Nightingale Health Ltd. (business ID 1750524-0)
Mannerheimintie 164a, 00300 Helsinki
Phone: +358 20 730 1810
Email of the Data Protection Officer: firstname.lastname@example.org
The register has been set up for the My Nightingale service (the “Service”) provided by Nightingale Health Ltd. We process your data for the following purposes:
The processing of the personal data is based on laws and regulations, such as:
as well as a consent, an agreement and a legitimate interest of Nightingale Health Ltd. (incl. planning and reporting our operations, marketing and collection).
We are processing the following personal data:
Health data necessary for the Service:
Data related to the customer history:
The personal data stored in the register is primarily collected from you and the blood sample you have given. Information can be updated from public registers, such as the Population Register.
Your health data is confidential. Persons processing the health data are bound by confidentiality obligation. Health data can be disclosed with a customer’s written consent or as provided by law. A consent to disclose health data can be restricted or withdrawn at any time.
Based on legislation, we have either the right or the obligation to disclose data e.g. to the supervisory authorities, such as Regional State Administrative Agencies, Office of the Data Protection Ombudsman, National Supervisory Authority for Welfare and Health, municipalities’ social welfare authorities, and judicial authorities.
We use external service providers to manage our IT, marketing, patient data, and customer information systems. We conclude data processing agreements with all service providers and require them to process personal data only to the extent necessary to provide such service.
We do not transfer your patient data outside the EU or the EEA. However, our external service providers may process your other personal data outside the EU or the EEA. In that case, we will provide adequate and appropriate safeguards in accordance with the applicable data protection legislation.
Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485 and the data protection legislation applicable to our operations. We apply the appropriate physical, technical, and administrative safeguards to protect data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and secure data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to the personnel participating in the personal data processing, and risk management related to the planning, implementation, and maintenance of our services. Personal data are processed only by those persons who need the personal data to perform their job duties. Confidential patient data and records are stored in a patient data system, to which access rights are granted based on the role described in the employees’ job description. Manual material is archived in a locked area accessible only to restricted persons according to the EN ISO 13485 Quality Management System.
Material in paper format is stored in a locked area accessible only to persons who are processing such matters or documents.
To ensure the implementation of data protection, we conclude data processing agreements with our subcontractors who are processing personal data on our behalf.
Patient data are retained for as long as necessary, subject to compliance with the retention periods stipulated by the applicable laws and regulations (such as the Act on the Status and Rights of Patients and the Decree of the Ministry of Social Affairs and Health on Patient Records). As a rule, the retention period is 12 years from the patient’s death, or, if such information is not available, 120 years from the patient’s birth. After the measurement, the blood samples are stored for three months for quality control purposes, after which they are either anonymized or disposed of according to the process of the EN ISO 13485 Quality Management System. Otherwise, the personal data are retained for as long as necessary for the purposes mentioned in section 2, after which they are either deleted or anonymized.
As a data subject, you have the following rights:
You may exercise your rights by submitting a free-form written request by email or letter to the addresses mentioned in section 1 above. The requests are always processed on a case-by-case basis.
In addition, you have a right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the EU General Data Protection Regulation.