Mehiläinen Patient Data Privacy Statement

In terms of health services provided by Mehiläinen, where Mehiläinen is the controller (e.g., occupational health services), the controller is Mehiläinen Oy, or another company belonging to the Mehiläinen Group, such as Fysios Oy or Tutoris Oy. All data controllers can be reached through Mehiläinen Oy:

Mehiläinen Oy
Pohjoinen Hesperiankatu 17
00260 Helsinki
Business ID 1927556-5

Health services provided by a private practitioner operating in Mehiläinen (or a company for which the practitioner operates):

Mehiläinen and the practitioner act as joint controllers in accordance with Article 26 of the EU General Data Protection Regulation when the practitioner holds a private practice in Mehiläinen's premises and uses Mehiläinen's information systems. Each party is responsible for ensuring that the processing of personal data is carried out in accordance with applicable legislation. Mehiläinen takes care of the maintenance and data security of the healthcare information systems it has adopted, as well as the compliance of the systems it has developed. Mehiläinen also takes care of, for example, the preparation and maintenance of the statutory data protection documentation concerning it, covering also the practitioner's processing operations for the implementation of patient care in Mehiläinen's medical centers. The practitioner is responsible for implementing good data protection and data security practices in their operations. The practitioner also ensures, among other things, that the preparation of patient record entries and the use of patient data in its operations is lawful and that there is always a basis for processing.

Mehiläinen acts as the primary contact point for requests concerning the exercise of data subjects' rights. However, data subjects can exercise their rights in relation to both joint controllers. Each joint controller ensures on their part that the rights of data subjects are properly implemented.

Other services

For other services produced in Mehiläinen, such as occupational health and the OmaMehiläinen service, Mehiläinen is an independent controller.

In the case of publicly funded social services and public health services, the controller is usually the public procurer, for example, a welfare region. In this case, Mehiläinen acts as a processor when processing personal data for the implementation of services in accordance with a contract made with the public procurer. However, Mehiläinen also acts as a controller to the extent that it processes personal data to implement tasks and requirements imposed by law on Mehiläinen.

When dealing with Mehiläinen, the processing of your patient data is primarily based on the national social and health care legislation in force at the time, such as the Patient Act (785/1992), the Customer Data Act (703/2023), the Ministry of Social Affairs and Health's Decree on Patient Records (94/2022), and the Secondary Use Act (552/2019). The legislation applicable to the processing of patient data contains several legal provisions on the basis of which patient data is processed. Mehiläinen has, among other things, an obligation to record customer data, as according to section 17 of the Customer Data Act, a social and health care professional and an assisting person involved in providing the service must record necessary and sufficient information in customer records to ensure the organization, planning, implementation, monitoring, and supervision of the customer's service and patient's care. In some cases, processing is based on the patient's consent. In addition to the special legislation on social and health care, general data protection regulations, such as the EU General Data Protection Regulation (2016/679, GDPR) and the Data Protection Act (1050/2018), are followed in the processing of patient data.

Patient data is used especially for the organization, planning, implementation, and monitoring of patient care, patient administration, and other purposes of use in accordance with legislation and consents.

Occupational health patient data is stored separately from private practice patient data in accordance with the legislation. The customer has the opportunity to influence the use of the data through expressions of will and consents. Administrative patient records are kept separately from patient records as prescribed by law.

In accordance with the Secondary Use Act, patient data is used for information management. In addition, patient data can be used for development and innovation activities and possible scientific research with separate permission in accordance with the Secondary Use Act.

The processing particularly involves the following types of personal data:

Patient's name, personal identification number, contact details.

Patient's named next of kin, guardian of a minor patient, legal representative of the patient.

Information necessary to ensure the organization, planning, implementation, and monitoring of the patient's care, such as health data generated in examination and treatment, and background information.

Other information necessary for care, e.g., information prepared by a nurse, public health nurse, dental hygienist, nutrition therapist, psychologist, etc.

Possible information concerning the disclosure of the data and the basis for disclosures.

In the occupational health patient register, also information related to work ability, the patient's employer, and possible health risks related to the workplace.

Expressions of will given by the patient, such as:

• information on whether the patient allows other healthcare professionals treating him/her in Mehiläinen to see the entries made by another service provider when it is necessary for his/her care.
• information on whether the patient allows other private doctors treating him/her in Mehiläinen to see any entries possibly in Mehiläinen's occupational health register when it is necessary for his/her care.
• Patient's consents to data sharing provided in Kanta services.

Information related to customer identification.

Information related to customer service events, such as appointments and customer contacts.

Information related to billing and payments.

Information about the healthcare personnel involved in the patient's care and the patient's appointment information is stored as a sub-register of the patient register.

Similarly, the results of laboratory, X-ray, and heart examinations generated in the patient's examination and treatment are stored in the patient register as its sub-register. A separate register is also maintained for laboratory examinations in the laboratory system, separate from the patient register.

In addition to the electronic register, a separate basic information register on paper may be maintained as a sub-register if necessary, which may also include information on consents and prohibitions given by the patient for the disclosure of patient data.

3.1 Regular Sources of Information

Personal data is regularly obtained from the following sources:

• Patient, patient's guardian, patient's legal representative, or close relative.
• Nursing staff and healthcare professionals.
• With the patient's consent, information can also be obtained from other healthcare units or professionals, for example, through the national health archive (KANTA).
• Other social and health care service providers who submit patient data to Mehiläinen, for example, for referral for further treatment.

3.2 Use of Patient data Among Service Providers Operating in Mehiläinen

When you visit a private practice, Mehiläinen and the practitioner treating you ("service providers") act as joint controllers. For other services produced in Mehiläinen, such as occupational health services and the OmaMehiläinen service, Mehiläinen is an independent controller.

When you visit Mehiläinen, the processing of your patient data is primarily based on the national social and health care legislation in force at the time. In order for the healthcare professionals treating you to provide the best possible care, they need information about your health status and also necessary information about your previous visits, which have been recorded by other professionals. However, you can influence whether the healthcare professionals treating you use data about you recorded by other professionals operating in Mehiläinen by giving expressions of will for the use of your information in OmaMehiläinen or with a data protection form at our premises. Your occupational health data is separate from your private practice data, but you can also influence their visibility and use on the private practice side. In addition, you can request the concealment of the information from a particular visit during or after the visit, thereby limiting the visibility of your information. Regardless of the expressions of will you provide, patient data in Felicitas, psychiatry, and genetic medicine is specially protected, with access to such data by professionals in other fields being particularly restricted.

Please note that the use and review of your data among professionals may also be based on consent to data sharing provided in Kanta services. Consent to data sharing provided in Kanta services is therefore different from the expressions of will you give to Mehiläinen. The expressions of will you provide to Mehiläinen do not affect how your data appears through the Kanta service. More information here: https://www.kanta.fi/en/consent-to-sharing-patient-data

3.3 Retention Period

The retention periods for patient data comply with the regulations on the retention periods for patient data in force at the time.The retention period for patient records is set by the Ministry of Social Affairs and Health's decree on patient records (94/2022). The retention period is generally 12 years from the patient's death or, if this is not known, 120 years from birth.

Patient data is confidential and the staff are under an obligation of secrecy.

Patient data can be disclosed:

• With the consent of the patient or their legal representative.
• Under the explicit provision of the law.

4.1 Routine Disclosure of Patient data/Recipient Groups

Patient data may only be disclosed with the consent of the data subject or based on legislation. Routine recipients of such disclosures include, among others:

• Health authorities that have a legal right to obtain health data for the performance of their official duties. Such authorities include, for example, the Finnish Institute for Health and Welfare (THL), the Finnish Medicines Agency (Fimea), the Finnish Social and Health Data Permit Authority Findata, and the Social Insurance Institution of Finland (Kela);
• With the patient's consent or consent to data sharing, patient data can be disclosed to another healthcare service provider, for example, in a situation requiring follow-up care;
• If a patient, due to memory disease, mental health disorder, developmental disability, or a similar reason, is not capable of assessing the significance of the given consent to data sharing and does not have a legal representative, or if a consent to data sharing cannot be obtained due to the patient's unconsciousness or a similar reason, the service provider has the right, notwithstanding confidentiality provisions, to obtain and use necessary patient data from other healthcare service providers to arrange or provide essential health services without the patient's consent to data sharing;
• Necessary information for arranging or providing a patient's health service can be disclosed to another healthcare unit or healthcare professional, both Finnish and foreign, without the patient's consent to data sharing, if the patient, due to memory disease, mental health disorder, developmental disability, or a similar reason, is not capable of assessing the significance of the given consent to data sharing and does not have a legal representative, or if a consent to data sharing cannot be obtained due to the patient's unconsciousness or a similar reason;
• The National Prescription Centre (Kanta archive);
• With the patient's written consent or based on an explicit provision of law, data can be disclosed to an insurance company;
• The patient's guardian, other legal representative, and close relatives, if the patient has given consent for this. However, if a minor patient is capable of deciding on their treatment in relation to their age and level of development, they have the right to prohibit the disclosure of data concerning their health and treatment to their guardian or other legal representative;
• Information about the person and health status of a patient who is being treated due to unconsciousness or a similar reason can be given to the patient's close relative or another person close to them, unless there is reason to assume that the patient would prohibit such action.

We primarily process all patient data within the European Union or the European Economic Area.

Personal data may be transferred outside the European Union or the European Economic Area, including to the United States, in accordance with data protection legislation and within its limits. In such cases, the primary basis for transfer is the European Commission's decision on the adequacy of data protection in the United States. If personal data is transferred to a country for which the Commission has made an adequacy decision on the level of data protection (Article 45 of the EU General Data Protection Regulation), the primary basis for transfer is the adequacy decision.

Personal data may be transferred outside the European Union or the European Economic Area in accordance with data protection legislation if necessary, for example, to obtain research services. The data subject has the possibility to inquire about the specific location of the research analysis of the sample before the test from the healthcare professional issuing the referral.

Data transferred to research institutions outside the European Union and the European Economic Area are, where possible, transferred in such a way that the individual patient is not identifiable by the research institution.

During the Covid-19 pandemic, the capacity for analyzing Covid-19 samples in Finland and Europe was limited, which led to the analysis of Covid-19 samples in research institutions outside the European Union and the European Economic Area. You can inquire about the research institutions we use and their locations from the professional issuing the referral. For Covid-19 studies, the research institution used is not selectable by the patient, as we direct samples to be analyzed by the most appropriate institution for the situation at hand.

5.1 Subcontractors

We use cooperation partners as subcontractors in our operations, to whom we transfer necessary information, for example, for diagnostic studies. Such partners process personal data as processors on behalf of Mehiläinen, in accordance with the instructions and regulations provided by Mehiläinen. We also use IT suppliers' services. In addition, personal data may be transferred between Mehiläinen group companies, where the group company processes personal data on behalf of another group company. We strive to primarily use partners operating within the EU/EEA area.

Patient data is required to be kept confidential. Patient data is not disclosed to third parties without a legal basis.

Patient data may only be used by individuals involved in the patient's care or related tasks, or otherwise in accordance with applicable legislation. The controller decides on organizational solutions and grants access rights to employees to patient registry information to the extent required by job duties and regulations.

Old paper records that may be created alongside the electronic patient data system are kept in locked and monitored premises.

Access to electronically processed information is only available with the personal username and password of the authorized employee. The use of patient data is monitored by following log data.

As part of occupational health services, Mehiläinen may utilize patient data recorded during occupational health visits to assess the need for support for a person's work ability and to promote work ability and health in accordance with the legislation applicable to occupational health care. We analyze information generated during occupational health visits automatically to identify the need for support. The results of the analysis are only for the use of occupational health care and are not disclosed forward, for example, to the employer. Any follow-up actions are agreed upon with the data subject.

8.1 Right of access by the data subject (right to inspect)

The data subject has the right to obtain confirmation from Mehiläinen as to whether or not personal data concerning them is being processed. If their personal data is being processed, data subjects have the right to receive information about the processing of their personal data, such as the purposes of the processing and the categories of personal data involved. Mehiläinen informs about the processing of personal data in its privacy statements. The data subject may also contact Mehiläinen regarding the processing of personal data in the manner set out in section 9 of this privacy statement.

The patient has the right to inspect their own patient data. An inspection request can be made in accordance with section 9 of this privacy statement. The right to inspect can be denied on grounds provided by law.

8.2 The right of the data subject to demand rectification, deletion, or restriction of the processing

The controller must, without undue delay, on its own initiative or at the request of the patient, correct, delete, or complete any personal data in the patient registry that is incorrect, unnecessary, incomplete, or outdated in relation to the purpose of the processing (purpose of use of the patient registry). The data subject may also make a request for correction to Mehiläinen in accordance with section 9 of this privacy statement.

Personal data cannot generally be deleted because their processing is based on legislation and they are subject to a statutory retention obligation. For other data, the data subject has the right to have their personal data deleted under certain conditions, for example, if the processing is based on the data subject's consent and the data subject withdraws their consent, and there is no other legal basis for the processing. The data subject also has the right to require the data controller to restrict the processing of their personal data, for example, when the data subject is waiting for Mehiläinen's response to their request for correction or deletion of data. Data subjects have the right to refuse profiling activities directed at themselves.

Implementation and organization of data correction and processing restriction.

A request for correction and a request for processing restriction must be made in writing and addressed to the data controller in accordance with section 9 of this privacy statement. The patient’s identity is verified in a reliable manner.

If the patient's request is justified, the data will be corrected and any necessary actions to restrict processing will be implemented.

Any incorrect entries are corrected so that both the original and corrected entries can be read later. The name, official position, and date of correction by the person making the correction. If data unnecessary for care is removed, patient records are marked with information about the corrector and the time of removal in accordance with applicable legislation.

8.3 The right of the data subject to object to the processing of personal data

The data subject has the right, on grounds relating to their particular personal situation, to object at any time to the processing of personal data concerning them when the basis for processing is the public interest. For example, the data subject has the right to object to the processing of their personal data for information management purposes. The data subject can submit their objection in accordance with section 9 of this privacy statement. In connection with the request, the data subject must specify the particular situation on which they base their objection to the processing. Mehiläinen may refuse to comply with the request for objection on grounds provided by law.

8.4 The right of the data subject to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the competent supervisory authority (in Finland, the Office of the Data Protection Ombudsman) if the controller has not complied with applicable data protection legislation in its operations.

8.5 Kanta archive

Mehiläinen joined the Kanta archive on April 21, 2016, and patient data generated thereafter are stored in the Kanta archive, and the patient must manage these data through the MyKanta (OmaKanta) system.

For patient data stored in Kanta services, Kela and the service provider (such as Mehiläinen) are joint controllers. The basis for processing personal data is legislation.

The Social Insurance Institution of Finland (hereinafter Kela) and social and health care service providers are joint controllers for social and health care disclosure log data, the expression of will service, and the information management service. Procedures related to joint controllership for implementing the rights of the data subject and other obligations of the controllers are defined in the arrangement between the parties.

Joint controllers act as controllers within the meaning of the EU General Data Protection Regulation and are independently responsible for the correctness of the personal data processing activities they perform in accordance with the division of responsibility stipulated in the Act on the Status and Rights of Patients and the Prescription Act. Joint controllers are responsible for the correctness of the personal data processing activities they perform in accordance with applicable data protection legislation. The joint controllers are:

• Information management service: social and health care service providers and Kela.
• Expression of will service: social and health care service providers and Kela.
• Disclosure logs generated in social and health care: social and health care service providers and Kela.
• Prescription Centre (including Prescription Centre disclosure logs): social and health care service providers, independent prescribers, pharmacies, and Kela.

The data subject has the right to exercise their rights under the data protection regulation in relation to each controller and against each controller.

Kela acts as the contact point in relation to the data subjects in accordance with Article 26 of the data protection regulation under the Act on the Status and Rights of Patients and the Prescription Act. Kela is responsible as the contact point for fulfilling and implementing the information obligation imposed on controllers by data protection legislation. More information is available on Kela's website (www.kanta.fi).

For issues related to registered patient and personal data, one can turn to Mehiläinen's Health Information Management team.

Health Information Management
info.terveystiedot@mehilainen.fi

Please note that we can only accept requests related to ordering, correcting, and log data in writing. Your identity will be verified at a Mehiläinen location with a photo ID or alternatively through the OmaMehiläinen online service.

This ensures that information is only disclosed to individuals who have the right to it. You can also submit a request for information through the nearest Mehiläinen location, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen location on our website at https://www.mehilainen.fi/en/locations.

If you are sending sensitive information by email, you can use Mehiläinen's secure mail if necessary.

For public social and health services, we ask that inquiries and requests related to the processing of personal data be directed to the health or social services department of each public contracting entity in accordance with the practices instructed by each public contracting entity (such as the wellbeing services county).

Data Protection Officer

Data Protection Officer at Mehiläinen is Kim Klemetti (tietosuoja@mehilainen.fi).