
The privacy of all our patients is extremely important to us.
The privacy of our customers is of the utmost importance to Pihlajalinna. Pihlajalinna is committed to protecting customer privacy and to complying with applicable legislation governing the processing of patient data and data protection. Protecting the privacy of individuals is a fundamental part of Pihlajalinna's responsible business principles. Pihlajalinna processes patient data collected about its customers in accordance with the terms set out in this privacy notice.
Name of the registry: Each company’s patient registry (‘Patient Registry’).
The controller is: Each company belonging to the Pihlajalinna Group
For health services provided by Pihlajalinna where Pihlajalinna acts as the data controller (including occupational healthcare services), the data controller is Pihlajalinna Terveys Oy, or another company belonging to the Pihlajalinna Group, as listed below. All data controllers can be reached through Pihlajalinna Terveys Oy.
Companies:
Pihlajalinna Terveys Oy, Business ID 2303024-5
Pihlajalinna Lääkärikeskukset Oy, Business ID 2452505-5
Lääkäriasema DokTori Oy, Business ID 2617382-3
Linnan Klinikka Oy, Business ID 0878086-5
Pihlajalinna Ikioma Oy, Business ID 2519853-5
Pihlajalinna Kainuu Oy, Business ID 3136375-2
Contact information: PL 110 33101 Tampere
Representatives of the controller:
National representative: Sari Riihijärvi, Chief Medical Officer at Pihlajalinna Group, tel. 010 312 010, [email protected]. The local representative is the responsible doctor at each unit.
If you have questions about how your personal data is processed, or if you want to exercise your rights under the EU General Data Protection Regulation (EU 2016/679), you can contact the Data Protection Officer: Marika Vihervaara, tel. 010 312 010, [email protected].
Where health services are provided by an independent service provider operating within Pihlajalinna or by that provider's company, the data controllership is determined as follows:
Pihlajalinna and the service provider operating on Pihlajalinna's premises are joint controllers within the meaning of Article 26 of the EU General Data Protection Regulation, where the service provider operates a private practice and uses Pihlajalinna's patient information systems. Pihlajalinna is responsible for the technical maintenance of the patient register and for the storage of patient data. The service provider is responsible for the preparation of patient records and for the accuracy of the information entered. Each joint controller is responsible for the lawful use of the register.
Pihlajalinna acts as the primary point of contact for requests relating to the exercise of data subjects' rights. However, data subjects may exercise their rights in relation to either joint controller. Each joint controller shall ensure, within its own sphere of responsibility, that the rights of data subjects are appropriately fulfilled.
The registers of the different data controllers are kept technically separate, and the information they contain may not, as a general rule, be disclosed without the customer's written consent. The data of occupational healthcare customers also forms its own separate sub-register, which is kept technically separate from the main patient register and to which access is restricted through access controls.
The purpose of processing the personal data in the Patient Registry is to organise the patient’s care as follows:
organisation of the patient’s examination, care, and rehabilitation, planning, implementation, monitoring, archiving, quality control, guidance, and disease prevention;
planning, monitoring, and evaluating healthcare operations, compiling statistics on them, and scientific research;
invoicing and debt recovery;
production of occupational health services for companies and communities; and
use of data for knowledge management in accordance with the Act on Secondary Use of Health and Social Data.
Communication between patients and the customer service centre (e.g. phone calls) may be recorded to support staff training, ensure service quality, and verify the service event.
To become a patient of Pihlajalinna, it is necessary that data about the person can be recorded in the Patient Registry. The processing of data in the Patient Registry is based on Pihlajalinna’s legal obligation to process patient data, Pihlajalinna’s legitimate interest on the basis of the patient care relationship and, in some cases, the patient’s consent. AI-assisted documentation is used to support the work of healthcare professionals, but no automated decisions concerning the patient are made on its basis.
When Pihlajalinna receives correct and comprehensive data from the patient, it can provide the patient with the best care and service possible.
The personal data in the Patient Registry are provided mainly either by the patients themselves or by guardians of minor patients, or generated in connection with examinations and treatment.
With the customer's consent, data from, for example, other care institutions and insurance companies is also added to the registry.
However, the patient’s data can also be combined and supplemented, within the limits permitted by legislation, with data obtained or derived from other sources, such as data obtained from other healthcare institutions with the consent of the patient or their guardian, or data from the Digital and Population Data Services Agency.
The Patient Registry may contain the following personal data:
full name;
personal identity code;
contact details (including address and telephone number and email address);
the patient’s contact person (including the patient’s designated next of kin and the guardian(s) of minor patients), their contact details and, if necessary, their personal identity codes;
medical information and preliminary information necessary for the patient’s care (including patient records, referrals, and doctor’s statements);
examination data (including laboratory, imaging, and other examination data);
health survey data;
appointment data;
invoicing and payment information;
the name and status of the person submitting the note, date of the note, and data of the person reading the note;
information about the receipt and origin of documents;
declarations of intent and consents given by the customer;
information relating to the identification of the customer; and
a caller’s telephone number, receiver’s ID, date, and a recording of the call.
In addition, the following data is collected from occupational health care customers:
employer and their contact details;
data about the employment relationship (including department/office, professional title, and other similar information);
insurance company information; and
possible health risks associated with the workplace.
Through remote services, the customer may also provide Pihlajalinna with the following personal data:
video (a video connection opened with the customer’s consent);
audio (an audio connection opened with the customer’s consent);
photographs and videos sent by the customer; and
other data transmitted via the customer’s remote examination equipment, such as heart and lung auscultation sounds, videos and photographs, as well as pulse data and body temperature.
In connection with AI-assisted documentation, the speech from conversations held during appointments may be processed, along with a text-based transcription generated from that speech and a draft entry for the patient record. The data is generated from the conversation between the patient and the healthcare professional that takes place during the appointment.
When processing patient data, Pihlajalinna carefully follows the legal requirements to act diligently, safeguard patient data, and apply good data management practices. We always ensure that the processing is properly justified and limited to what is necessary for the purposes described in this notice.
Data in the Patient Registry is confidential, and the persons involved in its processing are subject to secrecy and confidentiality obligations. These obligations continue even after the employment relationship has been terminated. Pihlajalinna limits the number of people processing patient data. Patient data is accessible only to those employees of Pihlajalinna or its partners who, on the basis of their duties, need to process patient data.
Pihlajalinna also has strict user ID policies in place to protect the patient data. The Patient Registry system and data stored in it are protected by, among other things, access right restrictions and passwords that only persons authorised to use the system have access to. Pihlajalinna uses log data, among other things, to track and monitor the processing of patient data actively and carefully in a manner required by legislation.
Patient data constitutes sensitive personal data. We disclose your patient data to third parties only with your consent or based on legislation. Such legally based disclosures include, for example, the national information system service maintained by Kela (Kanta Services), the Finnish Institute for Health and Welfare (THL), and insurance companies in respect of statutory insurance. In respect of voluntary insurance held by private customers, the necessary data is disclosed based on the customer's consent. In addition, data may be disclosed for research purposes and for development and innovation activities in accordance with the legislation governing patient data.
We disclose patient data outside Pihlajalinna to other social and healthcare service providers either based on applicable legislation or based on a disclosure authorisation granted by you. You can manage the disclosure of your data between different social and healthcare service providers by granting a disclosure authorisation in the Kanta service. Further information is available at https://www.kanta.fi/en/.
We may transfer your personal data to service providers and subcontractors processing data on behalf of Pihlajalinna to deliver the service you require.
Pihlajalinna does not, as a general rule, transfer patient data outside the EU/EEA. However, maintenance connections to information systems may extend outside the European Union or the European Economic Area. In such cases, the safeguards required under the EU General Data Protection Regulation have been implemented, such as standard contractual clauses on data protection annexed to agreements, and supplementary safeguards as recommended by the European Data Protection Board have been applied where necessary.
In respect of social services and public health services, decisions on data disclosures are made by the municipality acting as the data controller.
In accordance with applicable data protection legislation, the data subject has the right to be informed about the processing of their personal data, the right of access to their data, and the right to request the rectification of inaccurate or incomplete personal data.
As the processing of personal data is based on the data controller's statutory obligation, not all of the data subject's rights may apply in full to this register. For example, patient records cannot be deleted at the request of the data subject where the retention of data is based on mandatory legislation.
The data subject may also have the right to request the restriction of processing and to exercise other rights under the General Data Protection Regulation to the extent that they apply to the processing in question. The data subject may request the deletion of data not subject to statutory retention requirements, or the restriction of its processing.
The data subject may request that AI-assisted documentation not be used during their appointment. Such a request does not affect the provision of care.
Further information on exercising your rights is available on the Pihlajalinna website at https://www.pihlajalinna.fi/en/for-customers/processing-of-your-personal-data and at Pihlajalinna locations.
The data subject may submit a request relating to the exercise of their rights to the contact persons referred to in section 2.
Patient data in the Patient Registry is retained for the period required by mandatory legislation (Laki sosiaali- ja terveydenhuollon asiakastietojen käsittelystä, laki 703/2023).
Data relating to billing and debt collection is retained for the period required by accounting legislation (Kirjanpitolaki, laki 1336/1997).
Other data contained in the patient register, such as call, audio and chat recordings and data related to remote services, is retained only for as long as necessary for the provision of the service, for ensuring service quality, or for fulfilling statutory obligations.
Pihlajalinna will always try to resolve any disagreements directly with the patient. However, the patient has the right to have a disagreement regarding the processing of their personal data reviewed by the data protection authority. https://tietosuoja.fi/ilmoitus-tietosuojavaltuutetulle