1. Name of the register
Customer register of the Fimlab mobile application
2. Data controller
Fimlab Laboratoriot Oy
PL 66
33013 Fimlab
3. Contact person in register-related matters and Data Protection Officer appointed by the organisation
Merja Maijala
Data Protection Officer
tel: 03 3117 5259
email: tietosuoja[at]fimlab.fi
4. Purpose of and legal basis for processing personal data
The basis for the processing of data stored in the customer register is either the customer’s explicit consent or the implementation of an agreement between the data subject and Fimlab.
The data controller uses the logical register for the following purposes:
- Maintenance of customer relationships, informing customers of Fimlab’s operations and reminding customers of the data controller’s services
- Processing customer feedback and surveying customer satisfaction
- Compilation of statistics, reporting, planning and monitoring, invoicing and debt collection, and other tasks necessary for the enforcement of the rights and obligations of the data controller
- Development and production of the data controller’s own organisation and its services, processes and products
- Relaying of laboratory examination results to the customer
The customer register of the Fimlab mobile application is part of the logical Fimlab customer register.
5. Data content of the register
The following customer data may be collected about the data subject:
- Name and social security number
- Telephone number
- Application download ID
- Possible contact history
- Possible customer relationship maintenance history
6. Regular sources of data
Regular sources of data consist of data provided by the customers themselves and generated in connection with services used.
7. Recipients of data
In principle, the data stored in the register are not disclosed to third parties. Where required under mandatory legislation, data may be disclosed to authorities based on individualised requests. The data controller may use subcontractors in the processing of personal data in the register.
8. Transfer of data outside the EU or EEA
In principle, personal data in the register are not transferred outside the EU or EEA.
9. Retention period
The data collected in the register are stored only for as long as and to the extent it is necessary for the original or appropriate purpose for which the personal data were collected. Personal data stored in the register are erased when the legal basis for their processing ceases to apply.
10. Principles of protection
Appropriate technical and organisational measures have been taken to ensure the information security of the register and the confidentiality, integrity and accessibility of the personal data collected.
Manual material is stored in an archive and in laboratory facilities controlled with access control and/or a locking system. Electronic material is protected securely so that it can only be accessed from the organisation’s intranet. The access rights to the organisation’s information systems and files are based on personal access rights, the use of which is controlled. All persons processing personal data are obligated to maintain secrecy.
Databases are maintained by the computer service provider. Fimlab Laboratoriot Oy’s guidelines on data security and data privacy are observed in the retention of data. Fimlab enforces adequate contractual obligations to ensure that its subcontractors are committed to processing personal data in an appropriate and legal manner.
11. Right to access and rectify data (Articles 15 and 16)
The data subject shall have the right to know which of their personal data have been stored in the register. The request to access data or have data rectified is submitted by sending a written request to the Data Protection Officer (tietosuoja@fimlab.fi). After submitting their request, the data subject must identify themselves at the data controller’s service point in order to verify the identity of the applicant in accordance with the data controller’s instructions or, alternatively, the data controller may require the data subject to provide any necessary additional information to verify the applicant’s identity due to the sensitivity of the data requested.
12. Right to erasure (Article 17)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay if
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws their consent on which the processing is based, and where there is no other legal ground for the processing;
- the data have been collected from a minor;
- the personal data have been unlawfully processed; or
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
The request to have data erased is submitted by sending a written request to the Data Protection Officer (tietosuoja@fimlab.fi). After submitting their request, the data subject must identify themselves at the data controller’s service point in order to verify the identity of the applicant in accordance with the data controller’s instructions or, alternatively, the data controller may require the data subject to provide any necessary additional information to verify the applicant’s identity due to the sensitivity of the data requested.
Despite the request to have data erased, the data controller may be entitled to continue processing the personal data stored in the register based on a legal reason under Article 17(3) of the General Data Protection Regulation.
13. Right to restriction of processing (Article 18)
Insofar as mandatory legislation does not prevent or restrict the restriction of processing of data, the data subject shall have the right to obtain from the controller restriction of processing if
- the accuracy of the personal data is contested by the data subject;
- the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims.
The request to restrict the processing of data is submitted by sending a written request to the Data Protection Officer (tietosuoja@fimlab.fi). After submitting their request, the data subject must identify themselves at the data controller’s service point in order to verify the identity of the applicant in accordance with the data controller’s instructions or, alternatively, the data controller may require the data subject to provide any necessary additional information to verify the applicant’s identity due to the sensitivity of the data requested.
14. Right to withdraw consent (Article 7)
The data subject shall have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
15. Right to data portability (Article 20)
The data subject shall have the right to receive the personal data concerning them, which they have provided to the data controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller, if possible. This right shall apply to personal data which have been processed automatically and based on consent or for the purpose of implementing an agreement. After submitting their request, the data subject must identify themselves at the data controller’s service point in order to verify the identity of the applicant in accordance with the data controller’s instructions or, alternatively, the data controller may require the data subject to provide any necessary additional information to verify the applicant’s identity due to the sensitivity of the data requested.
16. Right to lodge a complaint with a supervisory authority (Article 77)
The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the General Data Protection Regulation.