GDPR and personal data management
GDPR and the Processing of Personal Data
The General Data Protection Regulation (GDPR) is a law that has applied throughout the EU since May 25, 2018. Its purpose is to give individuals greater control over how their personal data is handled and to increase the security of personal data processing. Personal data refers to any information that can directly or indirectly be linked to an individual. GDPR is supplemented by other regulations, such as those governing patient records (the Patient Data Act) and laws concerning confidentiality and professional secrecy.
The following information aims to explain how de Plaa Psykologi processes your personal data.
If you have any questions regarding de Plaa Psykologi’s handling of personal data, you are welcome to contact us at info@deplaapsykologi.com.
Purpose and Legal Basis for Processing
de Plaa Psykologi uses the information you provide in order to offer safe and effective care. This data is also used in the systematic and ongoing work of ensuring patient safety. Information is continuously entered into the journal system during your care. The data also serves as a source of information for you as a client.
The legal basis for processing your personal data is that healthcare is considered a task carried out in the public interest—an essential service for the functioning of society. Licensed psychologists are legally required to document care by keeping records (as per the Patient Data Act, among others). Like all healthcare providers, de Plaa Psykologi is subject to supervision by the Health and Social Care Inspectorate (IVO), and in the event of an inspection, patient data plays an important role.
Data Retention Period
de Plaa Psykologi will delete your personal data in accordance with the rules set out in the Patient Data Act—that is, no earlier than ten years after the last journal entry.
Your Rights
You have the right to receive information about how your personal data is being processed. Subject to the limitations of the Patient Data Act, you also have the right to have your data corrected or deleted, to request restricted processing in certain cases, and to object to processing in certain cases.
Recipients of Data
Your data will only be shared with third parties if you give specific consent in an individual case. In certain situations, de Plaa Psykologi may be legally obligated to disclose information. Such obligations are regulated by:
- The Social Services Act, in cases where a child may be at risk
- The Social Insurance Code, for matters involving social insurance decisions
Confidentiality and Data Security
All patient data—whether provided by you or recorded by de Plaa Psykologi in your journal—is subject to the confidentiality provisions outlined in the Patient Safety Act.
Right to File a Complaint
You have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY) regarding de Plaa Psykologi’s processing of your personal data.
Data Required by Law
According to the Patient Data Act and the regulations of the National Board of Health and Welfare, certain information must be included in patient records. This includes your identity, relevant background information for the care provided, the assessments made by de Plaa Psykologi, treatment plans, and actions taken. Additionally, records must document the information provided to you as a patient, choices of treatment options, any certificates or referrals issued, and both incoming and outgoing correspondence.
Journal System
de Plaa Psykologi uses Kaddio AB for its journal system, appointment scheduling, and video consultations. Kaddio AB is responsible for processing the personal data collected through its system. Kaddio complies with the General Data Protection Regulation (GDPR), and all data storage involving medical records is conducted within the EU.
If you provide personal data (such as your email address or phone number) to de Plaa Psykologi without attending a session, your information will be deleted after approximately 3–6 months.
