PRIVACY POLICY
FINNISH MUTUAL PATIENT INSURANCE COMPANY
1. GENERAL
This privacy policy describes how the Finnish Mutual Patient Insurance Company (“SKPVY” or “controller”) processes personal data. The privacy policy applies to our website, marketing and customer relationship management, as well as the processing of personal information related to the products and services we offer.
We comply with applicable data protection laws in all processing of personal data. Data protection legislation refers to existing data protection legislation, such as the General Data Protection Regulation of the European Union (2016/679) and the Finnish Data Protection Act (5.12.2018/1050). Data protection terms not defined in this privacy policy will be construed in accordance with data protection law.
Our services and websites may also include links to external websites and services operated by other organisations. This privacy policy is not applicable to their use, so we encourage you to read the privacy policies that apply to them separately.
“Personal data” means any data relating to natural persons (“data subjects”) from which a person can be identified, directly or indirectly, as further defined in the Data Protection Regulation.
2. REGISTRAR INFORMATION
Registrar: Finnish Mutual Patient Insurance Company (hereinafter also “SKPVY”)
Business ID: 3146137–9
Address: Annankatu 12 A 20, 00120 HELSINKI
Email address: info@skpvy.fi
3. PURPOSES AND LEGAL BASIS OF THE PROCESSING OF PERSONAL DATA
The purposes for which personal data are processed are:
- conducting insurance business
- implementation of services, conclusion of customer agreements and handling of orders
- customer service and communication as well as customer satisfaction surveys
- invoicing, credit decisions and debt collection
- stakeholder relations and subcontracting as well as cooperation with service providers
- improving the user experience of our website and other services and tracking user traffic
- management of statutory obligations (e.g. accounting and tax activities) and reporting obligations
- internal reporting and other administrative measures (including the implementation of information management services) and business planning
- handling warranty and defect liability issues, handling complaints and handling legal and regulatory proceedings
- prevention and investigation of misuse, and ensuring the security of information, persons and property
The legal basis for the processing of personal data in order to carry out our services, carry out insurance operations, enter into customer agreements and perform related obligations is the contractual relationship or its preparation.
The processing of personal data may also be based on the legitimate interests of the controller or of a third party. The processing of personal data in connection with customer relationship management, customer communication, reporting and business development, as well as the handling of complaints and legal proceedings are based on a legitimate interest. When we process personal data based on a legitimate interest, we assess the benefits and potential disadvantages of the processing for the data subject and have assessed that the data subject’s rights and interests do not override the legitimate interest. Upon request, we will provide further information on the processing of personal data based on a legitimate interest.
If we process personal data in order to comply with legal requirements, for example in order to conduct insurance business or to perform certain of our reporting obligations, the legal basis for the processing is primarily compliance with a statutory obligation.
4. PERSONAL DATA TO BE PROCESSED AND SOURCES OF DATA
Data group | Examples of data content |
Identification and contact information | Name and e-mail address of the customer and/or representative and information related to any stakeholder relationship. |
Information on products and services and customer communications | Information related to contracts, customer communications and complaints. |
Information on the use of websites and other electronic services | IP address, electronic communications identification information, search and browsing information, browser and operating system information, and registration information. |
Whistleblower channel | The whistleblower channel is anonymous in itself unless the person adds their personal information. |
* Marked information is essential.
We collect personal information directly from the data subject, for example in connection with transactions, or when the data subject uses our services either on his own behalf or on behalf of the organisation he represents, or in connection with registration, when the data subject visits our website or other electronic services, responds to customer satisfaction surveys or otherwise contacts us.
We also receive contact and background information regarding representatives of our customers and partners from other external sources, such as private registry services and registers maintained by government agencies.
Upon request, we will provide more information about the data sources we use to collect personal information.
5. RETENTION OF PERSONAL DATA
We retain personal information for as long as necessary to fulfil the purposes set forth in this privacy policy and for as long as required by law (e.g., 7 years for responsibilities and obligations related to accounting, or at least 10 years after the termination of the insurance contract for obligations related to reporting and all insurance business), or for litigation or similar disagreements. Documents related to compensations are in principle retained by the Patient Insurance Centre. Upon termination, the personal data will be deleted or made anonymous within a reasonable time.
Upon request, we will provide more information about our privacy practices.
6. RECIPIENTS OF PERSONAL DATA
Various service providers and other third parties may also be used to process personal data, such as technical solutions or server space providers or accounting and financial management service providers. We take care of the agreements required by data protection legislation with the parties we use to process personal data.
Personal data may be disclosed to third parties in situations required by law or authority or for the purpose of investigating misconduct and ensuring security. In addition, personal data may have to be disclosed in connection with legal proceedings or similar legal proceedings.
If the controller is involved in a merger, business transaction or other corporate arrangement, personal data may be disclosed to the parties to the arrangement or to parties assisting in the arrangement.
Upon request, we will provide more information about the recipients of personal information.
7. TRANSFER OF PERSONAL DATA OUT OF THE EUROPEAN ECONOMIC AREA
We mainly process personal data within the European Economic Area. Personal data may also be processed out of the European Economic Area, and if personal data is transferred out of the European Economic Area, we will ensure the lawfulness of the transfer of personal data through an appropriate safeguard mechanism, such as using the European Commission’s model contract clauses.
Upon request, we will provide further information regarding the transfer of personal data and the protection mechanisms used.
8. PROTECTION OF PERSONAL DATA
Data security and the protection of personal data are of primary importance to us. The controller shall process personal data in a manner that ensures the proper security of the personal data, including protection against unauthorised processing and accidental loss, destruction or damage.
The controller shall use appropriate technical and organisational safeguards to ensure this, including the use of firewalls, encryption techniques, secure equipment facilities, appropriate passage control and access control, guidance to personnel involved in the processing of personal data as well as subcontractors. All parties processing personal data have a duty of confidentiality in matters related to the processing of registered personal data, in accordance with the Employment Contracts Act and the confidentiality provisions of the agreements.
In accordance with this privacy policy, the controller may outsource the processing of personal data to service providers or subcontractors, in which case the controller shall ensure, with adequate contractual obligations, that the personal data are processed properly and lawfully.
9. RIGHTS OF DATA SUBJECTS
Data subjects have rights to their own personal data in accordance with data protection legislation. However, the application of the rights in each individual situation depends on the purpose and situation of the use of personal data.
- Right of access to personal data. The data subject has the right to receive confirmation as to whether personal data concerning him or her are processed, and to receive other information on the processing of personal data in accordance with data protection legislation. The data subject has the right to receive a copy of the personal data.
- Right to rectification of personal data. The data subject has the right, with certain restrictions, to request the correction or deletion of incorrect or inaccurate information.
- Right to delete personal data. The data subject has the right to request the deletion of his or her personal data in accordance with the provisions of data protection legislation. Upon request, we will delete personal information unless we are required by law or any other applicable exception under data protection law to retain personal information.
- Right to restrict processing. In accordance with the conditions of data protection legislation, the data subject has the right to request a restriction on the processing of personal data in certain situations.
- Right to transfer personal data. The data subject has the right to request the transfer of his or her personal data to another data controller. The right of transfer applies in principle to personal data which have been provided by the data subject to the controller in a structured and machine-readable form and which are processed on the basis of the data subject’s consent or agreement and/or for which processing is automatic.
- Right to object to processing. The data subject has the right to object to the processing of personal data based on legitimate interests, including profiling, in accordance with the conditions of data protection law. We may refuse a request if the processing is necessary to achieve the overriding and legitimate interests of the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and for profiling related to direct marketing.
- Right to withdraw consent. If the processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw his or her consent to the processing of personal data concerning him or her. Withdrawal of consent shall not affect any processing carried out before the withdrawal.
Exercise of rights
We hope you will contact us if you have any questions regarding the processing of your personal information.
You may submit a data subject’s rights request by letter or email using the contact information provided in this privacy policy.
The identity of the applicant will be verified before the request is processed. A request shall be replied to within a reasonable time and, in principle, within one month of the request and the verification of identity. If the request cannot be granted, the refusal shall be notified separately.
10. RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
The data subject has the right to lodge a complaint with a data protection authority if the data subject considers that the processing of personal data relating to him or her infringes current data protection legislation.
Contact information for the Finnish Data Protection Authority can be found here.
11. CHANGES TO THE PRIVACY POLICY
This privacy policy may need to be amended from time to time. Changes may also be based on changes in data protection legislation. We therefore encourage you to review the privacy policy regularly for any changes. The latest version is available on our website.
This privacy policy was published on 3 June 2022.