Mehiläinen follows the practice of the healthcare sector, where special attention is paid to the careful handling of personal data.

Mehiläinen's Privacy Statements
Mehiläinen processes customers' personal data with care, ensuring as a responsible social and healthcare provider that it fulfills its obligations related to data protection. In our operations, we comply with the EU's General Data Protection Regulation, special legislation for social and healthcare, other applicable laws relevant to Mehiläinen's activities, and guidelines from authorities on the processing of personal data. In addition, we pay special attention to the careful and secure processing of personal data and adhere to and develop common good data protection practices in the industry.

This page provides a summary of the key matters related to the processing of personal data. More detailed function- and service-specific information can be found in the privacy statements at the bottom of the page.

General Information on the Processing of Personal Data

Controller

For Mehiläinen's medical center services, the controller for patient data and other personal data is Mehiläinen Oy, its subsidiaries, and private practitioners operating in Mehiläinen's facilities.

Visiting a Private Practice

Mehiläinen and the practitioner act as joint controllers when the practitioner holds a private practice in Mehiläinen's facilities and uses Mehiläinen's information systems. Each party is responsible for ensuring that the processing of personal data in its operations is carried out in accordance with applicable legislation, including that the creation of patient record entries and the use of patient data are lawful and that there is always a legal basis for the processing.

Mehiläinen acts as the primary contact point for requests related to the exercise of data subjects' rights. However, data subjects may exercise their rights in relation to both joint controllers.

Other Services

For other services produced by Mehiläinen, such as occupational health and the OmaMehiläinen service, Mehiläinen is an independent controller.

For publicly funded social services and public health services, the data controller is typically the public purchaser, such as a wellbeing services county. In these cases, Mehiläinen acts as a processor when processing personal data to implement services according to the contract with the public purchaser. However, Mehiläinen also acts as a controller to the extent that it processes personal data to fulfill legal obligations and requirements imposed on Mehiläinen.

For more detailed information, please refer to the function-specific privacy statements at the bottom of the page.

Purposes of Use and Legal Bases

In Mehiläinen's operations, mainly health and social care customer data (patient data and social care client data) are processed. In addition, other personal data related to customer interactions may be processed.

Patient data is primarily processed for the implementation, organization, planning, monitoring, and other purposes regulated by legislation governing patient records and data. Additionally, patient data may be used for information management, operational development, monitoring, statistics, and research purposes in accordance with applicable data protection regulations. The primary legal basis for processing patient data is legislation regulating the processing of patient data or, in some cases, the patient's consent.

Read more in Mehiläinen Patient Data Privacy Statement.

Customer data that does not concern the customer's health is processed for purposes such as managing, monitoring, and developing customer relationships, customer service, and customer satisfaction. The primary legal basis for processing customer data is the contractual relationship between Mehiläinen and the customer or Mehiläinen's legitimate interest. If such data is processed together with patient data or social care client data, the processing is primarily based on applicable legislation.

Read more in Mehiläinen Customer Register Privacy Statement.

Social care client data is processed, in particular, for the planning, implementation, organization, monitoring, supervision, and evaluation of the client's care, as well as other purposes in accordance with legislation related to social care.

Read more in Mehiläinen Care and Social Services Privacy Statement.

In public health services, Mehiläinen processes customer data in relation to which the public purchaser is the controller.

Please note that for publicly funded social services and public health services, the controller is typically the public purchaser, such as a wellbeing services county, and the public purchaser informs about the processing of personal data in its own privacy statements/practices.

Some of our facilities use video surveillance, the purpose of which is to ensure the safety of customers, patients, and staff. Surveillance is conducted only in public customer areas, not in consultation or resident rooms. Data recorded by video surveillance is retained for a maximum of 180 days. Areas under video surveillance are clearly marked. A more detailed facility-specific statement is available and can be obtained from each unit using video surveillance.

For more information on the purposes of use, please refer to the function-specific privacy statements.

Retention Periods

Patient data, for which Mehiläinen acts as the controller, is retained in accordance with the patient record regulation set by the Ministry of Social Affairs and Health (STM), mainly for at least 12 years after the patient's death or 120 years from the patient's birth.

For other customer data besides patient data and social care client data, we retain personal data in the customer register, as a main rule, for as long as there is a relationship between the data subject and Mehiläinen.

Data recorded by video surveillance is retained for a maximum of 180 days. For more information on retention periods, please refer to the function-specific privacy statements.

For the retention periods of social services and public health services data, please refer to the privacy statements of each public purchaser acting as the controller.

Categories of Personal Data

The categories of personal data processed depend on the service, the nature of the operation, and the context. Read about the categories of personal data in the function-specific privacy statements, which can be found at the bottom of the page.

Protection and Location

At Mehiläinen, we use a wide range of organizational and technical security measures to ensure the security of personal data processing. Typical security measures include access control, strong authentication, security arrangements for device spaces and information system environments, and modern firewall and encryption technologies. We instruct and train our staff in the secure handling of information systems and personal data. We continuously monitor and develop the security of our information systems. The security measures used vary from service to service and function to function based on assessed needs.

We process personal data primarily within the EU/EEA. Personal data may also be transferred outside the EU/EEA. For more detailed information, please refer to the privacy statements at the bottom of the page for each function.

Recipient Groups

Use of Data Among Service Providers Operating in Mehiläinen

When you visit Mehiläinen, the processing of your patient data is primarily based on the national social and healthcare legislation in force at the time. To provide you with the best possible care, healthcare professionals need information about your health status and necessary information about your previous visits, which have been recorded by other professionals. However, you can influence whether the healthcare professionals treating you use information about you recorded by other professionals operating in Mehiläinen by expressing your will for the use of your data in OmaMehiläinen or in a privacy form at our location. More information can be found in Mehiläinen's patient data privacy statement.

Data Transfers to Cooperation Partners

We use cooperation partners in our operations to whom we transfer necessary data, for example, for the analysis of laboratory samples. We use subcontractors for healthcare information systems and diagnostics, among other things. Such partners process personal data on behalf of Mehiläinen as processors, in accordance with instructions and regulations provided by Mehiläinen.

Disclosures of Data Outside Mehiläinen

Patient data is sensitive personal data that is processed confidentially. Patient data may be disclosed to third parties only with your consent or based on legislation.

Regular disclosures based on legislation include, for example, the National Prescription Centre of Kela (the Social Insurance Institution of Finland), the Finnish Institute for Health and Welfare (THL), and insurance companies for statutory and voluntary insurance purposes. In addition, data may be disclosed for research use and for development and innovation activities in accordance with legislation governing patient data.

We disclose patient data outside Mehiläinen to other social and healthcare service providers either based on applicable legislation or with your consent. You can manage the disclosure of your data between different social and healthcare service providers by giving consent to patient data sharing in the Kanta service. More information can be found at www.kanta.fi.

For social services and public health services, the public purchaser acting as the controller decides on data disclosures.

Your Rights Related to Your Personal Data

Checking Your Own Data

The data subject has the right to obtain confirmation from Mehiläinen as to whether personal data concerning them is being processed. If their personal data is being processed, the data subject has the right to receive information about the processing of their personal data, such as the purposes of the processing and the categories of personal data involved. Mehiläinen informs about the processing of personal data in its privacy statements. The data subject can also contact Mehiläinen regarding the processing of personal data in the manner described in Mehiläinen's privacy statements.

As our customer, you have the right to check your own patient and other personal data. The quickest and easiest way to verify the accuracy of your key patient data is through the OmaMehiläinen online service at https://oma.mehilainen.fi/ or via the mobile app.

If you wish, you can also order the data in paper form by post to your home. More information and instructions for ordering data can be found here.

Regarding personal data related to the operation of publicly funded social services or public healthcare services provided by Mehiläinen, we ask you to contact the social and health department of the respective public client, which acts as the controller for such information.

If you are a self-paying client in Mehiläinen's care units, you can check your information with a free-form written request to the respective care service unit.

Checking Log Data

Customers have the right to check the log data on the processing of patient data. Checking is free of charge once a year. Based on the log data, it is possible to see who has processed the data, the time of the processing, and the reason for the processing. Instructions for ordering log information can be found here.

Regarding the National Patient Data Archive, log information is available on the kanta.fi online service.

Request a clarification or report an incident

If you suspect misuse of patient data, you can ask us to investigate the matter by submitting a free-form written request for clarification. The request must specify your personal identification number and the date or other event related to the request for clarification. When ordering log information, we will provide instructions for making a request for clarification along with the log information.

You can find more detailed instructions for making a request for clarification here.

Rectification of Incorrect Information

Customers have the right to demand the correction of incorrect personal data. For contact details, you can correct the data through the OmaMehiläinen online service. For other data and patient data, you can find more detailed instructions here. Any correction to patient data will be made so that the original entry can be investigated if necessary.

If the data subject disputes the accuracy of personal data, they have the right to request the restriction of the processing of personal data while the matter is being clarified. During this restriction, other dealings with Mehiläinen will be prevented.

For publicly funded social services or public healthcare services provided by Mehiläinen, we ask you to submit a correction request to the social or health department of the respective public client, which acts as the controller for such information.

Deletion of Personal Data

Under the General Data Protection Regulation, the data subject has the right to be forgotten, i.e., to demand the deletion of personal data concerning themselves. The right to deletion applies to personal data that we process based on, for example, Mehiläinen’s legitimate interest (based on the customer relationship) or the consent given by the data subject.

As a rule, there is no right to delete patient data because there is a statutory obligation binding the healthcare unit to retain patient data generated in its operations.

Right to Object or Restrict the Processing of Personal Data

The data subject has the right to object to the processing of their personal data to the extent that the data is processed based on Mehiläinen's legitimate interest, which it has, for example, due to the customer relationship. The processing of patient data cannot be stopped because there is a statutory obligation binding the healthcare unit to process and archive patient data. However, the data subject has the right to object to the processing of patient data for information management, scientific research, or statistical purposes based on a particular situation.

The data subject also has the right to request the restriction of the processing of personal data, for example, during the verification of the accuracy of personal data. The data subject has the right to object to the use of their personal data for direct marketing, in which case we will not use the data for direct marketing purposes.

For publicly funded social services or public healthcare services provided by Mehiläinen, we ask you to submit any demands to the social or health department of the respective public client, which acts as the controller for such information.

Right to Data Portability

As a rule, the right to transmit patient data from one system to another does not apply. The data subject has the right to transfer personal data from one system to another when the processing of personal data is based on the consent given by the data subject or a contract with the data subject. You can find more information in the specific statements for each operation.

Right to Lodge a Complaint with a Data Protection Authority

If the data subject believes that Mehiläinen has violated data protection legislation or made an incorrect decision, the data subject has the right to lodge a complaint with the office of the Data Protection Ombudsman, which acts as the data protection authority. You can find the complaint instructions on the website of the Data Protection Ombudsman's office.

Contact Details

For issues related to registered patient and personal data, one can turn to Mehiläinen's Health Information Management team.

Health Information Management
info.terveystiedot@mehilainen.fi

Please note that we can only accept requests related to ordering, correcting, and log data in writing. Your identity will be verified at a Mehiläinen location with a photo ID or alternatively through the OmaMehiläinen online service.

This ensures that information is only disclosed to individuals who have the right to it. You can also submit a request for information through the nearest Mehiläinen location, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen location on our website at https://www.mehilainen.fi/en/locations.

If you are sending sensitive information by email, you can use Mehiläinen's secure mail if necessary.

For public social and health services, we ask that inquiries and requests related to the processing of personal data be directed to the health or social services department of each public contracting entity in accordance with the practices instructed by each public contracting entity (such as the wellbeing services county).

Data Protection Officer

Data Protection Officer at Mehiläinen is (tietosuoja@mehilainen.fi).

Forms

You can find the forms related to patient information here.
