General information
This privacy policy describes how Ovumia Oy (“Ovumia”, “we” or “the controller”) processes personal data of its clients and potential clients. This privacy policy applies to the management of the client relationship, our website at www.ovumia.fi and the appointment booking system, marketing and processing of personal data in relation to all the services we provide.
Ovumia maintains separate privacy policies for patient data and client data. For the processing of patient data, the privacy policy of Ovumia’s patient register can be found here: [link to privacy policy]. The basis for processing patient data is legislation governing the processing of patient data or, in some situations, the patient’s consent.
In all processing of personal data, we comply with the applicable data protection legislation and the instructions of the authorities on the processing of personal data. “Data protection legislation” refers to existing data protection legislation, such as the General Data Protection Regulation of the European Union (2016/679; “GDPR” for short) and the Finnish Data Protection Act (1050/2018).
“Personal data” refers to any information relating to a natural person (“data subject”) from which an individual can be directly or indirectly identified, as further defined in the GDPR. Data protection concepts not defined in this privacy policy will be interpreted in accordance with data protection legislation.
Our services and website may also contain links to external websites and services operated by other organisations. This privacy policy is not applicable to their use, and therefore we ask you to consult their privacy policies separately.
Controller and data protection officer
For patient data and other personal data, Ovumia is the controller of the personal data.
Controller: Ovumia Oy
Business ID: 2320294-0
Address: Biokatu 12, 33520 Tampere
Email address: privacy@ovumia.fi
Contact details of the data protection officer:
privacy@ovumia.fi
Purposes and legal grounds for processing personal data
The purposes (and the legal grounds in brackets) for processing personal data are:
- organisation and provision of health care services (contractual relationship or preparation thereof, legitimate interest)
- concluding, establishing and managing client contracts (contractual relationship or preparation thereof, legitimate interest)
- client service and communication, e.g. service notifications, information on changes to services (contractual relationship, legitimate interest)
- collecting client feedback on services and client satisfaction surveys (legitimate interest, consent)
- marketing, including market research, other marketing promotion and analysis, and the production of statistics and measurement of marketing effectiveness (legitimate interest)
- direct marketing, including electronic direct marketing and telemarketing, as well as the design and measurement of the effectiveness of advertising and marketing and the aggregation and updating of personal data for direct marketing purposes (the controller may use personal data to customise its offerings and provide relevant content; this includes, for example, recommendations or tailored content and tailored advertisements on its own and third-party services) (legitimate interest, consent)
- managing relationships with partners, subcontracting and collaboration with service providers (legitimate interest, contractual relationship or preparation of a contractual relationship)
- analysing, improving and developing business processes and practices (legitimate interest)
- credit checks (legitimate interest)
- invoicing, credit decisions and debt collection (legitimate interest)
- internal reporting and other administrative measures (compliance with legal obligations)
- handling warranty and liability matters and complaints (compliance with legal obligations, legitimate interest)
- handling possible legal and administrative proceedings (legitimate interest)
- use of data analytics to further improve the website, services, marketing, client relations and experience (legitimate interest, consent)
- tracking of user traffic on our website and other services (consent)
- managing and protecting our business and website, including troubleshooting, data analysis, testing and system maintenance (legitimate interest)
- preventing and investigating misuse and ensuring the security of data, persons and property (legitimate interest)
- other statutory obligations (e.g. accounting, tax) and reporting obligations (statutory obligation)
When we process personal data on the basis of legitimate interests, we assess the benefits and potential harm of the processing to the data subject, and we have assessed that the rights and interests of data subjects do not override the legitimate interests. We will provide more information on the processing of personal data based on legitimate interests upon request.
We will send marketing by email or other relevant electronic communication channel if the data subject has given us consent or if we are otherwise entitled to do so under the act on electronic communications services.
Other points to note:
Processing tasks may be outsourced to external service providers in accordance with and within the bounds of data protection legislation.
In connection with the first appointment, Ovumia can check the person’s credit information using the services of Suomen Asiakastieto Oy. We do not store detailed information about a person’s credit history. In the event of any discrepancies, we will make a general entry in our internal register.
Personal data processed
We may process the following personal data:
- Personal data necessary for identification and communication
  - surname and first names
  - date of birth
  - personal identity code
  - gender
  - address
  - telephone number
  - email address
  - occupation
  - other necessary contact details
- Information relating to the treatment of the client
- Next of kin details (if applicable)
- Credit information
- Information about the client’s partner (if applicable) and/or marital status, which is necessary in connection with fertility treatments or other Ovumia-related activities
- Content generated by the data subject, such as client feedback and additional information provided by the data subject, such as client preferences, satisfaction data or similar information
- Services used by the data subject with payment details
- Information about the persons who have dealt with the data subject. Other requests or notes concerning professionals, services, units and other aspects
- Prohibitions, restrictions, consent and other choices
- Necessary information related to the use of identification and verification tools and services
Regular sources of information
We usually collect personal data directly from the data subject, where this person themselves provides their personal data. Personal data may also be collected from, for example, events related to the data subject’s client relationship, use of services, communications and transactions. Personal data may also be collected when a data subject visits our website and uses our other electronic services, subscribes to our newsletter, responds to a client satisfaction survey or otherwise communicates with us.
We also receive personal information from other external sources, such as a third-party provider of identification, verification, credit information service or other similar services, or from registers maintained by public authorities. With the consent of the data subject, we may also receive information from other healthcare providers.
Information provided by Ovumia’s partners may also be added to the register.
When a data subject uses our website or our electronic services, we may automatically collect technical and usage data about the devices used by the data subject and about their browsing behaviour. We collect this information using cookies and other similar technologies. We will only use cookies if the data subject has given their consent to their use, unless they are technical cookies necessary for the functioning of the site.
Automated decision-making and profiling
We do not engage in automated decision-making or profiling that would have legal or similar effects on data subjects in accordance with Article 22 of the GDPR.
Retention of personal data
We will retain personal data for as long as is necessary for the purposes set out in this privacy policy and for as long as is required by law (for example, in relation to accounting or reporting responsibilities and obligations), or if we need the data to prepare, present or defend a claim or to resolve a similar dispute.
After the end of the period of time necessary for the purpose of use, the personal data will be deleted or rendered anonymous within a reasonable period of time, if permitted by the applicable law.
We will provide further information about our personal data retention practices upon request.
Recipients of personal data
Various service providers and other third parties may be used for the processing of personal data, such as providers of technical solutions or server space, client service and marketing service providers, or accounting and financial service providers, in accordance with and within the limits of data protection legislation.
We use partners to which we disclose the necessary information, for example for the analysis of laboratory samples. Such partners generally process personal data as independent controllers.
We ensure that we have agreements with the parties we use to process personal data as required by data protection legislation.
In addition to the above, the controller may disclose personal data for the following purposes:
- to invoice and collect payments for services, and may, for example, transfer or sell unpaid invoices to third parties providing debt collection services
- to partners with which the controller jointly provides services
- the controller may share personal data in the context of an acquisition or other business reorganisation or when the service is transferred to another service provider. The controller may share personal data on the order of a court or similar authority
- to third parties in situations required by law, by a public authority or to investigate misconduct, and to ensure security. In addition, personal data may have to be disclosed in connection with legal or similar proceedings
- where the controller is involved in a merger, acquisition or other business arrangement, personal data may be disclosed to the parties to the arrangement or to persons assisting in it
- for the payment of donor compensation.
Where personal data is disclosed to a third party, i.e. another controller, the privacy policy of that organisation will apply.
Our website and service may set cookies and collect or transfer information to third parties. For information about these third parties and the purposes for which data is collected, please refer to the cookie notice and cookie settings on our website. We will only use non-essential cookies if the data subject has given their consent.
We will provide additional information about the recipients of personal data upon the person’s request.
Transfer of personal data outside the European Economic Area
The controller will endeavour to store personal data within the European Economic Area (EEA) and the European Union (EU), but this is not always possible. Where data is transferred outside the EU or the EEA, the controller will ensure an adequate level of protection of personal data by various means, such as by agreeing on the matters related to the processing of personal data as required by data protection legislation, e.g. standard contractual clauses adopted by the European Commission or on the basis of an adequacy finding by the European Commission.
We will provide further information on transfers of personal data upon request.
Protection of personal data
Data security and the protection of personal data are of the utmost importance to us. We use appropriate technical and organisational safeguards to protect personal data. We also ensure that our systems are fault-tolerant and that data can be recovered.
Access to personal data is limited to specifically authorised parties. Any manual material is kept in a locked facility, accessible only to authorised persons. Those who process personal data have a duty of confidentiality in relation to the processing of personal data. We instruct and train our staff in the secure handling of information systems and personal data.
Rights of data subjects
Under data protection legislation, data subjects have rights to their personal data. However, the application of the rights in each particular situation depends on the purpose and context in which the personal data is used.
- Right of access to personal data. The data subject has the right to obtain confirmation as to whether the data subject’s personal data is being processed, and other information on the processing of personal data in accordance with data protection legislation. The data subject has the right to obtain a copy of their personal data.
- Right to rectification of personal data. Subject to certain limitations, the data subject has the right to request the correction or deletion of inaccurate or incorrect data.
- Right to erasure of personal data. The data subject has the right to request the erasure of their own personal data in accordance with the conditions laid down in data protection legislation. We will delete personal data on request, unless we are required to retain the personal data by law or any other applicable exception under data protection legislation. There is no right to erasure for patient data, because patient data is subject to a legal obligation binding on the healthcare service to retain patient data generated in the course of its activities.
- Right to restriction of processing. The data subject has the right to request the restriction of the processing of personal data in certain circumstances, subject to the conditions set out in data protection legislation.
- The right to transfer personal data. Data subjects have the right to request the transfer of their personal data to another controller. In principle, the right of transfer applies to personal data which the data subject has provided to the controller in a structured and machine-readable form, and the processing of which is based on the data subject’s consent or on a contract, and/or for which the processing is carried out automatically.
- The right to object to processing. The data subject has the right to object to the processing of personal data based on legitimate interests, including profiling, under the conditions set out in data protection legislation. We may refuse a request if the processing is necessary for the purposes of compelling legitimate interests pursued by the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and profiling related to direct marketing.
- The right to withdraw consent. Where the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent to the processing of personal data concerning themselves. Withdrawal of consent has no effect on the processing carried out before the withdrawal.
Exercising rights
We hope that as a data subject, you will be in contact with us if you have any questions about the processing of your personal data.
You can send a request for data subject rights to us by letter or email using the contact details provided in this privacy policy.
The identity of the applicant may be verified before the request is processed. The request will be answered within a reasonable time, and as a rule within one month of the request and verification of identity. If the request cannot be granted, notification of the refusal will be sent separately.
Right to complain to a supervisory authority
The data subject has the right to lodge a complaint with the competent data protection authority if he or she considers that his or her personal data have been processed in breach of the data protection legislation.
Contact details for the Finnish Data Protection Authority can be found here.
Changes to the privacy policy
This privacy policy may need to be amended from time to time. Changes may also be based on changes in data protection legislation. We therefore encourage you to check the privacy policy regularly to keep track of any changes. The latest version is available on our website.
This privacy policy was published on 9 January 2024.