Privacy Policy

This statement is intended to explain how Drevelin Nordic collects, stores, and uses personal data. 

Purpose of Processing

The purpose of processing personal data is to receive orders from hospitals and forward these to the manufacturer, so that the ordered products can be produced and delievered in accordance with the order.

Personal Data Process

We only process a limited set of personal data:

  • Patient ID
  • Year of birth
  • In some cases: patient´s name

When the order is forwarded to the manufacturer in Argentina, only the Patient ID is sent. This cannot be tracked to the patient by unauthorized parties. 

Legal Basis for Proccessing

The processing of personal data is based on: 

  • GDPR Article 6(1)(f) – legitimate interest, to enable correct ordering and production.
  • GDPR Article 9(2)(h) – processing is necessary for purposes related to the provision of healthcare services (via hospital´s order).

How the Data is Shared

  • Hospital: Sends the order form to us.
  • Manufacturer in Argentina: Receives only the Patient ID. No directly identifiable information is transferred outside Europe.
  • Technical providers: We use Microsoft 365 for storage and processing of information. Microsoft provides data processing agreements in line with GDPR, including mechanisms for data transfers outside the EEA.

Transfer to Third Countries

The manufacturer is located in Argentina. Transfers of data take place in accordance with GDPR Chapter V. We only transfer pseudonymized data (Patient ID), which cannot be linked to the patient without information held exclusively by the hospital. The risk to patient privacy is therefor considered very low. 

Retention Period

We retain personal data for as long as necessary to fulfill the purpose of processing (administration of the order) and in accordance with applicable legal requirements. Data is deleted or anonymized when no longer needed. 

Your Rights

Patients have rights under the GDPR, including: 

  • Right of access, rectification, and erasure
  • Right to restriction of processing
  • Right to object
  • Right to data portability (where applicable)

Since the data is received from the hospital and pseudonymized before forwarding, in some cases we may refer requests directly to the hospital as the controller of the patient´s health data. 

Information Security

We have implemented technical and organizational measures to protect personal data against unauthorized access, alteration, loss, or disclosure. All processing takes place within secure systems, primarly Microsoft 365, with access control and ecryption.

Contact Us

If you have any questions about how we process personal data, you can contact us at: Info@drevelin.com

If you believe our processing violates data protection law, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or the relevant supervisory authority in your country.