Register and Privacy Statement
Register and Privacy Statement
Effective from 25 June of 2026
Data Controller
Company Name: Suomen Työterveys & Suomen Etälääkärit Oy (hereinafter referred to as the Data Controller)
Business ID: 3453527-3
Registered and Postal Address: Tiirasaarentie 27 A 1, FI-00200 Helsinki, Finland
Email: info@suomentyoterveys.com
For all matters related to the processing of personal data and data protection, please contact us by email at info@suomentyoterveys.com.
General
This Privacy Policy has been prepared in accordance with the EU General Data Protection Regulation (GDPR) and describes how we process personal data as the Data Controller.
This Privacy Policy also serves as a Data Processing Agreement (DPA) in situations where we process personal data on behalf of you or your company. In such cases, we act as the Data Processor, while you or your company acts as the Data Controller.
Purposes and Legal Basis for Data Processing
We process personal data for the following purposes:
- Managing customer relationships (including customer acquisition)
- Fulfilling the rights and obligations of both the customer and the Data Controller
- Providing and developing online services
- Research activities
- Targeted marketing carried out by the Data Controller and its business partners
The processing of personal data is based on one or more of the following legal grounds:
- Performance of a contract
- The data subject’s consent
- The legitimate interests of the Data Controller (Article 6(1)(f) GDPR)
Processing based on legitimate interest particularly includes customer acquisition, direct marketing, and lead generation targeting companies and business decision-makers.
The data subject has the right to object to processing based on legitimate interest and to prohibit direct marketing at any time (see Data Subject Rights below).
Sources of Personal Data
Personal data may be collected from:
- Messages submitted through website forms
- Email correspondence
- Cookies
- Telephone communications
- Social media services
- Contracts, meetings, and other situations where personal data is voluntarily provided
Where personal data is obtained from sources other than the data subject, the Data Controller will inform the data subject of the source of the data, the purposes of processing, and the legal basis for processing no later than one month after obtaining the data, or at the time of the first communication with the data subject, in accordance with Article 14 GDPR.
The Data Controller uses cookies to improve user experience, measure website performance, and enable targeted marketing. Cookies are small text files stored on your device by your web browser. You may disable cookies through your browser settings.
Categories of Personal Data Processed
We may process one or more of the following categories of personal data:
- First and last name
- Postal address
- Telephone number
- Email address
- Professional affiliation or occupational group
- Information collected through cookies (such as IP address, browser type, and approximate location)
- Company name and job title
- Company contact information
- Social media usernames and profiles
- Information regarding purchased or subscribed services
- Customer relationship information
- Chat conversation history
Disclosure of Personal Data
Personal data may be processed by the systems used by the Data Controller, which are physically located either within Europe or in the United States and operate under the EU–U.S. Data Privacy Framework, or otherwise provide GDPR-compliant safeguards.
The Data Controller may disclose personal data within the EU and EEA to:
- Data processors acting on behalf of the Data Controller
- Companies within the same corporate group
- Business partners for the purposes described in this Privacy Policy
Personal data may also be disclosed to public authorities where required by law.
Personal data may be published where separately agreed.
Partners involved in lead generation and customer acquisition may act either as:
- Independent Data Controllers with respect to their own registers; or
- Data Processors acting on behalf of the Data Controller under a written Data Processing Agreement (DPA).
The Data Controller ensures that such partners are entitled to disclose the personal data and have fulfilled their own information obligations.
Transfers of Personal Data Outside the EU/EEA
Some personal data is stored and processed outside the European Union.
All international transfers comply with the requirements of the GDPR and are based on:
- An adequacy decision issued by the European Commission (such as the EU–U.S. Data Privacy Framework), or
- The European Commission’s Standard Contractual Clauses (SCCs).
Personal data is not disclosed to unauthorized third parties.
Principles of Data Protection
Access to personal data is limited to employees and specifically designated persons who require the information in order to perform their duties, including personnel responsible for customer relationships.
The Data Controller ensures that personal data is processed only by authorized persons who are subject to confidentiality obligations, either contractually or by law.
The Data Controller implements appropriate technical and organizational measures to safeguard personal data, including staff training, secure information systems, and appropriate technical security measures.
Personal data may also be processed by the following service providers and their affiliated companies:
- Cloud services: Google LLC, Microsoft Corporation
- Customer communications: Mailchimp
- Website analytics: Google LLC
- Financial administration service providers
Retention Period
Personal data processed on the basis of consent is retained until the data subject withdraws their consent.
However, the Data Controller may retain personal data for a longer period where necessary to establish, exercise, or defend legal claims or to fulfil statutory obligations.
Marketing and prospecting data processed on the basis of legitimate interest will be retained only as long as necessary for marketing purposes or until the data subject objects to the processing or opts out of direct marketing.
After an opt-out request, the Data Controller may retain minimal information (such as an email address or telephone number on a suppression list) solely to ensure that the individual is not contacted again.
Data Subject Rights
The data subject has the right to:
- Access their personal data
- Request rectification of inaccurate personal data
- Request erasure (“right to be forgotten”)
- Request restriction of processing
- Object to processing based on legitimate interests
- Object to the use of personal data for direct marketing at any time
- Receive personal data processed on the basis of consent or a contract in a structured, commonly used, and machine-readable format (data portability)
- Withdraw consent at any time
- Lodge a complaint with the competent supervisory authority (the Office of the Data Protection Ombudsman)
Requests should be submitted in writing to the Data Controller.
The Data Controller may request proof of identity before processing the request.
Requests will generally be responded to within one month, as required by the GDPR.
Changes to the Privacy Policy
The Data Controller continuously develops its business operations and therefore reserves the right to amend this Privacy Policy.
Changes may also be necessary due to amendments in applicable legislation.
The Data Controller recommends reviewing this Privacy Policy regularly to stay informed of any updates.