Privacy policy
medflow AS (hereinafter “we” or “medflow AS”) is committed to protecting and respecting the privacy of those who use our services. We consider it a priority that the handling of personal data complies with applicable laws and best practices.
The processing of personal data is carried out in accordance with the Norwegian Personal Data Act (personopplysningsloven) and the General Data Protection Regulation (GDPR).
This statement outlines how we collect, manage, and store personal data, and it applies to our two main activities:
Recruitment and staffing services
Clinical healthcare services
It also explains your rights as a data subject and how we work to protect your data.
medflow AS is the data controller responsible for the personal data processing activities described in this privacy statement.
1 – About medflow AS
medflow AS is headquartered at: Storgata 23, 2815 Gjøvik, Norway. Company registration number: 932 456 680.
Our services include the recruitment of doctors, nurses, and other healthcare professionals for permanent positions in Norway, as well as short- and long-term staffing services in the healthcare sector.
As a data controller, we are responsible for the proper management of your personal data.
2 – Processing of Personal Data at medflow AS
2.1 – How We Use Personal Data
2.1.1 – Recruitment and Staffing
We collect and process personal data as necessary for the following purposes:
Employment and recruitment administration: To manage employment and staffing matters.
Task and qualification assessment: To assess qualifications and suitability for specific positions or assignments, and to provide training or consultancy, or to establish employment or engagement.
Management and administration: To manage business risks, comply with legal obligations, and handle employment administration (e.g. payroll, tax information, performance monitoring).
Surveys and client contact: To conduct surveys, competitions, and other activities aimed at improving our services.
Profile records and updates: Information related to recruitment and staffing is stored in our CRM system (Webtemp). When a candidate registers, an approval form developed by our system provider, Websystemer AS, is sent (see also §5.3 – Data Processors).
Website data: We collect aggregated data from our website visitors (e.g. traffic data, location data) to improve the user experience and analyze site performance.
2.1.2 – Health Data and Medical Treatment
In the context of healthcare-related tasks, we may process personal data necessary for our employees to provide appropriate healthcare. This includes information obtained from you, other healthcare institutions, or medical examinations.
Legal basis for processing:
Performance of a contract (GDPR Art. 6(1)(b))
Legal obligations (GDPR Art. 6(1)(c))
Provision of healthcare services (GDPR Art. 9(2)(h))
We ensure that your personal data is processed in accordance with applicable laws and only retained for as long as necessary for the relevant purpose or as legally required.
3 – Why Do We Need Your Information?
To provide our services and fulfill our obligations to you as an employee, candidate, client, or patient, we process the following personal data:
Contact information: Name, address, email, phone number
Personal data: Date of birth, gender, nationality
Employment data (for employees and candidates): CV, work experience, education, qualifications, references
Employment-related data (for employees): Salary, tax information, absences, vacations, and other administrative details
Health information (for patients): Medical history, diagnoses, treatment records, medications, and examination results
Other data: Any additional information needed to provide services, such as contract history, inquiries, communications, and information provided by you relevant to a specific job profile or contract, as well as for marketing, events, surveys, invitations, client/supplier relationships, and legal compliance
All data is processed only to the extent necessary to achieve the relevant purpose and in accordance with GDPR and applicable health regulations.
4 – How We Protect Your Data
medflow AS implements technical and organizational measures to safeguard personal data from loss, theft, or unauthorized access. These measures include:
Data encryption
Access control
Regular security audits
5 – With Whom Do We Share Information?
5.1 – Healthcare Institutions and Workers
We may be contacted by healthcare institutions or professionals involved in your care who request access to your data. These professionals are subject to the same confidentiality obligations as our employees. Data will only be shared when necessary to ensure safe and appropriate healthcare and in compliance with healthcare regulations. As a patient, you have the right to object to such data sharing. Any shared data will be strictly limited to what is necessary and only shared upon clear and specific request.
5.2 – Authorities
We may disclose personal data to authorities if required by law or if there is suspicion of illegal activity related to our services.
Additionally, information may be shared with public health registries such as the Vaccination Register (Vaksineregisteret) or Cancer Registry (Kreftregisteret) as legally required.
5.3 – Data Processors
We use data processors to ensure secure and effective handling of personal data. A data processor is an external organization processing data on our behalf under strict legal agreements.
We use the EG Pasientsky system for logging and patient records, integrated with our website for appointment booking. EG Pasientsky ensures compliance with regulations, including GDPR, using encryption and access control.
We may also use other processors for system operations and development, all subject to strict privacy and security requirements.
Our website uses Google Analytics to collect traffic data such as page views, time spent on site, and visitor behavior, to improve content and understand visitor interests.
We also use:
Google Ads
Meta (Facebook)
Microsoft Clarity
These tools help analyze and optimize user experience and targeted marketing. Collected data is handled confidentially under data protection agreements.
The data collected via Google Analytics and other tools is accessible to:
Marketing Astro Kft.
Address: Kossuth Lajos utca 79, 2161 Csomád, Hungary
Tax number: 25149205213
Phone: +36 (30) 370 3411
Websystemer AS / Visma Real Estate
Address: Postboks 2454, Drotningsvik, 5834 Bergen, Norway
Company number: 915343716
Phone: +47 56 09 02 00
5.4 – Our Clients
Sharing of personal data may be necessary for the execution and administration of assignments or services for our clients.
5.5 – Our Candidates
Sharing of personal data may be required to ensure our candidates’ rights are upheld in accordance with data protection regulations.
5.6 – Third-party Providers, Subcontractors, and Partners
Data sharing may be necessary for tasks such as payroll, technical support, IT system operations, and similar services.
All personal data processing by medflow AS is conducted in accordance with this privacy policy, including any transfer of data outside the EU.
Where data is transferred outside the EU, we ensure appropriate safeguards are in place, including recognizing countries deemed adequate by the European Commission.
6 – How Long Do We Store Your Data?
The retention period depends on the type of data and the purpose of processing. We do not retain personal data longer than necessary, unless legally required.
Retention and deletion policies:
Recruitment data: Retained until the end of the year and for three (3) additional years following the last activity
Client and supplier contracts: Retained for ten (10) years after contract termination
Patient records: Retained as long as necessary for care purposes; may be transferred to the Norwegian Health Archive (Norsk Helsearkiv) as required by archiving regulations
We implement technical and organizational measures to securely and professionally delete personal data when no longer needed.
7 – Use of Cookies
We use cookies (information files) to collect non-personal data about user behavior and to analyze usage patterns on our website.
A cookie is a small data file placed in your browser to track visit activity and recognize your device on future visits. Cookies are not programs, do not contain viruses, and cannot be used to personally identify you.
8 – What Are Your Rights?
If medflow AS processes your personal data, you have several rights under data protection laws, including:
Right of access: To see what personal data we process and receive a copy
Right to rectification: To correct inaccurate or incomplete data
Right to erasure: To request deletion unless retention is legally required
Right to restriction: To request limited processing instead of deletion
Right to object: To oppose processing based on legitimate interests
Right to data portability: To receive your data in a structured, machine-readable format or request its transfer to another controller