Book appointment

Privacy

Privacy Policy for Patients

Last updated: February 2026

Data Controller

  • Yngve Dahl
  • Psykolog Yngve Dahl (sole proprietorship)
  • Nedre Slottsgate 4M, 0157 Oslo
  • Email: yngve+web@psykologdahl.no
  • Phone: +47 911 06 231

I am the data controller for the processing of your personal data in connection with psychological treatment.

What information do I process?

I process the following categories of personal data:

  • Identifying information โ€“ Name, national ID number/D-number, address, phone, email
  • Health-related information โ€“ Clinical notes, diagnostic codes, treatment plans, session content
  • Appointment and payment information โ€“ Appointment times, payment details, invoices

This includes special categories of personal data (health data) under GDPR Article 9.

  • Treatment and clinical records โ€“ Art. 6(1)(e) Public interest (healthcare) + Art. 9(2)(h) Healthcare subject to professional secrecy
  • Appointment booking and reminders โ€“ Art. 6(1)(e) Public interest
  • Payment and invoicing โ€“ Art. 6(1)(b) Performance of contract
  • Contact via phone/SMS โ€“ Art. 6(1)(f) Legitimate interest (logistics only, not clinical content)
  • Contact via email/form โ€“ Art. 6(1)(f) Legitimate interest

Who receives your information?

I use the following data processors to deliver services:

  • Konfidens (Mindcare AS) โ€“ Clinical records, booking, video โ€“ Norway / Germany (AWS Frankfurt)
  • Adyen โ€“ Payment processing โ€“ EEA
  • GatewayAPI โ€“ SMS reminders โ€“ Germany/Finland/Denmark
  • Brevo โ€“ Automated emails โ€“ Germany/Belgium/Ireland
  • Criipto โ€“ BankID login โ€“ Norway
  • ProtonMail โ€“ Email communication โ€“ Switzerland
  • Whereby โ€“ Video consultation โ€“ Norway/Ireland

All data processors are bound by data processing agreements ensuring personal data is handled in accordance with the GDPR.

Transfer to countries outside the EEA

Your personal data is primarily stored within the EEA. For video consultations via Whereby, usage data (metadata about the session) may be processed in the USA, subject to standard contractual clauses.

Email via ProtonMail is processed in Switzerland, which has an adequate level of protection recognized by the European Commission.

How long is data retained?

Patient records

Clinical records are retained as long as they are needed in connection with healthcare, cf. the Norwegian Patient Records Regulation ยง 14.

Practice for private practitioners:

  • Records may as a general rule be deleted 10 years after the last clinical note
  • Before deletion, a specific assessment is made as to whether the records may be needed later
  • Examples of situations where records should be retained longer: potential compensation claims, need for documentation of prior treatment, or the patient’s own request

What this means for you:

  • Your clinical records are retained for at least 10 years after your last consultation
  • I assess before any potential deletion whether there is reason to retain the records longer

Other information

  • Appointment and payment information โ€“ Retained for 10 years after fiscal year (Norwegian Bookkeeping Act)
  • Correspondence (email/form) โ€“ Deleted after 1 year if not relevant to clinical records

Your rights

  • Access (Art. 15) โ€“ You may request information about what data I process about you and receive a copy of your clinical records
  • Rectification (Art. 16) โ€“ You may request correction of inaccurate information
  • Erasure (Art. 17) โ€“ You may request deletion, but clinical health records cannot be deleted while retention requirements apply
  • Restriction (Art. 18) โ€“ You may request restriction of processing in certain cases
  • Objection (Art. 21) โ€“ You may object to processing based on legitimate interest
  • Portability (Art. 20) โ€“ You may request to receive your data in a structured, machine-readable format

Important: deletion and correction of clinical records

Deletion: Clinical health records generally cannot be deleted at the patient’s request. This is because the records serve both the patient’s and the practitioner’s interest in documentation, and because there are statutory retention requirements.

Correction: If the records contain errors, the error is not deleted. Instead, the incorrect information is marked as erroneous, and the correct information is added along with a note of when the correction was made. This ensures the records’ history is preserved, which is important for quality assurance and any future reviews.

Professional secrecy

As a psychologist, I am bound by professional secrecy under the Norwegian Health Personnel Act ยงยง 21โ€“23. This means I cannot share your health information with others without your consent, unless required or permitted by law.

Exceptions to professional secrecy may apply in cases of:

  • Acute danger to life and health
  • Mandatory reporting to authorities (e.g., infectious disease control, serious crime)
  • Collaboration with other healthcare professionals with your consent

Complaints

If you believe the processing of your personal data is in breach of data protection legislation, you may file a complaint with:

The Norwegian Data Protection Authority (Datatilsynet) P.O. Box 458 Sentrum, 0105 Oslo Email: postkasse@datatilsynet.no Website: www.datatilsynet.no

Contact

For questions about the processing of personal data, contact:

Changes

This privacy policy may be updated. Significant changes will be communicated to you.

Change log:

  • February 2026 โ€“ First version