OmaMehiläinen Service Privacy Statement

Last updated: January 1, 2024

1. Controller

Mehiläinen Oy
Business ID 1927556-5
Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland
Switchboard: 010 414 0112

2. Register name

OmaMehiläinen

3. Purpose and Basis for the Processing of Personal Data

The OmaMehiläinen service (hereinafter also 'the service') is primarily aimed at Mehiläinen's customers, but anyone with the personal online banking credentials required for registration can use it.

The processing of personal data is primarily based on the contractual relationship between Mehiläinen and the data subject, Mehiläinen's legitimate interest, and legislation. The basis for processing personal data may also be the consent given by the data subject. Mehiläinen's legitimate interest is based on the customer relationship between Mehiläinen and the data subject. A customer relationship between Mehiläinen and the data subject is created when the data subject creates a user account in the OmaMehiläinen service. The processing of health data is based on legislation or the consent of the data subject. For example, when the data subject enters information about their health and well-being into the OmaMehiläinen service, the collection and processing of health data can be based either on the consent given by the data subject or on legislation.

Personal data is processed for the implementation and provision of Mehiläinen's web browser and application-based OmaMehiläinen service, for the implementation of the loyalty program, and for customer relationship management.

Mehiläinen may use personal data for customer history, feedback, satisfaction information, surveys and research, monitoring and analysis, service event verification, quality monitoring, development of operations and services; communication, marketing and targeting of services as well as other service provision, development and supply and profiling purposes as described in more detail in section 10 of this privacy statement. The service may include marketing communication by phone, text message, email or multimedia message, as well as internal marketing and other communication on the website or mobile application.

In addition, the service displays health data about each customer located in the patient record system, for which the processing of personal data is carried out in accordance with the patient data privacy statement.

Processing tasks can be outsourced to Mehiläinen Group companies and/or external service providers in accordance with data protection legislation and within its limits. In this case, Mehiläinen Group companies and external service providers process personal data on behalf of Mehiläinen.

4. Categories of Personal Data

The processing involves, among other things, the following types of information:

  • Name, nickname, personal identification number, customer number, gender, language, address, phone number, email address and other necessary contact information;
  • Close relative, guardian, dependant, number and ages of children under 18;
  • Information about the services the registered person wishes, uses and purchases, and a note about the level and validity period of the current loyalty program. Information about the registered person, such as health data, information about treatment received elsewhere than at Mehiläinen, interests, hobby information or other similar information;
  • Health and well-being data about the registered person transferred to the service;
  • Information about the person linked to the registered person's family profile;
  • Information about people who have treated the data subject. Wishes or notes about professionals, services, units and other matters;
  • Information about prohibitions, restrictions, consents and other choices made by the data subject regarding the use of personal data;
  • Necessary information related to the use of identification and verification tools and services;
  • Information related to data processing, such as the date of storage and the source of information;
  • The content of messages between the data subject and Mehiläinen's professional, the content of chat discussions held at Mehiläinen's Digital Clinic, files possibly uploaded by the registered person, log information, information about the parties and sending times of messages;
  • Other information related to the purpose of the register, such as information that can be linked to the data subject, collected during the use of the service, such as the user's IP address, identification information related to the user's terminal device and operating system, time of visit, visited pages, used browser type (e.g. Internet Explorer, Firefox), web address from which the user has come to the website and the server from which the user has come to the website.

The OmaMehiläinen service only offers the data subject a limited viewing right to their patient data. Data stored in the OmaMehiläinen service is not transferred to the patient record system unless the data subject has separately agreed on this with the professional treating the data subject. Information that the data subject themselves has stored in the OmaMehiläinen service, for example information about the data subject’s health or treatments or examinations done elsewhere, is not visible to Mehiläinen's professionals unless the data subject separately agrees with the professional during the treatment event that the information will be used in connection with the treatment. In this case, the professional can store the necessary information in a separate patient record system.

5. Retention Period for Personal Data

Mehiläinen stores personal data in the OmaMehiläinen service as long as the data subject uses the OmaMehiläinen service, i.e. they have a user account in the service. Mehiläinen may also delete the data earlier if it is clear that the user no longer uses the service and their customer relationship with Mehiläinen has also otherwise ended. We store personal data in OmaMehiläinen for a maximum of ten (10) years from the last use of OmaMehiläinen or transaction at Mehiläinen.

6. Regular Sources of Information

Information is primarily obtained from the following sources:

  • The data subjects themselves, and information generated through the use of the OmaMehiläinen service by the data subject;
  • Another data subject added to the OmaMehiläinen service family profile with the consent of the data subject;
  • Mehiläinen's customer register;
  • A party providing identification, verification, address, update, credit information or similar service;
  • The register may also include information provided by other cooperation partners of Mehiläinen, such as information received from an insurance company;
  • We update contact and other basic information based on information from the Digital and Population Data Services Agency. In addition, contact information can be updated for occupational health customers based on information provided by the customer's employer.

7. Regular Disclosures of Information and Recipient Groups

Information may be disclosed to Mehiläinen Group companies for the purposes of use described in section 3 of this privacy statement, as well as to Mehiläinen's customer register and direct marketing register.

As a general rule, personal data is not disclosed to third parties outside Mehiläinen. If it is necessary to disclose personal data, the disclosure can be carried out to third parties based on a contract, consent, or an explicit legal basis provided by law.

8. Transfer of Data Outside the EU or EEA

Personal data may be transferred outside the European Union or the European Economic Area, including to the United States, in accordance with data protection legislation and within its limits. In such cases, the primary basis for transfer is the European Commission's decision on the adequacy of data protection in the United States. If personal data is transferred to a country for which the Commission has made a decision on the adequate level of data protection (Article 45 of the EU General Data Protection Regulation), the primary basis for transfer is the adequacy decision.

9. Principles of register protection

A. Manual material

Any manual material is kept in a locked space, accessible only to individuals who have been granted access rights.

B. Electronically processed data

The OmaMehiläinen service operates online and can be accessed via a secure data communication connection, for example, through a computer, mobile phone, mobile device, or other smart device browser, or through other technical applications offered by Mehiläinen at the time.

Users log into the OmaMehiläinen service using personal online banking credentials or other identification approved by Mehiläinen. Mehiläinen provides the service and its security with appropriate technical solutions.

Access to the material is only available to an employee, professional, or cooperation partner who is authorized and has a personal username and password. There are different levels of access rights, and each user is given access rights that are sufficient for the task at hand but as limited as possible. In addition, the data subject can agree with the professional (see more in the terms of use section 2 "professional") that they will have access to the information stored in the OmaMehiläinen service during the care visit, such as the health data entered by the data subject themselves.

The data subject can also give family members linked to the OmaMehiläinen service family profile the right to view and process information about the data subject stored in the OmaMehiläinen service, as well as the right to have a limited viewing right to the data subject’s patient data, similar to that of the data subject themselves. Only individuals who are themselves users of the OmaMehiläinen service and thus also registered can be linked to the family profile of the OmaMehiläinen service. Adding is done using a personal identification number and requires separate consent from the data subject being added to the family profile. However, the official guardian of a child under 18 can add the child to their family profile without the child's special consent. (Read more in the terms of use section 5.)

When the use of the OmaMehiläinen service is terminated, Mehiläinen will delete all user-entered information in the OmaMehiläinen service and the user's OmaMehiläinen profile, but other service-related information (such as feedback and information used for targeting services) will be transferred and/or remain in Mehiläinen's customer register.

The purpose of the above actions is to ensure the confidentiality, availability, and integrity of the OmaMehiläinen service, as well as the realization of the rights of the data subjects.

10. Profiling

As part of the processing activities of personal data stored in the OmaMehiläinen service, Mehiläinen may also use the data for profiling purposes. Profiling is carried out by creating a customer identifier for the data subject, which allows for the combination of various information related to the data subject that arises in connection with the use of the service. The profile created in this way can then be compared, for example, to profiles created from other data subjects.

The purpose of profiling is to determine the demand for services, customer behavior, and to provide recommendations to the customer.

11. The Data Subject's Right to Object to the Processing of the Personal Data

The data subject has the right, on grounds relating to their particular personal situation, to object to profiling and other processing activities that Mehiläinen directs at the data subject’s personal data to the extent that the basis for the processing is Mehiläinen's legitimate interest, which is based on the customer relationship between Mehiläinen and the data subject. The data subject can submit their objection request in accordance with section 14 of this privacy statement. In connection with the request, the data subject must specify the particular situation on which they base their objection. Mehiläinen may refuse to comply with the objection request on legally stipulated grounds.

12. The Data Subject's Right to Object to Direct Marketing (Right to Opt-Out)

The OmaMehiläinen service may include advertisements from Mehiläinen and its cooperation partners. The customer cannot prohibit the appearance of advertisements in the service.

To the extent that personal data is processed for direct marketing purposes, the data subject has the right to object to such processing for marketing purposes at any time. The data subject can give consents or prohibitions regarding external direct marketing in the OmaMehiläinen service, including profiling for direct marketing purposes.

13. Other Rights Related to the Processing of Personal Data of the Data Subject

13.1 Right of Access by the Data Subject (Right to Inspect)

The data subject has the right to obtain confirmation from Mehiläinen as to whether personal data concerning them is being processed or not. If their personal data is being processed, the data subjects have the right to receive information about the processing of their personal data, for example, the purposes of processing and the groups of personal data involved. Mehiläinen informs about the processing of personal data in its privacy statements. The data subject can also contact Mehiläinen regarding the processing of personal data in the manner specified in section 14 of this privacy statement.

When logging into the OmaMehiläinen service, the data subject can always see most of the information that the OmaMehiläinen service contains about them.

The data subject also has the right to check what other information about them has been stored in the OmaMehiläinen service. The inspection request must be made in accordance with section 14 of this privacy statement. The right to inspection can be denied on legally stipulated grounds. The exercise of the right to inspection is generally free of charge. However, Mehiläinen may charge the data subject a reasonable fee based on administrative costs under certain conditions.

13.2 The Data Subject’s Right to Demand Rectification, Deletion, or Restriction of the Data Processing

The data subject can update their basic information in the OmaMehiläinen service. To the extent that the data subject can act on their own, they must, without undue delay, upon learning of an error or having detected the error themselves, correct, delete, or supplement the service's information that is contrary to the purpose of the OmaMehiläinen service, incorrect, unnecessary, incomplete, or outdated.

To the extent that the data subject cannot correct the data themselves, the correction request is made in accordance with section 14 of this privacy statement. The data subject has the right, under certain conditions, to have their personal data deleted, for example, if the processing is based on the data subject's consent and the data subject withdraws their consent, and there is no other legal basis for the processing. The deletion request can be made in accordance with section 14 of this privacy statement.

The data subject also has the right to require the controller to restrict the processing of their personal data, for example, when the data subject is waiting for Mehiläinen's response to their request for correction or deletion of information. The request for restriction of processing can be made in accordance with section 14 of this privacy statement.

13.3 The Data Subject's Right to Data Portability

To the extent that the data subject has provided information to the OmaMehiläinen service that is processed based on the data subject’s consent, the data subject has the right to receive such data in a structured, commonly used, and machine-readable format and the right to transfer this data to another controller. In practice, such information may include, for example, health and well-being data entered by the registered individual themselves into the OmaMehiläinen service.

13.4 The Data Subject's Right to File a Complaint with the Supervisory Authority

The data subject has the right to file a complaint with the competent supervisory authority (in Finland, the Office of the Data Protection Ombudsman) if the controller has not complied with applicable data protection legislation in its operations.

13.5 Other Rights

If personal data is processed based on the data subject’s consent, the data subject has the right to withdraw their consent at any time by notifying Mehiläinen in the manner specified in section 14 of this privacy statement. However, the withdrawal of consent does not affect the lawfulness of consent-based processing carried out before its withdrawal.

14. Contacts

For all matters related to your personal data, you can turn to Mehiläinen's Health Information Management team.

Health Information Management
terveystiedot@mehilainen.fi

Please note that we can only accept requests from data subjects in writing. Your identity will be verified at a Mehiläinen location with a photo ID or alternatively through the OmaMehiläinen online service. This ensures that information is only released to individuals who have the right to it.

You can also submit a data request through the nearest Mehiläinen service points, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen service point on our website at https://www.mehilainen.fi/en/locations.

If you are sending sensitive information by email, you can use Mehiläinen's secure mail if necessary.

Data Protection Officer

The Data Protection Officer at Mehiläinen is Kim Klemetti (tietosuoja@mehilainen.fi).
