Mehiläinen Customer Register Privacy Statement

Mehiläinen Oy
Business ID 1927556-5
Arkadiankatu 6
00100 Helsinki, Finland

Mehiläinen Customer Register

The primary basis for processing personal data is Mehiläinen's legitimate interest, which arises from the customer relationship or other relevant connection between the customer and Mehiläinen. Mehiläinen's legitimate interests include managing, implementing, and developing the customer relationship, customer service, and related communication and marketing. Additionally, the processing of personal data may be based on the consent of the data subject or on a contract. The processing basis may also be legislation applicable to social and healthcare services if personal data are processed as part of patient care or health services provided by Mehiläinen. For health data of the data subject, processing is based either on legislation or on the consent of the data subject.

Personal data may be processed for the following purposes:

• Managing, implementing, developing, researching, and monitoring customer relationships, customer service, and related communication and marketing;
• Analyzing, grouping, and reporting on customer relationships, implementing loyalty programs, and other purposes related to the overall customer relationship and the development of Mehiläinen's business;
• Collecting and processing customer feedback and satisfaction data;
• Conducting market and other surveys and opinion polls;
• Recording customer service center calls to verify service transactions, ensure legal protection and security, and develop customer service staff skills and service quality;
• Profiling purposes described in more detail in section 9 of this privacy statement;
• Implementing, developing, and maintaining services and communication.

Processing tasks may be outsourced to Mehiläinen group companies and/or external service providers in accordance with data protection legislation and within its limits.

The data subjects are customers, former customers, and potential customers.

• The processing involves, among other things, the following types of information about the data subjects:
• Name, given name, personal identification number, customer number, gender, language, address, phone number, email address, and other necessary contact details;
• Next of kin, guardian, dependant, number and ages of children under 18, living arrangements, household size;
• Service usage and purchase information, current level and validity period of the loyalty program, and marketing and communication implementation details across different channels, including online services and automated services, including the recording of customer service center calls;
• Content produced by the data subject, such as customer feedback, and additional information provided by themselves, such as wishes related to the customer relationship, satisfaction data, interests, hobbies, or other similar information;
• Information possibly related to the data subject's insurance, occupational health services and contracts, sports clubs, and similar matters;
• Services desired and used by the data subject, including payment information;
• Information about the persons who have treated the data subject. Other wishes or notes related to professional personnel, services, operational units, and other matters;
• Prohibitions, restrictions, consents, and other choices;
• Other information related to the customer relationship, such as information collected from website usage that can be associated with the customer, such as the user's IP address, time of visit, pages visited, browser type (e.g., Internet Explorer, Firefox), the web address from which the user came to the website, and the server from which the user accessed the website;
• Necessary information related to the use of identification and authentication tools and services;
• Information related to data processing, such as the date of storage and the source of information.

Mehiläinen retains personal data until the customer relationship between the data subject and Mehiläinen can be considered to have ended. The end time is determined based on the data subject's most recent service contact and Mehiläinen's key business figures. After the end of the customer relationship, Mehiläinen may continue to retain the data if there is a specific reason for doing so, such as for the preparation, presentation, or defense of legal claims. The determination of the retention period is influenced, among other things, by the general statutes of limitations for damages based on legislation.

Information is primarily obtained from the following sources:

• The data subject himself and the events related to the data subject's membership, use of services, communication, and transactions;
• A party providing identification, verification, address, update, credit information, or similar service;
• The Population Register Center's population information system and other systems.

The register may also include information provided by other partners of Mehiläinen, such as an insurance company or a sports club.

Personal data may be disclosed to Mehiläinen's group companies for the purposes described in section 3 of this privacy statement.

As a rule, personal data is not disclosed to third parties outside Mehiläinen. If it is necessary to disclose personal data, the disclosure can be made to third parties on the basis of a contract, consent, or legislation.

Mehiläinen may transfer personal data and outsource processing operations to Mehiläinen's group companies and external service providers who process personal data on behalf of Mehiläinen.

Personal data may be transferred outside the European Union or the European Economic Area, including to the United States, in accordance with data protection legislation and within its limits. In this case, the primary basis for the transfer is the European Commission's decision on the adequacy of data protection in the United States. If personal data is transferred to a country for which the Commission has issued an adequacy decision on adequate level of data protection (Article 45 of the EU General Data Protection Regulation), the primary basis for the transfer is the adequacy decision.

Mehiläinen has appropriate technical and organizational protection measures in place to protect personal data. Any manual material is stored in a locked space, which is only accessible to individuals who have been specifically authorized. Access to digital material is only available to an authorized employee, professional, or partner with a personal username and password.

There are different levels of access rights and each user is given a sufficient but as limited as possible access right to perform the task.

As part of the processing operations of personal data stored in the customer register, Mehiläinen may also use the data for profiling purposes. Profiling is carried out by creating a customer identifier for the data subject, which allows various information about the data subject generated in connection with the use of the service to be combined. The profile created in this way can then, for example, be compared to profiles created from other data subjects.

The purpose of profiling is to determine the demand for services and customer behavior.

Personal data is not used for automated decision-making.

The data subject has the right, on grounds relating to his or her particular situation, to object at any time to profiling and other processing operations that Mehiläinen targets at the data subject's personal data to the extent that the basis for the processing of personal data is Mehiläinen's legitimate interest. The data subject may submit his or her objection in accordance with section 12 of this privacy statement. In connection with the request, the data subject must specify the particular situation on the basis of which he or she objects to the processing. Mehiläinen may refuse to comply with the request to object on the grounds provided for by law.

To the extent that personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing for such marketing.

The data subject may give Mehiläinen consents or prohibitions relating to direct marketing, including profiling for direct marketing purposes.

11.1 Right of Access by the Data Subject (Right to inspect)

The data subject has the right to obtain confirmation from Mehiläinen as to whether or not personal data concerning him or her is being processed. If his or her personal data is being processed, the data subject has the right to receive information about the processing of his or her personal data, for example, the purposes of the processing and the categories of personal data concerned. Mehiläinen informs about the processing of personal data in its privacy statements. The data subject can also contact Mehiläinen regarding the processing of personal data in the manner described in section 12 of this privacy statement.

The data subject has the right to check what information about him or her has been stored in Mehiläinen's customer register. The inspection request must be made in accordance with section 12 of this privacy statement. The right of inspection may be denied on the grounds provided for by law. The use of the right of inspection is primarily free of charge. However, Mehiläinen may, under certain conditions, charge the data subject a reasonable fee based on administrative costs.

11.2 The Right of the Data Subject to Request the Rectification, Deletion, or Restriction of the Data Processing

If the data subject is also a user of the OmaMehiläinen service, he or she can update his or her basic information in the OmaMehiläinen service. To the extent that the data subject or user can act himself or herself, he or she must, without undue delay, upon receiving information about the error or, having noticed the error himself or herself, on his or her own initiative correct, delete or supplement the incorrect, unnecessary, incomplete or outdated information. The data subject can also make a request to Mehiläinen to correct personal data in accordance with section 12 of this privacy statement.

The data subject also has the right to require the controller to restrict the processing of his or her personal data, for example, in a situation where the data subject is waiting for Mehiläinen's response to his or her request for correction or deletion of data.

The data subject has, under certain conditions, the right to have his or her personal data deleted, for example, if the processing is based on the data subject's consent and the data subject withdraws his or her consent, and there is no other legal basis for the processing, or if the data subject objects to the processing and there is no justified reason for the processing. The deletion request can be made in accordance with section 12 of this privacy statement.

11.3 Right to Data Portability

To the extent that the data subject has provided Mehiläinen with data that is processed on the basis of the data subject's consent or a contract and the processing is carried out automatically, the data subject has the right to receive such data in a structured, commonly used and machine-readable format and the right to transfer these data to another controller.

11.4 Right of the Data Subject to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the competent supervisory authority (in Finland, the Office of the Data Protection Ombudsman) if the controller has not complied with the applicable data protection legislation in its operations.

11.5 Other Rights

If personal data is processed on the basis of the data subject's consent, the data subject has the right to withdraw his or her consent at any time by notifying Mehiläinen in accordance with section 12 of this privacy statement. However, the withdrawal of consent does not affect the legality of the consent-based processing carried out before its withdrawal.

For issues related to registered patient and personal data, one can turn to Mehiläinen's Health Information Management team.

Health Information Management
info.terveystiedot@mehilainen.fi

Please note that we can only accept requests from data subjects in writing. Your identity will be checked at a Mehiläinen office from a photo ID or alternatively through the OmaMehiläinen online service. This ensures that information is only released to individuals who have the right to it.

You can also submit a data request through the nearest Mehiläinen service points, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen service point on our website at https://www.mehilainen.fi/en/locations.

If you are sending sensitive information by email, you can use Mehiläinen's secure mail if necessary.

Data Protection Officer

The Data Protection Officer at Mehiläinen is Kim Klemetti (tietosuoja@mehilainen.fi).