This privacy policy describes how Ovumia Oy (“Ovumia”, “we” or “the controller”) processes personal data of its clients and potential clients. This privacy policy applies to the management of the client relationship, our website at www.ovumia.com/en/fi/ and the appointment booking system, marketing and processing of personal data in relation to all the services we provide.
Ovumia maintains separate privacy policies for patient data and client data. For the processing of patient data, the privacy policy of Ovumia’s patient register can be found here: https://ovumia.com/en/fi/patient-register-privacy-policy/. The basis for processing patient data is legislation governing the processing of patient data or, in some situations, the patient’s consent.
In all processing of personal data, we comply with the applicable data protection legislation and the instructions of the authorities on the processing of personal data. “Data protection legislation” refers to existing data protection legislation, such as the General Data Protection Regulation of the European Union (2016/679; “GDPR” for short) and the Finnish Data Protection Act (1050/2018).
“Personal data” refers to any information relating to a natural person (“data subject”) from which an individual can be directly or indirectly identified, as further defined in the GDPR. Data protection concepts not defined in this privacy policy will be interpreted in accordance with data protection legislation.
Our services and website may also contain links to external websites and services operated by other organisations. This privacy policy is not applicable to their use, and therefore we ask you to consult their privacy policies separately.
For patient data and other personal data, Ovumia is the controller of the personal data.
Controller:
Ovumia Oy
Business ID: 2320294-0
Address: Biokatu 12, 33520 Tampere
Email address: privacy@ovumia.fi
Contact details of the data protection officer:
privacy@ovumia.fi
The purposes (and the legal grounds in brackets) for processing personal data are:
organisation and provision of health care services (contractual relationship or preparation thereof, legitimate interest)
concluding, establishing and managing client contracts (contractual relationship or preparation thereof, legitimate interest)
client service and communication, e.g. service notifications, information on changes to services (contractual relationship, legitimate interest)
collecting client feedback on services and client satisfaction surveys (legitimate interest, consent)
marketing, including market research, other marketing promotion and analysis, and the production of statistics and measurement of marketing effectiveness (legitimate interest)
direct marketing, including electronic direct marketing and telemarketing, as well as the design and measurement of the effectiveness of advertising and marketing and the aggregation and updating of personal data for direct marketing purposes (legitimate interest, consent)
managing relationships with partners, subcontracting and collaboration with service providers (legitimate interest, contractual relationship or preparation of a contractual relationship)
analysing, improving and developing business processes and practices (legitimate interest)
credit checks (legitimate interest)
invoicing, credit decisions and debt collection (legitimate interest)
internal reporting and other administrative measures (compliance with legal obligations)
handling warranty and liability matters and complaints (compliance with legal obligations, legitimate interest)
handling possible legal and administrative proceedings (legitimate interest)
use of data analytics to further improve the website, services, marketing, client relations and experience (legitimate interest, consent)
tracking of user traffic on our website and other services (consent)
managing and protecting our business and website, including troubleshooting, data analysis, testing and system maintenance (legitimate interest)
preventing and investigating misuse and ensuring the security of data, persons and property (legitimate interest)
other statutory obligations (e.g. accounting, tax) and reporting obligations (statutory obligation)
When we process personal data on the basis of legitimate interests, we assess the benefits and potential harm of the processing to the data subject, and we have assessed that the rights and interests of data subjects do not override the legitimate interests.
We will send marketing by email or other relevant electronic communication channel if the data subject has given us consent or if we are otherwise entitled to do so under the act on electronic communications services.
Other points to note:
Processing tasks may be outsourced to external service providers in accordance with data protection legislation.
In connection with the first appointment, Ovumia can check the person’s credit information using the services of Suomen Asiakastieto Oy. We do not store detailed information about a person’s credit history.
We may process the following personal data:
Personal data necessary for identification and communication
surname and first names
date of birth
personal identity code
gender
address
telephone number
email address
occupation
other necessary contact details
Other personal data
information relating to the treatment of the client
next of kin details (if applicable)
credit information
information about the client’s partner and/or marital status (if applicable)
content generated by the data subject (e.g. feedback, preferences, satisfaction data)
services used with payment details
information about professionals involved
prohibitions, restrictions, consent and other choices
necessary information related to identification and verification tools
We usually collect personal data directly from the data subject. Personal data may also be collected through the use of services, communications, transactions, website visits, newsletters, surveys or other interactions.
We may also receive personal data from third parties such as identification, verification or credit information service providers, public authorities, healthcare providers (with consent), and partners.
Technical and usage data may be collected using cookies and similar technologies. Non-essential cookies are only used with consent.
We do not engage in automated decision-making or profiling that would have legal or similar effects on data subjects in accordance with Article 22 of the GDPR.
We retain personal data only for as long as necessary for the purposes described in this privacy policy or as required by law.
After the retention period, personal data will be deleted or anonymised if permitted by law.
Further information on retention practices is available upon request.
Personal data may be processed by service providers such as IT, hosting, marketing, accounting or financial service providers.
Personal data may also be disclosed:
for invoicing and debt collection
to partners jointly providing services
in business reorganisations, mergers or acquisitions
to authorities or courts where required by law
for donor compensation payments
Where another controller receives personal data, their privacy policy applies.
Personal data is primarily stored within the EU/EEA. Where transfers outside the EU/EEA occur, appropriate safeguards such as standard contractual clauses or adequacy decisions are used.
Further details are available upon request.
We use appropriate technical and organisational measures to protect personal data. Access is restricted to authorised personnel, and all staff are bound by confidentiality obligations.
Data subjects have the following rights under data protection legislation:
right of access
right to rectification
right to erasure (excluding patient data)
right to restriction of processing
right to data portability
right to object to processing
right to withdraw consent
Requests can be sent by letter or email using the contact details above. Identity may be verified before processing the request. Requests are handled within one month.
Data subjects may lodge a complaint with the Finnish Data Protection Authority if they believe their personal data has been processed unlawfully.
Contact details are available here.
This privacy policy may be updated from time to time. The latest version is always available on our website.
This privacy policy was published on 9 January 2024.
