Privacy policy

We at Sydänkeskus (hereinafter referred to as the data controller) process our customers’ personal data carefully in compliance with our data protection obligations. Sydänkeskus’s personal records contain information about patients, business customers, employees, stakeholders and operations that must be protected by law. The processing of personal data is governed by the EU Data Protection Regulation and related local legislation. Patient data relating to health services is subject to specific legislation.

Patient data is confidential information concerning your treatment (Act on the Status and Rights of Patients (785/1992), Section 13 “Patient Act”). Personal data, on the other hand, are related to the management of the client relationship and communication and include, for example, contact details or other general personal data. At the Sydänkeskus, patient and personal data are processed only by persons who are entitled to process them. Health professionals and other staff are bound by confidentiality obligations in respect of all information obtained in connection with the treatment of patients.

You can view your own health and attendance data on the national OmaKanta service at www.kanta.fi. There you can also manage both denials and consents for your data.

This notice applies to the processing of data in all Sydänkeskus offices. It is available on the website and in paper form at all permanent offices.

1. The controller

Oulun Sydänkeskus Oy, business ID 1976798-1
Address: Isokatu 32 C, 3krs. 90100 OULU,
tel: +358 8 333 440
Branches: Rovaniemi, Pori and CT truck

Helsingin Sydänsairaala Oy, business ID 2633306-5
Address: Länsisatamankatu 16, 00180 Helsinki,
tel: +358 9 3747 9700

2. Purpose and basis of the processing of personal data

Personal data means information describing a person (hereinafter referred to as the Data Subject) or his or her characteristics. It is personal information about customers, employees or business contacts, such as name, address, telephone number or any other information that can be associated with a specific individual. The primary basis for the processing of personal data is the customer relationship between the data subject and the controller, the data subject’s consent or an assignment or other factual connection.

3. Principles for the protection of registers

Manual material is kept in a locked room, accessible only to staff. Access to digital material is restricted to authorised employees, professionals or partners. Identification is always done using strong authentication and a logbook entry is left for all processing of personal data.

4. Register description

4.1. Individual customers

4.1.1. Content of the personal register

For example, the following information may be stored about the data subject:

  • Name, personal identification number and other basic information required
  • Contact information such as address, phone number or email
  • Information about insurance, occupational health services or other paying organisation
  • A relative, guardian or other contact person
  • Previous dates of your visit and the doctor or other contact person at the Sydänkeskus
  • Information that the data subject wishes to add to the data, such as customer feedback, customer or appointment requests and any discounted memberships.
  • Payment information
  • Prohibitions, restrictions and consents
  • Information relating to the processing of the data, such as the date of recording and the source of the data
  • The register may also include information about the registrant provided by other partners of Sydänkeskus, such as an insurance company or a paying organisation.

4.1.2. Storage of data in the medical record

  • Health information is archived in the Kanta Services Patient Data Archive maintained by Kela on the basis of the Act on the Electronic Processing of Social and Health Care Customer Data (159/2007) (“Customer Data Act”).
  • Electronic prescriptions are stored in the Prescription Centre, whose controller is Kela.
  • In the context of your treatment, your health data may be accessed by healthcare providers through the Kanta services in accordance with your own consents and prohibitions.
  • Consents and denials can be maintained through the OmaKanta service. More information and management of consents and refusals: www.kanta.fi
  • The staff of the Sydänkeskus may change consents and prohibitions upon request.

4.1.3. When can my data be processed?

  • For appointments and treatment
  • On specific request, for example when a copy of an epigraph is needed.
  • In accordance with an agreement with a health professional (Annex 1).
  • In the context of the planning, development and statistics of the controller’s activities
  • In connection with billing and collection
  • Assessing and informing the data subject of appropriate checks and treatment (with his or her consent)
  • When dealing with feedback, formal requests for clarification and incidents
  • Other obligations of the controller in the performance of its duties

4.1.4. Verification, correction and deletion of data

You can submit a request for verification or correction of personal data in writing to the Sydänkeskus. Request for verification of personal data

  • Data provided by the data subject may be deleted on request. In other respects, the retention period for health data is in accordance with the Regulation of the Ministry of Social Affairs and Health on medical records (298/2009).
  • If the data subject considers that the processing of personal data concerning him or her has infringed the GDPR, he or she has the right to lodge a complaint with a supervisory authority.

There is usually no separate charge for providing information. A fee is only charged if less than one year has passed since the person concerned last had access to the information in the register.

4.2. Organisational customers

The cooperation gives the Controller a legal interest in the maintenance of the personal data file of organisational customers.

  • For organisational customers, information is collected on the contact persons and signatories of contracts and other persons responsible for decision making in the organisation.
  • The name, organisation, position in the organisation, telephone number and e-mail address of the data subject are recorded in the register. This personal data is used to inform you about the services of the Controller or other relevant aspects of the provision of the service.
  • Personal data will not be processed in a way incompatible with these purposes and the data subject has the right to opt-out of e-mails that may contain marketing. In this case, he/she will receive the information relevant for the provision of the service through other channels.
  • The data is stored as long as the person is employed by the client organisation and the cooperation agreement is in force.

5. Data breach

A personal data breach is an event that results in the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed. Unauthorised disclosure of data and unauthorised access to data are also considered a breach of data security. The staff of the Sydänkeskus are instructed to report any breaches of security they detect to the Data Protection Officer.

6. Contact persons for matters concerning the registers

The Data Protection Officer at Sydänkeskus is Olli-Pekka Piira. Olli-Pekka is the contact person for all matters related to the processing of personal data. He can be reached by phone on +35844 505 7494 or you can send him a secure email.

The Data Protection Officer of Helsingin Sydänsairaala Oy is Soile Timberg. Soile is the contact person in matters related to the processing of personal data. She can be reached by phone on +35850 5645 462 or you can send her a secure email.

Data controllers have a patient ombudsman. The role of the Patient Ombudsman is to advise and, where necessary, assist in matters relating to the application of the Patient Rights Act, for example in filing a reminder and/or a patient compensation report, and to promote patients’ rights.

 

Annex 1:

Your medical records may be disclosed pursuant to Section 13 of the Patient Act (785/1992) as follows:

  1. For the purpose of providing research or treatment, another health care unit may disclose necessary information to the Sydänkeskus or the Sydänkeskus to another health care unit, in accordance with your oral or written consent or consent in context;
  2. To an authority or body with a statutory right of access;
  3. To a court, other authority or body with a statutory right of access.
  4. To a close relative or other close person. If you are unconscious or being treated for a similar reason, your next of kin or another person close to you may have access to information about you and your medical condition, unless there is reason to believe that you would have refused to do so.
  5. The obligation of confidentiality and the need for privacy continues even after the death of the person. Therefore, information about a deceased person may not be disclosed without a legal basis.