Policy and guidelines for the application of the European General Data Protection Regulation (GDPR) when processing personal data.

Fundamental to this policy is that 21st Century Mobile will process personal data legally, correctly and in accordance with good practice, regardless of whether it concerns automated or manual processing of personal data. 21st Century Mobile develops, provides and administers SMS services for Opus dental clinics.

As a provider of the SMS service, 21st Century Mobile functions as a personal data processor: on behalf of Opus Dental and through their patient record system, we are limited to processing the personal data that each dental clinic controls, and the clinic is thus the personal data controller. This policy therefore applies to the processing that 21st Century Mobile may perform as a personal data processor.

In order to provide the SMS service, 21st Century Mobile must enter into agreements with other parties involved in the system, such as telecom operators and suppliers of server halls, in which case 21st Century Mobile signs a Personal Data Processing agreement with each party to guarantee compliance with this policy.

Basic concepts used in this privacy policy:

· Personal data: Any information relating to an identified or identifiable natural person (‘data subject’), such as name and phone number.

· Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. All processing of personal data is covered by the Personal Data Act and the Swedish Data Inspection authority monitors compliance with the law.

· Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data and that this is done in accordance with the General Data Protection Regulation.

· Personal data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

· Lawfulness of processing: Processing is necessary for the performance of a contract to which the data subject is party.

The personal data processed and stored under 21st Century Mobile's responsibility is handled in a safe and secure manner. We have established and documented routines and procedures to ensure people's integrity and the accessibility and confidentiality of data, in accordance with applicable legislation. Personal data is stored by 21st Century Mobile only for the time necessary to fulfil the purposes specified in this Privacy Policy, or if required by law or regulation.

Privacy Policy 21st Century Mobile

Rights

Below we highlight some of the rights that persons have under the GDPR. A person who wishes to invoke one of these rights should first contact the Data Controller (the dental clinic). 21st Century Mobile's commitment is, at the request of the Data Controller, to ensure compliance with this request.

Necessary processing of personal data and processing based on consent

Personal data processing that is necessary (legal basis) for us to fulfil agreements with our customers as a data processor, or for us to comply with a legal obligation, is carried out without the consent of the individual. We therefore assume that the person has given his or her consent to the processing of personal data when using our customer’s service or product.

Withdrawal of consent

A data subject can at any time choose to withdraw consent by contacting his/her dental clinic or by sending us an email at gdpr@21st.se. If someone withdraws his/her consent, we will delete the personal data and terminate the processing covered by the consent. It may occur that the same personal data is processed both with the support of consent and based on necessity or with the support of other rules.

Right to be informed about processed personal data

If the data subject wants information about what kind of data we have, he or she can send a written application:

In the first place, by contacting the Controller.

Secondly, by sending an email to gdpr@21st.se; in that case we will contact the Controller and only after written approval send the information to the data subject.

Registry extracts are provided on request and are free of charge once a year. Note that a request must be sent in writing as it must contain the person's signature.

Right to control of personal data

A data subject has the right to have personal data concerning him or her rectified, complemented or erased. The data subject also has the right to request that the processing of personal data should be limited to certain purposes.

Storage period

We save personal data as long as it is required for the purpose of the processing, which usually means as long as the personal data has a purpose for our customer. Unless otherwise stated, data is stored for a maximum of two (2) years if the data subject has not agreed that the data can be stored longer.



Legal obligation or other legal basis

Processing of personal data may also take place to fulfil obligations according to laws and regulations, for example regarding security, accounting, quality registers or patient records. This can be done either as personal data or as unidentified data.

To whom we disclose data

We may disclose people's data to subcontractors who process data on our behalf. This may mean that they also have access to certain information about the data subject. However, these parties may not use data about the person for any other purpose than to provide the service or on the terms that we specify.

Transfers of personal data to third countries

21st Century Mobile may have a part of its activity in countries outside of Sweden or the EU/EEA (so-called “third countries”). If, in order to provide the service to our customer, we transfer data to a supplier in such a third country, we take appropriate precautions and ensure that the transferred data is handled according to the applicable law.

There are countries that the European Commission has decided comply with the required level of privacy protection. In addition, we regularly write contracts with our suppliers stating that they must apply the clauses that the EU Commission has approved for the protection of personal privacy.

Changes to the policy
All changes in the Policy are communicated via the Website or in some cases via e-mail.

Contact details
Contact us at gdpr@21st.se for questions or other comments in relation to our Policy or our processing of personal data. You can also call us during office hours at +46 (0) 8 21 21 55.

Privacy Policy 21st Century Mobile AM Vers:2018 01 20