
Privacy Policy for the Mutkaton Online Service User Register
Last updated: March 25, 2026
Mehiläinen Oy
Business ID 1927556-5
Arkadiankatu 6, 00100 Helsinki
Switchboard: 010 414 0112 (local network rate/mobile charge)
Mehiläinen Oy's Työterveys Online Service User Register
The online service is primarily aimed at contact persons of Mehiläinen's small business clients. It can be used by anyone who has the personal online banking credentials required for registration for the service and the right to sign on behalf of the company. The basis for processing personal data is Mehiläinen's legitimate interest arising from the contractual relationship between the company and Mehiläinen and its preparation. The basis for processing may also be the fulfillment of statutory obligations applicable to Mehiläinen.
Personal data is processed for the implementation of the online service. Personal data may be processed for maintenance purposes, such as user management, checking the data recorder, and investigating faults or suspected misuse. Personal data may also be processed for the development of the service. Processing tasks may be outsourced to Mehiläinen Group companies and/or external service providers in accordance with and within the limits set by data protection legislation. Service providers process personal data on behalf of Mehiläinen.
Providing personal data is a prerequisite for using the online service. Registration for the service requires the use of personal online banking credentials for identification and verification of the company's right to sign. If the data subject does not provide the necessary personal data, it is not possible to use the service.
The processing of personal data is based on Mehiläinen's legitimate interest in accordance with Article 6(1)(f) of the EU General Data Protection Regulation.
Legitimate Interest Balancing Test:
Mehiläinen's legitimate interest: Mehiläinen has a legitimate interest in processing the personal data of online service users for the implementation, maintenance, and development of the service, as well as for managing the contractual relationship between Mehiläinen and the client company. The processing of users' personal data is necessary for Mehiläinen to provide its client companies with an online service for managing occupational health care and to ensure the proper functioning of the service.
Necessity of processing: The processing of personal data is necessary for identifying service users, managing access rights, ensuring the operation of the service, and preventing potential misuse. The personal data processed is limited to information essential for the implementation of the service, and the processing cannot be carried out in a manner less restrictive to the data subject's privacy.
Balancing the rights and freedoms of the data subject: The processing does not cause such harm to the rights and freedoms of the data subject that would override Mehiläinen's legitimate interest. The data subject acts in the service as a representative of the client company in their professional role, which means the impact on privacy protection is minor. The data processed is typical contact and identification information. Mehiläinen has implemented appropriate technical and organizational safeguards to protect personal data, and the data subject has the right to object to the processing on grounds relating to their particular situation. The data subject can reasonably anticipate the processing of their personal data in connection with using the service.
The following types of data are subject to processing:
- The data subject's first name, last name, personal identity code, email address, and phone number.
- Data entered by the data subject concerning employees covered by occupational health care, which is recorded in Mehiläinen's occupational health care patient register.
- Log data generated from the use of the service.
- Other customer relationship-related information, such as data collected from website usage that can be linked to the customer, for example, the user's IP address, time of visit, pages visited, browser type used (e.g., Internet Explorer, Firefox), the web address from which the user came to the website, and the server from which the user came to the website.
Data is primarily obtained from the following sources:
- The data subject themselves, and data generated through the data subject's use of the online service;
- An identification service provider, such as an online bank.
- A party providing signature right verification, such as the Virre information service provided by the Finnish Patent and Registration Office (PRH), which provides official register information on companies, foundations, and company mortgages.
Personal data is not regularly disclosed to third parties. If it is necessary to disclose personal data, the disclosure may be made to third parties either based on an agreement, consent, or an explicit legal basis provided by law.
Personal data may be transferred outside the European Union or the European Economic Area, including to the United States, in accordance with and within the limits set by data protection legislation. In such cases, the primary basis for transfer is the European Commission's decision on the adequate level of data protection in the United States. If personal data is transferred to a country for which the Commission has issued an adequacy decision regarding the sufficient level of data protection (Article 45 of the EU General Data Protection Regulation), the adequacy decision is the primary basis for transfer.
Mehiläinen retains personal data in the online service as long as the data subject uses the online service, i.e., has a user account in the service. Mehiläinen may also delete the data before this if it is clear that the user no longer uses the service and their customer relationship with Mehiläinen has otherwise ended.
A person registered with the service can request the deletion of their user account at any time by emailing info.terveystiedot@mehilainen.fi. Deleting user data does not delete healthcare customer data (patient data) generated in connection with the occupational health service. Mehiläinen Oy retains online service log data for 12 years from the event.
A. Manual Material
Mehiläinen has appropriate technical and organizational safeguards in place to protect personal data. Any manual material is stored in a locked space, accessible only to specifically authorized personnel.
B. Electronically Processed Data
The online service can be used via a secure data connection, for example, through a browser on a computer, mobile phone, mobile device, or other smart device, or through any other technical application currently offered by Mehiläinen. The Omatyöterveys online service can be used via a secure data connection, for example, through a browser on a computer, mobile phone, mobile device, or other smart device, or through any other technical application currently offered by Mehiläinen.
The company's authorized signatory or a customer company representative authorized by them logs into the service with strong authentication. Mehiläinen arranges the service and data security with appropriate technical solutions.
9.1 Data Subject's Right to Object to the Processing of Personal Data
The data subject has the right, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them which is based on Mehiläinen's legitimate interests. The data subject can submit their objection request in accordance with section 10 of this privacy policy. In connection with the request, the data subject must specify the particular situation on which their objection to the processing is based. Mehiläinen may refuse to implement the objection request on grounds provided by law.
9.2 Data Subject's Right to Access Data (Right of Inspection)
The data subject has the right to obtain confirmation from Mehiläinen as to whether or not personal data concerning them is being processed. If their personal data is being processed, data subjects have the right to receive information about the processing of their personal data, for example, the purposes of the processing and the categories of personal data concerned. Mehiläinen informs about the processing of personal data in its privacy policies. The data subject can also contact Mehiläinen regarding the processing of personal data in the manner described in section 10 of this privacy policy. The data subject has the right to inspect what data concerning them is being processed. An inspection request can be made in accordance with section 10 of this privacy policy. The right of inspection may be denied on grounds provided by law. Exercising the right of inspection is generally free of charge. However, under certain conditions, Mehiläinen may charge the data subject a reasonable fee based on administrative costs.
9.3 Data Subject's Right to Demand Rectification, Erasure, or Restriction of Processing
The data subject can update their basic information in the online service. To the extent that the data subject can act independently, they must, on their own initiative and without undue delay after becoming aware of an error or discovering it themselves, rectify, erase, or supplement inaccurate, unnecessary, incomplete, or outdated information in the service. Otherwise, the data subject is requested to update the information by sending a notification in accordance with section 10. Under certain conditions, the data subject has the right to the erasure of their personal data, for example, if the data subject objects to the processing and there is no justified reason for the processing. An erasure request can be made in accordance with section 10 of this privacy policy.
The data subject also has the right to demand that Mehiläinen restrict the processing of their personal data, for example, in a situation where the data subject is awaiting Mehiläinen's response to a request for rectification or erasure of their data. A request for restriction of processing can be made in accordance with section 10 of this privacy policy.
Automated decision-making and profiling
The online service does not perform automated decision-making or profiling as defined in Article 22 of the EU General Data Protection Regulation, which would have legal effects on the data subject or significantly affect them in a similar manner.
9.4 Data Subject's Right to Lodge a Complaint with a Supervisory Authority
The data subject has the right to lodge a complaint with the competent supervisory authority (in Finland, the Office of the Data Protection Ombudsman) if the controller has not complied with applicable data protection legislation in its operations.
For matters related to the data subject's patient and personal data, you can contact Mehiläinen's Health Information Management team.
Health Information Management: info.terveystiedot@mehilainen.fi
Please note that we can only accept data subject requests in writing. Your identity will be verified at a Mehiläinen clinic with a photo ID or alternatively through the OmaMehiläinen online service. This ensures that information is only disclosed to individuals who have the right to it.
You can also submit a data request through your nearest Mehiläinen clinic, where your identity will be verified with a photo ID. You can find your nearest Mehiläinen clinic on our website at https://www.mehilainen.fi/haku?k=toimipisteet. If you submit sensitive information by email, you can use Mehiläinen's secure email if necessary.
Data Protection Officer
Mehiläinen's Data Protection Officer is Kim Klemetti (tietosuoja@mehilainen.fi).
