Private customer

Personal data is processed for the following purposes and on the following legal basis:

• The provision of health care services on the basis of the legislation
• The provision of occupational health services on the basis of the legislation
• The assessment of a need for work ability and well-being services and for the purpose of targeting services on the basis of a service agreement between the customer and Terveystalo, the legislation or legitimate interest
• The supervision of health care professionals’ operations and the quality of their work on the basis of the legislation
• marketing and/or communications on the basis of the customer’s consent, an agreement and/or Terveystalo’s legitimate interest
• The planning, development, management, monitoring and reporting of Terveystalo’s own operations as well as for quality assurance and knowledge management on the basis of the legislation and Terveystalo’s legitimate interest
• Research and the compiling of statistics on the basis of consent, the legislation, public interest and/or Terveystalo’s legitimate interest
• The handling of feedback, clarification requests from authorities, and incidents on the basis of the legislation and Terveystalo’s legitimate interest
• The provision of online services targeted at logged in customers on the basis of the legislation and/or a service agreement between the customer and Terveystalo
• Invoicing and collection on the basis of an agreement between the customer and Terveystalo
• The verification of abuses and usage monitoring on the legislation and legitimate interest

We process the following personal data:

• Basic information
• Health information
• Information related to work ability
• Information related to well-being
• Gene test data
• Employer information
• Appointment information
• Recordings of customer service events
• Invoicing information
• Information of the online services for logged in customers (e.g. Oma Terveys and Oma Terveys)
• Information on feedback, clarification requests from the authorities, and incidents
• Data related to the use of our website and online services
• Data related to the use of identification and authentication devices and services
• Data related to online behavior and analytics
• Consents and refusals

In accordance with the Decree of the Ministry of Social Affairs and Health on Patient Records, data related to a patient’s medical care must be stored for a period of 12 years after the patient’s death or, if there is no information about the patient’s death, for 120 years after the patient’s date of birth.

If the information entered in a customer’s Oma Suunnitelma has not been included in the patient records, the information is stored for as long as the customer themselves deletes the information from their Oma Suunnitelma. A request to erase a Oma Suunnitelma template prepared by a health care professional must be addressed to the clinic.

Recordings of customer service events are stored for a period of three months.

With respect to other personal data, we regularly assess the necessity of the personal data in relation to the purposes of the processing and their achievement. If we conclude that the data is not necessary for the purposes of the processing, and that the law does not obligate us to store the data, the data is erased.

The personal data to be processed is primarily collected from the patient himself. If the patient is underaged, the data may also be collected from their guardians. Personal data is also collected from the medical staff in connection to research and medical care.

The basic information of the patient is updated from the Digital and Population Data Services Agency’s population information system.

In terms of occupational healthcare, a patient’s basic information, the workplace’s contact information and any changes to the aforementioned are collected from the employer as per the occupational health care agreement.

Personal data is also obtained from third party health care units or healthcare professionals with the patient’s consent or on the basis of the legislation.

In some situations, data is also received from insurance companies or pension insurance companies.

Terveystalo’s health care professionals and specialists process personal data on the basis of joint register consent. In terms of occupational health care services, personal data is processed by the professionals involved in the occupational health care.

The processing of personal data is outsourced to Group companies and/or external service providers who process the personal data on behalf of Terveystalo. Patient data is not transferred outside the EU or the EEA. Customer data may be transferred outside the EU or the EEA to a limited degree and within the confines of legislation.  In such cases, the transfer takes place in accordance with the European Commission’s standard contractual clauses or some other transfer mechanism permitted by data protection legislation.

Personal data is disclosed to the following parties:

Kela’s Prescription Centre

• Electronic prescriptions are saved in the Prescription Centre, the controller of which is Kela. Further information https://www.kanta.fi/en/citizens.

Kanta Patient Data Repository

• Health information is archived in the Kanta Patient Data Repository maintained by Kela under the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare. Further information https://www.kanta.fi/en/citizens.

In addition, patient data is disclosed to the following parties on the basis of consent or the law:

Third party health care unit/organization/treatment facility or health care professional

• Information required for the arrangement and provision of medical care may be disclosed to another health care unit in accordance with a patient’s oral or written consent or other approval otherwise apparent by the context and recorded in the patient record.

Insurance companies

• Data necessary in respect of statutory insurance is disclosed to insurance companies on the basis of the law, without consent.
• Data necessary in respect of voluntary insurance is disclosed on the basis of the patient’s consent.

Employers

• When the patient is an occupational health care patient, data can be disclosed on the basis of the patient’s separate and explicit consent, provided that the employer uses the electronic transmission service for A certificates to Terveystalo Sirius HR system

Authorities and entities

• Data is disclosed to courts of law and to other authorities and entities with a right to information pursuant to the law on the basis of a written and specified request and in the format and scope required by the matter

Patient’s next of kin

• In the event that the patient is unconscious or under medical care for some equivalent reason, data can be disclosed to next of kin or to another person close to them, unless there is reason to believe that the patient has prohibited the disclosure of the data

Research organizations

• The disclosure of data included in patient records for scientific research is subject to what is provided in the Act on the Secondary Use of Health and Social Data.
• Anonymized and/or statistical data can be processed for research and statistical purposes without consent.

In the event of a patient’s death, the secrecy obligation and need for privacy protection remains in force, meaning that data cannot be disclosed without a legal basis.

Based on the Communicable Diseases Act, any information needed to detect an epidemic, identify the cause and trace-back can be submitted to the Finnish Institute for Health and Welfare and the joint municipal authority for the hospital district.

Right of access

• Data subjects have the right to obtain information on the processing of personal data and access data concerning themselves.
• The data subject can access and review their information primarily in online services targeted at logged in customers (e.g. the Oma Terveys service) and through the My Kanta service (www.kanta.fi/en/citizens).

Right to rectification

• Data subjects have the right to request the rectification of erroneous or incomplete data

Right to erasure

• Data subjects have the right to request the erasure of their personal data. Requests for erasure are implemented within the confines permitted by the law. In respect of information concerning a data subject’s health, Terveystalo has a legal obligation to store the data pursuant to the Decree of the Ministry of Social Affairs and Health on Patient Records.

Right to object or restrict processing

• The data subject has, in certain situations, the right to object to the processing of their personal data on grounds relating to their particular situation at any time.
• A data subject has the right to request the restriction of the processing of their personal data if the data subject contests the accuracy of their personal data. In such cases, the processing of the personal data is restricted for the duration of the investigation.

Right to data portability

• A data subject has the right to request that their data be transmitted from one system to another if the data has been provided by the data subject themselves and if the processing of the personal data is based on consent or an agreement. The right to data portability does not apply to patient information.
• Regarding patient information, another health care provider may view the health information via the Kanta service in accordance with the customer’s personal consents and refusals. The consents and refusals in question can be updated through the My Kanta service (www.kanta.fi/en/citizens).

Right not to be subject to an automated decision-making

• The data subject has the right not to be subject to a decision based solely on automated processing, such as profiling, which produces legal effects concerning them or similarly significantly affects them. However, there are exceptions to this prohibition.

Withdrawal of consent

• Where the processing of personal data is based on consent, the customer can withdraw their consent at any time.  The consent can be withdrawn by contacting Terveystalo’s customer service.

Right to lodge a complaint with a supervisory authority

• A data subject has the right to lodge a complaint with the supervisory authority (Data Protection Ombudsman in Finland) if the customer is of the opinion that the processing of personal data has infringed data protection legislation.

Requests pertaining to the rights of data subjects must be made in writing to a clinic. The requests must be delivered to the clinic in person. The data subject’s identity is verified in a reliable way in connection to the request’s submission.

Terveystalo applies the appropriate physical, technical, and administrative protection measures to protect data from misuse. These measures include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to staff participating in personal data processing and risk management related to the planning, implementation, and maintenance of our services. Terveystalo chooses its subcontractors carefully and uses agreements and other arrangements to ensure that they process data in compliance with the law and good data protection practices.

DATA PROTECTION OFFICER

email tietosuoja@terveystalo.com

Terveystalo’s Data Protection Officer
Suomen Terveystalo Oy
Jaakonkatu 3B,
00100 HELSINKI, FINLAND

PATIENT OMBUDSMAN

e-mail potilasasiamies@terveystalo.com

Additional information is available at: Patient Ombudsman