Data Privacy Policy
Updated: 14.8.2025
This privacy policy provides information on the processing of corporate customer data at Euromedfin Oy (hereinafter “Medfin”) in accordance with data protection legislation.
Data controller
Euromedfin Oy / Medical Centre Medfin
Itämerenkatu 11 EF, 00180 Helsinki
Tel.: +358 10 574 39 70
The Medfin customer register contains data on existing and potential corporate and organisational customers, as well as their contact persons and contract persons.
Medfin complies with the EU General Data Protection Regulation (GDPR), applicable legislation and the instructions of supervisory authorities on the processing of personal data.
The Medfin corporate customer register is jointly used together with service providers operating at Medfin as independent professionals or through separate companies.
Purposes and legal bases for processing corporate and personal data
Corporate and personal data are processed for the following purposes and on the following legal bases:
- Provision of occupational health services – based on law or the customer’s consent
- Assessment of the need for work ability and health promotion services, as well as their provision and personalisation – based on the contract between the customer and Medfin, law or legitimate interest
- Ensuring the quality of professionals’ work and the proper performance of their duties – based on law
- Marketing and communication – based on the customer’s consent, a contract or Medfin’s legitimate interest
- Planning, development, management, monitoring and reporting of Medfin’s operations and services – based on law or Medfin’s legitimate interest
- Research and statistics – based on consent, law, public interest or legitimate interest
- Management of customer relationships and customer service, including maintaining data on corporate customers’ contact and contract persons
- Handling customer contacts, feedback, official requests and incident reports – based on law or Medfin’s legitimate interest
- Analysis, segmentation and reporting of customer relationships, and other purposes related to the management of overall customer relationships and the development of Medfin’s business
- Carrying out, developing, personalising and monitoring sales, marketing and communication
- Provision of digital services for logged-in customers – based on law, contract or the customer’s consent
- Invoicing, payment processing and debt collection – based on law or contract
- Investigating and resolving technical failures in IT services or devices – based on legitimate interest
- Monitoring users’ online behaviour and use of digital services – based on legitimate interest or consent
- Ensuring the legal protection of Medfin and the customer, fulfilling statutory and regulatory obligations, detecting misuse and monitoring the use of services – based on law or legitimate interest
More detailed information on the purposes of processing
For providing occupational health services:
- Planning, provision and monitoring of medical examinations and treatment of employees
- Assessment of work ability
- Implementation of individual action plans
- Appointment management (if a profiling-based booking system is used, profiling is carried out only with the patient’s consent)
- Invoicing and statutory and/or group-level reporting to customer organisations
- As part of the provision of services, data generated in connection with the use and provision of services are analysed automatically for occupational health purposes
For providing work ability and health promotion services:
- Provision of work ability coaching
- Provision of services aimed at improving health
For ensuring the quality of professionals’ work:
Ensuring the proper use of personal data and compliance with procedures
For marketing and communication:
- Customer relationship management, including reminders (for example, about appointments)
- Collection, tracking and analysis of customer interests and preferences related to services and service locations, and the development of customer service based on this
- Registration and promotion of loyalty/benefit programmes and related benefits
- Taking customer wishes into account and personalising the offering
- Communicating and marketing products and services
- Targeting of communication, marketing and services
- Conducting market research and opinion surveys
- Analysis, profiling, segmentation and statistical processing of data for the above purposes
Processing of corporate and personal data in connection with contacts, feedback, official requests and incident reports
- Processing customer contacts and feedback
- Processing complaints and claims
- Processing other official requests
- Processing notifications of possible incidents
- Recording interactions between customers and customer service (e.g. telephone calls) in order to verify the service event, ensure the quality of customer service, develop operations and safeguard the rights of all parties
Processing of corporate and personal data in the provision of digital services for registered customers (e.g. Oma Medfin app, web service)
- Managing the user’s contact details and consents
- Managing bookings
- Using remote services
- Communication and exchange of information between Medfin and the customer
- Processing payments
- Offering and marketing Medfin’s or its partners’ products and services
- Analysing the interests, preferences and choices of registered users, and profiling based on them, as well as developing customer service
Categories of corporate and personal data processed
The following categories of data are processed:
- Basic information
- Employer data
- Booking data
- Customer service interaction data and recordings
- Invoicing and payment data
- Data on digital services for registered customers
- Data on customer contacts, feedback, official requests and incident reports
- Other service-related data
- Data on means and services of identification and authentication
- Data on the use of the website and digital services, behavioural and analytics data
- Consents, prohibitions and expressions of will
More detailed information on data categories
Basic information
Name, personal identity code, date of birth, contact details, mother tongue or service language, occupation and other identification data (for example, a copy of passport if necessary, description of responsibilities, role in the company as a contract contact person)
Data related to work ability
Customer information used in work ability services
Health and wellbeing data
- Answers to surveys, monitoring data and analyses
- Information on the use of wellbeing services
Booking data
Appointment history
Customer service interaction data and recordings
- Communication between Medfin and the customer
- Caller’s phone number, recipient’s identifier, date and time, and call recording
- Chat logs
- Date, participants and content of conversations
Invoicing and payment data
- Payment information related to services
- Payer information (for example, insurance company)
- Orders and payments related to web services
Data on digital services for registered customers
- Payment data
- Communication between the customer and Medfin
- Location data of the user’s device (if the user has allowed the processing of location data) to offer service points close to the user
- Information on means and services of identification and authentication
- Usage logs and user activity history in digital services
Data on contacts, feedback, official requests and incident reports
- Customer contact, feedback or request and the responses given
- Contact details of the person submitting the contact or feedback
- Description of the incident and the information provided to the person concerned
Data related to other services
- Data on service quality assessments and comments regarding the services
- User’s wishes and preferences, including desired services
- Responses to market research and opinion surveys
- Contact history
- Data obtained from third-party registers with the user’s consent
Data on the use of the website and digital services, behavioural and analytics data
- IP address and data on the network connection
- Information on the device, browser and operating system
- Session identifier, timestamps and similar data
- Data on the use of applications and services (for example, log data, data collected using cookies and similar tracking technologies, web analytics data)
- User’s behaviour on the website during the session
Consents and prohibitions
Information on consent or prohibition regarding direct marketing and the processing of personal data
Retention periods for personal data
Medfin stores only those corporate and personal data that are necessary for its operations and the purposes of processing, and for which there is a lawful basis. The retention period is determined by the purpose of processing and/or the nature of the data. Retention periods are also affected by statutory obligations and other factors that determine the need for retention (such as limitation periods for legal claims or prosecution).
Customer service interaction recordings/media files are generally retained for six months.
Data that have become unnecessary for the respective purpose, including data related to marketing and the use of web services, are also deleted during the customer relationship. Data that are no longer needed, outdated or lack a legal basis are anonymised or destroyed in a secure manner.
Sources of data
Personal data are primarily collected from the customer themselves. Data may also be obtained in the course of providing services and medical care from healthcare staff and from medical devices/software. Basic information may be updated from the Digital and Population Data Services Agency’s register (Digi- ja väestötietovirasto). In the field of occupational health, data may be obtained from the employer: basic information about the employee and the organisation’s contact details, as well as changes to these. In certain cases, information may be received from other healthcare providers (based on law or the patient’s consent), as well as from insurance or pension companies.
Processing and disclosure of personal data
The Medfin corporate customer register is jointly used with healthcare service providers working at Medfin as independent practitioners or separate legal entities.
Additional information:
Personal data may be transferred outside the EU/EEA only in cases permitted by law, using the European Commission’s standard contractual clauses or another lawful transfer mechanism. Even so, all information systems used by Medfin are located within the EU/EEA.
Data may be transferred to third-party service providers acting as independent data controllers – for example, providers of payment, financial or debt collection services, as well as transport and courier service providers.
Other healthcare providers
Data necessary for providing occupational healthcare services may be disclosed to another healthcare provider.
Kela
Information necessary for payments related to occupational healthcare services may be disclosed to the Social Insurance Institution of Finland (Kela) on a statutory basis without separate consent.
Insurance companies
Data required under statutory insurance may be disclosed to insurance companies on a statutory basis without consent.
Public authorities and organisations
Information may be disclosed to authorities or organisations that have a statutory right of access to data, on the basis of a written and specified request, in the form and scope required, or based on the customer’s consent.
Research organisations
Corporate data may be disclosed to research organisations in accordance with legislation.
Rights of the data subject
Right of access to personal data
The data subject has the right to know whether their personal data are being processed and to access the data concerning themselves. The data subject can view and access their data via digital services intended for registered customers (for example, the Oma Medfin app and Oma Medfin web portal), as well as via the OmaKanta service (www.kanta.fi/omakanta). In addition, the data subject may submit an official request for their personal data.
Right to rectification
The customer has the right to request the rectification of inaccurate or incomplete data.
Right to object to and restrict processing
In certain cases, the customer has the right to object to processing on grounds relating to their particular situation. The customer may also request the temporary restriction of processing, for example while the accuracy of the data is being verified.
Right to lodge a complaint
If the customer considers that their personal data are being processed in violation of legislation, they have the right to lodge a complaint with the Data Protection Ombudsman (tietosuojavaltuutettu).
Protection of personal data
Medfin applies appropriate physical, technical and administrative measures to protect data against misuse. These include monitoring and filtering network traffic, the use of encryption technologies and secure server facilities, locking systems and access control, management and monitoring of access rights, training of personnel who process personal data, and risk management in the design, implementation and maintenance of services. Medfin carefully selects its subcontractors and ensures through contractual and other arrangements that they also process data in accordance with legislation and good data protection practices.
Contact information
Euromedfin Oy / Medical Centre Medfin
Itämerenkatu 11 EF, 00180 Helsinki
Tel.: +358 10 574 39 70
Data Protection Officer: Olga Loginov — olga.loginov@medfin.fi
Patient Ombudsman: Marina Meier — marina.maier@medfin.fi
This privacy policy provides information on the processing of personal data of private customers at Euromedfin Oy (hereinafter “Medfin”) in accordance with data protection legislation.
Data controller
Euromedfin Oy / Medical Centre Medfin
Itämerenkatu 11 EF, 00180 Helsinki
Tel.: +358 10 574 39 70
The Medfin patient register is jointly used both by Medfin itself and by various healthcare service providers working at Medfin as independent professionals or through separate legal entities.
Purposes and legal bases for processing personal data
Personal data are processed for the following purposes and on the following legal bases:
- Provision of healthcare services – based on law
- Provision of occupational health / occupational hygiene services – based on law or the customer’s consent
- Assessment of the need for work ability and health promotion services, as well as their provision and personalisation – based on the contract between the customer and Medfin, law or legitimate interest
- Ensuring the quality of healthcare professionals’ work – based on law
- Carrying out marketing and/or communication activities – based on the customer’s consent, a contract or Medfin’s legitimate interest
- Planning, development, management, monitoring and reporting of Medfin’s own services and operations, quality assurance and data management – based on law or Medfin’s legitimate interest
- Research and statistical purposes – based on consent, law, public interest or Medfin’s legitimate interest
- Processing customer contacts, feedback, official requests and incident reports – based on law or Medfin’s legitimate interest
- Provision of digital services for registered users – based on law, the contract between the customer and Medfin or the customer’s consent
- Invoicing, payment processing and debt collection – based on law or the contract between the customer and Medfin
- Detecting and resolving technical faults in IT services (such as websites, applications) or devices – based on Medfin’s legitimate interest
- Monitoring users’ behaviour and use of digital services – based on legitimate interest or the customer’s consent
- Ensuring the legal protection of Medfin and the customer, fulfilling obligations under laws and regulatory provisions/instructions, detecting misuse and monitoring the use of services – based on law or legitimate interest
More detailed information on purposes of processing
Personal data are processed for the provision of healthcare services:
- For organising, planning, providing, monitoring and supervising medical examinations and treatment of the patient
- For managing appointments
- For invoicing the services provided
- As part of the provision of healthcare services, data on health status generated in connection with the use of healthcare services are analysed automatically for healthcare purposes, such as health promotion (profiling).
Personal data are processed for the provision of occupational health / occupational hygiene services:
- For planning, providing and monitoring occupational health examinations and treatment
- For assessing work ability
- For implementing an individual occupational health / occupational hygiene action plan
- For managing appointments; if the service includes profiling-based booking, profiling is carried out only with the patient’s consent
- For invoicing and statutory and/or group-level reporting to customer organisations
- As part of the provision of healthcare services, health data generated in connection with the use of healthcare services are analysed automatically, for example, to assess the need for work ability support and to promote employees’ health (profiling).
Personal data are processed for the provision of work ability and health promotion services:
- For providing work ability coaching
- For providing services aimed at improving health.
Personal data are processed to ensure the quality and proper performance of duties by healthcare professionals:
To ensure the correct use of medical information and compliance with procedures.
Personal data are processed for marketing and communication purposes:
- For customer service, such as reminders about visits, renewal of prescriptions and vaccinations
- For informing about clinical studies with the patient’s consent
- For collecting, analysing and improving services based on customers’ interests, preferences and choices of services and service locations
- For registering and promoting loyalty/benefit programmes and related offers
- For taking into account customer wishes and personalising offers
- For promoting products and services
- For targeting communication, marketing and services
- For conducting market research and opinion surveys
- For analysis, profiling, segmentation and statistics for the above purposes.
Personal data are processed for handling customer contacts, feedback, official requests and incident reports:
- For handling customer contacts and feedback
- For handling complaints in accordance with the Patient Rights Act
- For handling other official requests
- For handling reports of incidents posing a risk
- For recording communication (such as telephone calls) between customers and customer service in order to verify the interaction, ensure service quality, develop operations and safeguard the rights of the parties.
Personal data are processed for the provision of digital services for registered customers (for example, the Oma Medfin app, web portal):
- For managing the user’s own contact details and expressed consents, as well as for viewing medical data
- For managing appointments
- For using remote healthcare services
- For communication and exchange of information between the customer and Medfin
- For processing payments related to services
- For offering and marketing services and products of the controller or its partners
- For sending health-related notifications and recommendations via the service
- For tracking, analysing and profiling the user’s interests, preferences and choices, and for improving customer service.
Categories of personal data processed
We process the following personal data:
- Basic information
- Medical data
- Data related to work ability
- Data related to wellbeing
- Genetic test data, samples and organ models
- Employer data
- Appointment data
- Customer service interaction data and recordings
- Invoicing and payment data
- Data on digital services for registered customers (for example, the Oma Medfin app, Medfin web service)
- Data on customer contacts, feedback, official requests and incident reports
- Other service-related data
- Data on the use of means and services of identification and authentication
- Data on the use of the website and digital services, online behaviour and analytics
- Consents, refusals and expressions of will
More detailed information on personal data categories
Basic information
- Name, personal identity code, date of birth, contact details, mother tongue or service language, occupation, as well as other identification data (for example, a copy of passport if necessary)
- The next of kin or other contact person indicated by the patient with their contact details
- Guardians or other legal representatives of a minor patient with their contact details
- Information about a minor child for whom the patient is responsible
- Information on the patient’s role as a carer (omaishoitajuus)
- The legal representative appointed for the patient and their contact details
Medical data
- Information necessary and sufficient for organising, planning, providing, monitoring and supervising the patient’s treatment (for example: medical record entries, photographs, video and audio recordings, referrals, statements, certificates, forms)
- Health and self-care information provided by the patient (for example, medical history, responses to questionnaires)
- Laboratory, radiology and other examination results
- Prescriptions and related notes
- Data related to physiotherapy and occupational physiotherapy, as well as related employer information (for example, workplace visits)
Data related to work ability
- Information related to the assessment of work ability
- Customer data used in work ability services
Data related to health and wellbeing
- Information related to health, such as responses to questionnaires, monitoring data and analyses
- Measurement data entered or provided by the person themselves
- Data on the use of health-related services
Employer data
Information about the employer of occupational health customers, such as department/unit, job title, supervisory relationships, membership in a sickness fund, information on the employer’s insurance company
Appointment data
- Customer, date, time, place and the professional with whom the appointment is booked, as well as the person who made the booking and the booking date
- Appointment history
Customer service interaction data and recordings
- Communication between Medfin and the customer
- Caller’s phone number, recipient’s identifier, date and time, and call recording
- Chat logs
- Parties to the communication, date and time, and recording of the conversation
Payment and billing data
- Information on invoices and payments related to treatment and other services
- Information on the payer of treatment (for example, insurance company)
- Orders, payments and payment information related to the use of the online service
Data on digital services for registered customers (for example, the Oma Medfin app)
- Information on health status and any mobility limitations, injuries, diseases and other complaints indicated by the user
- Other information entered by the user concerning their state of health and physical condition
- Payment data
- Communication between the customer and Medfin
- Data necessary for the implementation of remote appointments, such as audio and video, as well as images sent by the user
- Location data of the user’s device (if the user has allowed the processing) – in order to offer service points close to the user
- Data on the use of identification and authentication systems and means
- Usage logs and user actions in digital services
Data on customer contacts, feedback, official requests and incident reports
Customer contact, feedback or request and the responses given Contact details provided by the person submitting the contact or feedback Description of the incident and the information provided to the person concerned
Data related to other services
- Name, position and time of entry of the person making an entry in the patient record
- Client data from social services obtained for organising and providing healthcare services
- Data on satisfaction and comments on the services of the data controller
- Information on wishes and preferences, as well as desired services of the user
- Responses provided in the context of market research and opinion surveys
- Contact history
- Data obtained from third-party registers with the explicit consent of the user
- Loyalty customer information
Data on the use of the website and digital services, online behaviour and analytics
- User’s IP address and data on their network connection
- Information on the user’s device, browser and operating system
- Session identifier, timestamps and similar data
- Data on the use of applications and services, including data collected using logs, cookies and other similar technologies, as well as website analytics
- User’s behaviour on the website during the session
Consents, prohibitions and expressions of will
- Permissions, consents and prohibitions related to the disclosure of data via Kanta services
- Organ donation wishes, living will and other expressions of will of the patient
- Information on consent or prohibition regarding direct marketing and the processing of personal data
Retention periods for personal data
Medfin stores only those data that are necessary for its operations and the purposes of processing, and for which there is a lawful basis. The retention period depends on the purpose of processing and/or the type of data. Retention periods are also affected by statutory obligations and other factors determining the need for storage (for example, limitation periods for claims or criminal proceedings).
Medical data related to the patient’s treatment are retained in accordance with the Act on the Processing of Client Data in Healthcare and Social Welfare: as a rule, 12 years from the patient’s death or, if the date of death is not known, 120 years from the date of birth. Customer service interaction recordings are generally retained for six months.
Medfin also deletes data that have become unnecessary for the stated purpose, including during the customer relationship (for example, data related to marketing or the use of web services). Data that are outdated, no longer relevant or lack a legal basis are anonymised or destroyed in a secure manner.
Sources of data
Personal data are generally collected from the customer themselves, from the patient’s legal representative or from the parent of a minor. Data are also obtained in the course of examination and treatment – from healthcare staff, medical devices and software.
The healthcare provider may obtain patient data from other healthcare organisations and social services via the Kanta service in accordance with the patient’s permissions (consents) and prohibitions on data disclosure. Data may also be obtained through a shared information system.
Permissions and prohibitions can be managed via the OmaKanta service (www.kanta.fi/omakanta) or through the healthcare provider. If the patient is unable to give informed consent (for example, due to dementia, mental disorder, disability) and has no legal representative, or if the patient is unconscious, the healthcare provider may obtain necessary data from other organisations without consent in order to provide necessary care.
Basic client information may be updated from the Digital and Population Data Services Agency’s register (Digi- ja väestötietovirasto).
In the context of occupational healthcare, data may be obtained from the employer – including contact information and changes to it.
Data may also be obtained from other healthcare organisations with the patient’s consent or on a statutory basis, and in certain cases from insurance or pension companies.
Processing and disclosure of personal data
The Medfin patient register is jointly used with healthcare service providers working at Medfin as independent practitioners or separate companies. The patient may give consent to the disclosure of their medical data between such providers involved in their treatment within Medfin.
Additional information:
Personal data may be transferred outside the EU or EEA within the limits permitted by law. In such cases, the transfer is carried out using the European Commission’s standard contractual clauses or another transfer mechanism permitted by data protection legislation. However, for example, Medfin’s medical data systems are located within the EU/EEA.
In certain situations, personal data may be disclosed to service providers acting as independent data controllers, such as companies providing payment, financial or debt collection services, as well as delivery and courier companies.
Disclosure of personal data
Personal data may be disclosed to third parties on a statutory basis or with the customer’s consent to the following recipients:
Kanta services (Kela)
Patient medical data are stored on a statutory basis in national data system services maintained by Kela, such as the client data repository. The information management service compiles up-to-date summary information from patient records that is essential for providing healthcare. Kela and healthcare providers act as joint controllers of the information management service. Kela acts as the statutory point of contact and is responsible for the disclosure of data. More information on the joint register of the information management service: www.kanta.fi/tietosuojaselosteet. In the expressions-of-will service, records are kept of informing the patient about Kanta services, their consents, prohibitions and expressions of will (for example, living will, organ donation wishes). Electronic prescriptions and, where applicable, information on dispensed medicines are stored in the Prescription Centre. The joint controllers of the Prescription Centre are Kela, pharmacies, healthcare units and independent practitioners.
Kela acts as the statutory controller for the registers assigned to it by law. More information: www.kanta.fi/tietosuojaselosteet.
Other healthcare units
Information necessary for providing healthcare may be disclosed to another healthcare provider with the patient’s consent or in accordance with the permissions and prohibitions recorded in Kanta. If, due to dementia, mental illness, disability or a condition comparable to unconsciousness, the patient is unable to give informed consent and has no legal representative, necessary medical data may be disclosed without consent in order to provide necessary care.
Kela
Information concerning fees for medical services and referrals is disclosed to Kela if the customer requests Medfin to apply for reimbursement on their behalf.
Insurance companies
For statutory insurance, necessary data are disclosed without consent on a statutory basis. For voluntary insurance, data are disclosed only with the patient’s consent.
Employers
In the context of occupational healthcare, information may be disclosed to the employer only with the patient’s separate and explicit consent.
Authorities and institutions
Data may be disclosed in written form and to the extent required by law to authorities or institutions that have a statutory right to receive them, or with the customer’s consent.
Close relatives of the patient
If an adult patient is unable to decide on their treatment, a legal representative, next of kin or other close person has the right to receive necessary information about the patient’s treatment. If the patient is unconscious or in a comparable condition, information may be provided to a close person unless there is reason to believe that the patient has prohibited this.
Research organisations
Data contained in patient records may be disclosed for research purposes with the customer’s consent. After the patient’s death, the data remain protected and may only be disclosed on a statutory basis. In accordance with the Communicable Diseases Act, data may be disclosed to the Finnish Institute for Health and Welfare (THL) and regional health authorities for monitoring epidemics.
Rights of the data subject
Right of access to personal data
The data subject has the right to know whether their personal data are being processed and to access the data concerning themselves. The data subject can view and access their data via digital services intended for registered customers (for example, the Oma Medfin app and Oma Medfin web portal), as well as via the OmaKanta service (www.kanta.fi/omakanta). In addition, the data subject may submit an official request for their personal data.
Right to rectification and erasure of data
The data subject has the right to request the rectification of inaccurate or incomplete personal data. The data subject also has the right to request the deletion of their personal data. Requests for deletion are fulfilled to the extent permitted by law. With regard to health data, Medfin is legally obliged to retain such information in accordance with the Act on the Processing of Client Data in Healthcare and Social Welfare.
Right to object to processing and to restrict processing
In certain cases, the data subject has the right, at any time, to object to the processing of their personal data on grounds relating to their particular situation. In certain situations, the data subject has the right to request the restriction of the processing of their personal data. For example, if the data subject contests the accuracy of their data, processing is restricted for the duration of the verification.
Right to data portability
The data subject has the right to request the transfer of data they have provided from one system to another when processing is based on consent or a contract. However, this right does not apply to medical data.
Right not to be subject to automated decision-making
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Legislation may, however, provide exceptions to this rule.
Withdrawal of consent
If the processing of personal data is based on consent, the data subject may withdraw their consent at any time. The withdrawal may be carried out in the relevant service or by contacting customer service.
Right to lodge a complaint with a supervisory authority
The data subject has the right to bring the matter before the Data Protection Ombudsman if they consider that the processing of their personal data breaches data protection legislation.
More information can be found on the website of the Office of the Data Protection Ombudsman: www.tietosuoja.fi.
Requests concerning the exercise of data subject rights must generally be submitted in writing directly at a Medfin office. The identity of the person submitting the request is verified in a reliable manner. At the Medfin office, this is done on the basis of an official identity document. In this way, the confidentiality of personal data and the proper handling of requests are ensured.
Protection of personal data
Medfin applies physical, technical and administrative security measures to protect data against misuse: monitoring and filtering of network traffic, use of encryption technologies and secure servers, locking systems and access control, management of access rights and monitoring of their use, staff training, and risk management at all stages from design to maintenance. Medfin’s subcontractors are carefully selected and are required to comply with data protection legislation and good practices as set out in contracts.
Contact information
Medfin / Medical Centre Medfin
Itämerenkatu 11 EF, 00180 Helsinki
Tel.: +358 10 574 39 70
Data Protection Officer: Olga Loginov — olga.loginov@medfin.fi
Patient Ombudsman: Marina Meier — marina.maier@medfin.fi
⚠️ Please do not send medical information or other sensitive personal data (such as a personal identity code) by regular email.