Last updated 16 June 2021
1. Data Controller and contact details for register related matters
Nightingale Health Plc (business ID 1750524-0)
Mannerheimintie 164a, 00300 Helsinki
Phone: +358 20 730 1810
Email of the Data Protection Officer: firstname.lastname@example.org
2. For what purposes and on what basis do we process your personal data?
The register has been set up for the My Nightingale service (the “Service”) provided by Nightingale Health Plc. We process your data for the following purposes:
- Providing, organizing, planning, developing and implementing the Service (incl. purchase of the Service, user account creation, Nightingale Kit shipping and registration, sampling, sample analysis and delivery of results);
- Managing and developing our customer relationships (incl. customer service and communications, customer feedback and electronic direct marketing), invoicing the Service and processing payments;
- Monitoring the Service and its use, controlling quality, supervising health care professionals’ operations and resolving potential damages and claims;
- Planning, compiling statistics of and evaluating our operations; and
- Developing and improving products and services in an anonymized form so that the person can no longer be identified, unless otherwise agreed with a separate consent.
The processing of the personal data is based on laws and regulations, such as:
- EU General Data Protection Regulation 2016/679, points a), b), c) and f) of Article 6(1)
- Act on the Status and Rights of Patients 17.8.1992/785
- Act on the Electronic Processing of Client Data in Social and Health Care 9.2.2007/159
- Decree of the Ministry of Social Affairs and Health on Health Records 30.3.2009/298,
as well as a consent, an agreement and a legitimate interest of Nightingale Health Plc (incl. planning and reporting our operations, marketing and collection).
3. What kind of personal data do we process and from where do we collect the data?
We are processing the following personal data:
- Personal data necessary for identification of the customer and organizing transactions
- Name and national identification number or other unique identifier to identify a person;
- Contact details, such as address, phone number and email;
- Self-created password for the Service;
- Nightingale Kit's at-home blood collection device identifier
- Payment details, such as credit card details.
- Information on consents and refusals
Health data necessary for the Service:
- Service events and thereto related patient data and other health data (incl. date of sampling, sample type, unique sample identifier, gender, date of birth, information on potential medication or other clinically relevant information);
- Blood sample and the data derived from the blood sample as well as analyses and results derived from them;
- Other necessary information required to secure organizing, planning, implementation and monitoring of the Service.
Data related to the customer history:
The personal data stored in the register is primarily collected from you and the blood sample you have given. Information can be updated from public registers, such as the Population Register.
4. To whom do we disclose data, and do we transfer data outside the EU or the EEA?
Your health data is confidential. Persons processing the health data are bound by confidentiality obligation. Health data can be disclosed with a customer’s written consent or as provided by law. A consent to disclose health data can be restricted or withdrawn at any time.
Based on legislation, we have either the right or the obligation to disclose data e.g. to the supervisory authorities, such as Regional State Administrative Agencies, Office of the Data Protection Ombudsman, National Supervisory Authority for Welfare and Health, municipalities’ social welfare authorities, and judicial authorities.
We use external service providers to manage our IT, marketing, patient data, and customer information systems. We conclude data processing agreements with all service providers and require them to process personal data only to the extent necessary to provide such service.
We do not transfer your patient data outside the EU or the EEA. However, our external service providers may process your other personal data outside the EU or the EEA. In that case, we will provide adequate and appropriate safeguards in accordance with the applicable data protection legislation.
5. How do we protect the data and how long do we retain them?
Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485, Information Security Management System certified according to ISO/IEC 27001:2013 and the data protection legislation applicable to our operations. We apply the appropriate physical, technical, and administrative safeguards to protect data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to the personnel participating in the personal data processing, and risk management related to the planning, implementation, and maintenance of our services. Personal data are processed only by those persons who need the personal data to perform their job duties. Confidential patient data and records are stored in a patient data system, to which access rights are granted based on the role described in the employees’ job description. Manual material is archived in a locked area accessible only to restricted persons according to EN ISO 13485 Quality Management System.
Material in paper format is stored in a locked area accessible only to persons who are processing such matters or documents.
To ensure the implementation of data protection, we conclude data processing agreements with our subcontractors who are processing personal data on our behalf.
Patient data are retained for as long as necessary, subject to compliance with the retention periods stipulated by the applicable laws and regulations (such as the Act on the Status and Rights of Patients and the Decree of the Ministry of Social Affairs and Health on Patient Records). As a rule, the retention period is 12 years from the patient’s death, or, if such information is not available, 120 years from the patient’s birth. After the measurement, the blood samples are stored for three months for quality control purposes, after which they are either anonymized or disposed of according to the process of EN ISO 13485 Quality Management System. Otherwise, the personal data are retained for as long as necessary for the purposes mentioned in section 2, after which they are either deleted or anonymized.
6. Your rights as a data subject relating to the processing of the data
As a data subject, you have the following rights with the restrictions that follow from legislation:
- Right of access to personal data
- Right to rectification of inaccurate personal data and, in certain cases, right to erasure of personal data, e.g. personal data that are no longer necessary or accurate in relation to the purpose of the register;
- Right to restriction of processing, e.g. if you contest the correctness of the personal data or the lawfulness of the processing;
- Right to object, e.g., on grounds relating to your particular situation, to processing of personal data that is based on a legitimate interest, or at any time, where personal data are processed for direct marketing purposes.
- Right to data portability from one system to another
- Right of access to patient register log data
In accordance with the Act on Client Data (Act on the Electronic Processing of Client Data in Healthcare and Social Welfare 9.2.2007/159), you can request the log data concerning your own patient data. The right to obtain the log data may be restricted if the discloser of the log data is aware that providing the log data could seriously endanger the health or care of the individual or the rights of someone else. In addition, there is no right to obtain log data that are older than two years, unless there is a specific reason for that.
- Withdrawal of consent. Where the processing of the personal data is based on a consent, you can, at any time, withdraw or restrict your consent. The withdrawal of the consent shall not affect the lawfulness of the processing carried out prior to the withdrawal.
You may exercise your rights by submitting a free-form written request by email or letter to the addresses mentioned in section 1 above. The requests are always processed on a case-by-case basis.
In addition, you have a right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the EU General Data Protection Regulation.