FINNISH MUTUAL PATIENT INSURANCE COMPANY
“Personal data” means any data relating to natural persons (“data subjects”) from which a person can be identified, directly or indirectly, as further defined in the Data Protection Regulation.
2. REGISTRAR INFORMATION
Registrar: Finnish Mutual Patient Insurance Company (hereinafter also “SKPVY”)
Business ID: 3146137–9
Address: Annankatu 12 A 20, 00120 HELSINKI
Email address: firstname.lastname@example.org
3. PURPOSES AND LEGAL BASIS OF THE PROCESSING OF PERSONAL DATA
The purposes for which personal data are processed are:
- conducting insurance business
- implementation of services, conclusion of customer agreements and handling of orders
- customer service and communication as well as customer satisfaction surveys
- invoicing, credit decisions and debt collection
- stakeholder relations and subcontracting as well as cooperation with service providers
- improving the user experience of our website and other services and tracking user traffic
- management of statutory obligations (e.g. accounting and tax activities) and reporting obligations
- internal reporting and other administrative measures (including the implementation of information management services) and business planning
- handling warranty and defect liability issues, handling complaints and handling legal and regulatory proceedings
- prevention and investigation of misuse, and ensuring the security of information, persons and property
The legal basis for the processing of personal data in order to carry out our services, carry out insurance operations, enter into customer agreements and perform related obligations is the contractual relationship or its preparation.
The processing of personal data may also be based on the legitimate interests of the controller or of a third party. The processing of personal data in connection with customer relationship management, customer communication, reporting and business development, as well as the handling of complaints and legal proceedings, is based on a legitimate interest. When we process personal data based on a legitimate interest, we assess the benefits and potential disadvantages of the processing for the data subject and have assessed that the data subject’s rights and interests do not override the legitimate interest. Upon request, we will provide further information on the processing of personal data based on a legitimate interest.
If we process personal data in order to comply with legal requirements, for example in order to conduct insurance business or to perform certain of our reporting obligations, the legal basis for the processing is primarily compliance with a statutory obligation.
4. PERSONAL DATA TO BE PROCESSED AND SOURCES OF DATA
|Data group|Examples of data content|
|---|---|
|Identification and contact information|Name and e-mail address of the customer and/or representative and information related to any stakeholder relationship.|
|Information on products and services and customer communications|Information related to contracts, customer communications and complaints.|
|Information on the use of websites and other electronic services|IP address, electronic communications identification information, search and browsing information, browser and operating system information, and registration information.|
|Whistleblower channel|The whistleblower channel is anonymous in itself unless the person adds their personal information.|
* Marked information is essential.
We collect personal information directly from the data subject, for example in connection with transactions, or when the data subject uses our services either on his own behalf or on behalf of the organisation he represents, or in connection with registration, when the data subject visits our website or other electronic services, responds to customer satisfaction surveys or otherwise contacts us.
We also receive contact and background information regarding representatives of our customers and partners from other external sources, such as private registry services and registers maintained by government agencies.
Upon request, we will provide more information about the data sources we use to collect personal information.
5. RETENTION OF PERSONAL DATA
Upon request, we will provide more information about our privacy practices.
6. RECIPIENTS OF PERSONAL DATA
Various service providers and other third parties may also be used to process personal data, such as providers of technical solutions or server space, or accounting and financial management service providers. We conclude the agreements required by data protection legislation with the parties we use to process personal data.
Personal data may be disclosed to third parties in situations required by law or authority or for the purpose of investigating misconduct and ensuring security. In addition, personal data may have to be disclosed in connection with legal proceedings or similar proceedings.
If the controller is involved in a merger, business transaction or other corporate arrangement, personal data may be disclosed to the parties to the arrangement or to parties assisting in the arrangement.
Upon request, we will provide more information about the recipients of personal information.
7. TRANSFER OF PERSONAL DATA OUT OF THE EUROPEAN ECONOMIC AREA
We mainly process personal data within the European Economic Area. Personal data may also be processed outside the European Economic Area, and if personal data is transferred out of the European Economic Area, we will ensure the lawfulness of the transfer of personal data through an appropriate safeguard mechanism, such as using the European Commission’s model contract clauses.
Upon request, we will provide further information regarding the transfer of personal data and the protection mechanisms used.
8. PROTECTION OF PERSONAL DATA
Data security and the protection of personal data are of primary importance to us. The controller shall process personal data in a manner that ensures the proper security of the personal data, including protection against unauthorised processing and accidental loss, destruction or damage.
The controller shall use appropriate technical and organisational safeguards to ensure this, including the use of firewalls, encryption techniques, secure equipment facilities, appropriate passage control and access control, guidance to personnel involved in the processing of personal data as well as subcontractors. All parties processing personal data have a duty of confidentiality in matters related to the processing of registered personal data, in accordance with the Employment Contracts Act and the confidentiality provisions of the agreements.
9. RIGHTS OF DATA SUBJECTS
Data subjects have rights to their own personal data in accordance with data protection legislation. However, the application of the rights in each individual situation depends on the purpose and situation of the use of personal data.
- Right of access to personal data. The data subject has the right to receive confirmation as to whether personal data concerning him or her are processed and, in accordance with data protection legislation, other information on the processing of personal data. The data subject has the right to receive a copy of the personal data.
- Right to rectification of personal data. The data subject has the right, with certain restrictions, to request the correction or deletion of incorrect or inaccurate information.
- Right to delete personal data. The data subject has the right to request the deletion of his or her personal data in accordance with the provisions of data protection legislation. Upon request, we will delete personal information unless we are required by law to retain it or another applicable exception under data protection law permits its retention.
- Right to restrict processing. In accordance with the conditions of data protection legislation, the data subject has the right to request a restriction on the processing of personal data in certain situations.
- Right to transfer personal data. The data subject has the right to request the transfer of his or her personal data to another data controller. The right of transfer applies in principle to personal data which have been provided by the data subject to the controller in a structured and machine-readable form and which are processed on the basis of the data subject’s consent or agreement and/or for which processing is automatic.
- Right to object to processing. The data subject has the right to object to the processing of personal data based on legitimate interests, including profiling, in accordance with the conditions of data protection law. We may refuse a request if the processing is necessary to achieve the overriding and legitimate interests of the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and for profiling related to direct marketing.
- Right to withdraw consent. If the processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw his or her consent to the processing of personal data concerning him or her. Withdrawal of consent shall not affect any processing carried out before the withdrawal.
Exercise of rights
We hope you will contact us if you have any questions regarding the processing of your personal information.
The identity of the applicant will be verified before the request is processed. A request shall be replied to within a reasonable time and, in principle, within one month of the request and the verification of identity. If the request cannot be granted, the refusal shall be notified separately.
10. RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
The data subject has the right to lodge a complaint with a data protection authority if the data subject considers that the processing of personal data relating to him or her infringes current data protection legislation.
Contact information for the Finnish Data Protection Authority can be found here.