6.10.2023
DATA CONTROLLER
Painoklinikka.fi/ Suomen Painoklinikka Oy
P.O. Box 5, 20321 Turku
Business ID 3165173-8
Contact person for data protection matters
André Heikius, info@painoklinikka.fi
REGISTER NAME AND DATA CONTENT
Painoklinikka.fi’s marketing and customer register
OUR BASIC PRINCIPLES REGARDING PERSONAL DATA
We collect personal data from our private customers only based on the information they provide; we do not purchase registers from any source. In other words, the personal data accumulated by Painoklinikka.fi is always provided by customers to us so that we can carry out the actions requested by customers, such as sending newsletters and enabling access to training or appointments. Regarding the data collected, we apply the data minimization principle, which practically means that we only collect data that is essential for providing the service requested by the customer. For example, for newsletters, we only collect the first and last name and email address. For customer data, we also collect a phone number and address for service provision and related communication.
Since the individuals providing the services are healthcare professionals, it is natural that privacy protection, confidentiality, and the extremely careful processing of personal data are considered in all operations and maintained at an exceptionally high standard.
Our technical partners in service provision have been selected to ensure that our basic principles described above are met. We have particularly emphasized the domestic origin of service providers involved in processing customer and patient data, and in our selections, we have stressed the secure processing of personal data.
WHAT DATA DO WE COLLECT AND FOR WHAT PURPOSE?
Painoklinikka.fi/ Suomen Painoklinikka Oy acts as the data controller for three different types of personal data.
- personal data related to marketing
  - newsletter subscriber
  - this data is managed using an email sending program, MailChimp
  - personal data includes first and last name, and email address
  - https://mailchimp.com/legal/privacy/
- personal data related to customer relationship
  - person who participated in a webinar or coaching
  - this data is managed using the software we use for appointments
  - personal data includes first and last name, email address, and phone number
- personal data related to patient relationship
  - patient data generated during a doctor’s visit
  - this data is managed using our Class A Sote information system for patient data
LEGAL BASIS FOR PROCESSING PERSONAL DATA / WHY DO WE COLLECT YOUR DATA?
3.1 General information on the processing of personal data
To the extent that the marketing and customer register contains personal data, its processing complies with the Data Protection Act and other currently valid laws, regulations, orders, and official guidelines concerning the processing of personal data. Personal data refers to information that can be linked to a specific person. This privacy policy describes in more detail the procedures for collecting, processing, and disclosing personal data, as well as the rights of the customer, i.e., the data subject.
3.2 Purpose of personal data collection
Customer relationship or other comparable relationship. The purpose of the customer register is to enable contacts required for customer service and to maintain the customer relationship.
Data storage based on consent. The Customer is separately asked for consent to store, process, and retain personal data. Newsletters offer the possibility to unsubscribe from the mailing list, in which case personal data is removed from the mailing system. Customer data is not automatically deleted even if the person unsubscribes from the newsletter mailing list. Data contained in patient records is retained in accordance with patient record system regulations.
3.3 Purpose of data use
The data in the register may be used for the following primary purposes:
– managing and developing customer relationships
– producing, offering, developing, and improving services
– invoicing
– targeting advertising
– analysis and statistics concerning services
– customer communication, marketing, and advertising
3.4 Consequences of not providing data
If the data controller does not receive the data referred to in section 3.2, a customer relationship cannot be initiated or continued, nor can the data controller enter into any other agreement or legal transaction with the Customer.
DATA RETENTION PERIOD
Personal data is generally processed for as long as the customer agreement for whose management we need the data remains valid. We record the data in the register as we receive it from the data subject themselves, and it is updated according to what the data subject informs the data controller.
If the collection and retention of personal data has been based solely on the Customer’s consent, e.g., permission to send a newsletter, the personal data will be deleted upon their request.
REGULAR DATA SOURCES / WHERE IS DATA COLLECTED FROM?
Data is obtained with the individual’s consent through active actions taken during a website visit, e.g., by subscribing to a newsletter.
DATA DISCLOSURE / WHERE CAN DATA BE PROVIDED?
Data is not disclosed for marketing purposes outside Painoklinikka.fi. We have ensured that all our service providers comply with data protection legislation. Service providers that process personal data on our behalf:
- MailChimp
Data is not regularly transferred outside the European Union or the European Economic Area. However, data may be transferred or disclosed outside the European Union or the European Economic Area in ways permitted by law, if the data is transferred to a country where the European Commission has deemed the level of data protection adequate, or if an adequate level of data protection can be guaranteed through contractual arrangements. Transfers outside the EU may also temporarily occur when using various cloud services, such as OneDrive, Google Analytics, iCloud, or Dropbox.
Data is disclosed to authorities in cases required by law.
PRINCIPLES OF REGISTER PROTECTION / HOW DO WE PROTECT YOUR PERSONAL DATA?
Access to the register requires a user ID granted by the Customer Register’s main administrator. The main administrator also defines the access level granted to other users. Only those employees of the data controller and employees of subcontractors who require access for work-related tasks have access to the data. The data is collected into service databases that are protected by firewalls, passwords, and other technical means. The databases are located in locked and guarded premises, and only certain predefined individuals have access to the data.
To the extent that personal data is processed by a subcontractor on behalf of the data controller, agreements between the data controller and the subcontractor have ensured the implementation of appropriate safeguards and confirmed that the processing of personal data meets the requirements of data protection legislation.
Patient data is processed only by healthcare professionals such as doctors. Every person processing patient data possesses the competence required by law and regulations regarding operating procedures, data security, and the highest possible diligence.
CUSTOMER RIGHTS / HOW CAN I ACT TO ENSURE LAWFUL PROCESSING?
Accessing, obtaining, and transferring data
The Customer has the right to inspect what data concerning them has been stored in the Customer Register. The Customer must submit an inspection request to the data controller in writing, either in a personally signed form or a similarly verified document, or via email.
The data controller will provide the aforementioned data to the Customer within 30 days of receiving the inspection request.
Rectification of incorrect data
The Customer has the right to rectify personal data concerning them stored in the personal register to the extent that it is incorrect.
Objecting to or restricting data processing and data erasure
The Customer has the right to object to the processing of their data for direct advertising, distance selling and other direct marketing, for market and opinion research, and for the development of the data controller’s business; to restrict the processing of their data; and to have personal data already registered for those purposes erased, even if there would otherwise be a basis for processing.
To be removed from the marketing register, notify the data controller via the link in the newsletter. Newsletters cannot be received unless subscribed to by the individual. This newsletter subscriber data is managed in MailChimp. Customer data is generated only as a result of the customer’s own actions, such as participating in a webinar, training, or booking an appointment for a service offered by Painoklinikka.fi.
Withdrawal of consent
If the data in the register is based on the Customer’s consent, consent can be withdrawn at any time by notifying the data controller’s representative mentioned in this policy. Based on the request, all data that does not need to be retained, or cannot be retained, by law or other grounds mentioned in this privacy policy, will be deleted. In the request, the customer must specify whether they wish to delete their data only from the marketing register or also from the customer register. For patient data, retention grounds related to patient data are followed.
Procedure for exercising rights
An inspection, rectification, or other request can be submitted by contacting the data controller’s customer service using the contact information provided in this policy.
Disputes
The Customer has the right to refer the matter to the Data Protection Ombudsman if the data controller does not comply with the Customer’s rectification or other request.