Ab Grotell Oy
Helsinki, Finland
Official Home Page

Registry and Privacy Policy

This registry and privacy policy has been drafted to comply with the EU General Data Protection Regulation (GDPR) requirements and describes how Ab Grotell Oy and Ab Grotell Lääkäripalvelut Oy process personal data. This policy was last updated on August 14, 2024.

Note: This privacy policy applies solely to Ab Grotell Oy (Business ID: 3222672-5) and Ab Grotell Lääkäripalvelut Oy (Business ID: 3465545-1) joint register. This joint register does not contain patient records.

Patient records are processed in a separate register maintained technically by Suomen Terveystalo Oy (Business ID: 1093863-3), which is jointly used by Ab Grotell Lääkäripalvelut Oy and Suomen Terveystalo Oy. Ab Grotell Lääkäripalvelut Oy adheres to the privacy policy maintained by Suomen Terveystalo Oy. Any inquiries regarding patient records should be directed through Suomen Terveystalo Oy's online inquiry platform, which can be found here. The privacy policy for this patient register can be found on Suomen Terveystalo Oy's website.

1. Data Controller

The joint controllers are:

• Ab Grotell Oy
  Business ID: 3222672-5
  Address: c/o Milo Grotell, Jaakonkatu 3B, 2nd Floor, 00100 Helsinki
  Email: [email protected]
• Ab Grotell Lääkäripalvelut Oy
  Business ID: 3465545-1
  Address: c/o Grotell Oy, Jaakonkatu 3B, 2nd Floor, 00100 Helsinki
  Email: [email protected]

2. Contact Person Responsible for the Registry

Data Protection Officer: Milo Grotell
Address: Jaakonkatu 3B, 2nd Floor, 00100 Helsinki
Email: [email protected]

The Data Protection Officer is responsible for ensuring that the processing of personal data is appropriate and that the data controllers comply with GDPR requirements. The Data Protection Officer also serves as the contact person for inquiries, requests, and questions from data subjects.

3. Name of the Register

Name: Customer and Personnel Data Register

This register covers the customer and personnel data of Ab Grotell Oy and Ab Grotell Lääkäripalvelut Oy, which are used to support the companies' business operations, customer service, human resources management, and legal obligations.

4. Legal Basis and Purpose of Data Processing

Legal Bases:

The processing of personal data is based on the following legal grounds:

• Contract: The processing of personal data is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
• Legitimate Interest: The data controller processes personal data that is necessary for the conduct of business, maintaining customer relationships, providing services, and carrying out marketing. This legitimate interest is based on business needs, customer service, and human resources management.
• Legal Obligations: Data processing is necessary to fulfill the legal obligations of the data controllers, such as compliance with accounting, tax, and labor law requirements.

Purposes of Data Processing:

The main purposes of personal data processing are:

1. Customer Relationship Management and Development: The register is used to manage customer relationships, track order history, and provide customers with the services they require. This also includes customer communication, such as sending notifications, invoices, and collecting customer feedback.
2. Human Resources Management: Personal data is processed for managing employment relationships, such as drafting employment contracts, payroll processing, and tracking working hours.
3. Marketing and Communication: Personal data may be used for marketing purposes, such as direct marketing and sending newsletters. Marketing is based either on the consent of the data subject or the legitimate interest of the data controller.
4. Compliance with Legal Obligations: The data controllers must process personal data to fulfill their legal obligations, such as regulatory reporting, taxation, accounting, and employment-related requirements.

The processing of personal data is strictly limited and designed to ensure secure and lawful handling of personal data. Personal data is not used for profiling or automated decision-making without the explicit consent of the data subject.

5. Content of the Register

The following personal data may be stored in the register:

Personal Information:

• Name: First and last name, previous name, or nickname, if applicable.
• Date of Birth: Personal identification number or date of birth, if necessary for identity verification or compliance with legal obligations.

Contact Information:

• Postal Address: Permanent address, temporary address, PO box.
• Phone Number: Mobile phone number, work phone number, and possibly home phone number.
• Email Address: Work and private email address.
• Social Media Profiles: Contact information on social media channels, if necessary for communication or service delivery.

Employment-Related Information:

• Job Title and Duties: The employee's current job title and description of tasks.
• Employment Start and End Date: Information on the duration of employment, employment type (fixed-term, permanent), and possible previous employments.
• Payroll Information: Salary details, salary basis, tax information, payroll data, and other payroll-related information.
• Work Hours Information: Work hours tracking, work shifts, and leave information.

Customer Relationship Information:

• Customer Number and Contracts: The data subject’s customer number, contract details, and service orders.
• Order History and Billing Information: Information on the customer’s order history, billing information, payment details, and possible payment reminders.
• Customer Feedback and Complaints: Feedback provided by the customer, complaints, and related actions.

Technical Information:

• IP Addresses: IP addresses of website visitors, which may be necessary to ensure security and service functionality.
• Cookies and Browser Information: Information collected through cookies, browser data, and hardware information.

Data Retention Period:
Personal data is retained as long as necessary to fulfill the purposes of processing, such as the duration of the customer or employment relationship, and as long as required by law. After the retention period expires, the data is securely deleted or anonymized.

6. Regular Data Sources

Data stored in the register is collected from various sources:

1. From the Data Subject Themselves:

• Information provided directly by the data subject, such as through forms completed during a customer or employment relationship, emails, phone calls, meetings, or website forms.
• The data subject may also provide information by participating in customer surveys, competitions, campaigns, or events.

2. Through the Data Subject’s Activities:

• Information collected through the data subject's activities, such as website usage data, orders, and transactions, work time logs, and other similar functional data.

3. From Public and Third-Party Sources:

• Publicly available sources, such as company websites, social media profiles, trade registers, and other similar public data sources.
• Third-party sources, such as marketing and customer databases, used only in accordance with applicable law and with the consent of the data subject.

7. Regular Data Disclosures and Transfers Outside the EU or EEA

Data Disclosures:

Personal data may be disclosed to the following parties:

• Service Providers and Subcontractors: Personal data may be disclosed to companies and subcontractors that provide services to the data controllers, such as IT support, payment services, transportation services, marketing services, and customer service. These parties process personal data on behalf of the data controller and in accordance with their instructions.
• Authorities: Personal data may be disclosed to authorities, such as the police, tax authorities, and other parties necessary to fulfill legal obligations, in accordance with applicable law.
• Other Third Parties: Data may also be disclosed to other parties if the data subject has given explicit consent, or if disclosure is necessary to protect the rights of the data controllers, such as in legal proceedings or debt collection.

Transfer of Data Outside the EU or EEA:

Personal data may be transferred outside the EU or EEA only if necessary for the provision of services and if the following conditions are met:

1. Transfers to Countries Approved by the EU Commission: Data may be transferred to countries where the level of data protection has been deemed adequate by the EU Commission.
2. Standard Contractual Clauses: If data is transferred to a country where the level of data protection has not been deemed adequate by the EU Commission, the transfer will be conducted using the EU Commission's approved standard contractual clauses.
3. Consent: Data may be transferred outside the EU or EEA with the explicit consent of the data subject if other legal bases for the transfer are not available.

8. Principles of Data Security

Technical and Organizational Measures:

The data controllers are committed to ensuring that personal data is protected against misuse, loss, destruction, and unauthorized processing. Data security is ensured through the following principles:

Physical Protection:

Information systems and storage media are kept in secure facilities. Access to data is restricted to employees who need the data to perform their job duties.

Technical Protection:

Personal data is stored in encrypted databases protected by up-to-date security solutions. Data is transmitted only through secure connections, and access rights to systems are restricted and properly managed.

Anonymization and Pseudonymization of Data:

If personal data is no longer needed for its original processing purpose, the data is anonymized or pseudonymized so that it can no longer be linked to an individual without additional information.

9. Right to Access and Correct Data

Right to Access:

The data subject has the right to check what data has been stored about them in the register. An access request must be submitted in writing to the data controller, either by email or by post. An email request must include the data subject's digital signature, based on strong authentication. The access request must also provide sufficient information to verify the data subject's identity, such as name, address, and possible customer or employee number. The data controller may request additional information to verify identity.

Right to Correct Data:

The data subject has the right to request the correction of incorrect or incomplete data in the register. A correction request can be submitted in the same way as an access request. The data controller will process the request as quickly as possible and correct the data or provide a justified explanation of why the correction cannot be made.

The data controller will respond to all access and correction requests within the timeframe specified in the EU General Data Protection Regulation, which is generally one month from the receipt of the request.

10. Other Rights Related to Data Processing

The data subject has the following rights under the EU General Data Protection Regulation:

Right to Erasure (Right to be Forgotten):

The data subject has the right to request the deletion of their personal data from the register if the data is no longer needed for the purpose for which it was collected, or if the processing is based on the data subject's consent, which is then withdrawn. Deletion may also be requested if the personal data has been processed unlawfully or if the data subject objects to the processing on legitimate grounds, and there are no overriding reasons for the processing.

Right to Restrict Processing:

The data subject has the right to request the restriction of their personal data processing in certain situations, such as when the data is incorrect, the processing is unlawful, the data subject has objected to the processing, or the data is no longer needed for the original purpose but is required for the establishment, exercise, or defense of legal claims.

Right to Object:

The data subject has the right to object to the processing of their personal data if the processing is based on the data controller's legitimate interest. The data controller may no longer process the data unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms, or if the data is necessary for the establishment, exercise, or defense of legal claims.

Right to Data Portability:

The data subject has the right to receive their personal data in a structured, commonly used, and machine-readable format and to transfer this data to another data controller. This right applies to data provided by the data subject and processed based on consent or contract, as well as cases where the processing is carried out by automated means.

Right to Withdraw Consent:

If the processing of personal data is based on the data subject's consent, the data subject has the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to Lodge a Complaint with a Supervisory Authority:

The data subject has the right to lodge a complaint with a competent supervisory authority if they believe that their personal data has been processed in violation of the GDPR.

The data controller will respond to all requests related to the exercise of the data subject's rights within the timeframe specified in the GDPR, which is generally one month from the receipt of the request.

11. Updates to the Privacy Policy

This privacy policy has been drafted to describe the practices of Ab Grotell Oy and Ab Grotell Lääkäripalvelut Oy regarding the processing of personal data. The policy may be updated as necessary, for example, in response to changes in legislation or business practices. The current privacy policy is always available on the data controllers' websites, and significant changes will be communicated to data subjects as appropriate.

For any inquiries, please contact us at [email protected]. Please note that due to our limited personnel, response times may be longer than usual as we prioritize our core business operations. We appreciate your understanding.