OmaMehiläinen Service Privacy Statement
Last updated: January 1, 2024
Mehiläinen Oy
Business ID 1927556-5
Arkadiankatu 6
00100 Helsinki, Finland
Switchboard: 010 414 0112 (local network rate/mobile charge)
OmaMehiläinen
The OmaMehiläinen service (hereinafter also 'the service') is primarily aimed at Mehiläinen's customers, but anyone with the personal online banking credentials required for registration can use it.
The processing of personal data is primarily based on the contractual relationship between Mehiläinen and the data subject, Mehiläinen's legitimate interest, and legislation. The basis for processing personal data may also be the consent given by the data subject. Mehiläinen's legitimate interest is based on the customer relationship between Mehiläinen and the data subject. A customer relationship between Mehiläinen and the data subject is created when the data subject creates a user account in the OmaMehiläinen service. The processing of health data is based on legislation or the consent of the data subject. For example, when the data subject enters information about their health and well-being into the OmaMehiläinen service, the collection and processing of health data can be based either on the consent given by the data subject or on legislation.
Personal data is processed for the implementation and provision of Mehiläinen's web browser and application-based OmaMehiläinen service, for the implementation of the loyalty program, and for customer relationship management.
Mehiläinen may use personal data for customer history, feedback, satisfaction information, surveys and research, monitoring and analysis, service event verification, quality monitoring, development of operations and services; communication, marketing and targeting of services as well as other service provision, development and supply and profiling purposes as described in more detail in section 10 of this privacy statement. The service may include marketing communication by phone, text message, email or multimedia message, as well as internal marketing and other communication on the website or mobile application.
In addition, the service displays health data about each customer located in the patient record system, for which the processing of personal data is carried out in accordance with the patient data privacy statement.
Processing tasks can be outsourced to Mehiläinen Group companies and/or external service providers in accordance with data protection legislation and within its limits. In this case, Mehiläinen Group companies and external service providers process personal data on behalf of Mehiläinen.
The processing involves, among other things, the following types of information:
- Name, nickname, personal identification number, customer number, gender, language, address, phone number, email address and other necessary contact information;
- Close relative, guardian, dependant, number and ages of children under 18;
- Information about the services the registered person wishes, uses and purchases, and a note about the level and validity period of the current loyalty program. Information about the registered person, such as health data, information about treatment received elsewhere than at Mehiläinen, interests, hobby information or other similar information;
- Health and well-being data about the registered person transferred to the service;
- Information about the person linked to the registered person's family profile;
- Information about people who have treated the data subject. Wishes or notes about professionals, services, units and other matters;
- Information about prohibitions, restrictions, consents and other choices made by the data subject regarding the use of personal data;
- Necessary information related to the use of identification and verification tools and services;
- Information related to data processing, such as the date of storage and the source of information;
- The content of messages between the data subject and Mehiläinen's professional, the content of chat discussions held at Mehiläinen's Digital Clinic, files possibly uploaded by the registered person, log information, information about the parties and sending times of messages;
- Other information related to the purpose of the register, such as information that can be linked to the data subject, collected during the use of the service, such as the user's IP address, identification information related to the user's terminal device and operating system, time of visit, visited pages, used browser type (e.g. Internet Explorer, Firefox), web address from which the user has come to the website and the server from which the user has come to the website.
The OmaMehiläinen service only offers the data subject a limited viewing right to their patient data. Data stored in the OmaMehiläinen service is not transferred to the patient record system unless the data subject has separately agreed on this with the professional treating the data subject. Information that the data subject themselves has stored in the OmaMehiläinen service, for example information about the data subject’s health or treatments or examinations done elsewhere, is not visible to Mehiläinen's professionals unless the data subject separately agrees with the professional during the treatment event that the information will be used in connection with the treatment. In this case, the professional can store the necessary information in a separate patient record system.
Mehiläinen stores personal data in the OmaMehiläinen service as long as the data subject uses the OmaMehiläinen service, i.e. they have a user account in the service. Mehiläinen may also delete the data earlier if it is clear that the user no longer uses the service and their customer relationship with Mehiläinen has also otherwise ended. We store personal data in OmaMehiläinen for a maximum of ten (10) years from the last use of OmaMehiläinen or transaction at Mehiläinen.
Information is primarily obtained from the following sources:
- The data subjects themselves, and information generated through the use of the OmaMehiläinen service by the data subject;
- Another data subject added to the OmaMehiläinen service family profile with the consent of the data subject;
- Mehiläinen's customer register;
- A party providing identification, verification, address, update, credit information or similar service;
- The register may also include information provided by other cooperation partners of Mehiläinen, such as information received from an insurance company;
- We update contact and other basic information based on information from the Digital and Population Data Services Agency. In addition, contact information can be updated for occupational health customers based on information provided by the customer's employer.
Information may be disclosed to Mehiläinen Group companies for the purposes of use described in section 3 of this privacy statement, as well as to Mehiläinen's customer register and direct marketing register.
As a general rule, personal data is not disclosed to third parties outside Mehiläinen. If it is necessary to disclose personal data, the disclosure can be carried out to third parties based on a contract, consent, or an explicit legal basis provided by law.
Personal data may be transferred outside the European Union or the European Economic Area, including to the United States, in accordance with data protection legislation and within its limits. In such cases, the primary basis for transfer is the European Commission's decision on the adequacy of data protection in the United States. If personal data is transferred to a country for which the Commission has made an adequacy decision on adequate level of data protection (Article 45 of the EU General Data Protection Regulation), the primary basis for transfer is the adequacy decision.
A. Manual material
Any manual material is kept in a locked space, accessible only to individuals who have been granted access rights.
B. Electronically processed data
The OmaMehiläinen service operates online and can be accessed via a secure data communication connection, for example, through a computer, mobile phone, mobile device, or other smart device browser, or through other technical applications offered by Mehiläinen at the time.
Users log into the OmaMehiläinen service using personal online banking credentials or other identification approved by Mehiläinen. Mehiläinen provides the service and its security with appropriate technical solutions.
Access to the material is only available to an employee, professional, or cooperation partner who is authorized and has a personal username and password. There are different levels of access rights, and each user is given access rights that are sufficient for the task at hand but as limited as possible. In addition, the data subject can agree with the professional (see more in the terms of use section 2 "professional") that they will have access to the information stored in the OmaMehiläinen service during the care visit, such as the health data entered by the data subject themselves.
The data subject can also give family members linked to the OmaMehiläinen service family profile the right to view and process information about the data subject stored in the OmaMehiläinen service, as well as the right to have a limited viewing right to the data subject’s patient data, similar to that of the data subject themselves. Only individuals who are themselves users of the OmaMehiläinen service and thus also registered can be linked to the family profile of the OmaMehiläinen service. Adding is done using a personal identification number and requires separate consent from the data subject being added to the family profile. However, the official guardian of a child under 18 can add the child to their family profile without the child's special consent. (Read more in the terms of use section 5.)
When the use of the OmaMehiläinen service is terminated, Mehiläinen will delete all user-entered information in the OmaMehiläinen service and the user's OmaMehiläinen profile, but other service-related information (such as feedback and information used for targeting services) will be transferred and/or remain in Mehiläinen's customer register.
The purpose of the above actions is to ensure the confidentiality, availability, and integrity of the OmaMehiläinen service, as well as the realization of the rights of the data subjects.
As part of the processing activities of personal data stored in the OmaMehiläinen service, Mehiläinen may also use the data for profiling purposes. Profiling is carried out by creating a customer identifier for the data subject, which allows for the combination of various information related to the data subject that arises in connection with the use of the service. The profile created in this way can then be compared, for example, to profiles created from other data subjects.
The purpose of profiling is to determine the demand for services, customer behavior, and to provide recommendations to the customer.
The data subject has the right, related to their personal particular situation, to object to profiling and other processing activities that Mehiläinen directs at the data subject’s personal data to the extent that the basis for the processing is Mehiläinen's legitimate interest, which is based on the customer relationship between Mehiläinen and the data subject. The data subject can submit their objection request in accordance with section 14 of this privacy statement. In connection with the request, the data subject must specify the particular situation on which they base their objection. Mehiläinen may refuse to comply with the objection request on legally stipulated grounds.
The OmaMehiläinen service may include advertisements from Mehiläinen and its cooperation partners. The customer cannot prohibit the appearance of advertisements in the service.
To the extent that personal data is processed for direct marketing purposes, the data subject has the right to object to such processing for marketing purposes at any time. The data subject can give consents or prohibitions regarding external direct marketing in the OmaMehiläinen service, including profiling for direct marketing purposes.
For all matters related to your personal data, you can turn to Mehiläinen's Health Information Management team.
Health Information Management
terveystiedot@mehilainen.fi
Please note that we can only accept requests from data subjects in writing. Your identity will be verified at a Mehiläinen location with a photo ID or alternatively through the OmaMehiläinen online service. This ensures that information is only released to individuals who have the right to it.
You can also submit a data request through the nearest Mehiläinen service points, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen service point on our website at https://www.mehilainen.fi/en/locations.
If you are sending sensitive information by email, you can use Mehiläinen's secure mail if necessary.
Data Protection Officer
The Data Protection Officer at Mehiläinen is Kim Klemetti (tietosuoja@mehilainen.fi).