DATA PROTECTION DESCRIPTION OF THE DIRECT MARKETING REGISTER OF MEHILÄINEN OY

Date: 22 October 2019

1 CONTROLLER

Mehiläinen Oy, Business ID 1927556-5, Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland.

2 CONTACT PERSON FOR REGISTER QUERIES

Data Protection Officer Kim Klemetti
tietosuoja@mehilainen.fi
tel. +358 10 414 0112 (switchboard).

3 NAME OF REGISTER

Mehiläinen’s direct marketing register.

4 PURPOSE OF PROCESSING THE PERSONAL DATA

The processing of personal data is based on Mehiläinen’s legitimate interests (purpose of direct marketing), on the customer relationship between Mehiläinen and the data subject, or on the consent given by the data subject.

Personal data is utilised for the addressed mail of direct marketing, remote marketing, profiling purposes (as described in more detail under Section 10), opinion or marketing surveys, or other equivalent addressed deliveries.

Processing tasks can be outsourced to Mehiläinen’s group companies and/or external service providers in accordance with and within the limits set by the data protection legislation.

5 REGISTER'S DATA CONTENT

The register processes data belonging to the following groups:

Name, title or profession, age or year of birth, sex, mother tongue, address or other contact information, desired contacting methods, channel-specific direct marketing consent and prohibition data, other identi-fication data on the data subject based on consent or customer relationship regarding marketing, and any change data regarding such information.

6 STORAGE TIME OF PERSONAL DATA

Mehiläinen stores all personal data in the direct marketing register, unless the data subject has prohibited direct marketing. In this case, the information on the prohibition of direct marketing will be stored in the direct marketing register.

7 REGULAR SOURCES OF INFORMATION

Personal data is gathered during registration for various marketing contests etc., during registration in Mehiläinen’s services, or otherwise directly from the data subject. Personal data can also be gathered and updated from the registers of Mehiläinen and the companies belonging to the same Group (such as from the OmaMehiläinen user register or the customer register), the population register of the Population Register Centre, prohibition registers maintained by the Finnish Direct Marketing Association, and other equivalent registers. Information is not collected from the patient register.

8 REGULAR DISCLOSURE OR TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION OR THE EUROPEAN ECONOMIC AREA

Information is submitted to the Mehiläinen Group companies for the purposes described in Section 4 of this data protection description.

Personal data will not be disclosed to parties other than those participating in the production, development, or maintenance of services or communications of Mehiläinen or on its behalf, except when based on an agreement, other consent, and regulations.

Personal information can be transferred outside the European union or the European Economic Area, for example, to the United States, in accordance with the data protection legislation and the restrictions set therein.

9 DESCRIPTION OF THE PRINCIPLES IN ACCORDANCE WITH WHICH THE DATA FILE HAS BEEN PROTECTED

Any physical material is stored in a locked space to which only people with particular rights have access. Digital material can only be accessed by employees, practitioners or co-operation partners specifically entitled to do so or private practitioners with a personal user ID and password. There are different levels of access rights, and each user is issued sufficient rights, though as limited as possible, to complete his or her work tasks.

10 PROFILING

As part of the processing activities of personal information saved in the direct marketing register, Me-hiläinen can also implement profiling. Profiling is implemented by creating a customer ID for the data subject for the purpose of combining the information in the direct marketing register on the data subject. After this, a profile created as described above can be, e.g., compared to profiles created on other data subjects.

The purpose of profiling is to enable better allocation of marketing efforts.

11 THE DATA SUBJECT’S RIGHT TO PROHIBIT THE PROCESSING OF PERSONAL DATA AND DIRECT MARKETING

With regard to a personal special situation, a data subject has the right to prohibit his or her profiling and other processing activities which Mehiläinen may direct on the data subject’s personal data to the extent that the grounds for the processing of information is the customer relationship between Mehiläinen and the data subject. The data subject may present his or her request for the prohibition in accordance with Section 13 of this data protection description. In connection with the request, the data subject must identify the special situation on the basis of which he or she objects to the processing of data. Mehiläinen may refuse to implement the request for prohibition on statutory grounds.

A person may give channel-specific consent or prohibitions to Mehiläinen regarding direct marketing.

12 OTHER RIGHTS OF THE DATA SUBJECT REGARDING THE PROCESSING OF PERSONAL DATA

12.1 The data subject’s right of access to the data (inspection right)

The data subject has the right to inspect Mehiläinen’s direct marketing register with respect to the stored data concerning him or her. Such an inspection request must be made in accordance with Section 13 of this data protection description. The right to inspection may be declined on statutory grounds. In principal, there shall be no charge for exercising the right to inspect.

12.2 The data subject’s right to demand rectification or erasing of data or a restriction on processing data

Insofar as the data subject or user can act him or herself, after having been informed of an error in the data or having detected such an error him or herself, he or she must, without undue delay, on his or her own initiative, rectify, erase, or supplement the erroneous, unnecessary, incomplete or obsolete personal data.

Insofar as the data subject cannot rectify the data him/herself, the rectification request shall be made in accordance with Section 13 of this data protection description.

The data subject also has the right to demand the controller to restrict the processing of his or her personal data, for example, in a situation where the data subject is waiting for Mehiläinen’s response to his or her request to rectify or erase data.

12.3 A data subject’s right to transfer data from one system to another

Insofar as the data subject him/herself has provided information to the direct marketing register for processing on the basis of the data subject’s consent, the data subject has the right to access such data mainly in machine-readable format and the right to transfer such data to another controller.

12.4 A data subject’s right to make a complaint to the supervising authorities

A data subject has the right to make a complaint to the competent supervising authorities, if the controller in its operations has not followed the applicable dataprotection regulations.

12.5 Other rights

If the personal data is being processed on the basis of the data subject’s consent, the data subject has the right to cancel the consent by notifying Mehiläinen of this in accordance with Section 13 of this data protection description.

13 CONTACTS

In all matters related to the processing of personal data and all situations regarding the exercising of one’s own rights, the data subject should contact Mehiläinen via the OmaMehiläinen service, in person at a Me-hiläinen clinic, or by post at the address: Mehiläinen Oy / Suoramarkkinointirekisteri, Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland. When required, Mehiläinen can request the data subject to further define their request in writing, and, if needed, the identity of the data subject can be authenticated before initiating any other measures.