primary objective when processing your personal data is to provide appropriate medical assistance, as well as offer our healthcare services. Apart from this, we sometimes process personal data for marketing purposes. You can read more about this in the section on marketing.

The personal data that we collect is data that we consider relevant in order to provide you with appropriate medical assistance. The data we process is obtained from you yourself, other medical or healthcare institutions from which you have received treatment, tests we have performed, samples taken, etc.

When you are diagnosed, receive medical treatment or assistance from Aleris, we are duty bound to record all the information necessary to provide such help in our medical records systems. The way medical records are kept and the information they contain is regulated by law. Your medical records may, for example, contain contact details for your next of kin, your medical history, previous treatments, details of medications you are taking, diagnoses, X-ray images, etc.

We delete personal data when it is no longer necessary to fulfil the purpose for which it was originally collected. Other rules apply to personal data stored in your medical records. For further details, see the section on deleting personal data.

Every employee who processes health-related information about you is bound by a duty of confidentiality. The same applies to anyone else who processes personal data on our behalf.

Who can we share your personal data with?

• Healthcare institutions and other healthcare personnel

We are sometimes contacted by healthcare institutions, the doctor who referred you to us or other healthcare personnel who are also treating you and who ask for a copy of your medical records.

Healthcare personnel are entitled to pass confidential information about you to collaborating healthcare personnel who are bound by the same duty of confidentiality as our own staff. This is done only to the extent necessary to provide you with appropriate medical assistance. The rules governing this are set out in section 25 of the Health Personnel Act.  You are entitled to object to your medical records being passed on in this way. Only necessary information is shared. We share such information only with your referring doctor or if it is requested by collaborating healthcare personnel.

• Public authorities

Information that we have recorded about you may be handed over to the public authorities only when there is a statutory duty to do so or if it is suspected that a criminal offence has been committed in connection with the use of our services.

• Data processors

A data processor is an independent company or legal entity which processes personal data on behalf of a data controller, In other words, when Aleris employs a subcontractor, such as the supplier of a digital medical records system or an X-ray machine.

Aleris ensures that all data processors are subject to the same duty of confidentiality as Aleris’s own staff, and that agreements regarding the use of data processors comply with the Data Protection Act's provisions relating to the use of data processors / contents of data processor agreements.

Aleris generally employs data processors who process personal data within the EU/EEA area. This means that the data processors are subject to the same regulations with respect to the processing of personal data. Only in exceptional cases does Aleris use data processors located outside the EU/EEA area. In such cases, Aleris has made sure that the levels of protection with respect to the processing of personal data to which these data processors are subject comply with Article 45 et seq. of the GDPR.

• Public health registers with which we have a statutory duty to share information, such as the Norwegian Arthroplasty Register and the Cancer Registry of Norway.

Your rights

Access

You are entitled to access your own personal data. If you wish to know what kind of personal data has been recorded about you in our systems, you can contact the hospital or X-ray department that treated you, or you can send us an enquiry.  However, please do not disclose any sensitive personal information.

Correcting and deleting data

Correcting data
It is important that the information we hold about you is correct and up to date. If you discover an error, please contact us so that your data can be corrected. The provisions of the Health Personnel Act place constraints on the possibility of correcting information contained in medical records.

Deleting data
If you wish information to be deleted, please contact us. The provisions of the Health Personnel Act place strict constraints on the possibility of deleting information contained in medical records.

Storing data
In principle, we will not store personal data for longer than is necessary to fulfil the purpose for which it is being processed and our statutory obligations. Other rules apply to the storing of personal data in medical records.

In principle, medical records must be stored until (given the nature of the medical assistance) they are assumed to no longer be of use. Under the provisions of the Health Archive Regulations, Aleris has a duty to pass medical records on to the Norwegian Health Archive after that point in time.

Right to request restricted processing of personal data

You are entitled to request that we restrict the way in which your personal data is processed. Methods for restricting such data processing include moving data to another processing system, making selected data inaccessible or removing publicly available data from the website. You are entitled to request this in the following situations:

• If you believe that the personal data we hold about you is inaccurate. In this case, processing may be restricted during the time it takes to verify whether the data is correct.

• If you believe our processing of your personal data is unlawful.

• If Aleris no longer has any need for the personal data, but you need it to verify or assert a legal claim.

Right to data portability

You are entitled to have the personal data Aleris holds on you transferred to another, corresponding entity. This is called data portability. You are entitled to do this only if your personal data is being processed based on your own consent or in connection with the fulfilment of a contract between you and Aleris. Please note that the legal grounds for which the majority of personal data is processed by Aleris relate to its obligations to provide medical assistance. As such, it is not subject to the right to data portability.

If the legal grounds for processing of your personal data relate to the performance of a contract or your consent, you can choose whether you wish to have the data transferred to yourself or have us send it directly to your new medical treatment provider.

Please note that the right to data portability has no impact on our duty to store your medical records.

Right to complain to the Norwegian Data Protection Authority

If you disagree with the way we are processing your personal data, you are entitled to submit a complaint to the Norwegian Data Protection Authority. You can read more about this on the Norwegian Data Protection Authority’s website.

https://www.datatilsynet.no/om-datatilsynet/kontakt-oss/hvordan-kan-jeg-klage-til-datatilsynet/

Privacy ombudsman

Privacy ombudsman for Aleris Helse: Cecilie Gundersen
Telephone no.: 930 87 563
E-mail: dpo@aleris.no 

If you have any questions about the way we process your personal data, you would like your data to be corrected or deleted, or you have any other concerns, please contact our privacy ombudsman by phone or e-mail. We will answer your query as soon as possible. Please do not send any sensitive personal information by e-mail.

Use of patient surveys

We invite our patients to answer questionnaires to monitor their satisfaction with the medical treatment they have received at Aleris. No personal data may be processed without legal grounds. In this case, a balance of interests constitutes the legal grounds. A balance of interests may be used as the legal grounds for data processing when such processing is necessary in order for the data controller to pursue his legitimate interests, unless the data subject’s interests or fundamental rights and liberties take precedence and require the protection of personal data. 

Marketing and newsletters

Social media

We want to be accessible to existing and potential customers on social media. Therefore we maintain profiles on Facebook, Instagram, Snapchat, LinkedIn and YouTube. The purpose of these pages is to make our services, contact details and opening hours known to customers/patients and potential patients. If you wish to contact us by means of these channels, please do not disclose any personal data on them. If you have a question that requires you to share sensitive personal data (e.g. information about your state of health), we recommend that you contact us by telephone so that we can assist you.

Newsletter

Aleris’s newsletter is distributed by e-mail. In the newsletter, we wish to provide you with good, quality-assured information about health-related topics, answers to medical questions and give useful advice on how to stay healthy. You will also find information about campaigns and health tips from Aleris Helse’s professional team.

To sign up for Aleris Helse’s newsletter, you must register your e-mail address and consent to our terms and conditions. You can also elect to disclose your name and register your nearest Aleris clinic.  You can subscribe here.

To ensure that the right person receives our newsletters, an automated e-mail will be sent to the specified e-mail address asking you to confirm your subscription. If you choose not to confirm this e-mail, your e-mail address will not be registered with us and you will not receive our newsletter.

When you sign up to receive our newsletter, you consent to us sending you 1–2 e-mails a month with free information about our health services. You also consent to us measuring the extent to which you open and click on links in the newsletter after each edition. This is done by means of a “web beacon”, a pixel-sized file that opens when the newsletter is opened. You can read more about how we use cookies/web beacons here.

Aleris uses the e-mail service Mailchimp to distribute its newsletter. Your e-mail address, IP address and details of whether you open the newsletter and click on links will therefore be processed and stored by Mailchimp in the USA. Your e-mail address and, if provided, name will also be visible to those working in Aleris Helse AS’s communications department and Geta AS.

You can unsubscribe from the newsletter at any time. To do so, just open up the latest edition of the newsletter and click on the unsubscribe link. If you choose, you can also let us know why you do not wish to receive our newsletter. This is voluntary and you will be removed from the subscribers list whether you choose to give a reason or not. If you choose to unsubscribe from the newsletter, all the data we have on you will be deleted from our systems and our account with Mailchimp.

Aleris Helse AS will not use your data for any marketing purposes or services other than the distribution of this newsletter.

Contact form on our website

On our website, there are many ways to get in touch with us or send us a query. This includes contact forms. When you send a contact form to us, your personal data will be processed by Aleris’s healthcare personnel.

Your personal data will be encrypted and stored on our website for 10 days. The operation of our website is based on Episerver DxC technology, which places great emphasis on security and complies with security industry best practice. The solution runs on Azure data centres, and complies with industry standards (including ISO 27001) for physical security and accessibility. Episerver’s employees are permitted to access data only for authorised purposes, such as archiving, backup, restoration and the collection of anonymised user statistics.

The solution uses TLS and SSL encryption, which secures data during its transfer from the online solution to Aleris’s Customer Service Centre, where the data is decrypted. Your details will be accessible only to selected employees at Aleris Helse AS.

Chat

Our X-ray related web pages offer a chat service. This makes it easy for you to get in touch with the customer service centre that deals with queries relating to our X-ray services. During a chat, we can answer simple queries about opening hours and the locations of our departments, as well as general questions about X-rays and our examination procedures. Please do not disclose sensitive information or personal details through this channel. If you have any questions about your health or treatments you are receiving, please contact us by telephone.

Messages you send via the chat are processed by members of staff at Aleris’s X-ray customer service centre. Messages are processed and stored by Zisson AS on Norwegian servers. The chat log is kept for 24 hours before being deleted.

Appointment booking form for Aleris Røntgen (X-ray)

If you wish to make an appointment for an X-ray at Aleris Røntgen, you will find a booking form at https://bestille.alerisrontgen.no/. Here, you can fill out your personal details and request an X-ray. All radiological examinations require a referral from your doctor. You can upload your letter of referral directly to us on this page.

The information you send us via this page is stored for 30 days in a database operated by Fete Typer AS, which, in this case, acts as data processor for Aleris. The server is located in Norway and the link is encrypted using SSL/https. The information is then transferred by Aleris’s customer service operators to our medical records system. See the section on the storage of personal data in medical records.

Ask a specialist

“Ask a specialist” is an online service developed and operated by Aleris Helse AS. Here, you can ask questions about plastic surgery and get answers directly from one of our specialists.

To use the service, you must create an account at www.plastisk-kirurgi.no. To create an account, you must provide the following personal details:

• E-mail address
• User name (Aleris Helse AS recommends that you register using an alias rather than your real name).
• Login password

On the “Ask a specialist” service, you can type in the questions you want to ask one of our specialists in a separate message field. The service also contains a subject field, where you can specify the topic for your query. Your questions and the information you provide will be visible only to selected employees of Aleris Helse AS, and will not be accessible by other users of the service. The people who have access to your information are the responding doctor, staff in Aleris Helse AS's marketing department and Attend IT, which hosts the solution on servers in Norway, as well as the technical developer at OMG AS, who provides technical support for the solution.

By using the “Ask a specialist” service, you also consent to your question potentially being anonymised and published on our website along with the doctor's reply. Any information relating to you as an individual will in such case be removed.   

Aleris Helse AS will send an e-mail to your specified e-mail address, notifying you that your question has been answered. Your e-mail address will not be used for any other purpose than this. You may withdraw your consent at any time by closing your account at www.plastisk-kirurgi.no. You can do this under “My profile” once you have logged in. If you choose to close your account, your profile and all recorded conversations with our specialists will be deleted. 

Aleris Helse AS strongly recommends that you do not share sensitive personal and health-related information via the “Ask a specialist” service. If your questions require you to disclose sensitive information, we recommend that you contact us by phone instead, or book an appointment for a consultation with one of our plastic surgeons. You will find details of your nearest department here: https://www.aleris.no/plastisk-kirurgi/

Patient stories

We have published certain stories that our patients have chosen to share with us and have consented to us publishing on our website and on social media. Only stories from patients who have expressly and freely consented to publication are shown on our pages.

If you have chosen to share your story, you can withdraw your consent to publication at any time. To delete your patient story, send a letter by ordinary post to Aleris Helse AS attn: Marketing Dept., Frederik Stangs gate 11-13, 0264 Oslo, Norway, an e-mail to minhistorie@aleris.no or call 22 54 10 00. We will ensure that your story and any accompanying images are deleted from our website and social media accounts as quickly as possible and no later than 30 days after receipt of your instructions.

Cookies

Aleris employs cookies to help us analyse how visitors use our website. We use this information to develop and improve our website and our products, for technical purposes to ensure our website is operating properly and to optimise the site and for marketing purposes, such as measuring the effectiveness of our online marketing activities or for targeted advertising. For more information about which cookies we use, the type of data processed, who processes the data and why, please see our cookie policy. 

Amendment of this policy

We will, at regular intervals, update this privacy policy to reflect any changes in our website or in the way we process personal data.

Last updated: June 2019