Pohjola Health's privacy notice

1. Overview

This Privacy Notice contains information required by the EU General Data Protection Regu-lation (hereinafter the General Data Protection Regulation) and national law for data sub-jects, i.e. the controller's customers, and for the supervisory authority.

This document explains how Pohjola Health Ltd processes personal data.

2. Controller and controller’s contact information

Pohjola Health Ltd
Address: Puutarhurinkuja 2, FI-00300 HELSINKI, FINLAND
Controller’s contact person: Olli Savola 
Telephone: +358 (0)10 257 8100

Email address: feedback form available at http://www.pohjolaterveys.fi/esittely/palaute (only in Finnish)

3. Data Protection Officer's contact information

Person in charge of the patient register

Chief Physician Olli Savola 
Postal address: Puutarhurinkuja 2, FI-00300 HELSINKI, FINLAND
Email address: olli.savola@pohjolasairaala.fi

Data Protection Officer

Data Protection Officer Hanna Lankinen
Postal address: Puutarhurinkuja 2, FI-00300 HELSINKI, FINLAND
Email address: hanna.lankinen@pohjolasairaala.fi

4. Data subjects

The data subjects consists of Pohjola Health Ltd’s wellbeing and health care service cus-tomers, patients and stakeholders.

5. Purpose of personal data processing and legal basis for processing

Pohjola Health’s personal data processing is regulated by various laws, and all processing complies with legal requirements. The purpose of personal data processing is always de-termined in accordance with the data subject category in question. 

Patient data are only ever processed for the purposes specified by law. Data are processed in order to arrange medical examinations and treatment for patients and to plan and manage operations and compile statistics on the same.  Data can also be used for busi-ness development purposes when permitted by law or with the data subject’s consent. 

Pohjola Health uses personal data for the following purposes, in particular:

  • patients’ examination and treatment planning, implementation and monitoring, and referral to treatment
  • processing of information concerning statutory and preventive services for occupa-tional health care customers
  • adherence to and implementation of obligations referred to in the Finnish Private Health Care Act (152/1990), other legislation and regulations issued by the authori-ties
  • provision, development and quality assurance of services
  • statistics and planning as well as billing and debt collection
  • ensuring the security of services and investigating abuses, as well as risk manage-ment
  • customer service, customer relationship management and development, including customer communications, and customer reporting
  • monitoring and analysis of digital services, and customer segmentation in order for the controller to be able to offer, for example, personalised products and services to users
  • business development
  • opinion polls and market surveys
  • direct marketing
  • targeted marketing and advertising

Pohjola Health Ltd’s offices and health care professionals and/or service providers working on behalf of it have access to a joint data file, the technical maintenance of which is Poh-jola Health Ltd’s responsibility.

Occupational health care information is kept separate from patient information so that occupational health care patients can prevent the use of any data recorded by Pohjola Health Ltd’s occupational health care services for the purposes of the controller’s other health care services. 

Processing of personal data within the scope of the data file may include profiling, if per-mitted by law. Profiling means automated processing of personal data where certain as-pects relating to a natural person are evaluated by utilising this data. 

Personal data held in the data file are processed on the following legal bases:

  • statutory obligation (e.g. treatment planning and implementation, log keeping, disclo-sure of information to the authorities)
  • consent (e.g. disclosures to other health care units and insurance companies, direct marketing)
  • contractual relationship (e.g. providing treatment, invoicing)
  • legitimate interest (service provision, direct marketing)

6 Personal data categories and data file content

The data file is used to process the following personal data categories:

Basic information

  • Patient’s/customer’s name, personal identity code and contact information
  • Named next of kin of the patient/customer, and guardian or legal representative of a minor


  • Consents given and restrictions imposed by the patient/customer concerning data processing and disclosure

Patient records

  • Data necessary for the patient’s treatment

Examination results

  • Laboratory, imaging and other examination results

Data covered by the occupational health care agreement

  • Information about the patient’s employer
  • Department data and start date of employment
  • Information about absences due to sickness 
  • Information related to the employer: surveys of the workplace, minutes of occupa-tional health care negotiation meetings, minutes of supervisor / work community meetings, number of staff
  • Reports and assessments related to employee wellbeing
  • Any information concerning risks to fitness for work

Customer activity data

  • Appointment details
  • Invoicing details
  • Customer visit

Contract information 

  • Corporate customers’ (occupational health care) contract details

Recordings and content of communication

  • Parties to the discussion, time and communication 

Information on the use of online and mobile services 

  • Information concerning the use of online and mobile services 

7 Recipients of personal data and recipient categories

Patient data are confidential personal data. Staff are bound by confidentiality with regard to all information obtained in connection with treatment, even after the end of their em-ployment.

Patient information may be disclosed: 

  • by explicit consent given by the data subject. If the patient is not in a position to un-derstand the significance of such consent, data may be disclosed by consent of the patient’s legal representative.
  • by right, referred to specifically in the law, to the disclosure and receipt of data

Data subjects may at any time make changes to any consents given or restrictions im-posed by them concerning the disclosure of their data. 

Other personal data may be disclosed with the data subject’s consent or when permitted by law.

Transmitting of personal data

The controller may use suppliers in data processing but no data will be transmitted outside of the EU or the EEA.

8. Personal data retention period or criteria for determining the period

Patient documents and other patient data related to treatment are kept for a period pre-scribed by law.

Personal data other than patient data are processed while the contractual relationship / customer relationship exists. Once the contractual relationship / customer relationship has ended, the data are deleted or anonymised when there are no longer any grounds for keeping the personal data on the basis of, for example, a contractual relationship. The in-formation will be deleted in accordance with the processes specified by the controller.

9. Personal data sources and updates

Personal data are collected primarily from the data subjects themselves.

Data may also be collected from the data subject’s guardian or legal representative and from other care and rehabilitation units with the permission of the patient, his/her guardi-an or legal representative. 

The data file’s regular sources of data also include data created during examinations and treatment, reports, statements and consultation answers and data submitted by an em-ployer covered by a occupational health care contract.

Personal data are updated primarily manually, requesting the data from the data subject personally. 

Personal data may also be collected when the data subject uses certain services of the controller, such as online services.

Personal data may also be collected and updated by using data from third-party data files, such as those maintained by the authorities.

10. Data subjects’ rights

Data subjects have the right to receive confirmation from the controller as to whether or not their personal data will be, or have been, processed.

If the controller processes the data subject’s personal data, the data subject has the right, as a rule, to inspect the data. 

The controller may charge a reasonable administrative fee for any additional copies re-quested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their per-sonal data and prohibit the processing of their personal data for marketing purposes, if the data are being used for such purposes.

In certain circumstances, the data subject also has the right to request the controller to re-strict the processing of their personal data or to otherwise object to processing. In addition, the data subject has the right, under certain circumstances, to have their data, apart from patient data, transferred, for example, to himself/herself in a machine-readable format.

Data subjects can address requests for exercising their rights directly to Pohjola Health Ltd’s customer service.

If the data subject considers that their personal data are not being processed legally, they have the right to file a complaint with the supervisory authority.

11. Right to withdraw prior consent

If the controller processes the data subject’s personal data on the basis of consent, the da-ta subject has the right to withdraw their consent at any time. Such withdrawal may, how-ever, have an effect on the usability and functionalities of the services.

12. Safeguards for the protection of the data file

The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected by, for example, the following means:

  • Protection of hardware and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires of its suppliers appropriate protection of any personal data to be processed.