Prepared on 11 January 2024 / ESUR
Approved on 13 January 2024 / MH
Muotosairaala (Helsinki Plastic Surgery & Dermatology Oy) processes the personal and other data of its clients carefully, taking care of its data protection obligations as a responsible operator in the social welfare and healthcare sector. In its operations, Muotosairaala complies with the EU General Data Protection Regulation, special legislation concerning social welfare and healthcare, other valid legislation applicable to Muotosairaala’s operations, and the guidelines issued by authorities. We pay special attention to the careful and secure processing of personal data and follow generally accepted good data protection practices in the field.
Legislation governing the maintenance of the patient register:
- Decree of the Ministry of Social Affairs and Health on Patient Documents (94/2022)
- Act on the Status and Rights of Patients (785/1992)
- Private Health Care Act (152/1990)
- Act on the Electronic Processing of Client Data in Social and Health Care (784/2021)
- Act on Health Care Professionals (559/1994)
- EU General Data Protection Regulation (679/2016)
- Data Protection Act (1050/2018)
1. Data Controller
Helsinki Plastic Surgery & Dermatology Oy (Muotosairaala), Business ID 3297684-1
Mannerheimintie 164a, 00300 Helsinki, phone +358 29 123 1010.
2. Name of the Register
The centralized patient data register of Helsinki Plastic Surgery & Dermatology Oy and its practitioners, or the companies under which the practitioners operate. The patient and client data register of the clinic is centralized in one Dynamic Health patient information system certified and approved by Kela. The system is connected to the national health archive, Kanta.
3. Contact Person for Register Matters
Helsinki Plastic Surgery & Dermatology Oy, Muotosairaala
Mannerheimintie 164a, 00300 Helsinki
Phone +358 29 123 1010
Medical Director Maiju Härmä
4. Purpose of Processing Personal Data in the Patient Register
- Planning, carrying out and archiving examinations and treatment related to the health status and/or illness of a person in a client relationship.
- Planning, statistics, monitoring and evaluation of healthcare operations, as well as scientific research.
- Invoicing and collection.
- The data controller may also use the register for the development of business operations and services, marketing research and measuring client volumes.
5. Data Content of the Register
- The client’s name, personal identity code and contact details, including phone number, address and email address.
- The client’s named next of kin, contact person, guardian of a minor, or legal representative of the client.
- Background information and health data necessary for organizing, planning, carrying out and monitoring the client’s treatment.
- Laboratory and examination data.
- Prescription, referral and statement data.
- Appointment booking and invoicing data.
- Information about the person making the entry.
- Invoicing data concerning products and services.
6. Regular Sources of Data
- The person themselves or the guardian of a minor.
- A healthcare professional, and information, responses and statements generated in connection with examinations and treatment.
- Documents received from other care units with the consent of the person or the guardian of a minor, including data received from the national health archive, Kanta.
7. Regular Disclosures of Data
The Act on the Electronic Processing of Client Data in Social and Health Care (784/2021) obliges the data controller to transfer patient record entries to the Kanta service for archiving. Through the My Kanta service, the person can view their own data and determine which parties may view the registered patient and prescription data through the Kanta service. For more information, see https://www.kanta.fi/.
- Patient data is confidential, and persons participating in the processing of the data are bound by confidentiality and non-disclosure obligations.
- As a rule, patient data is disclosed with the patient’s written permission. Data may also be disclosed to the patient themselves.
- Patient data may be disclosed to authorities based on specific provisions of law: the Parliamentary Ombudsman, the National Supervisory Authority for Welfare and Health, and the Regional State Administrative Agency.
- Notwithstanding confidentiality provisions, the police have the right, upon a justified request, to receive necessary information related to the health status of a licence holder, for example when assessing the validity of a driving licence or firearms licence, if there is reason to suspect that the licence holder no longer meets the requirements for obtaining the licence.
- Patient data may be disclosed to authorities maintaining national healthcare registers for research, planning and statistical purposes: THL, the Finnish Institute for Health and Welfare, including the Care Register for Health Care, Cancer Registry, Register of Visual Impairment and Infectious Diseases Register, and Fimea, including the register of adverse drug reactions.
- Data may be disclosed to an insurance company with the patient’s written consent or based on an express provision of law.
- Data may be disclosed to the patient’s guardian, other legal representative, or next of kin if the patient has given consent to this. However, if a minor patient is capable of deciding on their treatment in view of their age and level of development, they have the right to prohibit the disclosure of information concerning their health status and treatment to their guardian or other legal representative.
- The patient’s electronic prescriptions are stored in the Prescription Centre, for which Kela acts as the data controller. More information is available at kanta.fi.
- In addition, information about the health status of a patient who is being treated due to unconsciousness or another comparable reason may be given to the patient’s next of kin or another person close to them, unless there is reason to assume that the patient would object to this.
- As a rule, data is not disclosed outside the EU or EEA.
8. Protection of the Patient Register and Grounds for Data Processing
- Patient data may only be processed by healthcare professionals participating in the patient’s treatment and their assistants. Data is processed only to the extent required by the procedures.
- Data is processed using a personal username and password or an electronic healthcare certificate issued by the Population Register Centre.
- Any paper-based data, including signed consent or disclosure forms, is scanned into the patient information system as electronic attachments.
- A person has the right to prohibit the recording of their data for joint use. In such a case, both the right to read the patient record and the right to make entries in it belong only to the treating doctor connected to the visit. Invoicing data, appointment booking data and entries concerning examination responses remain visible.
- The person responsible for the company’s register matters determines the access rights to the manual and electronic data in the register according to work duties.
- The system keeps a detailed internal log of data processing, showing by user and by patient which patient data the user has viewed or edited.
9. Right to Inspect and Request Correction of Data
- The patient has the right to inspect their own patient data and log data once a year free of charge.
- The patient has the right to request the correction of incorrect data without delay. The request must include grounds for the correction. Patient data is corrected in the manner required by legislation so that both the correction made and the original entry are visible in the patient data register.
- The request must be submitted in writing to Helsinki Plastic Surgery & Dermatology Oy, Mannerheimintie 164a, 00300 Helsinki.
- The requested data will be provided in writing. The patient’s identity will be verified before the data is disclosed.
All data stored in the patient register of Helsinki Plastic Surgery & Dermatology Oy is confidential, and the data subject does not necessarily need to present a separate, express prohibition on the disclosure of data. The data subject has the right to prohibit the data controller from processing data concerning them for direct marketing, distance selling, market and opinion research, personal directories and genealogical research. The patient/client may withdraw their consent at any time.
10. Storage, Archiving and Destruction of Patient Register Data
All patient data is entered and stored centrally in a maintained electronic patient information system. Patient data is transferred, in accordance with the law, to the national Kanta archive under the Act on the Electronic Processing of Client Data in Social and Health Care (784/2021). Basic information forms printed from the patient information system and signed by data subjects are stored as electronic attachment documents in the patient information system.
11. Register Administration
Helsinki Plastic Surgery & Dermatology Oy is responsible for the centralized maintenance of the register.
The data controller monitors changes in data protection legislation and authority guidelines and reserves the right to update this privacy notice.