Privacy Statement for the Processing of Personal Data in Events Organized by Mehiläinen

Mehiläinen Oy
Business ID 1927556-5
Pohjoinen Hesperiankatu 17 C
00260 Helsinki, Finland

Mehiläinen's event participant register.

Mehiläinen may organize various physical or virtual events, in connection with which Mehiläinen processes the personal data necessary for organizing the event.

Personal data is processed especially for the following purposes:

• To facilitate registration and participation
• To implement and develop events and communications
• To collect possible surveys, such as feedback
• To ensure the safety of the events
• For other purposes necessary for organizing the event.

The basis for the processing personal data is the legitimate interest of the controller, which arises when a participant registers for an event or when the data subject contacts Mehiläinen in relation to an event. The legitimate interest is based on the relevant relationship between Mehiläinen and the data subject. With the data subject's separate consent, the data may also be used for electronic direct marketing.

If recruitment activities are carried out at the event, personal data will be processed in accordance with Mehiläinen's recruitment privacy policy, which we ask you to review when participating in recruitment.

Personal data may be transferred and processing tasks may be outsourced to Mehiläinen's group companies and/or external service providers in accordance with data protection legislation and within its limits. In such cases, Mehiläinen's group companies and external service providers process personal data on behalf of Mehiläinen.

The following information may be processed about the data subject:

• Name
• Email address
• Other necessary contact details, such as street address
• Profession, if necessary
• Information related to language or diet, if necessary
• Information related to the technical processing of collected data, such as the date of storage and the source of information
• Other information necessary for organizing the event

Mehiläinen retains personal data related to events until the event and related arrangements and other actions have been completed. Mehiläinen may continue to process personal data for a defined period if there is a special reason for it, such as for the preparation, presentation, or defense of legal claims. The determination of the retention period is influenced by, among other things, the general limitation periods for damages based on legislation.

If personal data has been collected for recruitment activities at the event, such data will be retained in accordance with Mehiläinen's Recruitment Privacy Statement.

The processed data are the details provided by the data subject themselves.

Data may be disclosed to Mehiläinen's group companies for the purposes described in section 3 of this privacy policy. Personal data is not regularly disclosed outside Mehiläinen to third parties. If it is necessary to disclose personal data, the transfer can be carried out to third parties based on a contract, consent, or an explicit legal basis provided by law. Personal data may be transferred outside the European Union or the European Economic Area, including to the United States, in accordance with data protection legislation and within its limits.

Personal data may be transferred outside the European Union or the European Economic Area, including to the United States, in accordance with data protection legislation and within its limits.

In such cases, the primary basis for transfer is the European Commission's decision on the adequacy of data protection in the United States. If personal data is transferred to a country for which the Commission has made an adequacy decision regarding the adequate level of data protection (Article 45 of the EU General Data Protection Regulation), the primary basis for transfer is the adequacy decision.

Mehiläinen has appropriate technical and organizational security measures in place to protect personal data. Any manual material is kept in a locked space, accessible only to individuals who have been granted access. Access to digital material is limited to employees, professionals, or cooperation partners who have personal user IDs and passwords. There are different levels of access rights, and each user is given a sufficient but as limited access right as possible for the performance of their duties.

The personal data is not used for profiling or automated decision-making.

The data subject has the right, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them, to the extent that the processing is based on the legitimate interest of Mehiläinen. The data subject can submit their objection in accordance with section 12 of this privacy policy. In their request, the data subject must specify the particular situation on which they base their objection. Mehiläinen may refuse to comply with the request for objection on legally prescribed grounds.

To the extent that personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing for such marketing and to prohibit the processing of personal data for direct marketing purposes.

The data subject may give consents or prohibitions to Mehiläinen regarding direct marketing, including profiling for direct marketing purposes.

11.1 Right of Access by the Data Subject (Right to Inspect)

The data subject has the right to obtain confirmation from Mehiläinen as to whether or not personal data concerning them is being processed. If their personal data is being processed, data subjects have the right to receive information about the processing of their personal data, such as the purposes of the processing and the categories of personal data concerned. Mehiläinen informs about the processing of personal data in its privacy statements. The data subject can also contact Mehiläinen regarding the processing of personal data in the manner described in section 12 of this privacy statement.

The data subject has the right to inspect the personal data concerning them. An inspection request can be made in accordance with section 12 of this privacy policy. The right of access can be denied on legally prescribed grounds. The exercise of the right of access is generally free of charge. However, Mehiläinen may charge a reasonable fee based on administrative costs under certain conditions.

11.2 Data Subject's Right to Request Rectification, Deletion, or Restriction of the Processing

The data subject has the right to request the rectification of incorrect data concerning them. The data subject can make a rectification request to Mehiläinen in accordance with section 12 of this privacy policy.

The data subject has the right, under certain conditions, to have their personal data deleted, for example, if the data subject objects to the processing and there is no justified reason for the processing. A deletion request can be made in accordance with section 12 of this privacy policy.

The data subject also has the right to request the data controller to restrict the processing of their personal data, for example, when the data subject is awaiting Mehiläinen's response to their request for rectification or deletion of data.

11.3 Data Subject's Right to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the competent supervisory authority (in Finland, the Office of the Data Protection Ombudsman) if the controller has not complied with applicable data protection legislation in its operations.

For issues related to registered patient and personal data, one can turn to Mehiläinen's Health Information Management team.

Health Information Management
info.terveystiedot@mehilainen.fi

Please note that we can only accept requests from data subjects in writing. Your identity will be checked at a Mehiläinen office from a photo ID or alternatively through the OmaMehiläinen online service. This ensures that information is only released to individuals who have the right to it.

You can also submit a data request through the nearest Mehiläinen service points, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen service point on our website at https://www.mehilainen.fi/en/locations.

If you are sending sensitive information by email, you can use Mehiläinen's secure mail if necessary.

Data Protection Officer

The Data Protection Officer at Mehiläinen is Kim Klemetti (tietosuoja@mehilainen.fi).