Name of the registry:
Each company’s patient registry (‘Patient Registry’).
The controller is:
Each company belonging to the Pihlajalinna Group
Pihlajalinna Lääkärikeskukset Oy, Business ID 2452505-5
Pihlajalinna Terveys Oy, Business ID 2303024-5
Lääkäriasema DokTori Oy, Business ID 2617382-3
Linnan Klinikka Oy, Business ID 0878086-5
Pihlajalinna Ikioma Oy, Business ID 2519853-5
Pihlajalinna Kainuu Oy, Business ID 3136375-2
Pihlajalinna Seppälääkärit Oy, Business ID 2786010-7
Kehräsaari B 3rd floor
Controller’s data protection officer:
Marika Vihervaara, tel +358 (0)10 312 010, email@example.com
Representatives of the controller:
Nationally, Sari Riihijärvi, Chief Medical Officer at Pihlajalinna Group, tel. +358 (0)10 312 010, firstname.lastname@example.org. The local representative is the responsible doctor at each unit.
The purpose of processing the personal data in the Patient Registry is to organise the patient’s care as follows:
To become a patient of Pihlajalinna, it is necessary that data about the person can be recorded in the Patient Registry. The processing of data in the Patient Registry is based on Pihlajalinna’s legal obligation to process patient data, Pihlajalinna’s legitimate interest on the basis of the patient care relationship and, in some cases, the patient’s consent.
When Pihlajalinna receives correct and comprehensive data from the patient, it can provide the patient with the best care and service possible.
Pihlajalinna is responsible for the general patient data registry, which is jointly accessed by various operating units and self-employed professionals acting as independent data controllers. Each controller who has joined the general registry is responsible for the legality and legal use of their own registries. The registries of such independent controllers are kept technically separate and the information contained in them cannot, in principle, be disclosed without the patient’s written consent. Occupational healthcare customers’ data also form their own separate sub-register which must be kept technically separate from the rest of the Patient Registry. Access to the sub-register has been restricted through access rights.
The personal data in the Patient Registry are provided mainly either by the patients themselves or by guardians of minor patients, or generated in connection with examinations and treatment.
On consent from the customer, data from, for example, other care institutions and insurance companies are also added to the registry.
However, the patient’s data can also be combined and supplemented, within the limits permitted by legislation, with data from other sources and derived from such sources, such as data obtained from other healthcare institutions with the consent of the patient or their guardian, or data from the Digital and Population Data Services Agency.
The Patient Registry may contain the following personal data:
In addition, the following data is collected from occupational health care customers:
The health application can also use the following information sent by the customer during a chat session to support treatment:
The data are not stored, recorded or shared and are automatically deleted after the appointment.
The following data sent by the customer may also be examined using remote examination:
The data are used during the appointment, but are not automatically stored in the patient data system.
When processing patient data, Pihlajalinna carefully obeys the requirements to act diligently and protect the patient data set down in legislation, and the good data management practice. When processing patient data, Pihlajalinna always ensures that the processing of data is adequately justified and necessary in relation to the described purpose of use.
Data in the Patient Registry is confidential, and the persons involved in their processing are subject to secrecy and confidentiality. This obligation to maintain secrecy and confidentiality will continue even after the employment relationship has been terminated. Pihlajalinna limits the number of people processing patient data. Patient data is only accessible to such employees at Pihlajalinna or its partners who, on the basis of their duties, need to process patient data.
Pihlajalinna also has strict user ID policies in place to protect the patient data. The Patient Registry system and data stored in it are protected by, among other things, access right restrictions and passwords that only persons authorised to use the system have access to. Pihlajalinna uses log data, among other things, to track and monitor the processing of patient data actively and carefully in a manner required by legislation.
Patient data can be disclosed primarily with the patient’s written consent. If a patient is not in a position to assess the importance of the consent given, data may be disclosed with a consent from their legal representative.
In addition to the above, patient data may be disclosed if the disclosure of data or the right to access information is expressly provided for in the law, for example, in the following situations:
In addition, patient data can be disclosed to scientific research.
We may transfer your personal data to service providers and subcontractors commissioned by Pihlajalinna in order to implement the service you need.
In general, Pihlajalinna does not transfer patient data outside the EU/EEA area. With regard to possible transfers, we obey all valid laws and regulations.
Patients have the right to check their personal data stored in the Patient Registry. If the patient is a child, their guardian will generally have the right to access their child’s data. A request to access the data must be made in writing using Pihlajalinna’s access request form.
Patients also have the right to review the log data concerning the processing of their patient data and to make a request for clarification regarding the processing of their patient data. The request must be made in writing using a form Pihlajalinna has provided for this purpose.
In addition to the rights of access and clarification, patients also have the right to request the rectification of incorrect data. The rectification request must be made in writing using Pihlajalinna’s rectification form. The request for rectification must be itemised and justified. The data will be rectified in a manner required by legislation so that information about the rectification and the original note will be included in the Patient Registry.
All above-mentioned forms for using the rights of patients are available on Pihlajalinna’s website at www.pihlajalinna.fi and at Pihlajalinna’s locations.
The patient data in the Patient Registry is stored in accordance with the Finnish Ministry of Social Affairs and Health’s decree on patient records (94/2022).
Log data regarding the processing of patient data will be kept for at least 12 years from their creation date.
Other information contained in the Patient Registry, such as phone records, invoicing, and debt recovery, will be stored for as long as necessary for their processing or as required by legislation (such as bookkeeping regulations).
Pihlajalinna will always try to resolve any disagreements directly with the patient. However, the patient has the right to have a disagreement regarding the processing of their personal data reviewed by the data protection authority.