DATA PROTECTION DESCRIPTION OF THE OMAMEHILÄINEN SERVICE
Date: 22 October 2019
1 Controller
Mehiläinen Oy
Business ID: 1927556-5
Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland
Switchboard: +358 10 414 0112
2 Contact person for register queries
Data Protection Officer Kim Klemetti
Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland
3 Name of register
OmaMehiläinen
4 Purpose of processing the personal data
The OmaMehiläinen service (also referred to as the service) is directed especially at Mehiläinen customers, but a service user can be any person who has access to the personal online banking credentials required to register for the service.
The processing of personal data is primarily based on the customer relationship between Mehiläinen and the data subject formed when the data subject creates a user account for the OmaMehiläinen service, and, e.g., insofar as the data subject enters information on his or her state of health or earlier treatment history in the OmaMehiläinen service, on the consent given by the data subject.
Personal data is processed for the implementation and provision of the browser and application-based OmaMehiläinen service offered by Mehiläinen, for the implementation of the customer loyalty programme, and for managing the customer relationship.
Mehiläinen can use personal data for the purpose of creating, monitoring and analysing customer history, feedback, satisfaction data, surveys and research; for allocating communications, marketing and services and organising, developing and offering other services, and for purposes of profiling as described in more detail in Section 11 of this data protection description. The service can contain marketing communications via phone, text message, e-mail or a multimedia message, and service-internal marketing and other communications on the website or mobile application.
Processing tasks can be outsourced to Mehiläinen’s group companies and/or external service providers in accordance with and within the limits set by the data protection legislation.
5 Register's data content
Information stored on the data subject may include, for example, the following:
Name, nickname, identity code, customer number, sex, language, address, telephone number, e-mail address, and other necessary contact information.
Next of kin, guardian(s), dependant(s), number and ages of children under the age of 18 years, residential information, and size of household.
Information on the services desired, used or purchased by the data subject, as well as an entry concerning the level and validity of the currently applicable customer benefit programme for loyal customers.
The information stored by the data subject him or herself, such as health information, information on treatment carried out elsewhere than Mehiläinen, areas of interest, information on hobbies, or other equivalent data.
The information on a person linked to the data subject’s family profile stored by the data subject.
Information on the staff who have treated the data subject. Wishes or notes related to professionals, services, clinics, and other issues.
Information on prohibitions, restrictions, consents and other choices made by the data subject regarding the use of personal data.
Information necessary for the use of authentication and verification tools and services.
Information on the processing of data, such as the storage date and the information source.
Information on the communications between the data subject and Mehiläinen’s professional in the OmaMehiläinen service, such as the content of messages and their sending times.
Other information related to the purpose of the register, e.g., the data that can be connected to the data subject gathered on the use of the webpages during use of a service, such as the user’s IP address, the time of visit, the pages viewed, the browser used (such as Internet Explorer or Firefox), and the URL and server from which the user accessed the site.
The OmaMehiläinen register does not contain any patient data, and the data subject is only granted a limited access right to his or her patient data. The data stored in the OmaMehiläinen service are not transferred into the patient data system, unless the data subject has agreed upon this separately with the professional treating him or her. The information stored in the OmaMehiläinen service by the data subject him or herself, such as health information or information on treatment or examinations carried out elsewhere than Mehiläinen, is not accessible to a Mehiläinen professional unless, during a treatment appointment, the data subject separately agrees with the professional that such data is to be used during his or her treatment. The professional will then save the data to be used during the treatment from the OmaMehiläinen service to the separate patient data system.
6 Storage time of personal data
Mehiläinen will store the personal data in the OmaMehiläinen service for as long as the data subject uses the OmaMehiläinen service, i.e., for as long as the data subject has a user account in the service. Mehiläinen may also erase the data before this, if it becomes clear that the user no longer uses the service and his or her customer relationship with Mehiläinen has also otherwise come to an end.
7 Regular sources of information
Information is received mainly from the following sources:
The data subject him or herself, and the information generated by the data subject’s use of the OmaMehiläinen service.
Another data subject linked to the family profile in the OmaMehiläinen service with the data subject’s consent.
Mehiläinen’s customer register.
Parties offering services related to authentication, verification, address data, updates, credit information, or similar services.
Information provided by Mehiläinen’s other partners, such as insurance companies, can also be added to the register.
The population register system of the Population Register Centre and other known systems.
8 Regular disclosure of data and the recipient groups
Information is submitted to the Mehiläinen Group companies for the purposes described in Section 4 of this data protection description, and for Mehiläinen’s customer register and direct marketing register.
Data will not be disclosed to parties other than those participating in the production, development, or maintenance of services or communications of Mehiläinen or on its behalf, except when based on an agreement, separate consent, and/or explicit regulations.
9 Transfer of data outside the EU or the EEA
Personal information can be transferred outside the European Union or the European Economic Area, for example, to the United States, in accordance with the data protection legislation and the restrictions set therein.
10 Principles in accordance with which the data file has been protected
A Physical material
Any physical material is stored in a locked space to which only people with particular rights have access.
B Electronically processed data
The OmaMehiläinen service operates via the internet and can be used via protected data-communication media, such as those used with a browser on a computer, mobile phone, mobile device or other smart device, or with another technical application provided by Mehiläinen at any given time.
The user logs in to the OmaMehiläinen service by using personal online banking credentials or another authentication method approved by Mehiläinen. Mehiläinen provides the service and its information security by means of appropriate technical solutions.
Material can only be accessed by employees, practitioners or co-operation partners specifically entitled to do so with a personal user ID and password. There are different levels of access rights, and each user is issued sufficient rights, though as limited as possible, to complete his or her work tasks. In addition, the data subject can agree with the professional (read more on Professional under Section 2 of the terms of use) that during the treatment appointment, the professional will have access to the data subject’s data stored in the OmaMehiläinen service, such as health information stored by the data subject him or herself.
The data subject him/herself can also grant the persons linked to the family profile in the OmaMehiläinen service the right to view and process data on the data subject stored in the OmaMehiläinen service, and the right to receive an equivalent restricted access right to the data subject’s patient data as the data subject him/herself has. Only persons who themselves are users of the OmaMehiläinen service, and thus also data subjects, can be linked to the family profile in the OmaMehiläinen service. Linking is performed by using personal identity codes, and requires a separate consent from the data subject to be added to the family profile. However, the legal guardian of a child under 18 years of age can add that minor to his or her family profile without the child's express consent. (Read more under Section 5 of the terms of use.)
When a user terminates his or her OmaMehiläinen account, Mehiläinen will remove all information related to OmaMehiläinen that the user has saved personally and also the user's OmaMehiläinen profile, but information related to other services (such as feedback and information used for allocation of services) will be transferred to and/or will remain in Mehiläinen's customer register.
The purpose of the measures described above is to ensure the confidentiality of the OmaMehiläinen service and the availability and integrity of its data, and the fulfilment of the rights of the data subjects.
11 Profiling
As part of the processing activities of personal information saved in the OmaMehiläinen service, Mehiläinen can also utilise the information for purposes of profiling. Profiling is implemented by creating a customer ID for the data subject for the purpose of combining various data on the data subject created during the use of the service. After this, a profile created as described above can be, e.g., compared to profiles created on other data subjects.
The purpose of profiling is to determine customer behaviour and the demand for services.
12 The data subject’s right to prohibit the processing of personal data
On the basis of a special personal situation, a data subject has the right to prohibit his or her profiling and other processing activities which Mehiläinen may direct at the data subject’s personal data, to the extent that the ground for the processing of information is the customer relationship between Mehiläinen and the data subject. The data subject may present his or her demand regarding the prohibition in accordance with Section 15 of this data protection description. In connection with the request, the data subject must identify the special situation on the basis of which he or she objects to the processing of data. Mehiläinen may refuse to implement the request for prohibition on statutory grounds.
13 The data subject’s right to prohibit direct marketing
The OmaMehiläinen service may contain adverts by Mehiläinen or its partners. The customer cannot prohibit the occurrence of adverts in the service.
The data subject may give channel-specific consent or prohibitions in the OmaMehiläinen service regarding service-external direct marketing, including profiling for direct marketing purposes.
14 Other rights of the data subject regarding the processing of personal data
The data subject’s right of access to the data (inspection right)
When logging in to the OmaMehiläinen service, the data subject can view most of the data on him or her included in the OmaMehiläinen service.
The data subject also has the right to inspect what other information on him or her has been stored in the OmaMehiläinen service. Such an inspection request must be made in accordance with Section 15 of this data protection description. The right to inspection may be declined on statutory grounds. In principle, there shall be no charge for exercising the right to inspect.
The data subject’s right to demand rectification or erasing of data or a restriction on processing data
The data subject can also update his or her basic information contained in the OmaMehiläinen service. Insofar as the data subject can act him or herself, after having been informed of an error in the data or having detected such an error him or herself, he or she must, without undue delay, on his or her own initiative, rectify, erase, or supplement the erroneous, unnecessary, incomplete or obsolete personal data or the data contrary to the purpose of OmaMehiläinen.
Insofar as the data subject cannot rectify the data him/herself, the rectification request shall be made in accordance with Section 15 of this data protection description.
The data subject also has the right to demand that the controller restrict the processing of his or her personal data, for example, in a situation where the data subject is waiting for Mehiläinen’s response to his or her request to rectify or erase data.
A data subject’s right to transfer data from one system to another
Insofar as the data subject him/herself has provided information in the OmaMehiläinen service for processing on the basis of the data subject’s consent, the data subject has the right to access such data mainly in machine-readable format and the right to transfer such data to another controller. In practice, such information includes the data on the data subject’s health or previous treatment history stored in the OmaMehiläinen service by the data subject him/herself.
A data subject’s right to make a complaint to the supervising authorities
A data subject has the right to make a complaint to the competent supervising authorities if the controller has not followed the applicable data-protection regulations in its operations.
Other rights
If the personal data is being processed on the basis of the data subject’s consent, the data subject has the right to cancel the consent by notifying Mehiläinen of this in accordance with Section 15 of this data protection description.
15 Contacts
In all matters related to the processing of personal data and all situations regarding the exercising of one’s own rights, the data subject should contact Mehiläinen via the OmaMehiläinen service, in person at a Mehiläinen clinic, or by post at the address: Mehiläinen Oy / OmaMehiläinen, Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland. When required, Mehiläinen can request the data subject to further define their request in writing, and, if needed, the identity of the data subject can be authenticated before initiating any other measures.