Privacy statement

Personal data is processed for the following purposes:

• the provision of health care services on the basis of a legal obligation
• the provision of occupational health care services on the basis of a legal obligation
• the assessment of a need for work ability and well-being services and for the purpose of targeting services on the basis of a service agreement between the customer and Terveystalo or a legal obligation
• the supervision of health care professionals’ operations and the quality of their work on the basis of a legal obligation
• marketing and/or communications on the basis of the customer’s consent, an agreement and/or Terveystalo’s legitimate interest
• the planning, development, management, monitoring and reporting of Terveystalo’s own operations as well as for quality assurance and knowledge management on the basis of a legal obligation and Terveystalo’s legitimate interest
• research and the compiling of statistics on the basis of consent, a legal obligation, public interest and/or Terveystalo’s legitimate interest
• the handling of feedback, clarification requests from authorities, and incidents on the basis of a legal obligation and Terveystalo’s legitimate interest
• invoicing and collection on the basis of an agreement between the customer and Terveystalo
• the verification of abuses and usage monitoring on the basis of Terveystalo’s legal obligation and legitimate interest

Read more about the purposes of the processing

We process the following personal data:

• Basic information
• Health information
• Information related to work ability
• Information related to well-being
• Gene test data
• Screening data
• Employer information
• Appointment information
• Recordings of customer service events
• Invoicing information
• Oma Terveys and My Health Plan information
• Information on feedback, clarification requests from the authorities, and incidents
• Data related to the use of our website and online services
• Data related to the use of identification and authentication devices and services
• Data related to the online behavior and analytics

Read more about the categories of personal data

In accordance with the Decree of the Ministry of Social Affairs and Health on Patient Records, data related to a patient’s medical care must be stored for a period of 12 years after the patient’s death or, if there is no information about the patient’s death, for 120 years after the patient’s date of birth.

If the information entered in a data subject’s My Health Plan has not been included in the patient records, the information is stored for as long as the data subject themselves deletes the information from their My Health Plan. A request to erase a My Health Plan template prepared by a health care professional must be addressed to the clinic.

Recordings of customer service events are stored for a period of three months.

With respect to other personal data, we regularly assess the necessity of the personal data in relation to the purposes of the processing and their achievement. If we are able to conclude that the data is not necessary for the purposes of the processing, and that the law does not obligate us to store the data, the data is erased.

The personal data to be processed is primarily collected from the patient themselves. If the patient is underaged, the data may also be collected from their guardians. Personal data is also collected from the medical staff in connection to research and medical care.

In terms of occupational healthcare, a patient’s basic information, the workplace’s contact information and any changes to the aforementioned are collected from the employer as per the occupational health care agreement.

Personal data is also obtained from third party health care units or healthcare professionals with the patient’s consent.

In addition, the data for invitations to screening are collected from a mass screening register, the data of which comes from the Population Register Centre.

In some situations, data is also received from insurance companies or pension insurance companies.

Terveystalo’s health care professionals and specialists process personal data on the basis of joint register consent. In terms of occupational health care services, personal data is processed by the professionals involved in the occupational health care.

The processing of personal data is outsourced to Group companies and/or external service providers who process the personal data on behalf of Terveystalo. Patient data is not transferred outside the EU or the EEA. Customer data may be transferred outside the EU or the EEA to a limited degree and within the confines of legislation.  In such cases, the transfer takes place in accordance with the EU Commision’s standard contractual clauses or some other transfer mechanism permitted by data protection legislation.

Personal data is not disclosed to the following parties:

Kela’s Prescription Centre

• Electronic prescriptions are saved in the Prescription Centre, the controller of which is Kela. Further information https://www.kanta.fi/en/citizens.

Kanta Patient Data Repository

• Health information is archived in the Kanta Patient Data Repository maintained by Kela under the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare. Further information https://www.kanta.fi/en/citizens.

In addition, patient data is disclosed to the following parties on the basis of consent or the law:

Third party health care unit/organization/treatment facility or health care professional

• Information required for the arrangement and provision of medical care may be disclosed to another health care unit in accordance with a patient’s oral or written consent or other approval otherwise apparent by the context and recorded in the patient record.

Insurance companies

• Data necessary in respect of statutory insurance is disclosed to insurance companies on the basis of the law, without consent.
• Data necessary in respect of voluntary insurance is disclosed on the basis of the patient’s consent.

Employers

• When the patient is an occupational health care patient, data can be disclosed on the basis of the patient’s separate and explicit consent, provided that the employer uses the electronic transmission service for A certificates to Terveystalo’s Sirius HR system.

Authorities and/or entities

• Data is disclosed to courts of law and to other authorities and entities with a right to information pursuant to the law on the basis of a written and specified request and in the format and scope required by the matter.

Patient’s next of kin

• In the event that the patient is unconscious or under medical care for some equivalent reason, data can be disclosed to next of kin or to another person close to them, unless there is reason to believe that the patient has prohibited the disclosure of the data.

Research organizations

• The disclosure of data included in patient records for scientific research is subject to what is provided in section 13 (4) of the Patients Act.
• Anonymized and/or statistical data can be processed for research and statistical purposes without consent.

In the event of a patient’s death, the secrecy obligation and need for privacy protection remains in force, meaning that data cannot be disclosed without a legal basis.

Right of access

• Data subjects have the right to obtain information on the processing of personal data and access data concerning themselves (request for access).

Right to rectification

• Data subjects have the right to request the rectification of erroneous or incomplete data.

Right to erasure

• Data subjects have the right to request the erasure of their personal data. Requests for erasure are implemented within the confines permitted by the law. In respect of information concerning a data subject’s health, Terveystalo has a legal obligation to store the data pursuant to the Decree on Patient Records.

Right to restriction of processing

• A data subject has the right to request the restriction of the processing of their personal data if the data subject contests the accuracy of their personal data. In such cases, the processing of the personal data is restricted for the duration of the investigation.

Right to data portability

• A data subject has the right to request that their data be transmitted from one system to another if the data has been provided by the data subject themselves and if the processing of the personal data is based on consent or an agreement. The right to data portability does not apply to patient information.
• Regarding patient information, another health care provider may view the health data via the Kanta service in accordance with the customer’s personal consents and refusals. You may update your consents and refusals through the Omakanta service (https://www.kanta.fi/en/citizens).

Withdrawal of consent

• Where the processing of personal data is based on consent, the customer can withdraw their consent at any time.  The consent can be withdrawn by contacting Terveystalo’s customer service.

Right to lodge a complaint with a supervisory authority

• A data subject has the right to lodge a complaint with the supervisory authority if the customer is of the opinion that the processing of personal data has infringed data protection legislation

Requests pertaining to the rights of data subjects must be made in writing to a clinic. The requests must be delivered to the clinic in person. The data subject’s identity is verified in a reliable way in connection to the request’s submission.

Terveystalo applies the appropriate physical, technical, and administrative protection measures to protect data from misuse. These measures include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to staff participating in personal data processing, and risk management related to the planning, implementation, and maintenance of our services. Terveystalo chooses its subcontractors carefully and uses agreements and other arrangements to ensure that they also process data in compliance with the law and good privacy practices.

Data Protection Officer

Data Protection Officer
email tietosuoja@terveystalo.com

Patient Ombudsman

The national Patient Ombudsmen of Suomen Terveystalo Oy are
Sanna Sarin, Johanna Toivonen ja Riitta-Liisa Karhunen

e-mail potilasasiamies@terveystalo.com
phone 030 633 1655

The task of the patient ombudsman is

• to provide advice and, where necessary, assist with matters related to the application of the Patients Act, such as submitting an objection and/or a notification of patient injury
• to inform patients of their rights and to act also otherwise for the promotion of patients' rights.

Changes to the privacy statement

Terveystalo reserves the right to amend this privacy statement without prior notification. The amendments take effect once Terveystalo publishes the revised privacy statement on its website. Terveystalo advises its customers and patients to check the privacy statement on a regular basis.