Link tothe agreement regarding joint data control
Link tothe Data ProcessingAgreement
Under the GDPR (General Data Protection Regulation), it is important to identify and clarify the roles of data controller, data processor, or joint controller, particularly when it comes to the processing of personal data.
It should be noted that the final determination of the specific role of each service must be based on the specific agreement between Health Group and the customer in question. The following is a general assessment based on the standard manner in which the services are provided and must be reviewed when the service is modified.
When evaluating the standard services offered by Health Group, the following categories can be identified:
In this role, the Health Group determines the purposes and means of processing personal data.
If the customer—typically the workplace—chooses to register employees with Health Group via master data, this will constitute atransfer ofpersonal data to Health Group. This may include, for example, a list containing names, email addresses, phone numbers, departments, and other “tags” for the employees who are to receive the services. Thistransferis not considered data processing on your behalf, but rather a transfer from you, as the data controller, to Health Group, as the data controller, for the purpose of enabling us to create correct user accounts for the employees for the services you have ordered.
The legal basis for you as an employer will be Section 12(1) or (2) of the Data Protection Act, provided that you provide the benefits to employees as part of a collective agreement, or Article 6(1) of the GDPR(f) the “balancing of interests” rule, provided that you provide the services to employees as part of your workplace health and safety program.
Health Group will then fulfill its duty to inform the data subject (the employee) and ensure a valid legal basis for processing (most often consent).
The following services may fall under this category:
Health Check
At Health Group, we offer health screenings designed to improve the lifestyle and health of your company’s employees.
A health checkup at Health Group includes, among other things:
Health Groups is the data controller, as Health Group determines the questions in the health screening, and the health consultant, together with the employee, determines the next steps. Health information from health screenings for night workers is retained for 40 years in accordance with Danish Working Environment Authority Executive Order No. 1165.
Health Group is responsible for the IT operations of DigiHealth, including the day-to-day operation and development of the solution, decisions regarding which personal data must be processed to ensure a positive user experience, privacy notices, obtaining consent where necessary, cybersecurity, and so on.
Psychological crisis support
Through our nationwide network of crisis psychologists, Health Group provides assistance within 24 hours. All employees may find themselves in a situation where they need professional help to cope with work-related or family issues.
The service is provided by Health Group, which is responsible for selecting a licensed psychologist in accordance with the Psychologists Act.
Health Group is the data controller for the processing that takes place up to the point of referral to the psychologist (the referral process), which occurs through direct contact between the individual employee and the crisis network of psychologists; thereafter, the individual psychologist is the data controller for the remainder of the treatment process, including record-keeping, cf. the Executive Order on the Duty of Licensed Psychologists to Maintain Orderly Records.
If the employer requests information, such as a report, it is obtained directly from the psychologist based on an agreement between the workplace and the employee.
Ergonomic Review
Health Group ensures that physical working conditions are designed in such a way that employees are in the best possible position to avoid pain and discomfort—and, in the worst-case scenario, long-term injuries. Our physical therapist will visit your workplace to demonstrate specific exercises, adjust workstations, and provide advice on healthy work and lifestyle habits. The session can also be conducted online if preferred.
Health Group is the data controller for the processing that takes place up until the time of referral to the physical therapist (the referral), after which the individual physical therapist becomes the data controller, as a licensed healthcare professional under the Authorization Act and makes decisions regarding which personal data is necessary to process, including any record-keeping, cf. the Record-Keeping Order.
Health Group is responsible for the IT operations of DigiHealth, including the day-to-day operation and development of the solution, decisions regarding which personal data must be processed to ensure a positive user experience, privacy notices, obtaining consent where necessary, cybersecurity, and so on.
Online training
Health Group provides skilled and energetic instructors who tailor their training to your company’s goals. They are trained to guide and adapt exercises online so that everyone can participate regardless of their fitness level, and they are dedicated to motivating all employees. The online training takes place via your preferred online communication platform, such as Teams or Zoom, and can be set up as either open links or an invitation in employees’ calendars.
Health Group is the data controller, as it is Health Group’s instructors who interact with employees and determine which personal data needs to be processed to ensure a successful training program, taking into account each employee’s individual needs.
Combination therapy
Health Group's combination therapy consists of four elements:
Manual therapy. Joint manipulation, physiotherapy massage, acupuncture, kinesiology, etc.
Information and advice on injury prevention, health, and injury awareness, as well as a motivational discussion with all employees.
Ergonomic assessment and adjustment of each workstation to prevent pain and injuries.
Exercise therapy and exercise guidance, either at home, in the gym, or with a physical therapist.
Health Group is the data controller for the processing that takes place up until the time of referral to the physical therapist (the referral), after which the individual physical therapist becomes the data controller, as a licensed healthcare professional under the Authorization Act and makes decisions regarding which personal data is necessary to process, including any record-keeping, cf. the Record-Keeping Order.
Health Group is responsible for the IT operations of DigiHealth, including the day-to-day operation and development of the solution, decisions regarding which personal data must be processed to ensure a positive user experience, privacy notices, obtaining consent where necessary, cybersecurity, and so on.
Process Consultation
Health Group A/S designs and implements a wide range of activities and processes tailored to the specific needs of each organization. Our process consultant works professionally to strike a balance between our clients’ business growth and the personal development of managers and employees.
In most cases, Health Group’s data responsibility will be limited to the point at which the process consultant begins the assignment. Prior to this, Health Group will, upon agreement with the client, disclose anonymized data in the form of APV or MTU (employee satisfaction survey) results.
Psychomotor therapy – Relaxation therapy
The core treatment method used in Health Group’s “Relaxation Treatment” program is psychomotor therapy. Psychomotor therapy is an evidence-based treatment approach that promotes better harmony between the body, mind, and health
Relaxation Treatment should be viewed as a complement to other therapeutic treatments, such as physical therapy. The difference, however, is that employees do not necessarily need to be experiencing musculoskeletal pain to receive Relaxation Treatment. This may include employees who experience high stress levels or need to find calm through relaxation exercises. It may also include employees who experience physical challenges, such as muscle tension, recurring headaches, or heart palpitations.
Health Group’s practitioners determine which personal data is necessary to ensure effective therapy, and as a result, Health Group acts as the data controller.
Health Group is responsible for the IT operations of DigiHealth, including the day-to-day operation and development of the solution, decisions regarding which personal data must be processed to ensure a positive user experience, privacy notices, obtaining consent where necessary, cybersecurity, and so on.
Corporate Fitness
Health Group offers Corporate Fitness, which includes solutions for all types of physical activity that can take place in the workplace—ranging from the setup and operation of new or existing fitness facilities to active breaks, personal training, group classes, and more.
Personal training and group classes are led by qualified and energetic instructors who tailor the sessions to your company’s fitness goals. They are trained to guide participants and adapt exercises so that everyone can participate, regardless of their fitness level, and they are fully committed to motivating all employees.
Health Group is the data controller, as it is Health Group’s instructors who interact with employees and determine which personal data needs to be processed to ensure a successful training program, taking into account each employee’s individual needs.
Health Group is responsible for the IT operations of DigiHealth, including the day-to-day operation and development of the solution, decisions regarding which personal data must be processed to ensure a positive user experience, privacy notices, obtaining consent where necessary, cybersecurity, and so on.
As part of the solution, access to Technogym’s MyWellness app may also be provided; in this regard, Health Group has entered into a data processing agreement with Technogym.
Corporate Massage
Health Group's massage therapists determine which personal data is necessary to process in order to provide a quality massage treatment, and as a result, Health Group becomes the data controller.
Health Group is responsible for the IT operations of DigiHealth, including the day-to-day operation and development of the solution, decisions regarding which personal data must be processed to ensure a positive user experience, privacy notices, obtaining consent where necessary, cybersecurity, and so on.
Health checkups for night shift workers
Health examinations must be offered to all employees who perform at least three hours of their daily work between 10:00 p.m. and 5:00 a.m., or who work at least 300 hours during this time period within a 12-month period. Health examinations for night workers are required by law, and employees must be offered a free health examination before they begin night work, and thereafter at regular intervals of less than three years.
A health checkup at Health Group includes, among other things:
A health screening that includes questions about employees' health, well-being, and motivation.
The company receives a detailed, anonymized report on average results.
Health Groups is the data controller, as Health Group defines the questions in the health screening, and the health consultant, together with the employee, determines the next steps. Health checkups for night shift workers. Health information from health checkups for night shift workers is retained for 40 years in accordance with the Danish Working Environment Authority’s Executive Order No. 1165.
Health Group is responsible for the IT operations of DigiHealth, including the day-to-day operation and development of the solution, decisions regarding which personal data must be processed to ensure a positive user experience, privacy notices, obtaining consent where necessary, cybersecurity, and so on.
In this role, Health Group processes personal data solely on behalf of a data controller, who determines the purposes and means of processing personal data.
In this situation, the customer—typically the workplace—will enter into a data processing agreement with Health Group that includes precise instructions regarding the data processing to be performed. The customer will be responsible for ensuring a clear legal basis for the processing and will also bear the majority of the obligations under the GDPR.
Generally speaking, Heath Group’s services do not fall into this category; however, specific agreements with you may result in us acting as a data processor, in which case we will enter into a data processing agreement with you.
In this role, both the data controller and the data processor share responsibility for certain aspects of data processing. An agreement on joint data control is entered into based on the template provided by the Danish Data Protection Agency, in which responsibilities are allocated.
The following services may fall under this category:
Workplace Assessment
The basis for the processing of personal data is a comprehensive solution in which Health Group has designed the questionnaire and thus determines what personal data is to be processed and for what purposes the data is collected, such as overall quality assurance of the APV survey.
Since the client is involved in decisions regarding the customization of questions—including whether to modify the questionnaire framework and whether to add additional questions to meet any CSR requirements (e.g., diversity in hiring and workplace well-being)—this will generally be a shared responsibility between Health Group and the client.
Health Group is responsible for the IT operations of the DigiHealth system, including the day-to-day operation and development of the solution, decisions regarding which personal data must be processed to ensure a positive user experience, privacy notices, obtaining consent where necessary, cybersecurity, and so on.
In some cases, an alternative IT system called Enalyzer may be used. Enalyzer is used by agreement with the customer in cases where DigiHealth is not compatible with the customer’s needs.
Employee Satisfaction Survey
A well-being survey will typically be based on Health Group’s standard questionnaire, which Health Group uses to define what personal data is to be processed and for what purpose. Since the client will assist with customizing or adding questions, the starting point will be joint data control between Health Group and the client.
Health Group is responsible for the IT operations of the DigiHealth system, including the day-to-day operation and development of the solution, decisions regarding which personal data must be processed to ensure a positive user experience, privacy notices, obtaining consent where necessary, cybersecurity, and so on.
In some cases, an alternative IT system called Enalyzer may be used. Enalyzer is used by agreement with the customer in cases where DigiHealth is not compatible with the customer’s needs.
