Data Privacy Policy
Updated: 14.8.2025
This privacy policy provides information on the processing of corporate customer data at Euromedfin Oy (hereinafter “Medfin”) in accordance with data protection legislation.
Data controller
Euromedfin Oy / Medical Centre Medfin
Itämerenkatu 11 EF, 00180 Helsinki
Tel.: +358 10 574 39 70
The Medfin customer register contains data on existing and potential corporate and organisational customers, as well as their contact persons and contract persons.
Medfin complies with the EU General Data Protection Regulation (GDPR), applicable legislation and the instructions of supervisory authorities on the processing of personal data.
The Medfin corporate customer register is jointly used together with service providers operating at Medfin as independent professionals or through separate companies.
Purposes and legal bases for processing corporate and personal data
Corporate and personal data are processed for the following purposes and on the following legal bases:
- Provision of occupational health services – based on law or the customer’s consent
- Assessment of the need for work ability and health promotion services, as well as their provision and personalisation – based on the contract between the customer and Medfin, law or legitimate interest
- Ensuring the quality of professionals’ work and the proper performance of their duties – based on law
- Marketing and communication – based on the customer’s consent, a contract or Medfin’s legitimate interest
- Planning, development, management, monitoring and reporting of Medfin’s operations and services – based on law or Medfin’s legitimate interest
- Research and statistics – based on consent, law, public interest or legitimate interest
- Management of customer relationships and customer service, including maintaining data on corporate customers’ contact and contract persons
- Handling customer contacts, feedback, official requests and incident reports – based on law or Medfin’s legitimate interest
- Analysis, segmentation and reporting of customer relationships, and other purposes related to the management of overall customer relationships and the development of Medfin’s business
- Carrying out, developing, personalising and monitoring sales, marketing and communication
- Provision of digital services for logged-in customers – based on law, contract or the customer’s consent
- Invoicing, payment processing and debt collection – based on law or contract
- Investigating and resolving technical failures in IT services or devices – based on legitimate interest
- Monitoring users’ online behaviour and use of digital services – based on legitimate interest or consent
- Ensuring the legal protection of Medfin and the customer, fulfilling statutory and regulatory obligations, detecting misuse and monitoring the use of services – based on law or legitimate interest
More detailed information on the purposes of processing
For providing occupational health services:
- Planning, provision and monitoring of medical examinations and treatment of employees
- Assessment of work ability
- Implementation of individual action plans
- Appointment management (if a profiling-based booking system is used, profiling is carried out only with the patient’s consent)
- Invoicing and statutory and/or group-level reporting to customer organisations
- As part of the provision of services, data generated in connection with the use and provision of services are analysed automatically for occupational health purposes
For providing work ability and health promotion services:
- Provision of work ability coaching
- Provision of services aimed at improving health
For ensuring the quality of professionals’ work:
Ensuring the proper use of personal data and compliance with procedures
For marketing and communication:
- Customer relationship management, including reminders (for example, about appointments)
- Collection, tracking and analysis of customer interests and preferences related to services and service locations, and the development of customer service based on this
- Registration and promotion of loyalty/benefit programmes and related benefits
- Taking customer wishes into account and personalising the offering
- Communicating and marketing products and services
- Targeting of communication, marketing and services
- Conducting market research and opinion surveys
- Analysis, profiling, segmentation and statistical processing of data for the above purposes
Processing of corporate and personal data in connection with contacts, feedback, official requests and incident reports
- Processing customer contacts and feedback
- Processing complaints and claims
- Processing other official requests
- Processing notifications of possible incidents
- Recording interactions between customers and customer service (e.g. telephone calls) in order to verify the service event, ensure the quality of customer service, develop operations and safeguard the rights of all parties
Processing of corporate and personal data in the provision of digital services for registered customers (e.g. Oma Medfin app, web service)
- Managing the user’s contact details and consents
- Managing bookings
- Using remote services
- Communication and exchange of information between Medfin and the customer
- Processing payments
- Offering and marketing Medfin’s or its partners’ products and services
- Analysing the interests, preferences and choices of registered users, and profiling based on them, as well as developing customer service
Categories of corporate and personal data processed
The following categories of data are processed:
- Basic information
- Employer data
- Booking data
- Customer service interaction data and recordings
- Invoicing and payment data
- Data on digital services for registered customers
- Data on customer contacts, feedback, official requests and incident reports
- Other service-related data
- Data on means and services of identification and authentication
- Data on the use of the website and digital services, behavioural and analytics data
- Consents, prohibitions and expressions of will
More detailed information on data categories
Basic information
Name, personal identity code, date of birth, contact details, mother tongue or service language, occupation and other identification data (for example, a copy of passport if necessary, description of responsibilities, role in the company as a contract contact person)
Data related to work ability
Customer information used in work ability services
Health and wellbeing data
- Answers to surveys, monitoring data and analyses
- Information on the use of wellbeing services
Booking data
Appointment history
Customer service interaction data and recordings
- Communication between Medfin and the customer
- Caller’s phone number, recipient’s identifier, date and time, and call recording
- Chat logs
- Date, participants and content of conversations
Invoicing and payment data
- Payment information related to services
- Payer information (for example, insurance company)
- Orders and payments related to web services
Data on digital services for registered customers
- Payment data
- Communication between the customer and Medfin
- Location data of the user’s device (if the user has allowed the processing of location data) to offer service points close to the user
- Information on means and services of identification and authentication
- Usage logs and user activity history in digital services
Data on contacts, feedback, official requests and incident reports
- Customer contact, feedback or request and the responses given
- Contact details of the person submitting the contact or feedback
- Description of the incident and the information provided to the person concerned
Data related to other services
- Data on service quality assessments and comments regarding the services
- User’s wishes and preferences, including desired services
- Responses to market research and opinion surveys
- Contact history
- Data obtained from third-party registers with the user’s consent
Data on the use of the website and digital services, behavioural and analytics data
- IP address and data on the network connection
- Information on the device, browser and operating system
- Session identifier, timestamps and similar data
- Data on the use of applications and services (for example, log data, data collected using cookies and similar tracking technologies, web analytics data)
- User’s behaviour on the website during the session
Consents and prohibitions
Information on consent or prohibition regarding direct marketing and the processing of personal data
Retention periods for personal data
Medfin stores only those corporate and personal data that are necessary for its operations and the purposes of processing, and for which there is a lawful basis. The retention period is determined by the purpose of processing and/or the nature of the data. Retention periods are also affected by statutory obligations and other factors that determine the need for retention (such as limitation periods for legal claims or prosecution).
Customer service interaction recordings/media files are generally retained for six months.
Data that have become unnecessary for the respective purpose, including data related to marketing and the use of web services, are also deleted during the customer relationship. Data that are no longer needed, outdated or lack a legal basis are anonymised or destroyed in a secure manner.
Sources of data
Personal data are primarily collected from the customer themselves. Data may also be obtained in the course of providing services and medical care from healthcare staff and from medical devices/software. Basic information may be updated from the Digital and Population Data Services Agency’s register (Digi- ja väestötietovirasto). In the field of occupational health, data may be obtained from the employer: basic information about the employee and the organisation’s contact details, as well as changes to these. In certain cases, information may be received from other healthcare providers (based on law or the patient’s consent), as well as from insurance or pension companies.
Processing and disclosure of personal data
The Medfin corporate customer register is jointly used with healthcare service providers working at Medfin as independent practitioners or separate legal entities.
Additional information:
Personal data may be transferred outside the EU/EEA only in cases permitted by law, using the European Commission’s standard contractual clauses or another lawful transfer mechanism. However, all information systems used by Medfin are located within the EU/EEA.
Data may be transferred to third-party service providers acting as independent data controllers – for example, providers of payment, financial or debt collection services, as well as transport and courier service providers.
Other healthcare providers
Data necessary for providing occupational healthcare services may be disclosed to another healthcare provider.
Kela
Information necessary for payments related to occupational healthcare services may be disclosed to the Social Insurance Institution of Finland (Kela) on a statutory basis without separate consent.
Insurance companies
Data required under statutory insurance may be disclosed to insurance companies on a statutory basis without consent.
Public authorities and organisations
Information may be disclosed to authorities or organisations that have a statutory right of access to data, on the basis of a written and specified request, in the form and scope required, or based on the customer’s consent.
Research organisations
Corporate data may be disclosed to research organisations in accordance with legislation.
Rights of the data subject
Right of access to personal data
The data subject has the right to know whether their personal data are being processed and to access the data concerning themselves. The data subject can view and access their data via digital services intended for registered customers (for example, the Oma Medfin app and Oma Medfin web portal), as well as via the OmaKanta service (www.kanta.fi/omakanta). In addition, the data subject may submit an official request for their personal data.
Right to rectification
The customer has the right to request the rectification of inaccurate or incomplete data.
Right to object to and restrict processing
In certain cases, the customer has the right to object to processing on grounds relating to their particular situation. The customer may also request the temporary restriction of processing, for example while the accuracy of the data is being verified.
Right to lodge a complaint
If the customer considers that their personal data are being processed in violation of legislation, they have the right to lodge a complaint with the Data Protection Ombudsman (tietosuojavaltuutettu).
Protection of personal data
Medfin applies appropriate physical, technical and administrative measures to protect data against misuse. These include monitoring and filtering network traffic, the use of encryption technologies and secure server facilities, locking systems and access control, management and monitoring of access rights, training of personnel who process personal data, and risk management in the design, implementation and maintenance of services. Medfin carefully selects its subcontractors and ensures through contractual and other arrangements that they also process data in accordance with legislation and good data protection practices.
Contact information
Euromedfin Oy / Medical Centre Medfin
Itämerenkatu 11 EF, 00180 Helsinki
Tel.: +358 10 574 39 70
Data Protection Officer: Olga Loginov — olga.loginov@medfin.fi
Patient Ombudsman: Marina Meier — marina.maier@medfin.fi