Foundation Health Finland Oy
Customer Register Privacy Notice
Last updated: 14.12.2025
1. Data Controller
Company: Foundation Health Finland Oy
Business ID: 3466230-1
Address: Ratakatu 29 A 4, 00120 Helsinki
2. Name of the Register
Foundation Health Finland Oy’s Customer Register
3. Purpose and Legal Basis for Processing Personal Data
The primary legal basis for processing personal data is the legitimate interest of Foundation Health Finland Oy (Foundation or FHF), which arises from the customer relationship between the customer and Foundation or from other legitimate interactions. Foundation’s legitimate interests include, for example, managing and administering the customer relationship, customer service and related communications, and marketing, including their execution and development.
Additionally, processing personal data may be based on the data subject’s consent or on a contract. When personal data relate to health information and are processed as part of patient care or in connection with healthcare services provided by Foundation, the processing may also be based on applicable social and healthcare legislation. For health data belonging to the data subject, processing is based either on legislation or on the data subject’s consent.
Personal data may be processed for the following purposes:
- Management, provision, development, research, and monitoring of the customer relationship, customer service, related communications, and marketing.
- Analysis, segmentation, and reporting of customer relationships, implementation of loyalty or customer-benefit programs, and other purposes related to managing the overall customer portfolio and developing Foundation’s business.
- Collection and processing of customer feedback and satisfaction data.
- Conducting market research and other surveys and opinion polls.
- Recording calls related to customer service for the purposes of verifying service events, ensuring legal protection and security, and developing staff competence and customer service quality.
- Profiling purposes as described in Section 9 of this Privacy Notice.
- Implementation, development, and maintenance of services and communications.
Where applicable, certain processing tasks may be outsourced to other group companies of Foundation and/or external service providers, in compliance with data protection legislation and within its limits.
4. Categories of Personal Data
The register contains data on individuals who are customers, former customers, or potential customers. The personal data processed may include, among others, the following categories of data about the registered persons:
- Name, given name(s), personal identity number, customer number, gender, language, address, phone number, e-mail address, and other necessary contact information.
- Next of kin, guardian, ward, number and ages of minor children (if applicable), living arrangement, household size.
- Usage and purchase history of services; level and validity period of any active loyalty or customer benefit program; marketing and communication details across different service channels (e.g. web services, automated services), including possible recordings of customer service calls.
- Content provided by the customer themselves (e.g. feedback), and additional information the customer gives related to the customer relationship, such as wishes, satisfaction data, interests, hobbies, or similarly relevant information.
- Information related to possible insurance arrangements, occupational healthcare services and contracts, sports-club or similar affiliations, and related matters.
- Information about services used by the registered person and the related payment details.
- Information about persons who have provided service to the registered person (staff, professionals), including the services, units, and other related details and possible notes or preferences.
- Explicit consents, restrictions, refusals, and other choices given by the data subject.
- Other customer-related data, such as data collected in connection with use of web services, for example IP address, time of visit, visited pages, browser type (e.g. Edge, Safari, Firefox), referring URL, and the server from which the user accessed the website.
- Data necessary for identification and authentication when using services or security services.
- Metadata related to processing: e.g. date of data entry, source of data.
5. Data Retention Period
Foundation retains personal data for as long as the customer relationship between the data subject and FHF is considered to be ongoing. The end date of the relationship is determined on the basis of the data subject’s most recent service contact, using Foundation’s key business metrics (for example, when a monthly-subscription agreement expires).
After termination of the customer relationship, Foundation may continue to retain personal data if there is a specific reason, for example, to enable the establishment, assertion, or defence of legal claims. The retention period may also be influenced by statutory limitation periods applicable to claims under applicable law.
6. Regular Sources of Data
Personal data may be obtained primarily from the following sources:
- The data subject themselves, and events related to their customer relationship, use of services, communications, and other interactions.
- A third party providing services such as identification, verification, address updates, credit-information services, or similar services.
- The Population Information System maintained by the Digital and Population Data Services Agency (or equivalent population registry), or other official systems.
- Data provided by other cooperating partners of Foundation (for example, an insurance company or a sports club), if applicable.
7. Regular Disclosures and Transfers Outside the EU/EEA
Personal data may be disclosed in certain cases to other companies belonging to the same group as Foundation, for the purposes described in Section 4 of this notice.
As a rule, personal data are not disclosed outside Foundation to third parties. If disclosure is necessary, it may be made to third parties on the basis of a contract, explicit consent, or applicable legislation.
Foundation may transfer personal data and outsource processing tasks to other group companies or external service providers who process personal data on behalf of FHF.
Personal data may be transferred to countries outside the European Union or the European Economic Area (e.g., to the United States), in compliance with applicable data protection law and within its constraints.
In such cases, the primary basis for transfer shall be an adequacy decision issued by the European Commission under Article 45 of the General Data Protection Regulation (GDPR), provided the destination country is on the list of countries or territories recognised as offering an adequate level of protection.
8. Principles for Protection of the Register
Foundation employs appropriate technical and organisational safeguards to protect personal data. Any manual records are stored in locked premises accessible only to authorised personnel. Electronic data are accessible only to authorised employees, practitioners or partner-service providers using personal user credentials (user ID and password).
Access privileges are assigned according to different levels, granting each user only those rights strictly necessary for the performance of their duties.
9. Profiling and Automated Decision-Making
As part of processing personal data stored in the Customer Register, Foundation may use profiling techniques. Profiling may involve creating a unique customer identifier and combining various data collected during service use, such as purchase history, website usage, and customer service calls, to build a profile. This profile may then be compared to profiles of other customers for analytical purposes. The purpose of profiling is to assess demand for services and customer behaviour.
Foundation does not use personal data for decisions that are based solely on automated processing (i.e., without human intervention) and that would produce legal effects or similarly significant consequences for the data subject.
10. Right to Object to Processing and Direct Marketing
You have the right, on grounds relating to your particular situation, to object at any time to profiling or other processing of your personal data insofar as such processing is based on Foundation’s legitimate interest. You may also object at any time to processing for the purposes of direct marketing.
You may submit your objection using the contact details provided in Section 12. Foundation will comply with your objection unless otherwise permitted by law.
If you have given explicit consent for direct marketing or profiling, you may withdraw that consent at any time.
11. Other Rights of the Data Subject
11.1 Right of Access
The data subject has the right to obtain from Foundation a confirmation as to whether personal data concerning them are being processed. If such data are processed, the data subject has the right to obtain information about the processing, for example the purposes of the processing and the categories of personal data concerned. Foundation provides this information in its Privacy Notices. The data subject may also contact Foundation as specified in Section 12 of this notice to exercise their rights.
The data subject has the right to request inspection of what personal data regarding them are stored in Foundation’s Customer Register. The inspection request must be submitted as described in Section 12. The right of access may be refused on grounds provided by applicable law. Exercising the right of access is in principle free of charge; however, under certain conditions Foundation may charge a reasonable fee based on administrative costs.
11.2 Right to Rectification, Erasure and Restriction of Processing
If the data subject or user becomes aware that data concerning them are incorrect, unnecessary, incomplete or outdated, they must correct, erase or supplement the data without undue delay. The data subject can also submit a request for rectification to Foundation as described in Section 12.
The data subject has the right to request restriction of processing, for example while awaiting Foundation’s response to a rectification or erasure request.
Under certain conditions, the data subject may request erasure of personal data, for example if processing is based on consent and the data subject withdraws consent, and there is no other lawful basis for processing; or if the data subject objects to processing and there is no overriding legitimate basis for Foundation to continue processing. The request for erasure must be made as described in Section 12.
11.3 Right to Data Portability
To the extent that the personal data processed concern data that the data subject themselves originally provided and the processing is based on the data subject’s consent or on a contract, and the processing is carried out by automated means, the data subject has the right to receive those personal data in a structured, commonly used, and machine-readable format. They also have the right to transmit those data to another controller without hindrance, and where technically feasible, to request direct transfer of the personal data from Foundation to the other controller.
11.4 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or legal remedy, the data subject has the right to lodge a complaint with the competent supervisory authority (in Finland, the Data Protection Ombudsman) if they believe that the processing of their personal data infringes applicable data protection laws. Foundation must inform the data subject about this right and about possible judicial remedies.
11.5 Withdrawal of Consent
Where processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw that consent at any time by notifying Foundation as set out in Section 12. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
12. Contact Information
For matters related to your patient or personal data, you may contact the Data Protection Officer of Foundation Health Finland Oy at privacy@foundation.clinic.
Please note that we can only accept requests from data subjects in writing. Your identity will be verified at an FHF location by means of valid photographic identity documentation. This ensures that personal data are disclosed only to persons entitled to them.
You may also submit a data request via the nearest FHF location, where your identity will be verified in the same manner.
If you wish to submit sensitive personal data by e-mail, please first agree on the mode of transfer with the Data Protection Officer.
12.2. Data Protection Officer
The Data Protection Officer for Foundation Health Finland Oy is Fredrik Sannholm.

