Data policy



The following describes how Medical Certificates, Thorndyke and Ball, org No. 559046-0084 ("MI" or "we") process your personal data. Although our main business is to issue medical certificates, and not provide care, we follow the same regulations as traditional healthcare providers. In order to issue medical certificates, we need to collect information about your health, both your previous illnesses, medicines and surgeries, as well as current status in the form of physical examination. All this information is particularly sensitive and it is important to us that you have confidence in how we handle this data. We are responsible for our processing of your personal data.






The personal data we collect directly from you includes your name, social security number, contact details and information about your health. We receive this information partly through questions to you and partly through physical examination. Please note that information that appears by email, physical mail or telephone will also be recorded, if it has medical relevance.




There are four scenarios where we can get information about you and your health from another party:

  1. When we order additional medical examinations, such as blood tests, X-rays, ultrasounds, work samples. The results of these surveys we will save in our systems.
  2. When another healthcare provider remits you to us, we will treat and save the referral documentation in our systems.
  3. Since we need additional information about a previous healthcare contact you have had, we will request medical records from this, but always only after your consent.
  4. Since we need information about conditions at your workplace, we will contact your employer for this, but always only after your consent.





The main reason why we process your personal data is in order to be able to issue medically correct certificates and, where applicable, offer or guide you to the right care. A prerequisite for this is that we know your identity and state of health as thoroughly as possible. We should not process particularly sensitive data that does not contribute to safer care, including sexual orientation, religion, political affiliation and criminal history. Please note, however, that within these categories there are exceptions, where medical significance exists. For example, one's religious beliefs can prevent vaccinations and blood transfusions, and some violent, alcohol and drug crimes can be obstacles to certificates. In such cases, this information will be documented, despite the fact that it is extra sensitive in nature.



How we are to and may process your data is statutory in the Patient Data Act (SFS 2008:355) and the National Board of Health and Welfare's regulations and general advice on the record keeping and processing of personal data in healthcare (HSLF-FS 2016:40) and the Accounting Act (SFS – 1999:1078).




In order to administer compensation and accounting related to your contact with us, we must specify the measure in financial documents such as invoices and supporting documents.




In addition to the above, we can also handle information for statistical purposes for marketing purposes based on a balance of interests.




We may disclose your personal data:


  1. To you, if you so request, so that you may then pass them on.
  2. In response to a referral from another healthcare provider.
  3. To another healthcare provider who requests them, but always only after your consent.
  4. For financial administration. We take all available means to minimize the data we need to share for this purpose. This usually includes your name, social security number, type of certificate and type of examination, but never the results of examinations or medical assessments.
  5. External service providers of IT systems, for example, but only to the extent required.
  6. Competent authorities, such as the Swedish Transport Agency when issuing driving licence and maritime certificates.
  7. To your employer, but always only after your consent.




As a general rule, we do not disclose your personal data to parties/data processors located outside the EU/EEA, but should this happen, we guarantee that these parties live up to a high level of protection.




According to the Patient Data Act (SFS 2008:355), we have a legal obligation to keep your medical records for at least 10 years after the last entry in the document. Otherwise, we do not save your personal data for longer than it is needed for each purpose. We only process your personal data for marketing purposes as long as you are registered as a customer with us.




Below is a list of our external data processors, which we use to offer you our services:


Accounting software:

  1. Fortnox AB. Depending on the payment solution, names, social security numbers, type of certificate and type of surveys are stored.

Email provider:

  1. Svenska Domäner Hosting AB. Only if you send us an email. The information you send in the email will be stored.

Booking service:

  1. BokaMera AB. Only if you book your visit via the website. Your name, contact details and type of certificate are stored.

Issue of certificates:

  1. Webcert (Inera AB). Only when issuing driving licence and maritime certificates. The certificates in full are stored.

telephone exchange:

  1. wx3 Telecom AB. Only if you call us. Your phone number is stored.
  2. Kalix TELE 24 Limited liability company.  Only if you leave a message in the telephone exchange. The information you provide orally is stored.

Payment solution:

  1. iZettle AB. Only if you pay by card. Names, type of certificate and type of examination are stored.

Ordering samples and X-rays:

  1. InfoSolutions Sverige AB. Only if we order a lab/X-ray. Names, social security numbers and results of labs and X-rays are stored.


  1. Skandinaviska Enskilda Banken AB. Only if you pay with Swish. Your name and amount are stored.

Secure transmission of sensitive data:

  1. Tellus Talk AB. Only when we need to send you sensitive information, such as medical certificates and other information about your health. The messages are linked to your Social Security number and you must log in with BankID to read them. No one but you can read them.



As a data subject, you have a number of rights, partly to ensure that we process your personal data correctly and partly to ensure that you have access to your personal data. These are the right to:

  1. Get information about what personal data we process and for what purpose.
  2. Get information about who receives the personal data.
  3. Request correction of incorrect or incomplete data. Please note that according to the Patient Data Act (SFS 2008:355), we are not allowed to delete any data.
  4. Withdraw any consent.
  5. Submit a complaint to the Swedish Data Protection Authority.
  6. Oppose direct marketing.



If you have questions about or wish to complain about our processing of your personal data or wish to exercise your rights as a data subject, you are welcome to contact us.


We will receive your questions on weekdays from 08:00 to 16:00.