Mehiläinen Direct Marketing Register Privacy Statement

Last updated: January 1, 2024

1. Controller

Mehiläinen Oy
Business ID 1927556-5
Pohjoinen Hesperiankatu 17 C
00260 Helsinki, Finland

2. Register name

Mehiläinen's Direct Marketing Register.

3. Purpose and basis of the data processing

The processing of personal data is based on Mehiläinen's legitimate interest (for direct marketing purposes), the contractual relationship between Mehiläinen and the data subject, or the consent given by the data subject. The legitimate interest of Mehiläinen is based on the customer relationship or a similar relationship between Mehiläinen and the data subject.

Personal data is processed for direct marketing by Mehiläinen and its cooperation partners, distance selling, profiling purposes (as described in more detail in section 9), opinion or market research, or other similar address-based mailings. Personal data may also be processed for the development of direct marketing.

Processing tasks may be outsourced to Mehiläinen Group companies and/or external service providers within the limits set by data protection legislation.

4. Categories of personal data

The following groups of data about the data subjects are processed:

Name, title or profession, age or year of birth, gender, mother tongue, address, and other contact details, profile created for the data subject or information about the data subject's family type, preferred methods of communication, channel-specific direct marketing permissions and prohibitions, other identification information related to marketing based on consent or customer relationship, and information on changes to the data.

5. Retention period of personal data

Mehiläinen retains personal data in the direct marketing register unless the data subject has prohibited direct marketing. However, information regarding the prohibition of direct marketing is still retained in the register. Personal data is retained as long as necessary for the purposes of use. Personal data is retained until the data subject prohibits direct marketing or until the customer relationship or similar significant relationship between the data subject and Mehiläinen can be considered to have ended. The end time is determined by the data subject's last service contact with Mehiläinen. After the end of the customer relationship or similar significant relationship, Mehiläinen may continue to retain the data if there is a specific reason for retention, such as for the preparation, presentation, or defense of legal claims. The determination of the retention period is influenced by, among other things, the general limitation periods for damages based on legislation.

6. Regular sources of information

Personal data is collected during various marketing competitions or similar registrations, when registering for Mehiläinen's services, or directly from the data subject.

Personal data may also be collected and updated from the registers of Mehiläinen and its group companies (such as the OmaMehiläinen personal register or customer register), the Population Information System, prohibition registers maintained by the Customer Marketing Association, through Posti's update services, and other sources. Data is not collected from the patient register.

7. Regular disclosures of data and transfer of data outside of the European Union or European Economic Area

Personal data may be disclosed to Mehiläinen Group companies for the purposes described in section 3 of this privacy statement. As a general rule, personal data is not disclosed to third parties outside Mehiläinen. If it is necessary to disclose personal data, the disclosure can be carried out to third parties based on a contract, consent, or legislation.

Mehiläinen may transfer personal data and outsource processing activities to Mehiläinen Group companies and external service providers who process personal data on behalf of Mehiläinen.

Personal data may be transferred outside the European Union or the European Economic Area, including to the United States, in accordance with data protection legislation and within its limits. In such cases, the primary basis for transfer is the European Commission's decision on the adequacy of data protection in the United States. If personal data is transferred to a country for which the Commission has made an adequacy decision on an adequate level of data protection (Article 45 of the EU General Data Protection Regulation), the primary basis for transfer is the adequacy decision.

8. Description of the Principles of Register Protection

Mehiläinen has appropriate technical and organizational security measures in place to protect personal data. Any manual material is kept in a locked space, accessible only to individuals who have been granted access rights. Access to digital material is only available to an employee, professional, or partner who is authorized and has a personal username and password. There are different levels of access rights, and each user is given access rights that are sufficient for the task at hand but as limited as possible.

9. Profiling and automated decision-making

As part of the processing activities of personal data stored in the direct marketing register, Mehiläinen may also carry out profiling. Profiling is carried out by creating a customer identifier for the data subject, which allows for the combination of various information related to the data subject that is stored in the direct marketing register. The profile created in this way can then be compared, for example, to profiles created from other data subjects. In addition, profiling information about the data subject may be collected from other sources. The purpose of profiling is to enable better targeting of marketing.

Personal data is not used for automated decision-making.

10. Data Subject's right to object to the Processing of Personal Data and direct marketing (right to opt-out)

To the extent that personal data is processed for direct marketing purposes, the data subject has the right to object at any time to such processing for marketing purposes and to prohibit the processing of personal data for direct marketing purposes.

The data subject can give Mehiläinen consents and prohibitions regarding direct marketing.

The data subject has the right, based on their particular personal situation, to object at any time to profiling and other processing activities that Mehiläinen directs at the data subject's personal data to the extent that the basis for processing is Mehiläinen's legitimate interest. The data subject can submit their objection request in accordance with section 12 of this privacy statement. In connection with the request, the data subject must specify the particular situation on which they base their objection. Mehiläinen may refuse to comply with the objection request on legally stipulated grounds.

11. Other rights related to the Processing of Personal Data of the Data Subject

11.1 Right of Access by the Data Subject (Right to Inspect)

The data subject has the right to obtain confirmation from Mehiläinen as to whether personal data concerning them is being processed or not. If their personal data is being processed, the data subjects have the right to receive information about the processing of their personal data, for example, the purposes of processing and the groups of personal data involved. Mehiläinen informs about the processing of personal data in its privacy statements. The data subject can also contact Mehiläinen regarding the processing of personal data in the manner specified in section 12 of this privacy statement.

The data subject has the right to inspect the information being processed about them in Mehiläinen's direct marketing register. The inspection request can be made in accordance with section 12 of this privacy statement. The right to inspection can be denied on legally stipulated grounds. The exercise of the right to inspection is generally free of charge. However, Mehiläinen may charge the data subject a reasonable fee based on administrative costs under certain conditions.

11.2 Data Subject's Right to Demand Rectification, Deletion, or Restriction of the Data Processing

If the data subject is a user of the OmaMehiläinen service, they can update their basic information and determine whether they want to receive marketing messages in the OmaMehiläinen service. To the extent that the data subject or user can act on their own, they must, without undue delay, upon learning of an error or having detected the error themselves, correct, delete, or supplement incorrect, unnecessary, incomplete, or outdated information on their own initiative.

The data subject can also make a request for correction of personal data to Mehiläinen in accordance with section 12 of this privacy statement.

The data subject has the right, under certain conditions, to have their personal data deleted, for example, if the processing is based on the data subject's consent and the data subject withdraws their consent, and there is no other legal basis for the processing, or if the data subject objects to the processing and there is no justified reason for the processing. The deletion request can be made in accordance with section 12 of this privacy statement. The data subject also has the right to require the controller to restrict the processing of their personal data, for example, when the data subject is waiting for Mehiläinen's response to their request for correction or deletion of data.

11.3 Right to Data Portability

To the extent that the data subject has provided information to Mehiläinen that is processed based on the data subject's consent or a contract and the processing is carried out automatically, the data subject has the right to receive such data in a structured, commonly used, and machine-readable format. The data subject has the right to transfer this data to another controller.

11.4 Data Subject's Right to File a Complaint with the Supervisory Authority

The data subject has the right to lodge a complaint with the competent supervisory authority (in Finland, the Office of the Data Protection Ombudsman) if the data controller has not complied with the applicable data protection legislation in its operations.

11.5 Other Rights

If personal data are processed based on the data subject's consent, the data subject has the right to withdraw their consent at any time by notifying Mehiläinen in accordance with section 12 of this privacy statement. However, the withdrawal of consent does not affect the lawfulness of consent-based processing carried out before its withdrawal.

12. Contacts

For issues related to registered patient and personal data, one can turn to Mehiläinen's Health Information Management team.

Health Information Management
info.terveystiedot@mehilainen.fi

Please note that we can only accept requests from data subjects in writing. Your identity will be verified at a Mehiläinen service point with a photo ID or alternatively through the OmaMehiläinen online service. This ensures that information is only released to individuals who have the right to it.

You can also submit a data request through the nearest Mehiläinen service points, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen service point on our website at https://www.mehilainen.fi/en/locations.

If you are sending sensitive information by email, you can use Mehiläinen's secure mail if necessary.

Data Protection Officer

The Data Protection Officer at Mehiläinen is Kim Klemetti (tietosuoja@mehilainen.fi).
