Mehiläinen's Privacy Statements
Read more
Mehiläinen Direct Marketing Register Privacy Statement
Last updated: January 1, 2024
Mehiläinen Oy
Business ID 1927556-5
Arkadiankatu 6
00100 Helsinki, Finland
Mehiläinen's Direct Marketing Register.
The processing of personal data is based on Mehiläinen's legitimate interest (for direct marketing purposes), the contractual relationship between Mehiläinen and the data subject, or the consent given by the data subject. The legitimate interest of Mehiläinen is based on the customer relationship or a similar relationship between Mehiläinen and the data subject.
Personal data is processed for direct marketing by Mehiläinen and its cooperation partners, distance selling, profiling purposes (as described in more detail in section 9), opinion or market research, or other similar address-based mailings. Personal data may also be processed for the development of direct marketing.
Processing tasks may be outsourced to Mehiläinen Group companies and/or external service providers within the limits set by data protection legislation.
The following groups of data about the data subjects are processed:
Name, title or profession, age or year of birth, gender, mother tongue, address, and other contact details, profile created for the data subject or information about the data subject's family type, preferred methods of communication, channel-specific direct marketing permissions and prohibitions, other identification information related to marketing based on consent or customer relationship, and information on changes to the data.
Mehiläinen retains personal data in the direct marketing register unless the data subject has prohibited direct marketing. However, information regarding the prohibition of direct marketing is still retained in the register. Personal data is retained as long as necessary for the purposes of use. Personal data is retained until the data subject prohibits direct marketing or until the customer relationship or similar significant relationship between the data subject and Mehiläinen can be considered to have ended. The end time is determined by the data subject's last service contact with Mehiläinen. After the end of the customer relationship or similar significant relationship, Mehiläinen may continue to retain the data if there is a specific reason for retention, such as for the preparation, presentation, or defense of legal claims. The determination of the retention period is influenced by, among other things, the general limitation periods for damages based on legislation.
Personal data is collected during various marketing competitions or similar registrations, when registering for Mehiläinen's services, or directly from the data subject.
Personal data may also be collected and updated from the registers of Mehiläinen and its group companies (such as the OmaMehiläinen personal register or customer register), the Population Information System, prohibition registers maintained by the Customer Marketing Association, through Posti's update services, and other sources. Data is not collected from the patient register.
Personal data may be disclosed to Mehiläinen Group companies for the purposes described in section 3 of this privacy statement. As a general rule, personal data is not disclosed to third parties outside Mehiläinen. If it is necessary to disclose personal data, the disclosure can be carried out to third parties based on a contract, consent, or legislation.
Mehiläinen may transfer personal data and outsource processing activities to Mehiläinen Group companies and external service providers who process personal data on behalf of Mehiläinen.
Personal data may be transferred outside the European Union or the European Economic Area, including to the United States, in accordance with data protection legislation and within its limits. In such cases, the primary basis for transfer is the European Commission's decision on the adequacy of data protection in the United States. If personal data is transferred to a country for which the Commission has made an adequacy decision on adequate level of data protection (Article 45 of the EU General Data Protection Regulation), the primary basis for transfer is the adequacy decision.
Mehiläinen has appropriate technical and organizational security measures in place to protect personal data. Any manual material is kept in a locked space, accessible only to individuals who have been granted access rights. Access to digital material is only available to an employee, professional, or partner who is authorized and has a personal username and password. There are different levels of access rights, and each user is given access rights that are sufficient for the task at hand but as limited as possible.
As part of the processing activities of personal data stored in the direct marketing register, Mehiläinen may also carry out profiling. Profiling is carried out by creating a customer identifier for the data subject, which allows for the combination of various information related to the data subject that is stored in the direct marketing register. The profile created in this way can then be compared, for example, to profiles created from other data subjects. In addition, profiling information about the data subject may be collected from other sources. The purpose of profiling is to enable better targeting of marketing.
Personal data is not used for automated decision-making.
To the extent that personal data is processed for direct marketing purposes, the data subject has the right to object at any time to such processing for marketing purposes and to prohibit the processing of personal data for direct marketing purposes.
The data subject can give Mehiläinen consents and prohibitions regarding direct marketing.
The data subject has the right, based on their personal particular situation, to object at any time to profiling and other processing activities that Mehiläinen directs at the data subject's personal data to the extent that the basis for processing is Mehiläinen's legitimate interest. The data subject can submit their objection request in accordance with section 12 of this privacy statement. In connection with the request, the data subject must specify the particular situation on which they base their objection. Mehiläinen may refuse to comply with the objection request on legally stipulated grounds.
For issues related to registered patient and personal data, one can turn to Mehiläinen's Health Information Management team.
Health Information Management
info.terveystiedot@mehilainen.fi
Please note that we can only accept requests from data subjects in writing. Your identity will be verified at a Mehiläinen service point with a photo ID or alternatively through the OmaMehiläinen online service. This ensures that information is only released to individuals who have the right to it.
You can also submit a data request through the nearest Mehiläinen service points, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen service point on our website at https://www.mehilainen.fi/en/locations.
If you are sending sensitive information by email, you can use Mehiläinen's secure mail if necessary.
Data Protection Officer
The Data Protection Officer at Mehiläinen is Kim Klemetti (tietosuoja@mehilainen.fi).
