Privacy Notice for Personal Data

Foundation Health Finland Oy Privacy Notice for Personal Data

Last updated: 14.12.2025

Foundation Health Finland Oy (“Foundation” or “FHF”) processes the personal data of its customers responsibly and in accordance with data-protection legislation. We comply with the EU General Data Protection Regulation (GDPR), the specific legislation governing social and healthcare services, and the guidance issued by supervisory authorities. We are committed to the careful and secure processing of personal data and to continuously developing industry best practices.

This document provides a summary of the processing of various categories of personal data.

1. Data Controller

Foundation Health Finland Oy, other companies belonging to the same group, and independent practitioners.

1.1 Appointments in Private Practice

Foundation and independent practitioners act as joint controllers within the meaning of Article 26 of the EU General Data Protection Regulation (GDPR) when the practitioner uses Foundation’s information systems or provides services under the name of Foundation, regardless of whether the appointment takes place on Foundation’s premises or remotely. Each party is responsible, with respect to its own activities, for ensuring that the processing of personal data is carried out in compliance with applicable legislation, including the lawful preparation of patient records and the lawful use of patient data, and that all processing activities have a valid legal basis.

Foundation serves as the primary point of contact for data subjects in matters related to the exercise of data-subject rights. However, data subjects may exercise their rights in relation to either joint controller.

2. Purposes of Processing and Legal Bases

Within Foundation’s operations, the primary personal data processed is healthcare customer data (patient and customer data). In addition, other personal data related to service interactions may be processed.

Patient data are processed principally for the provision, organisation, planning, monitoring, and delivery of care, as well as for other purposes defined in the legislation governing patient records and patient data. Patient data may also be used, in accordance with applicable data-protection legislation, for purposes such as information management, service development, monitoring, statistical analysis, and research. The primary legal basis for the processing of patient data is the legislation governing patient data; in some cases, processing may also be based on the patient’s consent.

Customer data that do not relate to the customer’s state of health are processed for purposes such as managing the customer relationship, customer service, customer satisfaction, monitoring, and service development. The primary legal basis for processing such customer data is the contractual relationship between Foundation and the customer or Foundation’s legitimate interest. Where such data are processed together with patient data, the processing is primarily based on applicable legislation.

Further information on the processing of customer data is available in Foundation’s Privacy Notice for the Customer Register.

Some of our facilities use recording CCTV surveillance, the purpose of which includes ensuring customer, patient, and staff safety. Surveillance is used exclusively to monitor the entrance areas of the premises and is not used in consultation rooms. Footage captured through CCTV is retained for a maximum of 30 days. Areas subject to recording surveillance are visibly marked. A more detailed facility-specific description is available at each unit using recording CCTV.

3. Retention Periods

Patient data for which Foundation acts as the data controller are retained in accordance with the Patient Records Decree issued by the Ministry of Social Affairs and Health (STM), primarily for at least 12 years after the patient’s death or 120 years from the patient’s birth.

With respect to customer data other than patient data, we retain personal data in the Customer Register generally for as long as a customer relationship exists between the data subject and Foundation.

Data recorded through CCTV surveillance is retained for a maximum of 30 days.

4. Categories of Personal Data

Further information on the categories of personal data processed can be found in the Foundation Privacy Notices mentioned in the Foundation Subscription Agreement.

5. Security and Location of Processing

At Foundation, we use a wide range of organisational and technical measures to ensure the security of personal data processing. Typical safeguards include, for example, access management, strong authentication, physical and environmental security arrangements for facilities and IT systems, and modern firewall and encryption technologies. We instruct and train our staff in the secure use of information systems and the secure handling of personal data. We continuously monitor and develop the security of our information systems. The safeguards applied at any given time vary according to assessed needs.

We primarily process personal data within the EU/EEA. Personal data may also be transferred outside the EU/EEA. More detailed information is available in the Privacy Notices mentioned above.

6. Categories of Recipients

6.1 Use of Personal Data Among Service Providers Operating within Foundation

When you receive services at Foundation, the processing of your patient data is primarily based on the national social and healthcare legislation in effect at any given time. In order for the healthcare professionals treating you to provide appropriate care, they require information about your state of health as well as essential information from your previous appointments, including entries made by other professionals.

You may, however, influence whether the healthcare professionals treating you may access information recorded by other professionals operating within Foundation by providing your preferences regarding the use of your data in our service agreement or via the data-protection form available at our premises. Further information is available in the Privacy Notice for Patient Records.

6.2 Transfers of Data to Cooperation Partners

In our operations, we use cooperation partners to whom we transfer necessary information for purposes such as the analysis of laboratory samples. We also use subcontractors in connection with healthcare information systems and diagnostics. Such cooperation partners process personal data on behalf of Foundation as processors, in accordance with Foundation’s instructions and applicable agreements.

6.3 Disclosures of Data Outside Foundation

Patient data are sensitive personal data and are processed confidentially. Patient data may only be disclosed to third parties with your consent or on the basis of legislation.

Statutory disclosures include, for example, transfers to the Social Insurance Institution of Finland (Kela) for the national prescription service, to the Finnish Institute for Health and Welfare (THL), and to insurance companies for statutory and voluntary insurance matters. In addition, data may be disclosed for research purposes and for development and innovation activities in accordance with the legislation governing patient data.

We disclose patient data outside of Foundation to other healthcare service providers either on the basis of applicable legislation or on the basis of your explicit consent. You may manage the disclosure of your data between different healthcare service providers by granting or restricting disclosure permissions in the Kanta service. Further information is available at www.kanta.fi.

7. Your Rights Concerning Your Personal Data

7.1 Access to Your Own Data

The data subject has the right to obtain confirmation from Foundation as to whether personal data concerning them are being processed or not. If their personal data are being processed, the data subject has the right to receive information about the processing, including the purposes of the processing and the categories of personal data concerned. Foundation provides information about the processing of personal data in its Privacy Notices. The data subject may also contact Foundation regarding personal-data processing in the manner described in the relevant Privacy Notices.

As our customer, you have the right to access your patient data and other personal data concerning you. To exercise this right, please first contact Foundation’s Data Protection Officer at privacy@foundation.clinic.

7.2 Access to Log Data

The customer has the right to access the log data relating to the processing of their patient data. Access to the log data is free of charge once per year. The log data indicate who has accessed the data, the time of access, and the reason for the access. To request access, please contact Foundation’s Data Protection Officer at privacy@foundation.clinic.

With respect to the national Patient Data Repository (Kanta), log data may also be viewed via the kanta.fi online service.

7.3 Request an Investigation or Report a Suspected Breach

If you suspect any misuse of your patient data, you may request an investigation by submitting a free-form written request for clarification. The request must include your personal identity code and the date or other event to which the request relates. When you order log data, you will receive instructions on how to submit a request for clarification together with the log data. To begin, please contact Foundation’s Data Protection Officer at privacy@foundation.clinic.

7.4 Rectification of Incorrect Data

The customer has the right to request the rectification of incorrect personal data by contacting the company’s Data Protection Officer. For patient data, any correction is made in such a way that the original entry remains traceable if necessary.

If the data subject contests the accuracy of the personal data, they have the right to request the restriction of processing while the matter is being verified. In such cases, other interactions with Foundation are suspended for the duration of the restriction.

7.5 Right to Erasure (“Right to be Forgotten”)

Under the GDPR, the data subject has the right to request deletion of personal data concerning them (the “right to be forgotten”). This right applies to personal data processed on the basis of the data subject’s consent or on legitimate interest (for example, arising from a customer relationship).

In the case of patient data, this right to erasure does not generally apply, because patient records are subject to statutory obligations requiring retention of records generated in the course of healthcare activities.

7.6 Right to Object or Restrict Processing

The data subject has the right to object to processing of their personal data insofar as processing is based on the controller’s legitimate interest (e.g. related to the customer relationship).

In the case of patient data, processing cannot be discontinued if there is a statutory obligation to process and store patient records. However, the data subject has the right to object to the use of patient data for secondary purposes such as data-driven management (“data-driven care”), scientific research, or statistical purposes based on their personal situation. The data subject also has the right to request restriction of processing, for example while a request for correction or deletion is being considered.

The data subject also has the right to oppose the use of their personal data for direct marketing; in that case, their data will not be used for direct marketing.

7.7 Right to Data Portability

As a general rule, the right to transfer personal data from one system to another does not apply to patient data.

The data subject has the right to data portability (to have their data transferred from one controller to another) only when the processing is based on the data subject’s consent or on a contract.

7.8 Right to Lodge a Complaint with the Data Protection Authority

If the data subject believes that Foundation has violated data protection law or has issued an incorrect decision, the data subject has the right to file a complaint with the supervisory authority (in Finland: the Office of the Data Protection Ombudsman). Instructions for this complaint procedure are available on the supervisory authority’s website.

8. Contact Details

For matters related to your patient data or other personal data, you may contact Foundation’s Data Protection Officer at privacy@foundation.clinic.

Please note that requests concerning the ordering of, correction of, or access to log data can only be accepted in writing. Your identity must be verified at a Foundation location with a valid photo ID. This ensures that information is disclosed only to individuals who are legally entitled to receive it.

You may also submit your data request through the nearest Foundation premises, where your identity will be verified with a photo ID. Please contact your primary treating physician first, as our premises are generally open by appointment only.

If you wish to send sensitive information by email, please contact the company’s Data Protection Officer in advance.

8.1 Data Protection Officer

FHF’s Data Protection Officer is: Fredrik Sannholm.