Personal Data Protection


Privacy Policy for patients at Medical Office – GDPR


Handling of data

In connection with our examination, diagnosis and treatment of you as a patient, Medical Office ApS collects and handles a number of your personal data.

This Privacy Policy describes how Medical Office handles, uses, and shares your personal data.

Types of data                                    

Medical Office ApS collects and treats the following types of your personal data (when relevant for you):

General personal data:

  • Name, address, e-mail address, telephone number, personal identification number, gender, family and social relations, professional relations and education.

Special categories of personal data (“sensitive personal data”):

  • Medical data (e.g. medical files, test results, tests, x-rays, scan results, etc.), sexual relations, racial or ethnic origin as well as religious affiliation.


We handle your personal data for the following purposes:

  • Our examination, diagnostic and treatment of you
  • Preparation of medical certificates/reports
  • Preparation and issuing of certificates for the use of employers, authorities, organizations, insurance companies etc.
  • Communication with or reference to other healthcare professionals, doctors, hospitals or hospital laboratories.
  • Medicine prescription, including the issue of prescriptions
  • Payment purposes
  • To be in compliance with our obligations under applicable legislation, including the EU Data Protection Directive, the Data Protection Act and other relevant health legislation, such as:
    • Obligation to provide documentation
    • Compliance with basic principles for handling personal data and legal basis for the treatment
    • Implementation and maintenance of technical and organizational security measures, including but not limited to prevent unauthorized access to systems and data, to prevent receiving or distributing malicious code, to stop denial-of-service attacks and damage to computer systems and electronic communication
    • Investigation of suspicion or knowledge of security breaches and reporting to individuals and authorities.
    • Handling of queries and complaints from others.
    • Handling of inspections and queries from regulatory authorities.
    • Handling of disputes with third parties.
    • Statistical studies and scientific research.

Principle of voluntary action

When we collect personal data directly from you, you provide us with the data voluntarily. You are not required to provide us with your personal data. The consequence of not providing us with your personal data is that we cannot meet the above mentioned objectives which in some cases will mean that we cannot examine, diagnose or treat you.


In some cases, we collect personal data about you from other healthcare professionals, such as hospitals, referring doctor or by consulting electronic journal systems. We handle the received data in accordance with this Privacy Policy.

Sharing/transmittance of personal data

If required for the specific examination, diagnosis or treatment of you, your personal data will be shared with the following healthcare professionals/authorities:

  • Information is provided to other healthcare professionals if necessary for an ongoing treatment course.
  • Information is transmitted to other authorities, clinical quality databases, the Danish Vaccination Register, the Patient Safety Board, the Joint Medicine Card, the Police, Social Authorities, the Occupational Safety and Health Administration, in so far as may be required under applicable legislation.
  • As a patient you have access to your own data (self-access)
  • Upon referral of patients, data are transmitted to the healthcare professionals to whom the referral has been sent.
  • When reporting laboratory tests, the tests are transmitted to the hospital laboratories.
  • When payment for our services is paid by your company, your organization or an external company we pass on the relevant information to the relevant third party.
  • When issuing prescriptions, data are passed on to the Danish pharmacies and the Danish Medicines Agency via the prescription server.
  • In other cases, data are communicated to relatives or insurance companies.

Legal basis for handling and sharing of personal data

The legal basis for collecting, handling and sharing your personal data is:

  • For the purposes of ordinary patient treatment, personal data are collected, handled and transmitted pursuant to Article 6 (1) (c) and (d) of the Data Protection Regulation, while the sensitive personal data are collected, processed and transmitted pursuant to Article 9 (2) of the Data Protection Regulation ( c) and (h).
  • In addition, we are obliged to treat a number of personal data about you in the ordinary patient treatment in accordance with Chapter 6 of the Authorization Act, Executive Order on Healthcare Professionals’ records, especially sections 5-10, and Chapter 9 of the Health Act.
  • Health information for the use for further treatment upon referral of patients is shared in accordance with the rules of the Medical Care Act section 20-23 and the Health Act.
  • Reporting of laboratory tests to hospital laboratories is done in accordance with the guidelines in the Danish Health Authority’s guidance regarding handling of para clinical examinations pursuant to the Authorization Act.
  • Information for the use for settlement for patient treatment is sent once per month to the region’s clearings office in accordance with the provisions of the Agreement on Specialized Medical Assistance Section 49 and the Health Act.
  • Medicine orders on prescriptions are sent via the IT service recipient server in accordance with the provisions of the Health Act chapter 42 and the Order on Prescriptions and Dose Dispensing of Medicinal Products, Chapter 3 in particular.
  • Your personal data are transmitted only to insurance companies with your prior consent, cf. Article 6 (1) (a) and 9 (2) (a) of the Data Protection Act.
  • Your personal data are shared with your relatives only with your prior consent in accordance with section 43 of the Health Act.
  • In the case of deceased patients, certain personal data may be transferred to the deceased’s closest relatives, deceased general practitioner and the physician who treated the deceased according to the rules in section 45 of the Health Act.

Revocation of consent. If the handling of your personal data is based on your consent, you are entitled to revoke the consent. If you revoke consent, it does not affect your treatmentprior to revocation of consent, including any prior transmission of data based on your consent.

Use of data processors

Your personal data are handled and stored by our data processors, who keep them on behalf of us and in accordance withour instructions.  Our data processors are currently:

  • CompuGroup Medical Danmark A/S
  • Dansk Medicinsk Data Distribution – Webreq
  • Danish Shipping

Retention policy

We keep your personal data as long as needed in order to carry out the above-mentioned purposes. We are however obliged to keep these in minimum 10 years after the latest entry of data to your journal pursuant to Executive order on medical records. In some cases, we need to keep your personal data for a longer time of period e.g. in connection with a complaint or compensation case in which case the data will be kept until the case is finalised.

Your rights

You have – with the restrictions of the law – certain rights, including the right to access personal data, the right to change incorrect information, the right to delete information, the right to have information limited, the right to data portability, the right to object to the handling of personal data, including automatic, individual decision making (“profiling”).

You also have the right to appeal to a competent supervisory authority, including the Danish Data Protection Agency.


If you have questions regarding the handling of your personal data or the use of your rights, please contact us at

Medical Office ApS
Amaliegade 33
DK-1256 København K

1. udg – 23.05.2018