Privacy notice for antibody determinations in fee-based service operations
Privacy notice to inform the data subject
EU General Data Protection Regulation, Articles 12–14
The Finnish Institute for Health and Welfare (THL) processes personal data for the purpose of carrying out its statutory duties. The organization complies with applicable data protection legislation in processing personal data and ensures that data security is at an appropriate level. In this notice, we provide more detailed information on how the organization processes your personal data for the purpose of determining antibody concentrations as a paid service.
1. Data Controllers
Finnish Institute for Health and Welfare (THL)
P.O. Box 30, 00271 Helsinki, Finland
+358 29 524 6000
The above-mentioned organizations decide on and are responsible for the processing of personal data for the purpose described in this notice, i.e., they are the data controllers for this data.
2. Contact Person for Personal Data Processing Matters
Name: Camilla Virta
Telephone number: +358 29 524 8492
Email: camilla.virta(at)thl.fi
The organization's Data Protection Officer's email address is tietosuoja(at)thl.fi
3. Name of the Dataset
Antibody determinations for paid service activities
4. Purpose of Personal Data Processing
We process your personal data for the purpose of determining antibody concentrations as a paid service.
5. Legal Basis for Personal Data Processing
The processing of personal data is always based on applicable legislation. The legal basis for processing in accordance with this notice is:
Compliance with a legal obligation (Article 6(1)(c) of the Data Protection Regulation)
6. Personal Data Processed
Name, personal identity code, sample number from the customer's information system, IgG class antibody concentrations for pneumococcus, Hib, tetanus, or diphtheria according to the research request. For some of the subjects, there is vaccination information and information about underlying diseases related to immunity. Information about the research customer: organization name and address, possibly the treating physician's name.
7. Regular Data Sources
Hospitals, health centers, and private medical clinics.
8. Transfer or Disclosure of Personal Data
The subject's data is disclosed to the laboratory that ordered the test. The data is transferred by mail with a paper test report in a sealed opaque envelope or by secure email (registered letter), whereby the recipient receives a message-specific PIN code to their mobile phone via text message when they open the email.
9. Transfer of Data Outside the EU or EEA
Personal data is not transferred outside the EU or EEA.
10. Profiling and Automated Decision-Making
The Finnish Institute for Health and Welfare (THL) does not engage in automated decision-making based on, among other things, profiling of individuals
11. Retention of Personal Data
The retention periods for personal data are determined in accordance with the Archives Act (831/1994) and the organization's information management plan. Material containing personal data is archived with identifying information after processing is completed.
Archiving location: Serum samples are stored in the laboratory in a lockable cabinet freezer or in the freezer room of sample management facilities. Referrals and paper copies of test reports are stored in a lockable cabinet. Office, laboratory, and sample management facilities have access control. Digital data is located on THL's network drive and in THL's database, which are protected by processing rights, username, and password.
Retention period: five years
12. What Rights Do You Have?
Data protection legislation guarantees you certain rights with which you can ensure the implementation of privacy protection as a fundamental right. If you wish to exercise your right, contact the organization's registry office. In certain cases, your rights may be restricted in certain situations, for example, due to the organization's statutory obligation or if processing takes place for scientific research, statistics, or archiving purposes. If your rights have been restricted, the organization implements appropriate and necessary safeguards required by legislation.
Right to Withdraw Consent
If we process your personal data based on your consent, you have the right to withdraw such consent you have given. Note that, in principle, data processing not related to scientific research is based on legislation and not on your consent.
Right to Access Personal Data
You have the right to know whether the organization processes personal data relating to you. In addition, you have the right to know what personal data relating to you is processed and how it is processed. You also have the right to obtain a copy of your personal data to the extent that providing the copy does not have harmful effects on the rights and freedoms of others or if the organization does not have a legal basis to refuse to disclose the data.
Right to Rectification of Data
In principle, you have the right to rectification of inaccurate or incorrect data.
Right to Erasure of Data
You may have the right to erasure of data from the organization's registers. If data processing is based on the organization's performance of a statutory task or if there is some other legal obligation to retain data, your right to erasure of data is likely to be restricted.
Right to Restriction of Processing
You may have the right to restrict the processing of personal data in cases provided by law. The right to restriction may be relevant, for example, if the personal data concerning you is, in your opinion, incorrect, it is being processed unlawfully, or you have objected to the processing of your data. In this case, we may process your personal data only with your consent, for the establishment, exercise, or defense of legal claims, for reasons of public interest, or to protect the rights of another person.
Right to Object to Personal Data Processing
You may have the right to object to the processing of personal data in cases provided by law. The right to object may be relevant, for example, if the processing involves automated decision-making based on profiling or if data is used for direct marketing purposes.
Right to Lodge a Complaint with the Supervisory Authority
You have the right to submit the legality of the organization's operations to the Data Protection Ombudsman for assessment
Contact details:
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Postal address: P.O. Box 800, 00531 Helsinki, Finland
Telephone: +358 29 56 66700
Fax: +358 29 56 66735
Email: [email protected]