Privacy Policy – Research Purposes 

Last updated on 30.9.2025 

 

This Privacy Policy describes how we at Nightingale Health Plc (the “Company”) and our affiliates collect and store personal data for research purposes. 

Personal data refers to any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly. For research purposes we only process anonymized or pseudonymized data, which means that we cannot directly identify the persons whose personal data we are processing without additional information to which we do not have access and which is stored only by the discloser of the data, e.g. a biobank or data permit authority.

 

Controller 

  • The controller responsible for your personal data is Nightingale Health Plc
  • To get in touch with us, please use the following email address: privacy@nightingalehealth.com  

 

What information do we process and for which purposes? 

For research purposes we may process the following data: 

  • Data related to samples from biobanks such as NMR metabolomics data
  • Clinical information
  • Demographic information such as age

The purposes for which we process personal data, and the legal basis for each under the General Data Protection Regulation (“GDPR”) or other applicable national data protection legislation, are:

 

Purpose for processing: For the performance of scientific research projects in accordance with an approved research plan.

Personal data processed:

  • Data related to samples from biobanks
  • Clinical information
  • Demographic information

Legal basis for processing:

  • GDPR Art. 6(1)(e) (public interest) and Data Protection Act Art. 4(3) (scientific research)
  • Special category data: GDPR Art. 9(2)(j) and Data Protection Act Art. 6(1)(7) (the prohibition to process special category data does not apply to scientific research)

   

Disclosures of personal data  

We do not disclose or transfer your personal data to third parties, unless disclosure is required by the law. When processing for research purposes we can be obligated by a contractual arrangement to disclose your personal data to the party from whom we have received the personal data, e.g. a biobank. 

We might also disclose personal data to our processors, who process your personal data under contractual obligations and instructions from us. Our processors are our affiliates and service providers who provide IT services to us. 

 

Transfers of personal data outside of the EU/EEA 

If you are located inside the EU/EEA, we generally do not transfer your personal data outside of the EU/EEA. However, some of our processors may be located outside of the EU/EEA. In these cases, we will ensure that your personal data is subject to an adequate level of protection as required by the applicable data protection legislation.

 

How long we store your personal data  

Your personal data will be stored for the duration of the approved research project and as long as there is a valid data permit in force for the processing of the personal data.   

 

What are your rights and how to exercise them 

Please find below a description of data protection rights. Please note that some of the rights of the data subject are only related to specific legal bases for processing provided for in the GDPR and all the rights cannot be exercised in all situations. You have the right:

  • to access the personal data we process about you and request a copy of the data (right of access);
  • to request that we make corrections to any incorrect or incomplete personal data about you in our records and in some cases, the erasure of your personal data (right to rectification and erasure);
  • to request that we restrict the processing of your personal data only to storage, e.g. if you contest the correctness of the data or the lawfulness of the processing (right to restriction of processing);
  • to object to the processing of your personal data when the processing is based on our legitimate interest (right to object);
  • to receive, when the processing is based on your consent or contract, your personal data you have provided to us in a structured, commonly used, and machine-readable format, and the right to transmit the data to another controller (right to data portability); and
  • not to be subject to a decision based solely on automated processing, including profiling.   

If your request concerns either a biobank’s or a data permit authority’s processing and disclosure of personal data or a biobank or register data project, and if you no longer want your personal data to be processed and disclosed for research purposes, please contact the relevant biobank or data permit authority directly. Where applicable, the relevant party will further instruct us to stop processing your personal data.

To contact us directly, please send an email to: privacy@nightingalehealth.com

If you consider that the processing of your personal data infringes the applicable data protection legislation, you also have the right to lodge a complaint with a supervisory authority (Office of the Data Protection Ombudsman). You can find contact details for the Office of the Data Protection Ombudsman here: https://tietosuoja.fi/en/home.

 

How we protect your personal data 

Our internal organization is structured to meet the requirements of our Quality Management System certified according to EN ISO 13485, our information security management system certified according to ISO/IEC 27001 and the data protection legislation applicable to our operations. We have implemented appropriate technical and organizational measures to secure your personal data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.  

 Our personnel are trained in appropriate information security practices covering necessary security and safety matters, such as ensuring the confidentiality of personal data and preventing exposure of personal data to non-authorized persons. Only authorized employees of the Company (or other companies working on our behalf), who need your personal data to perform their job duties, have access to and the right to process your personal data in our system. Access to the system requires a personal username and password for each user. 

Whenever we process your personal data, we honor and take account of your privacy rights under the applicable data protection legislation. We regularly check our security policies and procedures to ensure our systems and your personal data are secure and protected.

 

Changes to our Privacy Policy

You can always find an up-to-date Privacy Policy with an indication of the possible amendment date on our webpage.