Mehiläinen Care and Social Services Privacy Statement

This privacy statement applies to customers of care and social services provided by Mehiläinen Oy and its subsidiaries, for whom Mehiläinen Oy or its subsidiary acts as the controller.

Mehiläinen Oy
Pohjoinen Hesperiankatu 17
00260 Helsinki, Finland
Business ID 1927556-5

For publicly funded social services and public health services, the controller is typically the public purchaser, such as a wellbeing services county. If the customer relationship is based on a commission by a public purchaser, such as a wellbeing services county, or if the customer has been granted a service voucher by the public purchaser, the respective public purchaser acts as the controller. For these customer data, the controller's privacy statement and the described practices are followed. For the aforementioned registers, please contact the social services of the placing public purchaser directly. In this case, Mehiläinen Oy or its subsidiary acts as a processor of personal data when processing personal data for the implementation of services according to the contract with the public purchaser. However, Mehiläinen Oy or its subsidiary also acts as a controller to the extent that it processes personal data to fulfill statutory tasks and requirements imposed on Mehiläinen.

The processing of customer data is primarily based on legislation. In addition, the processing of personal data, such as the disclosure of personal data, may be based on the customer's consent.

Social welfare client data is processed especially for planning, implementing, organizing, monitoring, supervising, and evaluating the client's care, as well as for other purposes in accordance with the legislation related to social welfare.

The data stored in the customer register are used for planning, implementing, and evaluating the customer's care and rehabilitation, for other purposes in accordance with legislation and consents, and for fulfilling the statutory tasks and requirements of Mehiläinen or its subsidiaries. Additionally, personal data is processed for secondary use in accordance with the Secondary Use Act, where the basis for processing is the public interest.

When the public purchaser is the controller, these customer data are kept separate and are transferred to the controller for archiving at the end of the customer or contract relationship.

• Customer's name, personal identification number, contact details;
• Customer's designated next of kin, guardian of a minor customer, customer's legal representative, and any other contact persons/entities provided by the customer;
• Information necessary to ensure the organization, planning, implementation, and monitoring of the customer's care and rehabilitation, such as data generated in examinations and care, as well as preliminary information;
• Information on the duration of the service, billing information, and billing addresses;
• Other information necessary for care, e.g., records made by nurses, public health nurses, dieticians, psychologists, etc.;
• Possible information on data disclosures and the basis for disclosures;
• Information on the person who has provided the customer's care and rehabilitation;
• In child protection units, basic education certificates and individual plans for organizing education;
• All customer register data form a logical whole. Records made by healthcare professionals involved in the customer's care and rehabilitation are stored in the same register as a sub-register;
• In addition to the electronic register, separate paper-based registers may be maintained as sub-registers, which may include information on consents and prohibitions given by the customer regarding the disclosure of customer data, signed rental and service agreements, medication lists, outdoor activity lists, fluid intake lists, or other similar lists that ensure the implementation of care and rehabilitation.

Personal data are regularly obtained from the following sources:

• Customer, customer's guardian, customer's legal representative, or next of kin;
• Care staff and health and social care professionals.
• With the customer's consent, information can also be obtained from other social welfare or healthcare units or professionals, for example, through the national health archive (KANTA).

The retention periods for personal data stored in the customer register are in accordance with the applicable regulations on data retention periods. Retention periods are determined by applicable legislation. The retention period depends on the type of personal data, among other factors.

Customer data is confidential, and staff have a duty of confidentiality.

Customer data may be disclosed:

• With the explicit, specific consent of the customer or their legal representative;
• Under an explicit provision of law.

When the service is provided under a commissioning contract by a public purchaser, the commissioner acts as the controller. In this case, the public purchaser decides on all data disclosure, even when there is a statutory basis for it.

6.1 Regular Disclosure of Customer Data/ Recipient Groups

To the National Institute for Health and Welfare and the Finnish Medicines Agency Fimea for research, planning, statistics, and supervision tasks, as well as to Fimea for monitoring controlled substances.

Other possible recipients of disclosures:

• In a referral situation, with the customer's verbal consent recorded in the customer records, information can be disclosed to another specified social or healthcare unit or healthcare professional.
• Information necessary for organizing or implementing the customer's examination and care may be disclosed to another Finnish or foreign healthcare unit or healthcare professional without the patient's consent if the patient is unable to assess the significance of the given consent due to a mental disorder, intellectual disability, or similar reason, and does not have a legal representative, or if consent cannot be obtained due to the customer's unconsciousness or a similar reason.
• National health archive (KANTA archive).
• With the customer's written consent or under an explicit provision of law, information may be disclosed to an insurance company.
• Customer's guardian, other legal representative, and the customer's next of kin, if the customer has given explicit, specific consent to this. If a minor customer is capable of deciding on their care according to their age and level of development, they have the right to prohibit the disclosure of information about their health and care to their guardian or other legal representative.
• In addition, information about an unconscious customer or one who is being treated for a similar reason can be given to a close relative or someone close to them about the customer and their health status, unless there is reason to assume that the customer would prohibit such action.

Customer data is confidential and is not disclosed to third parties without a basis in law.

Customer data may be used and only to the extent required by their job duties by persons working in the relevant unit or those involved in related tasks on behalf of the unit. The highest management of the data controller decides on organizational solutions and defines levels of access rights granted to employees. Receipt of user IDs is conditional upon signing a confidentiality commitment.

Old paper card files, which may also be generated alongside the electronic customer information system, are kept in locked and monitored premises.

Access to electronically processed data is only available with the personal user ID and password of the authorized employee. The use of customer data is monitored by following log data.

When the service is based on a commission by a public purchaser or a service voucher granted by them, requests from data subjects should be submitted to the public purchaser. Requests from data subjects are processed by the respective public purchaser. The following sections 8.1 - 8.7 apply only to the processing of personal data under Mehiläinen's controller responsibilities.

8.1 Right of Access by the Data Subject (Right to Inspect)

The customer has the right to obtain confirmation from Mehiläinen as to whether or not personal data concerning them are being processed. If their personal data are being processed, the customer has the right to receive information about the processing of their personal data, such as the purposes of the processing and the categories of personal data involved. Mehiläinen informs about the processing of personal data in its privacy statements. The data subject can also contact Mehiläinen regarding the processing of personal data in accordance with section 9 of this privacy statement.

The data subject has the right to inspect the data concerning them that are being processed. An inspection request can be made in accordance with section 9 of this privacy statement. The right to inspection can be denied on grounds provided by law. The exercise of the right to inspection is generally free of charge. However, Mehiläinen may charge a reasonable fee based on administrative costs under certain conditions.

8.2 Right of the Data Subject to Demand Rectification, Deletion, or Restriction of the Data Processing

The data subject has the right to demand the correction of incorrect data concerning them. A correction request can be made to Mehiläinen in accordance with section 9 of this privacy statement.

Personal data cannot generally be deleted because their processing is based on legislation and they are subject to a statutory retention obligation. For other data, the data subject has the right to have their personal data deleted under certain conditions, for example, if the processing is based on the data subject's consent and the data subject withdraws their consent, and there is no other legal basis for the processing.

The data subject also has the right to demand that the controller restricts the processing of their personal data, for example, when the data subject is waiting for Mehiläinen's response to their request for correction or deletion of data.

Implementation and organization of data correction and restriction of processing

• A request for correction and a request for restriction of processing must be made in writing and addressed to the data controller in accordance with section 9 of this privacy statement.

If the customer's request is justified, the information will be corrected and any measures to restrict processing will be implemented. Any incorrect entries will be crossed out or moved to a background file so that both the incorrect and corrected entries can be read later. The documents will be marked with the name, official position, and date of correction by the person making the correction.

8.3 Right of the Data Subject to Object to the Processing of Personal Data

The data subject has the right, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them when the processing is based on the public interest. For example, the data subject has the right to object to the processing of their personal data for information management purposes. The data subject can make their objection in accordance with section 9 of this privacy statement. In their request, the data subject must specify the particular situation on which they base their objection. Mehiläinen may refuse to comply with the request for objection on grounds provided by law.

8.4 Right to Data Portability

To the extent that the data subject has provided data to Mehiläinen, which are processed based on the data subject's consent and the processing is carried out automatically, the data subject has the right to receive such data in a structured, commonly used, and machine-readable format and has the right to transfer this data to another controller.

8.5 Right of the Data Subject to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the competent supervisory authority (in Finland, the Office of the Data Protection Ombudsman) if the controller has not complied with the applicable data protection legislation in its operations.

8.6 Other rights

If personal data are processed based on the data subject's consent, the data subject has the right to withdraw their consent at any time by notifying Mehiläinen in accordance with section 9 of this privacy statement. However, withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

8.7 KANTA archive

Mehiläinen joined the KANTA archive on April 21, 2016, for health services. However, customer data for care and social services are not entered into the KANTA archive.

For public social and health services, please direct inquiries and requests related to the processing of personal data to the health or social services of each public purchaser, in accordance with the practices instructed by the public purchaser, such as the wellbeing services county. If the contact concerns the processing of personal data under Mehiläinen's controller responsibilities, for issues related to your own patient and personal data, you can turn to Mehiläinen's Health Information Management team.

Health Information Management
terveystiedot@mehilainen.fi

Please note that we can only accept requests related to ordering, correcting, and log data of patient and personal data in writing. Your identity will be verified at a Mehiläinen location with a photo ID or alternatively through the OmaMehiläinen online service. This ensures that information is only disclosed to individuals who have the right to it.

You can also submit a data request through the nearest Mehiläinen location, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen location on our website at https://www.mehilainen.fi/en/locations.

If you are sending sensitive information by email, you can use Mehiläinen's secure mail if necessary.

Data Protection Officer

The Data Protection Officer at Mehiläinen is Kim Klemetti (tietosuoja@mehilainen.fi).