Foundation Health Finland Oy
Privacy Notice for Patient Records
Last updated: 14.12.2025
1. Data Controller
For healthcare services provided by Foundation Health Finland Oy (“Foundation” or “FHF”) in which FHF acts as the data controller, the controller is FHF, or another company in the same group. All such controllers can be reached via Foundation:
Company: Foundation Health Finland Oy
Business ID: 3466230-1
Address: Ratakatu 29 A 4, 00120 Helsinki
For healthcare services provided by an independent practitioner operating within Foundation (or a company on whose behalf the practitioner acts):
Foundation and the independent practitioner act as joint controllers under Article 26 of the EU General Data Protection Regulation (GDPR) when the practitioner uses FHF’s information systems or provides services under FHF’s name, regardless of whether the appointment takes place on Foundation’s premises or remotely. Each party is independently responsible for ensuring that its processing of personal data complies with applicable law.
Foundation is responsible for maintaining and securing the healthcare information systems it employs, ensuring their compliance, and preparing and maintaining the required data-protection documentation covering all processing by practitioners under FHF’s model for services provided at FHF premises.
The independent practitioner is responsible for ensuring that good data-protection and data-security practices are followed in their operations, that patient record entries and the use of patient data are lawful, and that there is always a valid legal basis for any processing.
Foundation serves as the primary contact point for data subjects exercising their rights. Data subjects may exercise their rights against either joint controller. Each joint controller ensures that data-subject rights are properly respected.
2. Purposes of Processing and Legal Basis for Patient Data
When you use services at Foundation, the processing of your patient data is based primarily on the applicable national social- and health-care legislation in force at the time, such as:
- The [Act on the Status and Rights of Patients](http://www.finlex.fi/en/laki/kaannokset/1992/en19920785) (785/1992)
- The Client Data Act (Asiakastietolaki, 703/2023)
- The Patient Documents Decree (Potilasasiakirja-asetus, 94/2022)
- The Secondary Use Act (Toisiolaki, 552/2019)
There are multiple statutory provisions permitting the processing of patient data. For example, under Section 17 of the Customer Data Act, healthcare professionals and assisting personnel providing services must record all necessary and sufficient information for the organisation, planning, implementation, monitoring and supervision of services and patient care. In some cases, processing may also be based on the patient’s consent. In addition to the specific healthcare regulations, processing is also governed by general data-protection laws such as the EU GDPR (2016/679) and the Finnish Data Protection Act (1050/2018).
Patient data are used, in particular, for organising, planning, delivering and monitoring care, for patient administration, and for other purposes permitted by law and based on given consents. Administrative patient documents are stored separately from clinical patient records, as required by law.
Under the Secondary Use Act, patient data may also be used for information management, and with separate permission, for development, innovation, or scientific research.
3. Categories of Personal Data
Processed personal data may include (but are not limited to):
- Patient’s name, personal identity code, contact information
- The patient’s designated next-of-kin, guardian (for a minor), or legal representative
- Information necessary for organising, planning, delivering and monitoring care, including health data generated in examinations or treatment, and relevant background (medical history) data
- Other treatment-related necessary information recorded by nurses, hygienists, dietitians, psychologists, etc.
- Records of any consents or data-sharing permissions and their bases
- Data required for patient identification
- Data relating to customer service events (e.g., appointment bookings, communications)
- Billing and payment data
- Data about healthcare personnel involved in the patient’s care, and the patient’s appointment schedule and care programs stored as a sub-registry of the patient record system
- The patient’s given expressions of will, e.g., whether the patient permits other Foundation practitioners to view records made by a different provider when necessary for care; consents given for data sharing via national services (e.g., Kanta)
- Laboratory, radiology, and cardiac examination results generated in diagnosis/treatment, stored either in the patient registry sub-register, a shared register with a cooperating party, or Foundation’s authorised data repository
- Laboratory data may also be stored separately in the laboratory information system, distinct from the main patient registry
- In addition to the electronic registry, a paper-based basic registry may be maintained when needed; this may include patient consents and refusals regarding data disclosures
3.1 Regular Sources of Data
Personal data are regularly collected from:
- The patient, the patient’s guardian or legal representative, or a significant other
- Healthcare professionals and other healthcare staff
- With the patient’s consent, other healthcare units or professionals, e.g., via the national health-data archive (Kanta)
- Other social and healthcare providers who deliver patient data to FHF for continuation of care
3.2 Use of Patient Data Between Service Providers within Foundation
When you attend a private appointment at Foundation, Foundation and the treating independent practitioner (the “Service Providers”) act as joint controllers. For other services produced at Foundation, FHF may act as the sole data controller.
To provide you with the best possible care, health professionals need access to your health history and any necessary information from your previous visits, even if recorded by other professionals, including at different times. If you prefer, you can limit access to such shared data by giving your data-sharing preferences in the FHF service agreement or via the data-protection consent form at the facility. Additionally, you may request during or after an appointment that the data from that visit be flagged as private, restricting visibility of those records.
Please note that consent to data sharing at Foundation is separate from any data-sharing consent you give in the national Kanta system. Consents given to Foundation do not affect how your data are shared via Kanta. For more information, see: https://www.kanta.fi/potilastietojen-luovutuslupa
3.3 Retention Period
Patient data are retained in accordance with applicable statutory retention periods. Under the Patient Documents Decree (94/2022), patient records are normally stored for 12 years after the patient’s death, or if that is not known, 120 years from the date of birth.
4. Disclosure of Patient Data
Patient data are confidential and protected by professional secrecy obligations.
Patient data may only be disclosed:
- With the patient’s or their legal representative’s consent, or
- Based on legal obligations under applicable law
4.1 Routine Disclosures / Recipient Categories
Patient data may be disclosed only with the data subject’s consent or as required by law. Routine potential recipients include:
- Healthcare authorities who are legally entitled to receive health data for official purposes, for example, the Finnish Institute for Health and Welfare (THL), the Finnish Medicines Agency (Fimea), the Finnish Social and Health Data Permit Authority (Findata), or the Social Insurance Institution of Finland (Kela)
- Another healthcare provider, e.g., for continuation of care, on the basis of consent or statutory allowance
- In cases where the patient lacks capacity (due to dementia, mental illness, disability, unconsciousness etc.) and no legal representative exists, necessary data may be disclosed to another provider for essential care, even without explicit consent, in accordance with statutory confidentiality rules
- The national prescription centre (the Kanta National Archive)
- With the patient’s written consent or a statutory basis, to an insurance company (statutory or voluntary)
- To the patient’s guardian, lawful representative or a close relative if the patient has consented
- If a minor patient has the capacity to decide on their care, they can refuse sharing their health data with the guardian or legal representative
- If the patient is unconscious or otherwise unable to consent and has no legal representative, data may be disclosed to a close relative or other trusted person, provided there is no reason to suspect the patient would refuse
5. Transfers Outside the EU/EEA
We process all patient data primarily within the European Union or European Economic Area (EU/EEA). Personal data may also be transferred outside the EU/EEA (e.g., to the United States), in compliance with data-protection legislation and its limitations. In such cases, the primary legal basis for transfer shall be a Commission adequacy decision under Article 45 of the GDPR. For transfers to countries not covered by adequacy decisions, appropriate safeguards will be implemented.
If data are to be transferred to a non-EEA research institution (e.g., for analysis) you may request, in advance of testing, information about the destination country of the data. Where possible, data destined for non-EEA research institutions will be pseudonymised or anonymised so that individual patients are not identifiable.
5.1 Subcontractors
In our operations, we engage cooperation partners as subcontractors, for example, for diagnostic services. These partners act as processors on behalf of Foundation and process personal data only under Foundation’s instructions, in accordance with relevant agreements. We also use IT-service providers. Personal data may also be transferred between companies belonging to the same group, with one company processing data on behalf of another within the group.
We endeavour to use partners based within the EU/EEA wherever possible.
6. General Principles for Use and Protection of Patient Data
Patient data are subject to statutory confidentiality. Patient data are not disclosed to unauthorized third parties without a lawful basis. Only personnel involved in the patient’s care or otherwise authorized under applicable law may access patient data. The data controller determines organisational access rights, granting access only to those employees who need it to perform their duties and in compliance with statutory requirements.
Paper-based archives are maintained in locked and controlled facilities when used. Access to electronic records requires individual credentials (user ID and password) for authorized personnel. Use of patient data is logged and monitored through logging mechanisms.
7. Rights of the Data Subject
7.1 Right of Access
You have the right to obtain confirmation from Foundation as to whether your personal data are being processed; if they are, you have the right to access the data and obtain information about the processing. You may request this by contacting the controller via the contact details in Section 8 of this notice. Access may be refused only on legal grounds.
7.2 Right to Rectification, Erasure or Restriction of Processing
The controller shall, without undue delay, correct, delete or complete personal data in the patient registry that is inaccurate, unnecessary, incomplete or outdated, either on its own initiative or at the data subject’s request. Requests must be made in writing to the controller as specified in Section 8 of this notice. The identity of the requester will be verified.
Corrections are made so that both original and corrected entries remain traceable. The identity and role of the person making the correction, and the date of correction, must be recorded. If information that is unnecessary for treatment is deleted, a record of the deletion must be kept, indicating who deleted it and when, in accordance with the Patient Documents Decree.
Given that data processing is based on law, deletion is generally not possible. However, for other categories of data (e.g., consent-based data) the data subject may request erasure under certain conditions, e.g., if consent is withdrawn and no other legal basis applies.
The data subject may request restriction of processing while a correction or erasure request is being evaluated. During the restriction period, access to services at Foundation may be suspended. The data subject also has the right to object to processing on grounds relating to their particular situation, for example, for data processing for profiling or for information-management purposes. The data subject must specify the grounds for the objection; Foundation may refuse the request if permitted by law.
7.3 Implementation of Corrections or Processing Restrictions
Requests for correction, erasure or restriction of processing must be submitted in writing and addressed to the controller as per Section 8. Identity verification will be required. If the request is justified, corrections and restrictions will be applied. Records of corrections, along with the identity of the person making the correction and date, will be maintained. Data not required for patient care or statutory record-keeping that are deleted will be recorded as required by law.
7.4 Right to Object to Processing
You have the right to object at any time to processing of your personal data on grounds relating to your particular situation when the legal basis for processing is a task carried out in the public interest (e.g., information management). For instance, you may object to processing for research or statistical purposes. Your objection must be submitted in writing. Foundation may refuse the objection if permitted by law.
7.5 Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with the competent supervisory authority (in Finland, the Office of the Data Protection Ombudsman) if you believe that the controller has not complied with applicable data-protection legislation.
7.6 National Health-Data Repository (Kanta Archive)
Foundation Health Finland Oy joined the national Kanta data archive on 15 April 2025, and patient data generated after that date are stored in Kanta. For data stored in Kanta, both Kela and the healthcare provider (e.g., Foundation) act as joint controllers under applicable legislation. The legal basis for processing is statutory.
For data-management services, consent services, health-data disclosure logs, and the Prescription Centre (including disclosure logs), the controllers include healthcare providers, independent prescribers, pharmacies and Kela, in accordance with data-protection legislation and the relevant operational agreements.
You may exercise your data-subject rights with respect to any of the joint controllers.
7.6 National Health Data Repository (Kanta Archive)
Foundation Health Finland Oy joined the national Kanta archive on 15 April 2025, and patient data generated thereafter are stored in the Kanta archive. Patients must manage these data via the “OmaKanta” (MyKanta) service.
For patient data stored in the Kanta Services, the national Kela and the care provider (for example Foundation) act as **joint controllers**. The legal basis for processing such personal data is legislation.
Kela, together with social and healthcare service providers, acts as joint controller also with respect to the national data management service, the consent service, and the healthcare disclosure log service. The procedures for joint controller relationships, including exercise of data-subject rights and other obligations of the controllers, are defined in the agreement between the parties.
The joint controllers each act as a data controller under the applicable data protection regulation, and are independently responsible for the correctness and lawfulness of the personal data processing they perform under the responsibilities assigned by the Client Data Act and the Medicines Act. The joint controllers are:
- Data management service: Social and healthcare providers and Kela
- Consent service: Social and healthcare providers and Kela
- Disclosure logs for data generated in social and healthcare: Social and healthcare providers and Kela
- Prescription Centre (including the prescription-service disclosure logs): Social and health-care service providers, independent prescribers, pharmacies, and Kela
8. Contact Information
Data subjects have the right to exercise their data protection rights against each of the data controllers separately.
Under the Client Data Act and the Medicines Act, Kela acts as the designated contact point under Article 26 of the GDPR for the data management service, the consent service, healthcare disclosure logs, and the Prescription Centre. As a contact point, Kela is responsible for fulfilling the information obligation required by data protection law in relation to data stored in Kanta. More information is available on Kela’s website: https://www.kanta.fi
For matters relating to your patient data or other personal data held by Foundation, you may contact Foundation’s Data Protection Officer at privacy@foundation.clinic.
Please note that requests concerning personal-data access, correction or log data may only be accepted in writing. Your identity will be verified at one of Foundation’s locations using a valid photographic ID. This ensures that data are only released to persons with a right to access them.
You may also submit a data request via the nearest Foundation premises, where your identity will be verified in the same manner.
Data Protection Officer
The Data Protection Officer for Foundation Health Finland Oy is Fredrik Sannholm.

