Privacy Policy

Last updated · March 12, 2025

Process owner · Ann Cheng

01 · General

Who is covered by this policy

At ABC Labs AB (“ABC,” “we,” or “us”) we protect the personal integrity of individuals and always strive for a high level of data protection. This privacy policy explains how we collect and use your personal information, whether you are a customer of ours or a test subject. It also describes your rights and how you can assert them. It is important that you read and understand this policy and feel safe in our processing of your personal data. You are always welcome to contact us if you have any questions.

This privacy policy applies to you who:

  • Perform a laboratory test (e.g., alcohol or drug test) through us (test person).
  • Book or administer alcohol and drug tests or other tests including test results via our platform (user).
  • Contact us with questions about our services via telephone or our website (interested party).
  • Are employed by or represent a customer, partner, treatment center, or other third party we collaborate with within the framework of our clinical laboratory services (partner).

This policy does not cover privacy or data protection issues regarding data handled by our business partners, external service providers, and resellers. These third parties are responsible for complying with applicable data protection regulations and have their own privacy policies. To understand how these actors use your personal data, we refer you to their respective policies.

02 · About us and our services

ABC’s role in personal data processing

ABC is a laboratory and offers diagnostic laboratory services within clinical laboratory medicine such as drug and alcohol tests. Our services also include the development and provision of a digital platform for secure management of the entire test flow, including logistics around the tests, analysis in the laboratory, and communication of test results.

A data controller is the entity that decides for what purposes personal data shall be processed, and how the processing shall be carried out. The data controller may use a so-called data processor — an entity that may only process personal data in accordance with instructions from the data controller and may not use the personal data for its own purposes.

We are the data controller when we process your personal data in accordance with this privacy policy.

03 · What we collect

Personal data and when we collect it

Personal data in this context refers to all information attributable to a natural person that can be used directly or indirectly to identify them (e.g., name, contact details, social security number, location information, employer).

We may collect personal data about you in several different ways. We primarily collect information directly from you — for example, when you create an account with us or perform one of our alcohol or drug tests. However, we may also receive information from other parties, such as your employer, a testing center, or another customer.

We collect the following personal data from you when you:

  • Register an account in our digital platform, CareOS (name, username, email, contact details).
  • Order alcohol or drug tests or other laboratory analyses that require identification (name, contact details).
  • Perform our alcohol or drug tests or other laboratory tests (name, social security number, contact details, health information, medical records, human samples — blood, urine, saliva).
  • Pay for our services (payment information, billing address).
  • Apply for a job with us (application, contact details).
  • Contact us by phone, email, or website (name, contact details).

We may also collect information from:

  • Your employer for testing (name, social security number, contact details).
  • Treatment center or partner for testing, laboratory analysis, and referrals (name, personal identification number, contact information).
  • Authorities in case of legal requirements.

04 · How we use your data

Purposes and legal grounds

All processing of personal data is carried out in accordance with the GDPR. We ensure only necessary data is processed for the purposes stated below.

Purpose

Create and manage user accounts

To use our services we register your contact and login details — name, username, email, telephone, job title, employer — plus content you upload, such as staff lists.

Legal ground

Necessary to (i) perform our contractual obligations with users (GDPR Article 6(1)(b)), or (ii) pursue our customers’ legitimate interests (GDPR Article 6(1)(f)). For some features we obtain explicit consent (GDPR Article 6(1)(a) or, where relevant, Article 8).

Purpose

Providing testing and laboratory services

We process personal data — including health data, human samples, and test results — to manage bookings, conduct drug and alcohol tests, and ensure quality assurance and reporting.

Legal ground

Necessary for our legitimate interests (GDPR Article 6(1)(f)) and, where applicable, our legal obligation (Article 6(1)(c), 9.2(h), 9.3) under healthcare legislation. For employer testing outside healthcare, we collect explicit consent (Article 6(1)(a) and 9.2(a)).

Purpose

Invoicing and financial management

Processing personal data to handle payments and comply with accounting requirements.

Legal ground

Fulfillment of contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)), for example the Swedish Accounting Act (1999:1078).

Purpose

Support and customer service

When you contact us for support, we process your contact details and the information you provide in order to answer your request.

Legal ground

Necessary to (i) perform our contractual obligations (Article 6(1)(b)) or (ii) pursue legitimate interests (Article 6(1)(f)).

Purpose

Communication and reminders

Sending service updates, reminders, and important information about our services.

Legal ground

Necessary to (i) perform our contractual obligations (Article 6(1)(b)) or (ii) pursue legitimate interests (Article 6(1)(f)).

Purpose

Marketing and newsletters

If you have given consent, we may use your contact details to send you information about our services.

Legal ground

Consent (GDPR Article 6(1)(a)).

Purpose

Development and improvement of services

We analyze user behavior and collected data in the platform — excluding test results and sensitive data at the person level — to quality-assure and improve our services.

Legal ground

Necessary to fulfill contractual obligations (Article 6(1)(b)) and pursue legitimate interests in improving, upgrading, and securing services (Article 6(1)(f)).

Purpose

Anonymized data for research and product development

We may anonymize personal data for use in research and product development — for example, to improve our tests and platform. Anonymized data is no longer personal data and falls outside the GDPR.

Legal ground

Necessary to fulfill contractual obligations (Article 6(1)(b)) and pursue legitimate interests in improving services (Article 6(1)(f)).

Purpose

Recruitment

We collect personal data from you in connection with your application and interviews. Where relevant, we also collect information from recruitment agencies, previous employers, our employees, publicly available information, social media (e.g., LinkedIn), and references.

Legal ground

Necessary in view of our legitimate interest in administering the recruitment process and evaluating applicants (Article 6(1)(f)).

Our services are aimed at adults only and we do not intend to use personal data linked to children. For children under 16 years of age, consent from guardians is required before we use their personal data.

05 · Automated processing

When you use our services or websites

When you use our services or interact with our web and hosting platforms, we may receive or collect information about your use of them, such as:

  • Details of the online content you have viewed or interacted with — browser software, pages viewed, and what you have clicked on.
  • Service, software, or server logs storing information about your use of our services or websites — IP address, browser information (HTTP user agent), HTTP client request information, time and location of activities, domain, device and application settings, errors, and hardware activity.
  • Information about the physical location of your hardware, geolocation service, or application.
  • Interests and preferences you specify when setting up your browser, account, or other product or service.
  • Information our support staff needs to maintain, protect, or provide the services or websites.

Such information is generally collected through digital identifiers like browser cookies, plugins, or your IP address. These identifiers distinguish information provided through the hardware, browser, or account you use. We may associate the information collected with one of your accounts, for example if you are logged into our services when the information is collected.

06 · Who has access

Access and sharing of personal data

Employees and consultants

Only employees and consultants within ABC Labs who need access to your personal data to perform their duties are authorized to process them.

Sharing of personal data

We do not share your personal data with third parties unless necessary to provide our services in a quality-assured manner:

  • External service providers and subcontractors: We may use external IT, logistics, support, payment, and cybersecurity providers. These actors only process data according to our instructions and signed data processing agreements.
  • Statutory obligations: We may share information with authorities if required by law, court order, or other legal obligation.

A current list of our personal data processors can be provided upon request.

Transfer outside the EU/EEA

In some cases, personal data may be transferred to countries outside the EU/EEA. When this happens, we ensure appropriate safeguards are in place — for example, through agreements that comply with the EU Commission’s standard contractual clauses.

07 · Storage and deletion

How long we keep your data

We only save your personal data for as long as necessary to fulfill the purpose — for our users and customers to utilise our services, including the performance of quality-assured alcohol and drug tests and laboratory services.

Data that is no longer necessary is continuously deleted. We conduct an annual review to identify and delete information that is no longer needed.

  • Data linked to your account in our platform is saved as long as you have an account with us, and up to 12 months thereafter.
  • Sensitive health data and laboratory results are saved for a maximum of 12 months after the ongoing case with the client has been concluded, unless there are special reasons to save the data longer.
  • Human samples (blood, saliva, or urine) are saved for at least 1 month after the sample is submitted and as long as we have an ongoing case linked to the test result, but no longer than 6 months.
  • Payment and invoicing information is saved as long as we have an ongoing customer relationship and as long as we have statutory requirements (for example, the Accounting Act).
  • Marketing information is only saved with your consent and is deleted if you withdraw your consent.
  • Job applications are saved for a maximum of 12 months after employment.

Security measures

We use technical and organizational security measures:

  • Encryption when storing and transferring sensitive information.
  • Limited access to personal information based on the need-to-know principle.
  • Regular security review and risk analysis.
  • Access minimization to sensitive personal information.
  • Training for employees.

08 · Your rights

What you can ask us to do

Regarding personal data for which ABC is the data controller, users have the following rights:

  • Right to access. Upon request, we will confirm whether we are processing your personal data and, if so, provide you with a copy of it, including why we are processing the data.
  • Right to data portability. In certain cases, you have the right to receive your personal data from us in a structured, commonly used, and machine-readable format, which you can then use elsewhere.
  • Right to rectification. If your personal data is inaccurate or incomplete, you have the right to have it corrected or completed. If we have shared your personal data with others, we will, as far as possible, notify them of the corrections.
  • Right to erasure. You can ask us to erase or remove your personal data and we will do so — for example, when it is no longer needed. We may refrain from erasing certain data due to legal requirements under healthcare or accounting legislation.
  • Right to object to processing. You can ask us to stop processing your personal data and we will do so where we base processing on legitimate interests (unless we can demonstrate compelling reasons) or where we process your personal data for direct marketing.
  • Rights regarding automated decision-making and profiling. You have the right not to be subject to decisions based solely on automated processing of your personal data, including profiling, unless such profiling is necessary for entering into or performing a contract.
  • Right to withdraw consent. You can withdraw your consent at any time. This does not affect the lawfulness of processing based on your previous consent.
  • Right to complain to the Swedish Data Protection Authority. If you have any comments about this policy, including how we have handled your personal data, you can report this to the Swedish Data Protection Authority via imy.se.

If you have any comments or questions regarding our compliance with this policy, please contact us using the details below.

09 · Contact

Get in touch

If you have any questions about this policy or wish to exercise your rights, please contact our Data Protection Officer, Ann Cheng.

Email · privacy@abclabs.se

Address · Hagaplan 4, 113 68 Stockholm

Website · www.abclabs.se

10 · Changes to this policy

Updates

We will update this policy as necessary and will post any changes via our website.