Merikratos Information Documents
- Information Document for Social and Health Care Services
- Information Document for the Marketing Register
- Information Document for the Subscriber/Customer Register
- Information Document for the Recruitment Register
- Information Document for Event Registers
- Information Document for the Whistleblowing Channel
1. INFORMATION DOCUMENT FOR SOCIAL AND HEALTH CARE SERVICES
Updated 28 September 2023
1.1 Controller and Data Protection Contact
Merikratos Oy (Business ID 2530437-7)
Köydenpunojankatu 9 B
20100 Turku, Finland
Mikko Niemelä (Data Protection Officer)
+358 40 587 7670
mikko.niemela@merikratos.fi
In situations where a municipality or joint municipal authority is responsible for providing the service, it also acts as the controller. In such cases, Merikratos acts as the processor, following the legislation and the instructions given by the controller. In other situations, Merikratos acts as the controller and is responsible for fulfilling the obligations associated with that role.
1.2 Purpose of Processing, Data Content of the Register, and Regular Sources of Data
Patient data is processed primarily for care, care planning, and other purposes laid down in legislation governing patient records. Social welfare client data is processed for planning, implementing, and assessing the client’s care and for other purposes laid down in social welfare legislation. In addition, data in the registers may be used for service development, monitoring, statistics, and research in accordance with data protection regulation.
The legal basis for processing is, depending on the situation, legislation, the client’s consent, or the service provider’s legitimate interest (GDPR Article 6(1)(a), (c), and (f)). The register contains the client’s name, personal identity code, contact details, and information necessary for the purposes described above. Data is obtained or has been obtained from:
- the client or their representative;
- Merikratos Oy’s frontline staff as entries made during the client relationship;
- the referrer with the client’s consent;
- the referrer or a third party under Section 17 of the Act on the Status and Rights of Social Welfare Clients or Section 26(3) of the Act on the Openness of Government Activities (information necessary for the performance of the task).
1.3 Regular Disclosures and Transfers Outside the EU/EEA
Data is not disclosed outside the European Union or the European Economic Area.
For services paid by third parties (e.g., Kela, insurance companies, hospital districts), Merikratos Oy discloses the information required by them regarding the client relationship, in compliance with current law. When Merikratos acts as a processor, it discloses data to the municipality or joint municipal authority acting as the controller. After the assignment ends, all material is delivered to the client (the commissioning party) and the data is deleted from Merikratos’ systems. In addition, Merikratos Oy discloses data to third parties in situations where legislation requires it notwithstanding confidentiality provisions.
1.4 Retention Period
Patient records are retained as required by the Decree of the Ministry of Social Affairs and Health on patient records. As a rule, data is retained at least 12 years from the patient’s death or 120 years from the patient’s birth. For social welfare services, Merikratos Oy acts as a processor. Retention periods for such data are specified in the information documents of the municipalities or joint municipal authorities acting as controllers.
1.5 Rights of the Data Subject
The client has the right to access their personal data, to rectify inaccurate data for the purposes of processing, and in certain situations to have data erased, to restrict or object to processing, and to have data transferred from one system to another. Necessary notes will be made in the register regarding the exercise of these rights. When data is rectified, both the incorrect and the corrected entry are retained, and the document is marked with the name, job title, and date of the person making the correction as well as the grounds for the correction. If processing is based on the client’s consent, the client has the right to withdraw their consent at any time.
Matters concerning the exercise of rights can be initiated by sending a signed request to the Data Protection Officer (contact details in Section 1.1). The requested measures may be refused on grounds laid down by law. If the request is refused, the client has the right to bring the matter before the Office of the Data Protection Ombudsman. The data subject also has the right to lodge a complaint with the competent supervisory authority if they consider that the controller has not complied with applicable data protection regulation (tietosuoja.fi).
As a processor, Merikratos Oy does not have the right to decide on measures based on the data subject’s request; in such cases, contact must be made with the municipality or joint municipal authority acting as the controller.
2. INFORMATION DOCUMENT FOR THE MARKETING REGISTER
Updated 28 September 2023
2.1 Controller and Data Protection Contact
Merikratos Oy (Business ID 2530437-7)
Köydenpunojankatu 9 B
20100 Turku, Finland
Mikko Niemelä (Data Protection Officer)
+358 40 587 7670
mikko.niemela@merikratos.fi
2.2 Purpose of Processing, Data Content, Regular Sources, and Retention
Personal data is processed to market new products and services and to facilitate other communications with current and potential organisational clients. The legal bases are the data subject’s consent and the controller’s legitimate interest (GDPR Article 6(1)(a) and (f)).
Data stored in the register includes the person’s name, position, company/organisation, phone number, email address, and street and postal address. Data is retained until further notice. The register is updated as information is found to be outdated. Data is collected from public sources such as websites and, in some cases, directly from the data subjects.
2.3 Regular Disclosures and Transfers Outside the EU/EEA
Data is not transferred outside the European Union or the European Economic Area, nor otherwise disclosed to third parties.
2.4 Rights of the Data Subject
The data subject has the right to access their personal data, to rectify inaccurate data for the purposes of processing, and in certain situations to have data erased, to restrict or object to processing, and to have data transferred from one system to another. Necessary notes will be made in the register regarding the exercise of these rights. When data is rectified, both the incorrect and the corrected entry are retained, and the document is marked with the name, job title, and date of the person making the correction as well as the grounds for the correction. If processing is based on consent, the customer may withdraw consent at any time.
Matters concerning the exercise of rights can be initiated by sending a signed request to the Data Protection Officer (contact details in Section 2.1). The requested measures may be refused on grounds laid down by law. If the request is refused, the customer has the right to bring the matter before the Office of the Data Protection Ombudsman. The data subject also has the right to lodge a complaint with the competent supervisory authority if they consider that the controller has not complied with applicable data protection regulation (tietosuoja.fi).
3. INFORMATION DOCUMENT FOR THE SUBSCRIBER/CUSTOMER REGISTER
Updated 28 September 2023
3.1 Controller and Data Protection Contact
Merikratos Oy (Business ID 2530437-7)
Köydenpunojankatu 9 B
20100 Turku, Finland
Mikko Niemelä (Data Protection Officer)
+358 40 587 7670
mikko.niemela@merikratos.fi
3.2 Purpose of Processing, Data Content, Regular Sources, and Retention
Personal data is processed to enable invoicing and to facilitate communication with customers. The legal bases are the customer’s consent and the controller’s legitimate interest (GDPR Article 6(1)(a) and (f)).
For organisational customers, the register contains the subscriber’s contact person’s name, position, company/organisation, contact details (phone number, email address, address), services ordered, changes to orders, invoicing details, and any other information related to the customer relationship. For private individuals, equivalent information is recorded as applicable. Personal data is deleted when no longer needed. Invoices and the information contained therein are retained for accounting purposes for at least six years after the end of the financial year.
Data stored in the register is typically obtained from the customer themselves. In addition, contact details of company and other organisational representatives may be collected from public sources such as websites.
3.3 Regular Disclosures and Transfers Outside the EU/EEA
Data is not transferred outside the European Union or the European Economic Area, nor otherwise disclosed to third parties.
3.4 Rights of the Data Subject
The data subject has the right to access their personal data, to rectify inaccurate data for the purposes of processing, and in certain situations to have data erased, to restrict or object to processing, and to have data transferred from one system to another. Necessary notes will be made in the register regarding the exercise of these rights. When data is rectified, both the incorrect and the corrected entry are retained, and the document is marked with the name, job title, and date of the person making the correction as well as the grounds for the correction. If processing is based on consent, the customer may withdraw consent at any time.
Matters concerning the exercise of rights can be initiated by sending a signed request to the Data Protection Officer (contact details in Section 3.1). The requested measures may be refused on grounds laid down by law. If the request is refused, the customer has the right to bring the matter before the Office of the Data Protection Ombudsman. The data subject also has the right to lodge a complaint with the competent supervisory authority if they consider that the controller has not complied with applicable data protection regulation (tietosuoja.fi).
4. INFORMATION DOCUMENT FOR THE RECRUITMENT REGISTER
Updated 28 September 2023
4.1 Controller and Data Protection Contact
Merikratos Oy (Business ID 2530437-7)
Köydenpunojankatu 9 B
20100 Turku, Finland
Sanna Varjonen (HR Manager)
+358 40 661 0925
sanna.varjonen@merikratos.fi
4.2 Purpose of Processing, Data Content, Regular Sources, and Retention
Personal data is collected and processed for recruitment purposes. The legal basis is the data subject’s consent (GDPR Article 6(1)(a)). The register contains the applicant’s name, contact details, education and employment history, information describing the applicant’s skills and experience, job preferences, and any other information voluntarily provided by the applicant. Most information is obtained from the applicant. Additionally, data is generated from personality and aptitude assessments and, with the applicant’s consent, from referees named by the applicant. Data is deleted within six months of the end of the recruitment process, and in the case of open applications, six months from receipt.
4.3 Regular Disclosures and Transfers Outside the EU/EEA
Data is not transferred outside the European Union or the European Economic Area, nor otherwise disclosed to third parties.
4.4 Rights of the Data Subject
The data subject has the right to access their personal data, to rectify inaccurate data for the purposes of processing, and in certain situations to have data erased, to restrict or object to processing, and to have data transferred from one system to another. Necessary notes will be made in the register regarding the exercise of these rights. When data is rectified, both the incorrect and the corrected entry are retained, and the document is marked with the name, job title, and date of the person making the correction as well as the grounds for the correction. If processing is based on consent, the customer may withdraw consent at any time.
Matters concerning the exercise of rights can be initiated by sending a signed request to the Data Protection Officer (contact details in Section 5.1). The requested measures may be refused on grounds laid down by law. If the request is refused, the customer has the right to bring the matter before the Office of the Data Protection Ombudsman. The data subject also has the right to lodge a complaint with the competent supervisory authority if they consider that the controller has not complied with applicable data protection regulation (tietosuoja.fi).
5. INFORMATION DOCUMENT FOR EVENT REGISTERS
Updated 28 September 2023
5.1 Controller and Data Protection Contact
Merikratos Oy (Business ID 2530437-7)
Köydenpunojankatu 9 B
20100 Turku, Finland
Mikko Niemelä (Data Protection Officer)
+358 40 587 7670
mikko.niemela@merikratos.fi
5.2 Purpose of Processing, Data Content, Regular Sources, and Retention
For the purposes of organising events, Merikratos Oy may collect personal data such as names, email addresses, and dietary information. The legal basis is the data subject’s consent (GDPR Article 6(1)(a)). The controller receives the data from the customer themselves or their representative. Data is deleted after the event.
5.3 Regular Disclosures and Transfers Outside the EU/EEA
Data is not transferred outside the European Union or the European Economic Area, nor otherwise disclosed to third parties.
5.4 Rights of the Data Subject
The data subject has the right to access their personal data, to rectify inaccurate data for the purposes of processing, and in certain situations to have data erased, to restrict or object to processing, and to have data transferred from one system to another. Necessary notes will be made in the register regarding the exercise of these rights. When data is rectified, both the incorrect and the corrected entry are retained, and the document is marked with the name, job title, and date of the person making the correction as well as the grounds for the correction. If processing is based on consent, the customer may withdraw consent at any time.
Matters concerning the exercise of rights can be initiated by sending a signed request to the Data Protection Officer (contact details in Section 5.1). The requested measures may be refused on grounds laid down by law. If the request is refused, the customer has the right to bring the matter before the Office of the Data Protection Ombudsman. The data subject also has the right to lodge a complaint with the competent supervisory authority if they consider that the controller has not complied with applicable data protection regulation (tietosuoja.fi).
6. INFORMATION DOCUMENT FOR THE WHISTLEBLOWING CHANNEL
Updated 28 September 2023
6.1 Controller and Data Protection Contact
Merikratos Oy (Business ID 2530437-7)
Köydenpunojankatu 9 B
20100 Turku, Finland
Mikko Niemelä (Data Protection Officer)
+358 40 587 7670
mikko.niemela@merikratos.fi
6.2 Purpose of Processing, Data Content, Regular Sources, and Retention
Merikratos Oy collects the whistleblower’s name and possibly phone number to fulfil its duty to respond as set out in the Whistleblower Protection Act. The legal basis is the data subject’s consent (GDPR Article 6(1)(a)). The controller receives the data as provided by the customer. Personal data is erased immediately when no longer needed. The content of the report is deleted no later than five years after submission unless a longer retention period is required by law.
6.3 Regular Disclosures and Transfers Outside the EU/EEA
Data is not transferred outside the European Union or the European Economic Area, nor otherwise disclosed to third parties.
6.4 Rights of the Data Subject
The customer has the right to access their personal data, to rectify inaccurate data for the purposes of processing, and in certain situations to have data erased, to restrict or object to processing, and to have data transferred from one system to another. Necessary notes will be made in the register regarding the exercise of these rights. When data is rectified, both the incorrect and the corrected entry are retained, and the document is marked with the name, job title, and date of the person making the correction as well as the grounds for the correction. If processing is based on consent, the customer may withdraw consent at any time.
Matters concerning the exercise of rights can be initiated by sending a signed request to the Data Protection Officer (contact details in Section 6.1). The requested measures may be refused on grounds laid down by law. If the request is refused, the customer has the right to bring the matter before the Office of the Data Protection Ombudsman. The data subject also has the right to lodge a complaint with the competent supervisory authority if they consider that the controller has not complied with applicable data protection regulation (tietosuoja.fi).
