Drafted 16 May 2018 Updated 28 June 2023
1. DATA CONTROLLER AND CONTACT INFORMATION FOR MATTERS CONCERNING THE FILING SYSTEM
Business ID: 2123094-8
Äyritie 12 C, 01530 Vantaa, Finland
Telephone +358 09 3158 9800 (weekdays 8 a.m. – 4 p.m.)
Contact person for matters concerning the filing system:
Telephone +358 (0)407606632
2. FILING SYSTEM NAME
Oiva Health customer filing system based on customer relationships and other factual connections (“Oiva Health customer filing system”)
3. PURPOSE OF THE PROCESSING OF PERSONAL DATA AND THE MARKETING FILING SYSTEM
We only process and use personal data for predefined purposes, which include:
- Maintaining and analysing customer relationships and other relationships based on factual connections
- Producing and personalising services
- Offering and providing services and managing customer relationships
- Collecting feedback
- Developing customer services and business activities
- Maintaining and developing customer relationships
- Content and content personalisation
- Marketing and communication in relation to services
- Analysis and compilation of statistics
- Opinion and market surveys
- Fulfilling statutory obligations
Personal data may be processed as stipulated by relevant legislation for the marketing purposes, including direct marketing, distance selling and opinion and market surveys, of any companies belonging to Oiva Health and partners carefully selected by Oiva Health. Personal data may generally only be disclosed to partners for purposes that are consistent with the filing system’s mission statement and in which data is only processed for purposes consistent with Oiva Health’s purpose of use.
Oiva Health may use the location data of the user’s device for all purposes described above in this section, unless otherwise agreed with the customer. Personal data is primarily used to offer services based on the user’s location or to enable internal analysis of the user’s use of a service, provided that the user or customer has given Oiva Health express consent for the use of their location data, that consent for the use of location data is unambiguously present in the context of the user’s relationship with Oiva Health or that the location data is anonymous.
General prerequisites for processing personal data: Personal Data Act, section 8, subsection 1, items 1, 2, 5, 6 and 7.
4. DATA CONTENT OF THE FILING SYSTEM
The filing system may contain the following data:
4.1 Data that has been provided by the user and personally identifiable information
- Contact information, such as name, address, telephone numbers and email addresses
- Demographic information, such as age or date of birth, gender, profession and language
- Employer’s company name, address and business ID
- Data concerning the customer relationship, such as product and order information, customer feedback, customer communications and lottery and competition response data
- Data related to communication with the user and data related to the use of services, such as browsing data, search data and login information
- Any permissions and consent
- Transaction and user analysis data
- Any profiling data or data regarding the user’s interests provided by the user
- Any other data collected with the customer’s consent
4.2 Data produced by the use of services
- Customer number
- Billing and charging data
- Identifying information of the used device, such as model, device ID, serial number, software version, warranty information, used devices
- Mobile telecommunications service provider and cooperation ID
- Instrument and registration information used in healthcare monitoring received from the services of an external service provider approved by the customer, as well as related measurement data
- Other data that is essential or useful for healthcare purposes
- Any other data collected with the user or customer’s consent
4.3 Identifiable information of data subjects that have acquired a device and/or service
- Data concerning online activity on Oiva Health’s website or services (e.g., used video service connections, calendar entries, support service requests)
- With the customer’s consent, location data, such as coordinates determined by GPS, WLAN connection or mobile network base stations. Please note that services based on location data can only be provided if the user allows the use of their location data.
- Viewed content and data regarding what the user has clicked on
- The page from which the user was redirected to our website, device model, unique device and/or cookie ID, data collection channel (web browser, email newsletter, mobile browser, application), browser version, IP address, session ID, session time and duration, screen resolution and operating system
- Identified users are typically identified by a random number sequence or other similar identifier that does not provide any personally identifiable information.
- Unidentified users are typically identified by a cookie or other similar identifier.
4.4 Identifiable information of data subjects that have opened a customer account and/or registered for services (in addition to the information above)
- User ID
- Service-related data of identified users, such as data regarding the use of service features
- The data is stored in the system in an anonymised or heavily encrypted form.
4.5 Data derived from the use of services
Derived data refers to data that has been extrapolated by analytics or AI from the use of a service and/or the data provided by the customer themselves. Such data may include, for example, interests, placement of the user into a user category or data collected by sensors and instruments used by health services or in health monitoring.
5. REGULAR DATA SOURCES
The data subject’s personal data is collected from the data subject themselves and from various services the data subject indicates they use (such as Oiva Health’s online and mobile services and the registration and contact information related to instrument data from partners connected to the Oiva Health service). Personal data may also be collected and updated from the Oiva Health group’s other filing systems, filing systems of contracting parties and authorities and companies that offer services related to personal data.
6. AUTOMATED DECISION-MAKING AND PROFILING
We monitor and profile users’ activity in our digital services to allow us to provide them with content that corresponds to their interests, needs and profession as well as possible.
7. COOKIES AND MONITORING
We collect data concerning users’ devices using cookies and other corresponding technologies, such as automated marketing. Web browsers save data concerning the user’s device as a cookie, which contains the device’s unique ID and allows us to anonymously identify visitors and activity on our website. Measurement and monitoring services may store cookies on users’ devices when they visit our services. We are not responsible for the content or privacy protection practices of these services.
8. DATA DISCLOSURE AND TRANSFER
The data controller may, at their discretion, disclose data to parties such as Oiva Health’s partners as permitted or required by current legislation unless the data subject has restricted disclosure of the data. Generally, personal data may only be disclosed for purposes that are consistent with the filing system’s mission statement and in which data is only processed for purposes consistent with Oiva Health’s purpose of use. Data may also be disclosed in ways required to respond to demands issued by competent authorities or other parties and consistent with current legislation, or, if the data has been anonymised, for historical or scientific research or the compilation of statistics.
If Oiva Health’s business is the subject of a sale or other transaction, data may be disclosed to the party that acquires the business. The data controller may transfer personal data to any partner who, on the basis of a cooperation agreement between the two parties, processes data on behalf of the data controller. In such cases, the data processor shall not process the transferred data in their own filing systems for their own purposes.
Personal data is generally not transferred outside European Union member nations or the European Economic Area unless it is necessary for the purposes of processing the data, in the vital interest of the data subject or required for the technical implementation of data processing, in which case the data will be transferred according to the requirements of the Personal Data Act.
Stricter conditions, such as prohibitions on processing data outside Finland, may also be agreed upon with individual customers. Oiva Health may transfer data in the filing system to other filing systems it administers after the customer relationship or other factual connection has ended.
The data controller stores the customer’s personal data until the customer requests to have the data erased or the data is no longer needed for the original processing purpose.
9. FILING SYSTEM SECURITY
Electronically processed data stored in the filing system is protected using firewalls, passwords and other security solutions generally accepted by the data security industry.
Manually maintained materials are stored in spaces to which unauthorised entry is restricted.
Only identified personnel employed by the data controller or a company commissioned by them or acting on their behalf have access to the data stored in the filing system with the data controller’s authorisation.
10. RIGHT TO ACCESS, RESTRICT PROCESSING AND RECTIFICATION
The data subject has the right, under the Personal Data Act, to access any of their personal data stored in the filing system. Upon request from the data subject, we will make any necessary rectifications or completions of personal data or erase any data that is incorrect, unnecessary, incomplete or out of date for the purposes of processing.
If you wish to access or update your personal data, please contact our customer service. The request must be submitted in writing and signed. Data is regularly disclosed using machine-reading. The data subject has the right to restrict the processing and disclosure of data concerning them for the purposes of direct advertising, other direct marketing and market and opinion surveys by contacting our customer service.
The data subject also has the right to have their personal data erased from the filing system (“right to be forgotten”). Likewise, the data subject has all other rights granted under the General Data Protection Regulation, such as the right to have the processing of their personal data restricted under certain circumstances. Please send any requests to the data controller in writing. If necessary, the data controller may require the person submitting the request to prove their identity. The data controller shall respond to the customer within the timeframe prescribed by the General Data Protection Regulation (generally within one month).