Date: 28 October 2019
Mehiläinen Oy, Business ID 1927556-5, Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland.
2 CONTACT PERSON FOR REGISTER QUERIES
Data Protection Officer Kim Klemetti
tel. +358 10 414 0112 (switchboard).
3 NAME OF REGISTER
Mehiläinen’s customer register
4 PURPOSE OF PROCESSING THE PERSONAL DATA
The primary grounds for processing the personal data is the customer relationship between Mehiläinen and its customer, the customer’s consent details, the customer’s commission, or another relevant association.
Personal data can be processed for the following purposes:
Managing, implementing, developing, and monitoring a customer relationship, customer service, and related communications and marketing.
Analysing and grouping customer relationships and reporting on them, implementing the customer loyalty programme along with other purposes related to the development of Mehiläinen’s business operations and customer relationships in general.
Collation and processing of customer feedback and customer-satisfaction information.
Implementation of marketing research and opinion surveys.
Maintaining a record of customer service centre calls in order to authenticate service events, ensure legal protection and security, and train customer service staff and improve the quality of customer service.
Profiling purposes described in more detail under Section 10 of this data protection description.
Processing tasks can be outsourced to Mehiläinen’s group companies and/or external service providers in accordance with and within the limits set by the data protection legislation.
5 REGISTER'S DATA CONTENT
Information stored on the data subject may include, for example, the following:
Name, nickname, identity code, customer number, sex, language, address, telephone number, e-mail address, and other necessary contact information.
Next of kin, guardian(s), dependant(s), number and ages of children under the age of 18 years, residential information, and size of household.
Information on the use and purchase of services, the level and validity of the currently applicable customer benefit programme for loyal customers, and the implementation of marketing and communications in various transaction channels, such as online and automated services, including the recording of customer service centre calls.
The content produced by the data subject him or herself, such as customer feedback, and additional information entered – e.g., wishes related to the customer relationship, satisfaction information, areas of interest, hobby information, and similar information.
Information on the data subject’s insurance (if any), occupational health services and agreement, sports clubs (if any), and similar.
Services desired and used by the data subject, with their price information.
Information on the staff who have treated the data subject. Other wishes or notes related to the professionals, services, clinics, and other issues.
Prohibitions, restrictions, consent, and other choices.
Other information related to the customer relationship, e.g., data gathered on the use of websites that can be connected to the client, such as the user’s IP address, the time of visit, the pages viewed, the browser used (such as Internet Explorer or Firefox), and the URL and server from which the user accessed the site.
Information necessary for the use of authentication and verification tools and services.
Information on the processing of data, such as the storage date and the information source.
6 STORAGE TIME OF PERSONAL DATA
Mehiläinen stores personal data in the customer register until the customer relationship between the data subject and Mehiläinen is considered to have ended. The ending time is determined from the last service contact of the data subject in accordance with Mehiläinen’s key operation figures.
7 REGULAR SOURCES OF INFORMATION
Information is received mainly from the following sources:
The data subject him/herself, and his or her customer relationship, use of services, communications and transactions related to visits.
Parties offering services related to authentication, verification, address data, updates, credit information, or similar services.
The population register system of the Population Register Centre and other known systems.
Also information provided by Mehiläinen’s partners, such as insurance companies or sports clubs, can be added to the register.
8 REGULAR DISCLOSURE OR TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION OR THE EUROPEAN ECONOMIC AREA
Information is submitted to the Mehiläinen Group companies for the purposes described in Section 4 of this data protection description, and to the OmaMehiläinen register, Mehiläinen’s direct marketing register and possible other user registers of the Mehiläinen Group, but always in accordance with data protection legislation and the restrictions set therein.
Customer data will not be disclosed to parties other than those participating in the production, development, or maintenance of services or communications of Mehiläinen or on its behalf, except when based on an agreement, separate consent, and/or explicit regulations.
Customer information can be transferred outside the European Union or the European Economic Area, for example, to the United States, in accordance with the data protection legislation and the restrictions set therein.
9 DESCRIPTION OF THE PRINCIPLES IN ACCORDANCE WITH WHICH THE DATA FILE HAS BEEN PROTECTED
Any physical material is stored in a locked space to which only people with particular rights have access. Digital material can only be accessed by employees, practitioners or co-operation partners specifically entitled to do so or private practitioners with a personal user ID and password. There are different levels of access rights, and each user is issued sufficient rights, though as limited as possible, to complete his or her work tasks.
As part of the processing activities of personal information saved in the customer register, Mehiläinen can also utilise the information for purposes of profiling. Profiling is implemented by creating a customer ID for the data subject for the purpose of combining various data on the data subject created during the use of the service. After this, a profile created as described above can be, e.g., compared to profiles created on other data subjects.
The purpose of profiling is to determine customer behaviour and the demand for services.
11 THE DATA SUBJECT’S RIGHT TO PROHIBIT THE PROCESSING OF PERSONAL DATA AND DIRECT MARKETING
With regard to a personal special situation, a data subject has the right to prohibit his or her profiling and other processing activities which Mehiläinen may direct on the data subject’s personal data to the extent that the grounds for the processing of information is the customer relationship between Mehiläinen and the data subject. The data subject may present his or her request for the prohibition in accordance with Section 13 of this data protection description. In connection with the request, the data subject must identify the special situation on the basis of which he or she objects to the processing of data. Mehiläinen may refuse to implement the request for prohibition on statutory grounds.
The data subject may give channel-specific consent or prohibitions to Mehiläinen regarding direct marketing, including profiling for direct marketing purposes.
12 OTHER RIGHTS OF THE DATA SUBJECT REGARDING THE PROCESSING OF PERSONAL DATA
12.1 The data subject’s right of access to the data (inspection right)
The data subject has the right to inspect Mehiläinen’s customer register with respect to the stored data concerning him or her. Such an inspection request must be made in accordance with Section 13 of this data protection description. The right to inspection may be declined on statutory grounds. In principle, there shall be no charge for exercising the right to inspect.
12.2 The data subject’s right to demand rectification or erasing of data or a restriction on processing data
If the customer is also a user of the OmaMehiläinen service, he or she can update his or her basic personal data via the OmaMehiläinen online service. Insofar as the data subject or user can act him or herself, after having been informed of an error in the data or having detected such an error him or herself, he or she must, without undue delay, on his or her own initiative, rectify, erase, or supplement the erroneous, unnecessary, incomplete or obsolete personal data.
Insofar as the data subject cannot rectify the data him/herself, the rectification request shall be made in accordance with Section 13 of this data protection description.
The data subject also has the right to demand the controller to restrict the processing of his or her personal data, for example, in a situation where the data subject is waiting for Mehiläinen’s response to his or her request to rectify or erase data.
12.3 A data subject’s right to transfer data from one system to another
Insofar as the data subject him/herself has provided information in the customer register for processing on the basis of the data subject’s consent or commission, the data subject has the right to access such data mainly in machine-readable format and the right to transfer such data to another controller.
12.4 A data subject’s right to make a complaint to the supervising authorities
A data subject has the right to make a complaint to the competent supervising authorities, if the controller in its operations has not followed the applicable data-protection regulations.
12.5 Other rights
If the personal data is being processed on the basis of the data subject’s consent, the data subject has the right to cancel the consent by notifying Mehiläinen of this in accordance with Section 13 of this data protection description.
In all matters related to the processing of personal data and all situations regarding the exercising of one’s own rights, the data subject should contact Mehiläinen via the OmaMehiläinen service, in person at a Mehiläinen clinic, or by post at the address: Mehiläinen Oy / Viestintä, Pohjoinen Hesperiankatu 17 C, 00260 Helsinki, Finland. When required, Mehiläinen can request the data subject to further define their request in writing, and, if needed, the identity of the data subject can be authenticated before initiating any other measures.