POLICY FOR HANDLING PATIENT INFORMATION
On this day, 24/04/2024, the following policy has been drawn up for A3P Biomedical AB (publ.) (559252-9100) and its subsidiaries (“the company”).
Introduction
A3P Lab AB is a registered healthcare provider and thus the controller under EU data protection laws for the processing of personal data carried out within the framework of our healthcare provider activities. For the purposes of this Privacy Policy, “EU data protection laws” means all laws and regulations relating to the protection of personal data applicable in the EU, including e.g. Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
Adhering to this policy will enable the laboratory to protect patient privacy, ensure the secure handling of personal data, and maintain compliance with the General Data Protection Regulation.
Scope
This policy sets forth the procedures and guidelines governing the handling of patient information in accordance with the General Data Protection Regulation (GDPR). Our commitment to compliance ensures the protection of patient privacy and the secure management of personal data throughout its lifecycle.
This policy applies to all employees, contractors, and third parties who handle patient information.
Guidelines
Definitions
Personal data: Any information relating to an identified or identifiable natural person (data subject).
Data controller: The entity responsible for determining the purposes and means of processing personal data.
Data processor: The entity responsible for processing personal data on behalf of the data controller.
Data collection
The data collected encompasses both paper and digital referrals, and may include the following information:
Referral ID - mandatory
Birth year - mandatory
Birth date - optional
Patient ID - optional
First name - optional
Last name - optional
Address, postal code, city, country - optional
Biological sex at birth - optional
Phone - optional
Email - optional
This collection is based on consent. Upon receiving the referral and blood/plasma samples, we process the collected data to fulfill our contractual obligations.
Principles of data protection
Lawfulness, fairness, and transparency. Patient information must be processed lawfully, fairly, and transparently.
Purpose limitation. Patient information should only be collected and processed for specific, explicit, and legitimate purposes. Any further processing should be compatible with those purposes.
Data minimization. Only the minimum necessary patient information should be collected and processed to fulfill the intended purpose.
Accuracy. Patient information must be accurate, and reasonable steps should be taken to ensure that inaccurate information is corrected or deleted without undue delay.
Storage limitation. Patient information must be retained in a manner that allows for the identification of data subjects only for the duration necessary to fulfill the intended purpose.
Integrity and confidentiality. Patient information should be processed securely to maintain its integrity and confidentiality.
Lawful bases for processing
Consent. Patient consent should be obtained for processing their personal data, with clear information about the processing activities.
Legal obligation. Processing patient information may be necessary to comply with legal obligations imposed on the laboratory.
Vital interests. Processing patient information may be necessary to protect the vital interests of the data subject or another individual.
Contractual necessity. Processing patient information may be necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject before entering into a contract.
Legitimate interests. Processing patient information may be necessary for the legitimate interests pursued by the laboratory or a third party, provided that such interests are not overridden by the data subject's rights and freedoms.
Patient rights
Right to access. Patients have the right to access their personal data and obtain information about how it is processed.
Right to rectification. Patients have the right to request the correction of inaccurate or incomplete personal data.
Right to erasure. Patients have the right to request the erasure of their personal data under certain circumstances.
Right to restriction of processing. Patients have the right to request the restriction of processing their personal data in certain situations.
Right to data portability. Patients have the right to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another data controller.
Right to object. Patients have the right to object to the processing of their personal data based on legitimate interests or for direct marketing purposes.
Data security
Technical and organizational measures are implemented to ensure the security of patient information, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
A personal data incident is a security breach that results in the accidental or unlawful destruction, loss, or alteration of personal data, or in unauthorized disclosure of, or access to, personal data.
In case of suspected or detected data breaches, the laboratory promptly notifies the VP Operations, Quality Assurance & Regulatory Affairs, who then convenes the incident response team and activates the response plan.
It is our responsibility to report certain types of personal data incidents. A report must be made if the incident is likely to result in a risk to the rights and freedoms of individuals. It is therefore important to carefully assess each incident to determine whether it must be reported. The assessment is done by the incident response team.
Please note that the report to IMY (Integritetsskyddsmyndigheten, the Swedish Authority for Privacy Protection) must be made within 72 hours of discovering the incident.
Data sharing and third parties
Data Processing Agreements. When sharing patient information with third parties, Data Processing Agreements are established to ensure compliance with data protection regulations.
As part of our policy, we conduct due diligence on third parties and implement controls to assess their ability to protect patient information and to ensure compliance with data protection regulations and standards.
This process involves verifying the customer's adherence to data protection principles, assessing their data handling practices, and establishing contractual agreements outlining responsibilities and obligations regarding the handling and transfer of personal data.
Data retention
Retention period: Patient information should be retained for the minimum period necessary to fulfill the intended purpose or as required by legal or regulatory obligations.
Secure disposal: When patient information is no longer required, it should be securely disposed of, following the discard process, to prevent unauthorized access or disclosure.
Training and awareness
Training: All employees, contractors, and third parties handling patient information receive appropriate training on data protection and privacy practices.
Awareness: Annual GDPR training is conducted to reinforce the importance of protecting patient information and to update individuals on any changes to data protection policies.
Confidentiality: A confidentiality document is signed by all employees handling patient samples.
How you get in touch with us
If you have any questions or comments regarding the processing of your personal data, you can contact A3P or our Data Protection Officer at: privacy@a3p.com
Responsibility
This policy will be reviewed annually by the Board of Directors to ensure its ongoing suitability, effectiveness, and compliance with applicable data protection laws and regulations.