Information on Dedicare’s processing of personal data
1. Introduction
This Data Protection Policy reviews Dedicare’s management and processes for the collection and processing of personal data. When you provide personal data to Dedicare, you should feel secure. All processing of personal data conforms to the provisions of Swedish data protection legislation, and the EU General Data Protection Regulation (EU 2016/679, “GDPR”).
Dedicare takes a structured approach to processing personal data on an ethical and legally compliant basis. We view data protection and privacy matters as long-term responsibilities. Accordingly, we may update this policy from time to time, so its transparency reflects how we manage personal data about you.
Latest update: 27 September 2023
2. Personal Data Controllers, Personal Data Assistants and contacts
One or more companies in the Dedicare group may be responsible for managing your personal data individually or collectively. When no specific responsibility for personal data is stipulated by law or other statute or affects such information that is equivalent to all group companies, the accountable company in Sweden is Dedicare AB, corp. ID no.: 556516-1501, address: Ringvägen 100, 118 60 Stockholm, Sweden. The basic approach is that Dedicare is the Personal Data Controller (PDC) for the personal data documentation Dedicare manages, and only serves as the Personal Data Processor (PDP) in exceptional cases. If Dedicare assigns a subcontractor or other party to manage personal data, this party should be considered our PDP. The PDP may only deal with personal data in accordance with our instructions, and ultimately, Dedicare remains the PDC for managing your personal data for these purposes.
If you have questions on this Swedish Data Protection Policy or the processing of personal data, you can reach us by email at: dataskydd@dedicare.se
Dedicare has appointed an external Data Protection Officer (DPO). This Officer should support our work on GDPR, and ensure our internal processes include appropriate data protection measures pursuant to data protection legislation. You can email Dedicare’s DPO at: dso@dedicare.se
3. Concepts and definitions
The critical concepts and definitions used in this Policy follow
Cookies: a cookie is a text file that a browser creates when you visit a website.
Data Protection Officer (DPO): the party in the role of verifying compliance with the GDPR in-house by monitoring and consulting on internal data protection work. Serves as a link between the supervisory authority and PDC.
Data subject: the individual whose personal data is processed.
Deletion: implies the destruction of documentation or enabling the removal of data.
Sensitive personal data: personal data whose fundamental nature can be considered especially sensitive, and accordingly subject to more stringent data protection standards, such as health information.
Lawfulness: valid reason, required pursuant to the GDPR to manage personal data; consent, performance of a contract, legal obligation, protecting legitimate interests, exercise of supervisory authority, and information of public interest, as well as legitimate interests.
Legitimate interest: when the PDC’s interests in executing the processing of personal data outweigh those of the data subject’s fundamental rights and freedoms, the interest is considered legitimate.
PDP contract, Personal Data Processor contract: contract between a PDC and PDP designed to formalise responsibilities and ensure that the parties comply with the GDPR over the agreement term.
Personal data: all information applying to an identified or identifiable natural person.
Personal Data Controller (PDC): natural person, legal entity, supervisory authority or other entity responsible for deciding the purpose and means of processing personal data.
Personal Data Processor (PDP): natural person or legal entity, supervisory authority or other entity that has been assigned to wholly or partly manage personal data pursuant to the instructions from said entity from the PDC, or on its behalf.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Protectable information: personal data not considered sensitive, but still classified as personal data sensitive for privacy, such as salary information, criminal records, valuable data, or information affecting personal matters.
Storage: how long the PDC stores personal data.
Third-country transfer: when personal data is transferred to a third country, i.e. outside the EU/EEA.
4. For people applying to Dedicare as external consultants or for direct recruitment
Personal data that is managed, its purpose and lawfulness.
Dedicare manages personal data in its capacity as a PDC for the recruitment and contracting process, when you are employed as a consultant, on direct recruitment, etc. More information on processing, its purposes and the lawfulness processing is based on in different stages of the recruitment process and matching candidates follows.
| Personal data | Purpose of processing—what we do and why | Lawfulness in terms of GDPR | Storage | |
| Enquiry | Name, email or other contact information, job profile, and information provided voluntarily. | We collect and manage this information, so we can contact you about recruitment for potential assignments and offer positions that may be relevant to you. | Legitimate interests (art. 6.1f of the GDPR) to contact potential candidates. Consent (art. 6.1a of the GDPR) to newsletters, which you can withdraw at any time. | If you have participated in a recruitment process with us, we save the recruitment data associated with your application for up to four years. |
| Registering profiles to search for assignments or direct recruitment, and registering consultant profiles in our database from our app or website | Contact information such as your name, email address, phone number, username and password, personal data stated in your CV and other application documentation that you provide voluntarily to us, such as other contact information, personal ID number, information on educational qualifications, job titles and/or previous employment. | So we can provide a contracting and recruitment service for you, create a profile so you appear on recruiter searches, are available for interviews, skills tests, collecting references, and other information with us, and to enable matching with relevant assignments, and other positions that may be relevant to you in the future. | Processing is based on legitimate interests (art. 6.1f of the GDPR) for your first contact with us, and subsequently performance of a contract (art. 6.1b of the GDPR), when you are engaged in an active recruitment process for a specific position. Consent (art. 6.1a of the GDPR) for newsletters, which you can withdraw at any time. | If you have participated in a recruitment process with us, we save the recruitment data associated with your application for up to four years. |
| Background checks during the recruitment process | References, information on skills, professional qualifications and extracts from the Swedish Health & Social Care Inspectorate records, the Swedish National Board of Health & Welfare’s registry of qualified health and medical care professionals (HOSP) and criminal records. For some direct recruitment, we may use external collaborative partners to conduct more in-depth background checks. | We may also request more information from you so we can process your application for an assignment. We do not collect information on candidate health, ethnicity, religion, sexual orientation, or union membership. | Performance of a contract (art. 6.1b of the GDPR) to satisfy the standards our suppliers apply to consultants in the healthcare sector. Consent (art. 6.1a of the GDPR) for some more in-depth background checks when conducted by an external provider. | If you have participated in a recruitment process with us, we save the recruitment data associated with your application for up to four years. Extracts from criminal records are never saved. |
| Conducting interviews, personality and skills tests, and collecting references | Responses to interview questions, information on skills through testing and references from relevant sources. | If you participate in interviews and take skills tests as part of the recruitment process, we collect more information to quality-assure the qualification process of recruitment. | Legitimate interests (art. 6.1f of the GDPR) to qualify consultant profiles for each assignment or job description. Consent (art. 6.1a of the GDPR) for collecting certain references when conducted by an external provider. | If you have participated in a recruitment process with us, we save the recruitment data associated with your application for up to four years. |
Who do we share your data with during the recruitment process?
We may appoint third parties to conduct all or parts of the recruitment process, once we have ensured that such partners follow the guidelines of this Policy, and our instructions. Examples of such parties are supervisory authorities, like the Swedish Police Authority, the Swedish Health & Social Care Inspectorate or Swedish National Board of Health & Welfare or other private third party that conducts background checks or skills or personality tests.
When matching the candidate and assignment, we may provide your personal data to the client that your candidate profile is relevant to. The client then becomes the PDC for processing the personal data provided during the recruitment process, for example in a candidate profile provided. The personal data you have provided as a candidate in your application is never provided to third parties for commercial purposes.
5. For people employed in an internal position or as a consultant
Personal data processed, its purpose and lawfulness
A list of the main personal data that we may process about you, for which purpose(s) and the lawfulness of processing. Dedicare processes personal data in its capacity as PDC. To some extent, processing differs between people employed internally with Dedicare, or as consultants. Generally, however, the processing of the personal data of our employees is of an HR administrative nature, and in most cases, the lawfulness of processing this data is based on whether it is necessary for us to fulfil our obligations in our employment relationship.
| Personal data | The purpose of processing—what we do and why | Lawfulness in terms of GDPR | Storage |
| Basic data on you such as your name, phone number, email address, personal ID number, and where appropriate, passport information (e.g. for business travel). | HR administrative purposes. | Performance of an employment contract (art. 6.1b of the GDPR), and our legitimate interests (art. 6.1f of the GDPR) to conduct HR administration. | Four years for consultants.
During the term of employment for people working in internal functions at Dedicare. |
| Your photographic image | Marketing purposes. Used for publishing your profile on our website, and where appropriate, other marketing communication. | Legitimate interests (art. 6.1f of the GDPR) to enable marketing of our services. | During employment |
| Contact information of relatives | In the event of an accident or absence, to enable us to contact your relatives. | Legitimate interests (art. 6.1f of the GDPR) to contact your relatives. | During employment |
| Health data such as information on illnesses, medical certificates, any associated certification, sickness pay data and information related to rehabilitation, etc. | To fulfil administrative duties linked to employer capacity assessments, rehabilitation liability, adaptation liability, salary and sickness pay liability, in contact with the Swedish Social Insurance Agency and other supervisory authorities on associated matters. | Compliance with a legal obligation (art. 6.1c of the GDPR). | Ten years |
| Information on hours worked, benefits, sickness absence, salaries, taxation levels, vacations, pension, insurance, and information on bank account numbers and similar information. | To administer and fulfil obligations on the disbursement of salary, vacation pay, benefits, occupational pension, etc., or to administer business bank cards, and where appropriate, provide information to the Swedish Tax Agency, Swedish Enforcement Authority or other supervisory authority related to salary. | Fulfilment of an employment contract (art. 6.1b of the GDPR) and fulfilment of legal obligations (art. 6.1c of the GDPR). | Ten years.
Information on pension matters is saved until the employee’s retirement age. |
| Start and finish date of employment | To compute notice periods, determine benefits, seniority list and similar computations. | Fulfilment of employment contract (art. 6.1b of the GDPR) and where appropriate, fulfilment of a legal obligation (art. 6.1c of the GDPR). | Ten years.
Data on pension matters is saved until the employee’s retirement age. |
| Type of employment and terms of employment. | To comply with the Swedish Employment Protection Act. | Compliance with a legal obligation (art. 6.1c of the GDPR). | Ten years |
| CV, information on education, qualifications, previous work experience, previous employment and performance at work, appraisals and training taken during employment. | To rationalise our operations and develop your skills, and where appropriate, to enable us to investigate relocation, offer skills enhancement. | Legitimate interests (art. 6.1f of the GDPR) to rationalise and improve our business, and for skills enhancement, and compliance with a legal obligation (art. 6.1 of the GDPR) to comply with the Swedish Employment Protection Act. | Four years for consultants
During the period of employment for staff working internally within Dedicare. |
| Where appropriate, data on unemployment benefits, position as a union representative and safety representative. | To issue employment certification and undertakings pursuant to the Swedish Work Environment Act and the Swedish Trade Union Representatives (Status at the Workplace) Act. | Compliance with a legal obligation (art. 6.1c of the GDPR). | Four years for consultants
During the term of employment for staff working internally at Dedicare |
| Personal data processing may occur in tandem with checks on IT equipment for internal staff, such as computers, email and mobile phones | To prevent the misuse of services and authorisation management to maintain cybersecurity. | Legitimate interests (art. 6.1f of the GDPR) to prevent misuse of services and to manage cybersecurity within Dedicare. | During the term of employment |
6. Marketing and offers
Events, newsletters, and other mailshots, applications and participation in events or other seminars
We process your personal data to communicate with and send marketing material to you. This includes sending newsletters, information on Dedicare and invitations to events and other seminars we think may interest you. For such marketing purposes, we process Data about your name, email, phone number and professional profile. We send this information to you with your consent (art. 6.1a of the GDPR) once you’ve registered your profile in our candidate database. When we’ve collected personal data by other means, processing is based on legitimate interests (art. 6.1f of the GDPR) to market our services. You can choose to no longer receive marketing material from us at any time by recording this in your profile, or by clicking “unsubscribe” directly in the newsletter.
When attending events or other seminars, we may process the following additional data about you:
- Information on food preferences and allergies in applications. We process this data so we can pre-order food for you with your consent (art. 6.1a of the GDPR).
- We may also collect data about you in the form of images or recorded material, when there is photography or video in during the event. We process this data to market our services, supported by a legitimate interest (art. 6.1f of the GDPR).
When we use images or other materials about you in interviews, etc. for marketing purposes, we create a specific contract between you and Dedicare about the terms & conditions that should apply in that specific case.
7. Data automatically collected by us when you visit our website
We use technology solutions like cookies to collect data about you for various purposes, including functional, statistical and market-related collection.
A cookie is a small text file the website saves on the device you use to visit our website, such as your PC, tablet or mobile phone. Basically, the data in the cookie is based on data necessary for website functionality, and to save information as part of improving our services to you and our stakeholders.
Dedicare collaborates with an external provider that supplies cookie banners on our website and continuously scans our website to keep its data on cookies updated and compliant with relevant legislation in this area. With this function, users can select the collection they consent to, which can be amended at any time. If you want to clear your cookies at the end of the session, you can do so in your browser settings. You can also opt to reject all cookies apart from those necessary easily.
For more detail on the data collected by position, purpose, and expiry date, please refer to our cookie policy, which is under the cookie symbol in the left corner of your browser.
8. For people who contact us for other reasons
Personal data for other stakeholders, suppliers, customers and others
We collect personal data about our contacts for current or potential business relationships between Dedicare and its clients, suppliers and other stakeholders. This includes contact information like names, phone numbers, email addresses and signatures, job, titles/roles, corporate identity, numbers, or other information provided to us voluntarily during contact.
Personal data processing during correspondence with Dedicare
If you communicate with us by email, mail or other means, we may retain such communication and the data it contains to respond to your enquiry, or manage your complaint, question etc.
9. Who can access your personal data
When required, Dedicare may share your personal data with other recipients.
In relation to our clients, we may share personal data with other parties to satisfy the requirements we have for our clients, other Dedicare group companies, and subcontractors that provide services to us for the maintenance and support of our in-house systems, and where appropriate, for marketing activities.
When necessary, your personal data may also be shared with external consultants, auditors, the courts, and other parties such as supervisory authorities, such as the Swedish Police Authority, the Swedish Tax Agency and others if requested from Dedicare and we are obliged to process and fulfil legal requirements, fulfil legal obligations and/or protect employee safety. Then, these parties become independent PDMs when data is shared with them.
Examples of when we share your personal data as above are to administer recruitment processes, conduct HR admin, administer benefits-related data, or data affecting internal communication. This may be sharing data on your pension benefits, sickness pay, contacting relevant supervisory authorities regarding tax and certifying sick leave, payroll management, etc.
10. Transfers to a third country
Our ambition is to store your personal data within the EU, and our main rule is that your personal data is only processed within the EU/EEA. In individual cases, we share personal data about you processed outside the EU/EEA with countries including the USA. In such cases, we will ensure that the transfer is pursuant to articles 44-50 of the GDPR, either by ensuring that processing is in a country that the EU Commission has ruled as having satisfactory data protection standards, or through the EU Commission’s standard clauses jointly with technological and organisational data protection measures within Dedicare (see also point 12 on protecting your personal data).
If you want more information on how transfers to a third country happen for the above processing or in other contexts, or alternatively, which measures we have taken to protect your personal data, you’re welcome to contact us using the contact information in section 2, Personal data manager and contacts.
11. Storage period
We store your personal data in a form enabling individual identification, as long as necessary to fulfil the purpose of processing.
If your personal data is no longer necessary to fulfil the purpose of processing, or the processing is no longer permitted for other reasons, the data is deleted. If only a portion of the data needs storing, our basic approach for storage is that other data is anonymised, and the authorisation to view personal data is strictly limited.
If you terminate employment with us, we only retain such personal data as we are obliged to store pursuant to law or necessary for administrative purposes, such as disbursement of pension, accounting records, and information for the Swedish Tax Agency. We delete contact information for your relatives after employment terminates. The same applies to images of you, and data about you and your position on our website. For more detail on deletion periods for the specific documentation about internal employment, please refer to Dedicare’s Deletion Policy, which is available on our intranet.
See also the tables in sections 4 and 5 for a more detailed review of the storage period for each type of document.
12. Protection of personal data
Dedicare works actively to protect the personal data we process. We have created an information security management system (ISMS) framework based on the ISO 27001 standard, which includes technological and organisational measures, as well as risk and vulnerability analyses, authorisation management, incident management procedures, as well as consequence and risk assessments.
We work continuously on following up and conducting internal and external audits of our data protection efforts to ensure that we satisfy the standards of legislation.
13. Your rights
The party whose personal data is processed by us (the data subject) has several rights.
The right to be informed
You have the right to be informed by us when we process your personal data during collection or otherwise when as a data subject you request such information. The information provided to you should include a disclosure on the purpose the personal data will be processed for, the lawfulness of processing, storage periods, which parties may access parts of the personal data, how it is shared (if relevant), how you can make complaints etc. (read more below or at imy.se).
Right to access your personal data and registry extracts
You have the right to contact us to find out how your personal data is processed within Dedicare. If your personal data is processed by us, you have the right to receive a copy of this information (with certain exceptions). On request, you can receive more detailed information on how your personal data is processed by us (in what is termed a registry extract).
Right to revoke consent or object to processing
At any time, you can object to our processing of your personal data if this processing is based on consent, or revoke consent you have previously given.
Right to have your data erased (the right to be forgotten)
In certain cases, you have the right to request that your personal data is completely deleted. There are some exceptions where we cannot complete such a request, for example, if we have a legal obligation to save data. If you want to make such a request, we make an individual assessment of whether this is justified in your case and provide our reasoning if we are unable to delete any information.
Right to correction
You have the right to get erroneous or incomplete information about you updated.
Right to limitation of processing
At any time, you have the right to object to your personal data being used for direct marketing (newsletters etc.) You also have the right to object to your personal data being processed when the lawfulness of processing is based on legitimate interests. If you wish to make such an objection, we will conduct a dedicated assessment based on your interests in relation to ours in processing your personal data for the specific purpose.
Right to access and transfer personal data (data portability)
To the extent you have given consent or processing is based on a contractual relationship with us, you have the right to have your personal data in a format that enables it to transfer to another PDM (data portability). However, this assumes that this is technically possible for us.
Exercise your rights or get more information
We deal with all enquiries promptly. If you want to know more about your rights in the processing of your personal data, or you want to exercise any of your rights, you’re always welcome to contact us to get help or more information by email: dataskydd@dedicare.se
If you want to reach Dedicare’s external Swedish Data Protection Officer specifically, you can do so by email: dso@dedicare.se
There’s also more information about your rights at the Swedish Authority for Privacy Protection’s website.
Right to make a complaint
If you think Dedicare is processing your personal data incorrectly, you also have the right to report this to the data protection authority in the country where processing is conducted.
The Swedish Authority for Privacy Protection
E-mail: imy@imy.se
Tel: +46 (0)8 657 6100