Data protection statement under the EU General Data Protection Regulation

 

The following information provides an overview of our processing of personal data and our customers’ rights under data protection law. What specific data are processed and how they are used largely depends on the specific services that are utilized.

Please also share the information with current and future authorized representatives and those with financial authority, as well as any others obligated under business relationships with us.
 
 

I. Controller for data protection and Data Protection Officer

The controller is:

plus medica Nordic AB

Lövskogsvägen 12

70376 Örebro

Sweden

Tel.: +46 70 588 70 91

gzivkovic@plusmedica.se

www.plusmedica.se

 

You can reach our Data Protection Officer at:

plus medica Nordic AB

Lövskogsvägen 12

70376 Örebro

Sweden

Tel.: +46 70 588 70 91

E-mail: dataprotection@plusmedica.se

 
 

II. Sources and data used

1. Personal data

We process personal data which we receive from our customers in the course of our business relationship. Where necessary, we also process personal data which we have lawfully received from other companies or other third parties (e.g., to carry out orders, satisfy agreements, or based on consent given). In addition, we process personal data which we have lawfully received from publicly available sources (e.g., land registers, commercial registers, business registers, press, media, Internet) and are permitted to process.

Relevant personal data may include:
Name, address and other contact information (telephone, e-mail address), date of birth, place of birth, sex, nationality, marital status, legal competence, professional group key, type of partner (dependent/independent), residential status (rent/own), identification information, authentication information, taxpayer ID, SCHUFA score.

In addition to the data named above, other personal data may be collected, processed, and stored when concluding agreements and using our products or services. Such data essentially include: …..

 

2. Anonymized data
When you visit this website, information regarding your IP address, the time and date of access, the previously visited website (referrer URL), the type and version of browser used, and the operating system version is collected, stored, and utilized for statistical analysis purposes. These collected data are anonymized and used exclusively to optimize our website and for statistical analysis. We reserve the right to create pseudonymized usage profiles.

 
 
3. Cookies and access data
Cookies are text files that are stored on your hard drive for a certain length of time when visiting a website or accessing a service (such as a plug-in). If you visit the website again, the cookie notifies the server that there was already a connection with that PC, along with other data stored in the cookie (such as a unique cookie ID). The server can make use of the information so obtained. Cookies are intended to control ad displays or improve navigation on the website.

We use cookies on our website to optimize presentation and so that we can offer certain services (including from third parties, see item 5). You can restrict or prevent the use of cookies through your browser settings. Please note that some of the website functions will then be limited or no longer be available.

By using our website you give your consent for the collection, processing, and utilization of your data in the described manner and for the named purpose, including by the indicated third-party providers.

 
 
4. Third-party services and content
It is possible for third-party content to be integrated, for instance videos on YouTube, map information from Google Maps, or graphics from other websites.

This always requires that the providers of that content (referred to hereinafter as “third-party providers”) see the user’s IP address, since without the IP address the content cannot be sent to the particular user’s browser. The IP address is therefore required for presentation of this content. We have no control over whether the third-party providers store your IP address and other information (e.g., for statistical purposes). Please see the data protection information of the various listed third-party providers for this information.

Third-party providers may be replaced over the course of time; likewise, third-party providers may be removed or added. The respective published version of the data protection statement applies at all times.
 
 

III. Purpose of data processing and legal basis

We process the personal data named above in conformance with the provisions of the EU General Data Protection Regulation (GDPR):

1. To satisfy contractual obligations (GDPR Art. 6 [1] [b])
Personal data are processed in order to provide goods and services in connection with implementing our agreements with our customers or to carry out pre-contractual steps in response to inquiries by our customers.

The purpose of the data processing depends on the concrete contractual conditions concerning goods and services, and may include needs analysis, consulting, and performing contractually agreed services, among other things. Further details on the purpose of the data processing can also be found in the particular contractual documents and terms and conditions.

2. In the course of weighing different interests (GDPR Art. 6 [1] [f])

If necessary, we also process data beyond actual fulfillment of the agreement in order to preserve our justified interests or those of third parties. For example:

  • Consultations from and exchange of data with information bureaus
  • Procedures for needs analysis and direct customer messaging
  • Advertising or market and opinion research, unless the customer objects
  • Asserting claims and defense in legal disputes
  • Ensuring IT security and IT operations in our company
  • Preventing criminal activity
  • Building and plant security measures (e.g., access controls)
  • Steps to enforce property rights
  • Steps for business control and further development of services and products
  • Risk control in the corporate group

3. Based on consent given (GDPR Art. 6 [1] [a])

Where we have been given consent to process personal data for certain purposes (e.g., sharing data within the corporate group), the lawfulness of such processing is based on the consent. Once given, consent may be revoked at any time. This also applies to revoking statements of consent given to us before the EU General Data Protection Regulation took effect, i.e., before May 24, 2018. Note that the revocation is only effective for the future. It does not affect processing that occurred before the revocation. A status summary of consent statements given to us can be requested at any time.

4. Based on legal requirements (GDPR Art. 6 [1] [c]) or in the public interest (GDPR Art. 6 [1] [e])
We also process personal data where required by law. This includes such requirements as age and identity verification, fraud and money laundering prevention, fulfilling tax controlling and reporting requirements, and evaluating and controlling risks in our own company.
 
 

IV. Data access and sharing

Within our company, those offices that need data in order to satisfy our contractual and legal obligations have access to them. Service providers and agents we use may also receive data for these purposes if they conform to our written data protection instructions. These are largely companies in the categories listed below.

 

We fundamentally treat the data we collect as confidential. We will share information about our customers and their data only if legal regulations require it, the customer has given consent, or commissioned processors we hire guarantee compliance and conformity with the specifications of the EU General Data Protection Regulation.

 

On these conditions recipients of personal data may, for instance, include:

  • Public offices and institutions such as financial regulatory agencies if there is a legal or regulatory requirement
  • Affiliated enterprises, comparable institutions, and commissioned processors with whom we share personal data to conduct the business relationship with our customers. Specifically: support/maintenance of data processing/IT applications, archiving, document processing, call-center services, compliance services, controlling, data screening, data destruction, purchasing/procurement, collection, customer management, lettershops, marketing, media technology, reporting, research, risk controlling, billing, telephony, website management, financial auditing services, payment processing.

 

Data recipients may also include offices for which we have received consent to share data.
 
 

V. Sending data to third countries or international organizations

Data are transmitted to countries outside the EU or EEA (so-called third countries) only when this is necessary in order to carry out orders we receive, when it is legally required (e.g., tax reporting requirements), when we were given consent, or as part of commissioned data processing. If service providers are used in the third country, they are required to conform to the level of data protection in Europe through agreement of the EU standard contracting clauses in addition to written instructions.
 
 

VI. Length of data storage

We process and store personal data as long as necessary for fulfillment of our contractual and legal obligations. That may be a period of several years in case of long-term obligations.

 

If the data are no longer needed for fulfilling contractual or legal obligations, they are regularly deleted unless it is necessary to continue processing them for a limited time for the following purposes:

  • To satisfy storage requirements under commercial or tax law, for instance the commercial code, fiscal code, money laundering law, etc. The storage and documentation periods specified there range from two to ten years.

 
 

VII. Data protection rights of data subjects

Each data subject has a right of information under GDPR Art. 15, the right of correction under GDPR Art. 16, the right of deletion under GDPR Art. 17, the right to restrict processing under GDPR Art. 18, the right to object under GDPR Art. 21, and the right of data portability under GDPR Art. 20.

 

Once given to us, consent to process personal data may be revoked at any time. This also applies to revoking statements of consent given to us before the EU General Data Protection Regulation took effect, i.e., before May 24, 2018. Note that the revocation is only effective for the future. It does not affect processing that occurred before the revocation.
 
 

VIII. Duty to make data available

As part of a business relationship, the customer must make the personal data available which we need to begin and implement a business relationship and meet the associated contractual obligations, or which we are legally required to collect. Without such data we must reserve the right to decline to conclude the agreement and carry out an order, or to stop implementing and possibly terminate an existing agreement.

 

Particularly under legal regulations to combat money laundering, there may be a requirement to identify our customers and business partners before establishing a business relationship, for instance using the personal ID card, and to collect and record the name, date and place of birth, nationality, and home address. To satisfy this type of legal obligation, our customers are required by Section 4 (6) of the Money Laundering Act to make the necessary information and documents available to us and to promptly notify us of any changes occurring in the course of the business relationship.
 
 

IX. Automated decision-making

Pursuant to GDPR Art. 22 we fundamentally do not use a fully automated decision-making process when establishing and implementing the business relationship. If we use such methods in an individual case, we will give separate notice in advance where required by law.
 
 

X. Profiling

We process data in a partially automated process with the goal of rating certain personal aspects (profiling).

 

For instance, we use profiling in the following cases:

  • Based on legal requirements, for instance to combat money laundering and fraud. Data analysis may also be performed in the process (including payment transactions); such steps also serve to protect our customers.
  • We use analysis instruments to provide targeted information about products and for consulting. These allow communication and advertising appropriate for the need, including market and opinion research.

 
 

XI. Right of objection under GDPR Art. 21

1. Right of objection for an individual case
You have the right to object, due to reasons resulting from your special situation, to the processing of personal data relating to you that is performed on the basis of GDPR Art. 6 (1) (e) (Data processing in the public interest) and GDPR Art. 6 (1) (f) (Data processing on the basis of weighing different interests); this also applies to profiling based on this provision within the meaning of GDPR Art. 4 (4).

If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling reasons requiring protection for the processing that outweigh your interests, rights, and freedoms, or unless the processing serves the purpose of asserting, exercising, or defending legal rights and claims.

 

2. Right of objection to data processing for advertising purposes
In individual cases we process your personal data in order to conduct direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct advertising.

If you object to the processing for direct advertising purposes, we will no longer process your personal data for those purposes.

The objection does not require a specific form and should be lodged by telephone if possible at telephone number +46 70 588 70 91, or alternatively may be filed in our offices.