Explanation of GDPR roles for Health Group's services

Link to joint data responsibility agreement

Link to data processing agreement

Under the GDPR (General Data Protection Regulation), it is important to identify and clarify the roles of either controller, processor or joint controller, especially when it comes to processing personal data.

It should be noted that the final assessment of which role applies to the individual services must be based on the specific agreement between Health Group and the customer in question. The following is a general assessment based on the general way in which the services are provided and must be reassessed when adapting the service.

When assessing the general services provided by Health Group, the following grouping can be made:

Health Group as data controller

In this role, the Health Group determines the purposes and means of processing personal data.

If the customer, typically the workplace, chooses to create employees at Health Group via master data, the personal data will be disclosed to Health Group. This may, for example, be a list of names, email addresses, phone numbers, departments and other "tags" of the employees who are to receive the services. This transfer is not considered to be a data processing on your behalf, but a transfer from you as data controller to Health Group as data controller for the purpose of creating correct user accounts for the employees for the services you have ordered.

The legal basis for you as a workplace will be Section 12(1) or (2) of the Danish Data Protection Act if you provide the services to employees as part of a collective agreement or GDPR Art.6(1)(f) "balancing of interests rule" if you provide the services to employees as part of your occupational health and safety program.

Health Group will then carry out the duty of disclosure to the data subject (employee) and ensure a valid legal basis for processing (usually consent).

Here, the following services can fall under this category:

Health check

At Health Group, we offer health checks focused on improving the lifestyle and health of your company's employees.

A Health Group health check includes, among other things

• Health screening containing questions about employee health, well-being and motivation.
• Physiological measurements - including cholesterol, body fat percentage, blood sugar, fitness levels, etc.
• A motivational interview with a focus on personal goals.
• Follow-up via conversation and health portal.
• The company receives a detailed anonymized report of average results.

Health Groups is the data controller as Health Group defines the questions in the health screening and the health consultant together with the employee defines the further course of action.

Health Group is responsible for the IT operation of DigiHealth, including ongoing operation and development of the solution, decisions on what personal data is necessary to process to ensure a good experience, disclosure requirements, obtaining any consent, cyber security, etc.

Psychological crisis counselling

Health Group provides help within 24 hours through our nationwide network of crisis psychologists. Any employee may find themselves in a situation where professional help may be needed to deal with work or family issues.

The service is provided by Health Group, which is responsible for the choice of authorized psychologist, cf. the Psychologist Act.

Health Group is the data controller for the treatment that takes place up to the time of referral to the psychologist (mediation), which takes place through direct contact between the individual employee and the crisis network of psychologists, after which the individual psychologist is the data controller for the further course of treatment, including record keeping, cf. Executive Order on licensed psychologists' duty to keep proper records.

If the employer wants information back, e.g. a report, it is obtained directly from the psychologist based on consent between the workplace and the employee.

Ergonomic review

Health Group ensures that the physical working conditions are organized in a way that gives employees the best conditions to avoid pain and discomfort - and in the worst case scenario, long-term injuries. Our physiotherapist will visit your workplace to go through specific exercises, set up workstations and advise on healthy work and lifestyle habits. The review can also be done online if preferred.

Health Group is the data controller for the treatment that takes place up to the time of the referral to the physiotherapist (dissemination), after which the individual physiotherapist is the data controller as an authorized healthcare professional under the Authorization Act and makes decisions about which personal data that is necessary to process, including any record keeping, cf. Journalføringsbekendtgørelsen.

Health Group is responsible for the IT operation of DigiHealth, including ongoing operation and development of the solution, decisions on what personal data is necessary to process to ensure a good experience, disclosure requirements, obtaining any consent, cyber security, etc.

Online training

Health Group offers competent and energetic trainers who are aligned with your company's training goals. They are trained to guide and scale online exercises so that everyone can participate regardless of level and will put their heart and soul into motivating all employees. The online training takes place through your preferred online communication platform, such as Teams or Zoom, and can be set up as either open links or an invitation in the employee's calendar.

Health Group is the data controller, as it is Health Group's trainers who interact with employees and choose which personal data is necessary to process to ensure a good training program, taking into account each employee's individual needs.

Combination treatment

Health Group's combination therapy involves 4 elements:

• Hands on

Manual therapy. Joint manipulations, physiotherapy massage, acupuncture, kinesiology, etc.

• Information and advice

Information and advice on injury prevention, health and injury insight, as well as a motivational talk with all employees.

• ergonomics

Ergonomic review and adjustment of each workstation to prevent pain and injury.

• Training

Exercise therapy and exercise guidance either at home, in the gym or with your physiotherapist.

Health Group is the data controller for the treatment that takes place up to the time of the referral to the physiotherapist (dissemination), after which the individual physiotherapist is the data controller as an authorized healthcare professional under the Authorization Act and makes decisions about which personal data that is necessary to process, including any record keeping, cf. Journalføringsbekendtgørelsen.

Health Group is responsible for the IT operation of DigiHealth, including ongoing operation and development of the solution, decisions on what personal data is necessary to process to ensure a good experience, disclosure requirements, obtaining any consent, cyber security, etc.

Process consultation

Health Group A/S organizes and implements a wide range of activities and processes aimed at a specific business need. Our process consultant works professionally to balance our customers' business growth with the personal development of managers and employees.

Most often, Health Group's data responsibility will be limited to the time the process consultant starts the assignment. Prior to this, Health Group will, in agreement with the customer, disclose anonymized data in the form of APV or MTU (employee satisfaction survey) results.

Psychomotor therapy - Relaxation treatment

The basic form of treatment performed in Health Group's 'Relaxation Treatment' concept is psychomotor therapy. Psychomotor therapy is an evidence-based treatment concept that ensures better interaction between body, mind and health

Relaxation Treatment should be seen as a counterpart to other therapeutic treatments such as physiotherapy. However, the difference is that the employee does not necessarily have to have musculoskeletal pain to receive Relaxation Treatment. It can be employees who have high levels of stress or need to find calm through relaxation exercises. It can also be employees who experience physical challenges such as muscular tension, recurring headaches or heart palpitations.

Health Group's processors make decisions about which personal data is necessary to ensure a good therapy and thereby Health Group becomes the data controller.

Health Group is responsible for the IT operation of DigiHealth, including ongoing operation and development of the solution, decisions on what personal data is necessary to process to ensure a good experience, disclosure requirements, obtaining any consent, cyber security, etc.

Company Fitness

Health Group offers Company Fitness which includes solutions for all forms of physical activity that can take place in the workplace, i.e. everything from setting up and running new or existing gyms to active breaks, personal training, group classes, etc.

Personal training and classroom sessions are delivered by skilled and energetic trainers who are aligned with your company's training goals. They are trained to guide and scale exercises so that everyone can participate at any level and will put their heart and soul into motivating all employees.

Health Group is the data controller, as it is Health Group's trainers who interact with employees and choose which personal data is necessary to process to ensure a good training program, taking into account each employee's individual needs.

Health Group is responsible for the IT operation of DigiHealth, including ongoing operation and development of the solution, decisions on what personal data is necessary to process to ensure a good experience, disclosure requirements, obtaining any consent, cyber security, etc.

As part of the solution, access to the MyWelness app from Technogym can also be provided, in which case Health Group has entered into a data processing agreement with Technogym.

Company Massage

Health Group's massage therapist decides which personal data is necessary to process in order to ensure a good massage treatment and thereby Health Group becomes the data controller.

Health Group is responsible for the IT operation of DigiHealth, including ongoing operation and development of the solution, decisions on what personal data is necessary to process to ensure a good experience, disclosure requirements, obtaining any consent, cyber security, etc.

Health checks for night workers

The health check must be offered to all employees who perform at least three hours of their daily work between 22:00 and 05:00 or who work at least 300 hours during this time within a 12-month period.

The GDPR assessment is the same as the health check.

Health Group as a data processor

In this role, Health Group only processes personal data on behalf of a data controller who determines the purposes and means of processing personal data.

In this situation, the customer, typically the workplace, will enter into a data processing agreement with Health Group containing precise instructions on the data processing to be carried out. The customer will be responsible for a clear legal basis for the processing and will otherwise have the majority of the obligations under the GDPR.

As a starting point, Heath Group's services do not fall into this category, but special agreements with you may mean that we are a data processor and in these cases we enter into a data processing agreement with you.

Health Group and the customer have joint data responsibility

In this role, both the controller and the processor share responsibility for some aspects of the data processing. A joint data responsibility agreement is signed based on the template from the Danish Data Protection Agency where the responsibilities are divided.

Here, the following services can fall under this category:

Workplace assessment

The starting point for the processing of personal data is a complete solution where Health Group has designed the questionnaire and thus defines which personal data is to be processed and the purposes for which the data is collected, e.g. overall quality assurance of the APV survey.

As the customer participates in the decision to adapt questions, including whether to change the question framework and whether to add extra questions to meet any CSR requirements (e.g. diversity hiring and well-being), it will generally be a joint responsibility between Health Group and the customer.

Health Group is responsible for the IT operation of the IT system DigiHealth, including ongoing operation and development of the solution, decisions on which personal data is necessary to process to ensure a good experience, disclosure requirements, obtaining any consent, cyber security, etc.

In some cases, an alternative IT system Enalyzer may be used. Enalyzer is used in agreement with the customer in the event that DigiHealth is not found to be compatible with the customer's needs.

Well-being survey

A well-being survey will most often be based on Health Group's standard questionnaire, with which Health Group defines which personal data is to be processed and for what purpose. As the customer will assist with customization/addition of questions, the starting point will be a joint data responsibility between Health Group and the customer.

Health Group is responsible for the IT operation of the IT system DigiHealth, including ongoing operation and development of the solution, decisions on which personal data is necessary to process to ensure a good experience, disclosure requirements, obtaining any consent, cyber security, etc.

In some cases, an alternative IT system Enalyzer may be used. Enalyzer is used in agreement with the customer in the event that DigiHealth is not found to be compatible with the customer's needs.