Puhti data protection

Privacy Statement

This is an English translation of the original Finnish version, valid as of 22 December 2023, available here.

In this data privacy statement, we describe how your personal data is processed in connection with Puhti’s services.

1. Controller and contact information

Puhti Lab Oy

In the marketing of the service and later on this page, the company is referred to by the brand name Puhti.

Customer service

Email: asiakaspalvelu@puhti.fi

Telephone number: +358 (0)10 338 7049 (Mon-Fri, 9 a.m. to 4 p.m.)

Postal address: Pohjoinen Hesperiankatu 17c, 00260 Helsinki

2. What data do we collect?

Puhti collects data that is necessary for the customer relationship between you and Puhti and for the purposes for which the data is used. Puhti collects the following categories of personal data:

Health data:

  • Results of laboratory tests
  • Other health and wellness data provided by the customer, such as satisfaction data
  • Customer service chat recordings and phone call recordings that reveal health or wellness-related data
  • Information about your use of our services, such as ordered tests and other order details that reveal health or wellness-related data
  • Communications – for example, survey responses and other feedback and messages sent to us that reveal health or wellness-related data
  • Payment method and transaction details – for example, information required for billing and payment

Other personal data:

  • Basic and contact information (e.g., name, personal identification number, address, phone number, email address)
  • Permission information – such as marketing consents
  • Online behavior data – such as login details, other data obtained from your use of our services, including offline behavior, data collected by cookies on websites
  • Information related to the data processing device – such as IP address, cookie data
  • Customer service chat recordings and phone call recordings that do not reveal health or wellness-related data
  • Communications – for example, survey responses and other feedback and messages sent to us that do not reveal health or wellness-related data
  • Data about your use of our services that does not reveal health or wellness-related data

3. What sources do we obtain personal data from?

The personal data processed includes information obtained from you during the ordering process, upon joining the service, or during the customer relationship.

The data also includes the results of tests acquired through Puhti and produced by the laboratory.

We also receive tracking information on how you use our website and services. Puhti may also process derived data, which is derived or inferred from the information received. Our service is also connected to parties providing identification, authentication, credit information, payment processing, or similar services, and receives related information from them.

In addition, the user’s online behavior is monitored and analyzed using services such as Google Analytics, Active Campaign, Giosg, Hotjar, Wistia, YouTube, Getsitecontrol, Readpeak, Microsoft Clarity, Google Optimize, Google Ads, Google Tag Manager, and Facebook.

The above-mentioned services are used for website development, customer service organization, and targeted marketing.

4. What purposes do we process personal data for?

We process health information for the following purposes:

Service implementation and development

  • Customer relationship management – for example, receipt of order, notifications related to the service including completed laboratory results and customer sample collection instructions
  • Service provision and maintenance, order management and delivery
  • Identification of data subjects
  • Retention of transaction data
  • Organization, implementation, and monitoring of laboratory tests
  • Subcontractor communication with our contract laboratory
  • Management of information entered by the user
  • Invoices, debt collection, refunding payments to customers
  • Archiving of contracts and invoices
  • Development of Puhti’s services and business operations, and related customer service development
  • Planning of Puhti’s operations, development, statistics, reporting, audits, and other tasks necessary for the exercise of the rights and obligations of the controller
  • Processing of customer feedback, management of complaints and disputes
  • Handling of official inquiries based on EU or Finnish legislation, e.g., the General Data Protection Regulation
  • Transfers of personal data (e.g., business transfers, assignments, or business transactions)
  • Justification, presentation, or defense of legal claims
  • Partner reporting (as separately agreed with corporate customers as part of the service)
  • Statistical processing, e.g. for service development purposes

Service and marketing communications

  • Informing and reminding the customer using customer and health data, for example, about possible follow-up tests and feedback surveys
  • Communication related to Puhti’s services and targeted direct marketing (for current and potential future customers)
  • We may send you service and direct marketing communications related to your previous interactions and purchase history, such as reminders, surveys, offers, or information about Puhti’s services. You can opt out of receiving this communication by clicking on a link attached to each message or by notifying Puhti’s customer service (contact details in section 1).

5. What is the legal basis for the processing of personal data?

The processing of personal data is based on, among other things, the following legal grounds:

  • Contract: We must establish a contractual relationship between you and Puhti and fulfil our contractual obligations.
  • Consent: Your given consent. If our processing of personal data is based on your consent, you can withdraw your consent at any time.
  • Legal obligations: We must comply with legal obligations (e.g. legislation, such as accounting regulations, requires us to retain certain data for a certain period of time) and justify, present or defend Puhti’s legal claims.
  • Legitimate interest: Implementation of Puhti’s legitimate interests. Puhti’s legitimate interest is based on the registered customer relationship or other similarly significant relationship between Puhti and the data subject.

6. Who processes my personal data and where is it disclosed?

At Puhti, personal data is processed for the above-mentioned purposes. Puhti may outsource the processing of personal data to external service providers who process personal data on Puhti’s behalf.

Puhti acquires laboratory services from Mehiläinen, which processes patient data generated in its operations as an independent controller and healthcare unit. The results of the laboratory tests ordered by Puhti’s customer will also be delivered to Puhti’s online service for the customer to see.

At Mehiläinen, laboratory results are processed and stored in accordance with healthcare legislation.

Patient data generated at Mehiläinen can be viewed in the OmaMehiläinen app and the OmaKanta service. Patient data generated at Mehiläinen is available to Mehiläinen’s healthcare professionals, for example, when you visit Mehiläinen. For more information about Mehiläinen’s privacy statement, please visit: https://www.mehilainen.fi/en/privacy-statements

Tests for sexually transmitted diseases: A positive result is always reported in accordance with the Communicable Diseases Act.

At Puhti, your data and the test results you have ordered can be viewed in Puhti’s online service so that you can view them and monitor your progress. Puhti retains personal data only as long as necessary for the implementation of the purposes described in this privacy statement. Puhti generally retains personal data for as long as the customer relationship is considered to exist between Puhti and the data subject, after which personal data is retained from the end of the customer relationship for as long as retention is necessary for the fulfillment of Puhti’s legal obligations or legitimate interests or, for example, for the preparation, presentation, or defense of a legal claim.

Puhti is part of the Mehiläinen Group, but it operates independently, and Puhti does not have access to patient data in Mehiläinen’s patient information system. However, Mehiläinen does disclose patient data, i.e., in this case, ordered laboratory test results, to Puhti.

From Puhti’s report, you can move to Mehiläinen’s healthcare services and receive advice on laboratory results and health-related issues. Mehiläinen provides healthcare services as an independent healthcare unit and controller.

Customer data is not generally transferred outside of the European Union or the European Economic Area. However, Puhti may transfer personal data (excluding laboratory test results) to countries such as the United States, where the transfer is primarily based on the European Commission’s decision on the adequate level of data protection in the United States, or alternatively on other transfer mechanisms in accordance with data protection legislation.

7. Profiling and automated decision making

Our operations do not involve profiling or automated decision-making.

8. Your rights

Right to information about the processing of personal data: You have the right to receive information about the processing of personal data, for example, for what purposes or how personal data is processed. Puhti provides information about the processing of personal data in this privacy statement. You can also contact Puhti regarding the processing of personal data in the manner specified in section 1 of this privacy statement.

Right to access personal data: You have the possibility to review your own data through your own Puhti reporting page. The service covers personal data you have reported as well as health-related test results and information you have provided. You can also make a written request for inspection of personal data to Puhti in the manner specified in section 1 of this privacy statement.

Right to rectification of data: You can make a written request for rectification to Puhti’s office and request the correction of inaccurate and incorrect personal data.

Right to erasure of data: Your data can be deleted from Puhti based on your request, unless there is a specific reason to deny the deletion request.

Withdrawal of consent: When processing is based on your consent, you can withdraw your consent at any time. You can withdraw your consent by contacting our customer service.

Right to data portability: If the processing of personal data is based on your consent or a contract, and the processing is carried out automatically, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. If you want, you can save the test results for yourself through your My Journal reporting page.

Right to restrict the processing of personal data: Under certain conditions, you have the right to request that the processing of your personal data be restricted, for example, if you contest the accuracy of your data, in which case processing will be restricted for a period enabling Puhti to verify their accuracy.

Right to object to processing: You have the right to object to the processing of your personal data on grounds relating to your particular situation, to the extent that the processing is based on Puhti’s legitimate interest. In such a case, Puhti will no longer process the personal data unless there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. To the extent that personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing.

Prohibition of electronic direct marketing: You can refuse to receive marketing communications by opting out in each message or by notifying Puhti’s customer service (contact details in section 1).

Right to lodge a complaint with a supervisory authority: If you believe that the processing of your personal data is in breach of the data protection legislation, you have the right to lodge a complaint with the supervisory authority, the Office of the Data Protection Ombudsman.

9. How is personal data protected?

Data protection and information security are of the utmost importance to us. All data processing is carried out using the Puhti information system, which has been registered with the National Supervisory Authority for Welfare and Health (Valvira). Personal data remains in Finland, in a server room with a high security classification that is designed for healthcare services.

Laboratory test results are accessed only by those individuals responsible for laboratory testing who must handle health data to provide the service and who are bound by statutory or contractual confidentiality obligations. Personal data is processed in accordance with individual user IDs and the authorizations required by job responsibilities.

The Data Protection Officer at Puhti is the Data Protection Officer of the Mehiläinen Group, Kim Klemetti (tietosuoja@mehilainen.fi).

Previous data protection description in Finnish (8.11.2022)
