Privacy Statement for the User Register of the CorporateMehiläinen Online Service

Mehiläinen Oy
Business ID 1927556-5
Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland
Telephone exchange: +358 10 414 0112

Mehiläinen Oy's CorporateMehiläinen online service user register

The CorporateMehiläinen online service is primarily aimed at contact persons of Mehiläinen's occupational health customers, but it can be used by anyone who has the personal online banking credentials required to register for the service. The basis for processing personal data is Mehiläinen's legitimate interest, particularly the user management of the CorporateMehiläinen online service. The basis for processing may also be the fulfillment of legal obligations applicable to Mehiläinen.

Personal data is processed for the implementation of the CorporateMehiläinen online service. Personal data may be processed for maintenance purposes, such as user management, verification of the information recorder, and checking for faults or suspected misuse. Personal data may also be processed for the development of the service.

Processing tasks may be outsourced to Mehiläinen's group companies and/or external service providers in accordance with data protection legislation and within its limits. Service providers process personal data on behalf of Mehiläinen.

By linking a CorporateMehiläinen account to a company (customer number), the user's name becomes visible to other users who have the same customer number linked to their account.

The following types of information are processed:

• First name, last name, personal identification number, email address, phone number, username, and password;
• Content produced by the registered user themselves, such as saved reports and reporting groups;
• Information related to data processing, such as the recording date of sick leave or modifications to the personal register;
• Other customer-related information, such as data collected from the use of the website that can be associated with the customer, such as the user's IP address, time of visit, pages visited, browser type used (e.g., Internet Explorer, Firefox), the web address from which the user came to the website, and the server from which the user accessed the website.

Data is primarily obtained from the following sources:

• The data subject themselves, and information generated through the use of the CorporateMehiläinen online service by the registered user;
• The party providing the identification service, such as an online bank.

Personal data is not regularly disclosed to third parties. If it is necessary to disclose personal data, the transfer can be carried out to third parties either based on a contract, consent, or an explicit legal basis provided in the law.

Personal data may be transferred outside the European Union or the European Economic Area, including to the United States, in accordance with data protection legislation and within its limits. In such cases, the primary basis for transfer is the European Commission's decision on the adequacy of data protection in the United States. If personal data is transferred to a country for which the Commission has made an adequacy decision regarding the adequate level of data protection (Article 45 of the EU General Data Protection Regulation), the primary basis for transfer is the adequacy decision.

Mehiläinen retains personal data in the CorporateMehiläinen online service as long as the data subject uses the CorporateMehiläinen online service, i.e., they have a user account in the service. Mehiläinen may also delete the data earlier if it is clear that the user no longer uses the service and their customer relationship with Mehiläinen has otherwise ended. The user can request the deletion of their account at any time by emailing yritysmehilainen@mehilainen.fi. Mehiläinen Oy retains the log data of the YritysMehiläinen online service for 12 years from the event.

A. Manual Material

Mehiläinen has appropriate technical and organizational security measures in place to protect personal data. Any manual material is kept in a locked space, accessible only to individuals who have been granted access.

B. Electronically Processed Data

The CorporateMehiläinen online service can be used via a secure data communication connection through a computer, mobile phone, mobile device, or other smart device browser, or through any other technical application provided by Mehiläinen at the time. The CorporateMehiläinen online service can be accessed using personal online banking credentials or other identification methods approved by Mehiläinen. Mehiläinen organizes the service and security with appropriate technical solutions.

Access to the material is limited to employees or cooperation partners who have personal user IDs and passwords. There are different levels of access rights, and each user is given a sufficient but as limited access right as possible for the performance of their duties.

More information on protection is available in the service's security appendix.

9.1 Right of the Data Subject to Object to the Processing of Personal Data

The data subject has the right, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them, which is based on Mehiläinen's legitimate interests. The data subject can submit their objection in accordance with section 10 of this privacy policy. In their request, the data subject must specify the particular situation on which they base their objection. Mehiläinen may refuse to comply with the request for objection on legally prescribed grounds.

9.2 Right of Access by the Data Subject (Right to Inspect)

The data subject has the right to obtain confirmation from Mehiläinen as to whether or not personal data concerning them is being processed. If their personal data is being processed, data subjects have the right to receive information about the processing of their personal data, such as the purposes of the processing and the categories of personal data concerned. Mehiläinen informs about the processing of personal data in its privacy policies. The data subject can also contact Mehiläinen regarding the processing of personal data in the manner described in section 10 of this privacy policy.

The data subject has the right to inspect the personal data concerning them. An inspection request can be made in accordance with section 10 of this privacy policy. The right of access can be denied on legally prescribed grounds. The exercise of the right of access is generally free of charge. However, Mehiläinen may charge a reasonable fee based on administrative costs under certain conditions.

9.3 Right of the Data Subject to Request Rectification, Deletion, or Restriction of the Processing

The data subject can update their basic information in the CorporateMehiläinen online service. To the extent that the data subject can act on their own, they must, without undue delay, upon learning of an error or upon discovering it themselves, proactively rectify, delete, or complete the incorrect, unnecessary, incomplete, or outdated information in the service. Otherwise, the data subject is asked to update the information by reporting changes via email to yritysmehilainen@mehilainen.fi. The data subject has the right, under certain conditions, to have their personal data deleted, for example, if the data subject objects to the processing and there is no justified reason for the processing. A deletion request can be made in accordance with section 10 of this privacy policy.

The data subject also has the right to request Mehiläinen to restrict the processing of their personal data, for example, when the data subject is awaiting Mehiläinen's response to their request for rectification or deletion of data. A request for restriction of processing can be made in accordance with section 10 of this privacy policy.

9.4 Right of the Data Subject to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the competent supervisory authority (in Finland, the Office of the Data Protection Ombudsman) if the data controller has not complied with applicable data protection legislation in its operations.

For issues related to registered patient and personal data, one can turn to Mehiläinen's Health Information Management team.

Health Information Management
info.terveystiedot@mehilainen.fi

Please note that we can only accept requests from data subjects in writing. Your identity will be verified at a Mehiläinen service point with a photo ID or alternatively through the OmaMehiläinen online service. This ensures that information is only released to individuals who have the right to it.

You can also submit a data request through the nearest Mehiläinen service points, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen service point on our website at https://www.mehilainen.fi/en/locations.

If you are sending sensitive information by email, you can use Mehiläinen's secure mail if necessary.

Data Protection Officer

The Data Protection Officer at Mehiläinen is Kim Klemetti (tietosuoja@mehilainen.fi).