Updated: April 2022
The secure processing of your personal data is of the utmost importance to us and an essential part of our responsible operating principles. Ovumia Fertinova is committed to protecting the rights of patients and to keeping your personal data safe and confidential.
1 Data controller
Biokatu 12, 33520 Tampere, Finland
(hereafter ”We” or ”Ovumia Fertinova”)
2 Data Protection Officer (DPO)
3 Why do We process Your data and what are the legal bases for such processing?
We process Your data in order to provide the best quality of care for our patients. In addition, We need to process Your data for purposes related to the provision of care (e.g., for billing purposes). In some cases the law obliges us to process Your data. The legal bases for each of these processing purposes is as follows:
- Processing of credit information. Upon booking Your first appointment with us We may check your credit information provided to us by Suomen Asiakastieto Oy. We do so in order to protect our legitimate interests of maintaining the financial feasibility of our operations. We do not store or save detailed information about Your credit history, but simply determine whether there are any issues with Your credit history that might be of concern, and in the case of any issues, We make a general mark in our records about this. Should there be a problem with Your credit history, we will notify You of it, and You will still be able to receive services from us by providing advance payment.
- Data processing for provision of care and related tasks. For the purpose of providing the best quality care to You and carrying out related tasks, We process Your data on the basis of law. This includes both the provision of care, follow-up care and monitoring, and tasks related to it. For Ovumia The Finnish Data Protection Act (1050/2018) allows us to process Your data for the purposes of providing health care services to You and for purposes of carrying out tasks related to the provision of care (e.g., quality management, billing, etc.). We may obtain the necessary data either from You directly, from other health care providers, state or local municipality databases, family members, etc. Please See Section 5 below regarding how We obtain necessary data about You.
It is important to understand that providing quality care to You is conditional on You providing all relevant health-related information to us. Should You withhold any information from Us that could be relevant in the context of providing medical care to You, this may affect the quality of care You receive.
- Processing required by law. In certain cases, the law might require us to process Your data. For example, the law requires us to process donor and recipient data in order to ensure traceability of donors and recipients of gametes and other organs, tissues and cells. If Your have further questions about this, please do not hesitate to contact Us.
- Processing for quality management and complaint investigation. Based on art. 6(1)(f) and art. 9(2)(f) GDPR (where there is no relevant legal basis in national legislation), in the pursuit of a legitimate interest to ensure proper quality management at our clinics and to investigate any complaints, our management can access Your data and attend case management discussions and meetings, where and to the extent that this is necessary for quality management and/or investigating any complaints. Our management is subject to a strict obligation of confidentiality and may not disclose Your data to anyone in any form.
- Processing that is necessary for establishing, exercising or defending legal claims. The GDPR allows us to process Your data if this is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. This means that in case of a dispute between You and Us, we may process Your data in order to investigate any complaints and solve any disputes arising from such complaints.
- Processing for statistical or research purposes. Your data might need to be processed for statistical purposes, or be valuable for research purposes in order to contribute to scientific progress in the medical field. For this end, the Finnish Data Protection Act allows us to process Your data for scientific research or statistical purposes.
- Any other processing activity. If the processing of Your data should be necessary for any purposes not described above, and where such processing is not mandated or required by law, such processing will be subject to Your prior informed consent as established under the GDPR. In this case, You will be asked for consent prior to the commencement of such processing, and You can decide whether to give consent or not. Consent is voluntary, and can be withdrawn at any time. For example, We may ask for Your consent to ask for information on family medical history from Your family members that might be relevant or necessary in providing the services to You. It is entirely Your choice, whether You want to give such consent or not.
4 What data do We process?
We only process Your data to the extent necessary for the purposes explained above in the Section 3 of this policy. For these purposes, we need to process the following data:
- Information necessary for identification and contacting You, such as Your name, date of birth, identification number, home address, contact information, information on Your next of kin (where this is necessary).
- Credit information to determine whether to grant credit to You in the form of providing services prior to payment. Should any issues be detected, You will still be able to receive services by paying in advance.
- Data concerning a possible partner and/or marital status, which is necessary in the context of fertility treatments.
- Health-related data obtained for or during the provision of health care services or tasks related to it. This includes all and any data that is necessary for the provision of care and tasks related to it, such as medical history, relevant information provided by You, results of analyses and medical imagining (e.g., ultrasonography images), data recorded by psychologists and psychotherapists (to which only the relevant specialist in question has access, unless otherwise agreed upon with the patient), data about eggs and sperm quantity and quality, pregnancies, miscarriages, terminations, childbirth, health-status of children born etc.
5 From where do We receive data?
The data we process about You, we receive either directly from You or from third parties:
- Data relating to patient administration is collected from the patient.
- Subject to the patient’s consent, information about family medical history may be asked from family members of the patient.
- Data about the patient’s home municipality and address is obtained from the Population Register Centre’s Population Information System.
- Data about the patient’s state of health is also obtained during the examinations, treatments and analyses carried out at our clinic, and, with the patient’s consent, from other treatment units and the patient’s family.
6 To whom do we disclose Your data?
All of our staff and employees, including management, are subject to an obligation of confidentiality. This means that we cannot disclose Your information to third parties outside of our clinic unless this is required or mandated by law, or where You have given explicit consent for Your data to be shared, or where You have requested for Your data to be transerred to another party.
Joining the common patient register requires Your consent, in which case You decide whether those participating in the use of the common register are able to access the Your data. You can withdraw Your consent for this at any time. You can also demand that data about a specific visit be kept secret, in which case the data can be accessed only by the person who entered the data.
The patient’s electronic prescriptions are recorded in the database known as the Prescription Centre. The controller is Kela, www.kanta.fi.
The patient data created at Ovumia Fertinova is not recorded in the Kanta archives maintained by Kela.
Data required by legislation is disclosed annually from Ovumia Fertinova’s register of patients to the National Institute for Health and Welfare’s national register of fertility treatments for research, planning and statistical purposes. This data cannot be attributed to a specific person.
In case You wish for Your gametes or embryos to be transferred to a clinic outside of Finland, we concurrently have to submit Your data to the receiving clinic.
In case of disputes related to the provision or quality of care, we may share Your data with legal advisors where this is necessary for the establishment, exercise or defence of legal claims, but only to the extent strictly necessary.
We may outsource book-keeping, invoicing and debt collection services, in which case Your billing data may be shared with such service providers.
We may outsource laboratory services (e.g., for blood or genetic tests), in which case your name and/or social security/personal ID number is sent to the laboratory with the biosample to be analysed.
All providers of outsourced services are subject to a strict confidentiality obligation and may only process your data to the extent and as long as is necessary to provide the services outsourced to them.
We utilise cookies and other techniques on our website for studying the demographic reachability of our services and for the statistical monitoring of our visitor numbers. We may also use data collected using cookies and other techniques in order to direct contents to our customers. Cookies and other techniques are used to analyse and further develop our services to ensure that we serve our customers as well as possible. Cookies are also used to improve the user experience; for example, cookies store data about the services and settings the customer used on a previous visit.
We use the Google Analytics Display Advertising programme. This is why the users of our website may come across our advertising outside of our website.
With our consent, Google may use first-party cookies (such as those of Google Analytics), which contain anonymous identifier data, together with third-party cookies (such as the DoubleClick cookie) in order to convey and optimise data and show advertisements based on the fact that the customer has visited our website.
We never disclose the personal data of our customers/website visitors to external advertising networks.
You can, at any time, remove the advertisements of the Google Analytics Display Advertising or the tailored advertisements of the Google Display Network, by using the control tool for advertisement selection. If You wish, You can also prevent the use of the Google Analytics measuring tool by installing an add-on in Your Internet browser.
Our website and services have links and connections to third-party websites and social extensions (such as the Facebook community add-on). The add-ons on our website, which are maintained by third parties, are downloaded from these services’ own servers.
8 How do We protect the data and how long do We store it?
All our staff and employees, and others performing their duties on our premises or on our behalf are subject to an obligation of confidentiality and may not disclose any of Your data. This duty of confidentiality remains in force after termination of the employment or service relationship.
The protection of personal data and confidentiality is at the core of our business. We use appropriate technical, organisational and administrative safety measures to protect all the data in our possession from being lost, abused, used illicitly, disclosed, altered or destroyed.
Our staff have access to use the company’s computers via a personal user identifier and password. Our top management decides, which employees should have access to patient data and provides access only to the extent that their duties require it. Only those of our employees, who, in the course of their work, are required to process patient data, are entitled to use a system containing personal data and special categories of personal data. Each user has a personal username and password to the system; in other words, access to personal data or special categories of personal data is granted on the basis of a role-based authorisation concept.
The company’s computers are located on our premises in locked rooms, to which only the company’s staff and authorized persons have access. The rooms are protected with an alarm system.
Hardcopies containing patient data are stored on our premises in locked rooms, and only our staff and authorized persons have access to these. The rooms are protected with an alarm system.
We store Your data as long as it is necessary for the purpose of processing the data and only within the time limits of the applicable laws and regulations.
We regularly estimate the need for data storage, taking into account the applicable legislation. In addition, we aim to ensure that no incompatible, outdated or inaccurate personal data is stored in our filing system, taking into account the purpose of the processing. We correct or erase such data without delay.
9 What are your rights as a data subject?
As a data subject, you have the following rights under the GDPR:
- You have the right to obtain information about the processing of Your data (arts. 13 and 14 GDPR). This policy aims to provide You with all necessary information about the processing of Your personal data by Us, but You are always welcome to contact Us with further inquiries regarding the processing of Your data by e-mailing our DPO at firstname.lastname@example.org
- You have the right to obtain confirmation from Us about whether Your data is being processed and to receive a copy of the personal data undergoing processing (art. 15 GDPR).
- You have the right to request from Us rectification of inaccurate personal data concerning You (art. 16 GDPR).
- You have the right to request Us to erase Your personal data processed by Us, if any of the grounds in art. 17(1) GDPR arise.
- You have the right to request Us to restrict processing activities regarding Your personal data if any of the grounds in art. 18(1) GDPR arise.
- You have the right to data portability (art. 20 GDPR).
- You have the right to object to the processing of Your personal data on grounds relating to Your particular situation if the processing is based on legitimate interests pursued by Us (i.e., on the basis of art. 6(1)(f) GDPR).
- You have the right to withdraw consent at any time, if processing is based on consent (art. 7(3) GDPR).
NB: Please note that none of the rights listed above are absolute. This means that there are exceptions and derogations that might apply in certain circumstances where processing of Your data is necessary for certain purposes. Such exceptions and derogations are stipulated in the GDPR. For example, We will not delete Your data if the law requires Us to store or otherwise process it (art. 17(3)(b)), or if this data is necessary for establishing, exercising or defending legal claims (art. 17(3)(e) GDPR).
If You have any question about Your rights as a data subject, please contact Us or the supervisory authority in Estonia/Finland (contacts listed below).
If You believe there to be a breach of Your rights, please contact Us immediately. You always have the right to bring a claim to court or to submit a complaint to the supervisory authority about any possible breaches of Your data protection rights.
Contacts of the supervisory authority:
Office of the Data Protection Ombudsman
Switchboard: +358 (0)29 566 6700
Registry: +358 (0)29 566 6768
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Management of Ovumia