Last updated 13 June 2023

This Privacy Policy for Business Contacts and Visitors describes how Nightingale Health collects and processes personal data of representatives of existing and potential customers, vendors, and other business contacts, participants in our events, webinars, and campaigns, as well as visitors to our Website and office premises. Nightingale Health is the controller of the personal data and is committed to protecting your privacy in accordance with the Data Protection Laws. Please read this Privacy Policy to find out how Nightingale Health collects and processes your personal data.

We have separate privacy policies for our consumer services, recruitment process, managers’ transactions, and general shareholders’ meetings, which you can access through this link. In addition, our group companies may have their own separate privacy policies which shall apply instead of this Privacy Policy.

1 Definitions

As used herein, the following terms have the meanings defined below:

  • “Cookie Policy” means our Cookie Policy
  • “Data Protection Laws” means the applicable mandatory data protection legislation, including the EU General Data Protection Regulation 2016/679 (“GDPR”)
  • “Nightingale Health” (“we”, “us”) means Nightingale Health Plc and its group companies
  • “Privacy Policy” means this Privacy Policy for Business Contacts and Visitors
  • “Website” means Nightingale Health’s websites at nightingalehealth.com

The terms “controller”, “processor”, “data subject”, “personal data”, and “processing” have the meanings given to them in the GDPR.

2 What personal data do we process and where do we obtain such data?

We process the following types of personal data depending on the interactions we have with you:

  • Basic information: first and last name; title; job description; company; country; postal address; email address; phone number
  • Preferences and settings: information on acceptances, consents, and refusals you have provided to us
  • Login information: login details (e.g., username and password) to restricted areas of the Website
  • Submitted information: information you submit through the Website, to our customer support (such as feedback, recommendations, complaints), or to your business contact at Nightingale Health
  • Service information: information on which services you have used and what assignments you have performed for us; service delivery and invoicing information
  • Analytics information: data related to which parts of the Website you have used and what actions you have performed on the Website and on emails we send to you
  • Event information: information you submit to us in connection with participation in our events, campaigns, or webinars
  • Camera surveillance information: video footage recorded by security cameras at Nightingale Health’s office premises
  • Office visitor information: time and host of visit; picture; any additional information you provide to us prior to or in connection with your visit

The personal data is primarily collected directly from you, for example, when you contact us using the contact details available on the Website or enter into a business relationship with us. In addition, we collect personal data from other sources, such as third-party websites, private and public registers, our service providers, and camera surveillance. Analytics information is collected with tracking technologies through your use of the Website. For more information on the tracking technologies that we use, please visit our Cookie Policy.

3 For what purposes and on what bases do we process your personal data?

We process your personal data for the purposes and on the legal bases set out below:

Purpose of processing: Provision of our services
Processed personal data: Basic information; Preferences and settings; Login information; Submitted information
Legal basis:
  • Contract between you and us (GDPR Art. 6.1b)

Purpose of processing: Customer support and important customer communications
Processed personal data: Submitted information; Additional information if needed to respond to your request or to send an important customer communication to you
Legal basis:
  • Contract between you and us (GDPR Art. 6.1b)
  • Our legitimate interest to provide customer support and send important customer notices and to respond to customer complaints and other inquiries made to us (GDPR Art. 6.1f)
  • Our legal obligation to provide an important customer communication or to respond to a customer request (GDPR Art. 6.1c)

Purpose of processing: Business relationship management
Processed personal data: Basic information; Submitted information; Service information; Additional information if needed to respond to your request or to send an important communication to you
Legal basis:
  • Contract between you and us (GDPR Art. 6.1b)
  • Our legitimate interest to manage our business relationships and communicate with our business partners, and to process orders and invoices (GDPR Art. 6.1f)
  • Our legal obligation to provide an important communication or to respond to a request made to us, and to perform accounting (GDPR Art. 6.1c)

Purpose of processing: Management of visits to Nightingale Health’s office premises
Processed personal data: Basic information; Office visitor information
Legal basis:
  • Our legitimate interest to manage and ensure security of visits to our office premises (GDPR Art. 6.1f)

Purpose of processing: Planning, monitoring, supervising, compiling statistics of, controlling quality of, and evaluating our operations and services
Processed personal data: Basic information; Preferences and settings; Login information; Submitted information; Service information; Analytics information; Event information; Office visitor information
Legal basis:
  • Our legitimate interest to plan, monitor, supervise, compile statistics of, control quality of, and evaluate our operations and services (GDPR Art. 6.1f)

Purpose of processing: Organizing and allowing participation in events, campaigns, and webinars
Processed personal data: Basic information; Event information
Legal basis:
  • Contract between you and us (GDPR Art. 6.1b)
  • Our legitimate interest to organize and manage participation in events, campaigns, and webinars organized or promoted by us or our business partners (GDPR Art. 6.1f)
  • Your consent (GDPR Art. 6.1a)
  • If we need to process special categories of personal data, we will request your explicit consent for a specific purpose (GDPR Art. 6.1a and 9.2a)

Purpose of processing: Marketing of our services
Processed personal data: Basic information
Legal basis:
  • Our legitimate interest to market our services (GDPR Art. 6.1f)
  • Where required by applicable mandatory law, we will ask for your consent before sending you electronic direct marketing messages

Purpose of processing: Collection of analytics information
Processed personal data: Analytics information
Legal basis:
  • Your consent (GDPR Art. 6.1a)
  • Our legitimate interest to collect analytics information (GDPR Art. 6.1f)

Purpose of processing: Developing and improving the Website and our services
Processed personal data: All categories of personal data in an anonymized form
Legal basis:
  • No legal basis needed as you can no longer be identified based on the data (the data is no longer personal data)
Processed personal data: Basic information; Preferences and settings; Login information; Submitted information; Service information; Analytics information; Event information
Legal basis:
  • Our legitimate interest to develop and improve our services (GDPR Art. 6.1f)
  • If we need to process special categories of personal data, we will request your explicit consent for a specific purpose (GDPR Art. 6.1a and 9.2a)

Purpose of processing: Detecting and preventing unlawful behavior and non-compliance with our terms and conditions; enforcing our legal rights
Processed personal data: Basic information; Preferences and settings; Login information; Submitted information; Service information; Analytics information; Event information; Camera surveillance information
Legal basis:
  • Our legitimate interest to detect and prevent unlawful behavior and non-compliance with our terms and conditions and to enforce our legal rights; our legitimate interest to ensure safety of employees and others at Nightingale Health's premises and to protect assets (GDPR Art. 6.1f)
  • Our legal obligation to detect and prevent unlawful behavior (GDPR Art. 6.1c)


We will only process your personal data on the basis of our legitimate interest where we consider that our legitimate interest is not outweighed or overridden by your rights. You may object to our use of your personal data by contacting us using the details provided in Section 8.

Please note that if you refuse to provide the requested personal data necessary for the provision of our services in the form chosen by you, purchase of services from you, or participation in an event, campaign, or webinar, we may not be able to provide the requested services to you, purchase services from you, or let you participate in the relevant event, campaign, or webinar.

4 To whom do we transfer and share and where do we store your personal data?

We treat your personal data as confidential. Persons we ask to process your personal data are bound by a confidentiality obligation.

We may share your personal data with third parties in the following situations:

  • We may share your personal data within the Nightingale Health group of companies to the extent necessary for the purposes of processing described in Section 3 above.
  • We may share your personal data with external service providers which manage our IT, payment, marketing, analytics, data storage, webshop, asset bank, event, webinar, campaign, visitor management, and customer support systems. We conclude data processing agreements with all service providers which process personal data on our behalf as processors.
  • We may also share your personal data with other third parties when necessary for the purposes described in Section 3 above. If necessary, we will notify you and request your consent.

We may disclose your personal data in the following situations:

  • Based on legislation, we may have either the right or the obligation to disclose your personal data to third parties, such as to judicial and other public authorities.
  • If we are involved in a sale or transfer of business, a merger, a business reorganization, or a similar process, we may transfer your personal data to one or more third parties as part of the transaction.
  • We may also disclose your personal data to the extent necessary to protect our own or a third party's interests.

We primarily store and process your personal data in the geographic region where it has been collected, such as in the European Economic Area (EEA) and the United Kingdom (UK). However, we and our external service providers may also process the personal data outside such geographic region to the extent necessary for the purposes described in this Privacy Policy, and this may include transfers to third countries (countries outside the UK and the EEA that are not subject to a data protection adequacy decision) when necessary. In that case, we will provide adequate and appropriate safeguards in accordance with the Data Protection Laws to ensure sufficient protection for your personal data. For example, as regards personal data of individuals based in the EU or the UK, we either ensure that there is an adequacy decision by the European Commission or an adequacy regulation from the UK government (as applicable) in place regarding the recipient country. Alternatively, we will enter into the standard contractual clauses approved by the European Commission and/or the UK government (as applicable) with the recipient of your personal data. You may request more details about these safeguards by contacting us using the details provided in Section 8.

5 How do we protect and how long do we retain your personal data?

Our internal organization is structured to meet the requirements of our quality management system certified according to EN ISO 13485, our information security management system certified according to ISO/IEC 27001, and the requirements of the Data Protection Laws.

We apply appropriate physical, technical, and administrative safeguards to protect personal data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to personnel processing personal data, and risk management related to planning, implementation, and maintenance of our services. Personal data are processed only by persons who need the personal data to perform their job duties.

Nightingale Health gives notice of camera surveillance at its office premises with appropriate warning signs. Surveillance cameras are located in positions necessary to fulfil the purpose of the camera surveillance.

We retain your personal data in accordance with our internal record retention policies as long as reasonably necessary for the purposes for which they are processed in accordance with applicable laws, including for the purposes of our business relationship with you, performance of a contract we have with you, or any regulatory, accounting or reporting requirements. After the necessary retention period, we will either delete or anonymize all personal data.

6 Your rights as a data subject relating to the processing of your personal data

As a data subject, you have the following rights subject to the restrictions that follow from legislation:

  • Right of access to personal data. You have the right to know whether we process personal data about you and the right to request access to any personal data undergoing processing.
  • Right to rectification and erasure. You have the right to rectify inaccurate personal data about you and, in certain cases, the right to erasure of your personal data, e.g., personal data that is no longer necessary or accurate in relation to the purposes of the processing.
  • Right to restrict processing. You have the right to request that we restrict our processing of your personal data, e.g., if you contest the correctness of the personal data we process or the lawfulness of the processing.
  • Right to object. You may object to the processing of your personal data, on grounds relating to your situation, e.g., if the processing is based on our legitimate interest or the personal data are processed for direct marketing purposes. We will give you the opportunity to opt out of future electronic direct marketing whenever we send you such marketing. You can also opt out at any time by contacting us using the contact details provided in Section 8. If you opt out from receiving our marketing communications, we retain certain limited personal data about you (e.g., name and email address) to ensure that we comply with your request.
  • Right to data portability. Under specific circumstances you have the right to request your personal data to be transferred from one system to another.
  • Withdrawal of consent. Where our processing of your personal data is based on your consent, you can, at any time, withdraw or restrict your consent. The withdrawal or restriction of consent does not affect the lawfulness of the processing carried out prior to the withdrawal or restriction.

You may exercise your rights by contacting us using the contact details provided in Section 8. The requests are always processed on a case-by-case basis. For your protection, we need to verify your identity before fulfilling your request. We will respond as soon as reasonably possible within the times set forth by applicable mandatory law. We reserve the right to deny your request based on applicable law and will inform you if we do so.

In addition, you have a right to lodge a complaint with your local supervisory authority if you consider that the processing of your personal data infringes the Data Protection Laws. Before contacting the supervisory authority, we recommend that you get in contact with us first, so we can consider your complaint. You may also contact us to receive the contact details of your local supervisory authority.

7 Changes to the Privacy Policy

We may revise this Privacy Policy from time to time. Any changes to this Privacy Policy will be posted on this page. We will use reasonable efforts to contact you when we make significant changes.

8 Contact us

If you have any questions, feedback, or complaints about our processing of your personal data, or if you would like to exercise your rights under the Data Protection Laws, please contact us:

  • by email at privacy@nightingalehealth.com; or
  • by post at Data Protection Officer, Nightingale Health Plc, Mannerheimintie 164a, 00300 Helsinki, Finland.