Privacy Policy
We prioritize your personal privacy and work actively to ensure the protection of your personal data when you use our services. Our privacy policy below clearly describes how we process, use, and protect your personal data, as well as which rights you have as a data subject.
Protected personal data
For privacy and security reasons, we cannot offer the Services to individuals with protected personal data (confidentiality marking, protected registration, or fictitious personal data). Contact us at [email protected] if you are unsure.
1. General
This privacy policy describes how we, Testmottagningen Sweden AB, reg. no. 556983-2750 (“Testmottagningen”, “us”, “our”, “we”), process your personal data when you use our services (the “Services”). Testmottagningen Sweden AB was previously called 19Plus AB (same registration number).
Testmottagningen Sweden AB is a healthcare provider and the data controller for the processing of your personal data within the healthcare services. Results from diagnostic services, communication with physicians, and patient data are handled via the test results service Zample (app.zample.com), operated by Zample AB. Zample AB processes personal data as a data processor for Testmottagningen when the data is used within the healthcare services. For processing that Zample AB performs as an independent data controller (e.g., certain office-related tasks), please refer to Zample AB’s privacy policy in the test results service.
Testmottagningen.se is an e-commerce service offering healthcare services such as arranging sample collection, laboratory analyses, medical examinations (including diagnostic imaging), and issuing test results and medical opinions (via zample™) with a physician assessment and, when necessary, follow-up calls.
The test results service zample™ presents test results and outcomes from connected laboratories and collaborating healthcare providers and enables you as a user to view your health data over time.
2. Data controller and Data Protection Officer
Testmottagningen Sweden AB is the data controller for the processing of your personal data.
We have appointed a Data Protection Officer (DPO) in accordance with the General Data Protection Regulation (GDPR). If you have questions about how we process your personal data or wish to exercise your rights, you are welcome to contact our DPO via [email protected] or by post to Testmottagningen Sweden AB, Attn: Data Protection Officer, Själagårdsgatan 9, SE-111 31 Stockholm.
3. Purposes of processing, retention period and legal basis
We process personal data that you provide to us in connection with purchases, activation of referrals, and use of zample™, carrying out examinations, or contacting our customer service. We also process technical information when you visit our website.
Complete purchases and administer orders
We process data such as name, personal identity number or coordination number (if needed), contact details, and purchase history to administer orders and payments.
When a referral is activated, we process the personal identity number or coordination number and contact details to link the referral and test results to the correct person and enable service communications/support via zample™.
If you purchase a service to be used by someone else, we process your data related to the purchase (e.g., payment and receipt). To use the service, an account in zample™ is required. When the referral is activated, we process data about the person who will undergo the examination in accordance with the section “Provide healthcare services”.
Legal basis: Article 6(1)(b) GDPR (performance of a contract).
The data is stored as long as necessary to administer your order and perform the contract. Thereafter, data is stored to the extent required under the Swedish Accounting Act or other applicable legislation. Data covered by the Swedish Accounting Act is stored for at least seven (7) years after the end of the financial year in which the transaction was carried out.
For storage of account data in zample™, please refer to Zample AB’s privacy policy.
Provide healthcare services
We process health data such as health declarations, test results, examination results, and medical assessments in order to provide healthcare, document and keep medical records, and, where necessary, follow up on care. We may also offer the possibility to book and conduct medical consultations with a licensed physician, for example for follow-up of test results or advice. Data processed in connection with such consultations, including medical record notes and communication, is processed in accordance with applicable healthcare legislation and the Swedish Patient Data Act.
Legal basis: Article 6(1)(c) GDPR (legal obligation) and Article 9(2)(h) GDPR (provision of health or social care). Where applicable, processing also takes place based on Article 6(1)(b) GDPR (contract).
Medical record data is stored for at least ten (10) years from the last entry in accordance with the Swedish Patient Data Act.
Communication and support
We process contact details to communicate with you, send information about your orders, in the event of medically abnormal results or incidents, and to handle support matters.
Communication relating to your order, your referral, and your test results is service communication. Marketing is sent only if you have provided separate consent in accordance with the section “Marketing, review invitations and market surveys”.
Legal basis: Article 6(1)(b) GDPR (contract) and Article 6(1)(f) GDPR (legitimate interest in providing customer service).
Support cases are stored for up to 24 months after the case is closed, unless longer storage is required by law or the data forms part of medical records.
Marketing, review invitations and market surveys
If you actively consent, we may process your contact details (e.g., email address and phone number) to send marketing via email and SMS and to send invitations for reviews and customer/market surveys. You can withdraw your consent at any time via settings in your account in zample™ and/or via the unsubscribe link in our messages or by contacting us.
If you consent to marketing, we may, on our behalf, use Trustpilot to send a review invitation. In that case, we share your email address with Trustpilot so that they can send the invitation.
Legal basis: Article 6(1)(a) GDPR (consent).
The data is processed for this purpose until you withdraw your consent. We may also store information about your consent (e.g., time and choice) for as long as necessary to be able to demonstrate that consent has been given.
Employer-funded health checks and reporting at group level
If a health check is paid for by your employer, we process personal data to administer the order and deliver the service. We may provide a report to the employer with aggregated results at group level, such as proportions and trends related to health risks based on test results and overall results from supplementary question areas such as sleep, stress, and well-being. The report does not contain individual test results or other information that identifies specific individuals.
The report may, when the groups are sufficiently large, be filtered at department level. To reduce the risk of indirect identification, we apply privacy-protective methods in reporting, such as minimum group size and limitation or suppression of results for smaller groups.
Legal basis: Article 6(1)(b) GDPR (performance of a contract) for administration and delivery of the service. Processing of health data is carried out based on Article 9(2)(h) GDPR (provision of healthcare and treatment) and Article 6(1)(c) GDPR (legal obligation) to the extent required for medical record-keeping and other healthcare-provider obligations.
Group-level reports are stored for as long as necessary for the purpose and in accordance with the agreement with the employer, and are deleted thereafter.
Website, analytics and improvement
When you visit our website, technical information such as IP address, device information, and log data is processed to ensure functionality, security, and to prevent misuse of the service.
Legal basis: Article 6(1)(f) GDPR (legitimate interest).
Log data is normally stored for up to twelve (12) months, unless longer storage is required to investigate security incidents or to fulfill legal obligations.
Non-essential cookies and analytics tools are used only after you have provided consent in accordance with Article 6(1)(a) GDPR. Data processed through cookies is stored in accordance with the retention period stated for each cookie in our cookie policy. You can withdraw your consent at any time via our consent module.
Comply with legal obligations
We process personal data when required by law, for example under the Swedish Patient Data Act, the Swedish Accounting Act, data protection legislation, or decisions by authorities.
Legal basis: Article 6(1)(c) GDPR and, where applicable, Article 9(2)(h) GDPR.
4. Who will have access to my data?
Your personal data is shared only with recipients to the extent necessary to provide our Services or when we are required by law to do so. Only authorized personnel who need the data for their work have access to special categories of personal data, such as health data. Access is role-based and controlled.
Partners and suppliers
We may share personal data with the following categories of recipients:
- Laboratories, clinics, and healthcare providers that perform sampling, analyses, examinations, or further medical investigation (including receiving healthcare providers in the event of referral and radiology units), a
- IT suppliers and operations providers for systems, data storage, and technical infrastructure,
- Providers of communication services (e.g., SMS and email distribution),
- Payment service providers and financial administration services,
- Medical consultants and other professional advisors,
- Providers for reviews and customer surveys (e.g., Trustpilot).
Examples of how sharing takes place in practice:
- Upon activation of a referral: we send referral and identification data to the chosen laboratory and healthcare provider so that sampling and analysis or examination can be carried out.
- For referral and test result transmission: data may be transmitted via Infosolution (Labportalen) between registered healthcare providers and connected laboratories.
- Communication: we use suppliers to send, for example, booking information, status updates, and test result information via SMS/email.
When external suppliers process personal data on our behalf, this takes place under data processing agreements in accordance with Article 28 GDPR. Some recipients, such as laboratories or other healthcare providers, may be independent data controllers for the processing they perform within the scope of their operations.
Employers
If a health check is paid for by your employer, we may disclose a consolidated report with aggregated results at group level. The report does not contain individual test results or other information that identifies specific individuals and can only be filtered at department level when groups are sufficiently large.
The employer may also, if you explicitly approve it, receive information about which individuals have completed the health check (name) to the extent necessary for administration and follow-up of the employer-funded arrangement. The employer may not access individual results.
Authorities
We may disclose personal data to authorities when we are required to do so by law or by decisions of authorities.
Transfer of business
In the event of a restructuring, merger, or transfer of the business, personal data may be transferred to the acquiring party. In such a case, we ensure that the transfer takes place in accordance with applicable data protection legislation and that your rights continue to be respected.
5. How do you protect my personal data?
We implement appropriate technical and organizational security measures in accordance with Article 32 GDPR to protect your personal data against unauthorized access, loss, alteration, or unlawful disclosure.
Our security measures include, among other things:
- Role-based access control based on job responsibilities,
- Encryption of personal data in transit and at rest where appropriate,
- Secure login solutions and authentication mechanisms,
- Protection through firewalls, intrusion protection, and continuous monitoring of systems,
- Regular backups and procedures for data recovery,
- Internal guidelines, training, and confidentiality undertakings for staff,
- Regular testing and evaluation of our security measures.
We also have procedures to detect, manage, and report personal data breaches in accordance with applicable data protection legislation.
As a registered healthcare provider, we also comply with the Swedish Patient Data Act and applicable regulations on information security within healthcare.
6. Where is my personal data processed?
As a general rule, we process your personal data within the EU/EEA. In some cases, personal data may be transferred to suppliers or partners established outside the EU/EEA (a “third-country transfer”).
When personal data is transferred to a country outside the EU/EEA, we ensure that the transfer takes place in accordance with Chapter V of the GDPR. This means that we use one of the following transfer mechanisms:
- European Commission adequacy decisions (e.g., the EU–US Data Privacy Framework where applicable),
- European Commission Standard Contractual Clauses (SCC),
- or another approved transfer mechanism under the GDPR.
When the transfer is based on Standard Contractual Clauses, we carry out an assessment of the recipient country’s legislation (Transfer Impact Assessment, TIA) and, where necessary, implement supplementary technical and organizational safeguards to ensure a level of protection that essentially corresponds to that within the EU.
You have the right to request information about the safeguards applied for third-country transfers and, where applicable, obtain a copy of the relevant safeguards.
If you have questions about third-country transfers, you are welcome to contact our Data Protection Officer at [email protected].
7. Your rights
Below we describe your rights as a data subject under the General Data Protection Regulation (GDPR). If you wish to exercise any of your rights, you are welcome to contact our Data Protection Officer via [email protected].
We will respond to your request without undue delay and no later than one (1) month from when we received your request. If necessary, the time limit may be extended by a further two months, taking into account the complexity and number of requests. We may request additional information to verify your identity before disclosing any data.
As a data subject, you have the following rights:
- Right of access (data subject access request): You have the right to receive confirmation as to whether we process personal data about you and, if so, to access that data and information about the processing. A copy is provided free of charge. In the case of repeated or manifestly unfounded requests, we may charge a reasonable administrative fee or refuse to act on the request in accordance with the GDPR.
- Right to rectification: You have the right to request that inaccurate or incomplete personal data about you be corrected without undue delay.
- Right to erasure (“right to be forgotten”):
You have the right to request erasure of your personal data under certain conditions, for example if:
- the data is no longer necessary for the purpose for which it was collected,
- the processing is based on consent and you withdraw your consent,
- you object to processing based on legitimate interest and there are no overriding legitimate grounds,
- the personal data has been processed unlawfully,
- you object to processing for direct marketing.
- Right to restriction of processing: You have the right to request restriction of the processing of your personal data in certain situations, for example while we verify the accuracy of the data or investigate whether the processing is lawful. During a period of restriction, the personal data may, with the exception of storage, only be processed with your consent or for the establishment, exercise, or defense of legal claims.
- Right to data portability: Where processing is based on consent or contract and is carried out by automated means, you have the right to receive the personal data that you have provided to us in a structured, commonly used, and machine-readable format and, where technically feasible, have it transmitted to another controller.
- Right to object: You have the right to object to processing based on legitimate interest. If you object, we will make a new assessment of whether we have compelling legitimate grounds to continue the processing. You always have the right to object to the processing of personal data for direct marketing.
- Right to lodge a complaint: If you believe that we process your personal data in violation of applicable data protection rules, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), www.imy.se.
We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
In particular regarding medical record data (Swedish Patient Data Act)
In addition to the rights under the GDPR, special rules apply to medical record data under the Swedish Patient Data Act. As a general rule, you have the right to access your medical record data and you may also request an access log extract (information about electronic access to your medical record).
Please note that medical record data must generally be retained by law and therefore cannot always be erased. Erasure of data in a patient record (destruction of medical records) can only take place following a decision by the Health and Social Care Inspectorate (IVO).
8. Cookies
We use cookies and similar technologies on our website in accordance with the General Data Protection Regulation (GDPR) and the Swedish Electronic Communications Act.
Technically necessary cookies are used for the website to function correctly and do not require consent. Non-essential cookies, such as analytics and marketing cookies, are used only after you have provided active and voluntary consent via our consent module.
It should be as easy to withdraw consent as to give it. You can change or withdraw your consent at any time via our consent module. For more information, see our cookie policy.
9. Information security
Testmottagningen complies with the General Data Protection Regulation (GDPR), the Swedish Patient Data Act, and applicable healthcare regulations. We conduct systematic, risk-based information security work to ensure that personal data is processed in a secure, lawful, and responsible manner within our services.
10. Changes to this privacy policy
We may update this privacy policy when necessary, for example due to changes in legislation or as our operations evolve. The latest version is always available on our website.
If we make material changes that affect how your personal data is processed, we will inform you in an appropriate manner before the changes take effect.
Updated 2026-03-27