PRIVACY POLICY

Lux Medicus Finland Oy – Internal Rules for the Processing of Clients’ Personal Data

Controller: Lux Medicus Finland Oy

Business ID: 3122119-9

Address: Fredrikinkatu 64 A 4, 00100 Helsinki, Finland

Privacy contact: info@medicus.ee

1. Introduction

1.1 These internal rules for the protection and processing of clients’ personal data (hereinafter the Rules) define how Lux Medicus Finland Oy implements organisational and administrative principles for personal data protection and processing arising from applicable legislation.

1.2 The Rules are based on the EU General Data Protection Regulation (GDPR) (EU) 2016/679, Finnish data protection legislation, and other applicable laws and official guidance in Finland.

1.3 The Rules define how Lux Medicus Finland Oy’s employees and members of governing bodies apply data protection processing requirements.

1.4 Compliance with these Rules is mandatory for all persons referred to in clause 1.3.

2. Definitions

Lux Medicus Finland means Lux Medicus Finland Oy (Business ID 3122119-9), which provides aesthetic medicine, cosmetology and related services.

Employee means a natural person who has an employment contract, service contract, or a governing body member agreement with Lux Medicus Finland.

Data subject means a client of Lux Medicus Finland or another natural person who contacts Lux Medicus Finland to use services or for another purpose.

Services means Lux Medicus Finland’s aesthetic medicine, cosmetology, and other related services.

Personal data means ordinary personal data and special categories of personal data. Personal data includes any information through which a natural person can be identified directly or indirectly.

Ordinary personal data may include, for example, first name, last name, personal identifier, date of birth, address, phone number, email address, bank card and bank account details, etc.

Personal data also includes all documents containing personal data (e.g., enquiries, offers, offer summaries, applications, contracts, certificates, invoices, payment orders, etc.). Where documents relate to a legal entity, personal data includes any natural person’s data contained therein (e.g., board member or authorised representative details).

Special categories of personal data include data revealing religious, political or philosophical beliefs, ethnic or racial origin, health data (physical or mental), disability, genetic data, trade union membership, and sex life/sexual orientation. Special categories also include biometric data (e.g., fingerprint/palm print, iris image, facial image used for identification) and data related to aesthetic and medical procedures performed on the person. Processing such data requires enhanced safeguards under the GDPR.

Processing of personal data means any operation performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Consent means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, agree to the processing of personal data relating to them.

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Information system means a set of means, methodologies and rules used to collect, store, process (convert into information) and transmit data.

Information security concerns the protection of data and information systems and establishes rules for using, accessing and modifying data and systems.

3. Purpose of Processing

Lux Medicus Finland processes personal data for the provision of aesthetic medicine, cosmetology and related services, and for managing the client relationship.

4. Legal Basis for Processing

4.1 Lux Medicus Finland processes personal data on the basis of a contract concluded with the client for the provision of services.

4.2 Before concluding a service contract, Lux Medicus Finland may process personal data based on its legitimate interest, for example to introduce its services, make offers, respond to enquiries and for similar purposes.

4.3 Lux Medicus Finland also processes personal data to comply with a legal obligation, including accounting and taxation obligations requiring the retention of invoices and payment documents.

4.4 When processing data related to health/medical services, Lux Medicus Finland follows the applicable legislation and official guidance in Finland.

5. Principles of Processing

5.1 When processing personal data, Lux Medicus Finland’s employees must follow these principles:

5.1.1 Lawfulness: there is a legal basis for processing and data is collected fairly and lawfully;

5.1.2 Purpose limitation: data is collected only for specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes;

5.1.3 Data minimisation: only data necessary for the defined purposes is collected;

5.1.4 Accuracy: personal data is kept up to date and complete as necessary;

5.1.5 Storage limitation: data is not retained longer than necessary or required by law;

5.1.6 Security: safeguards are applied against accidental or unauthorised processing, disclosure or destruction;

5.1.7 Transparency: processing is transparent for the data subject, and Lux Medicus Finland enables the data subject to obtain information and exercise their rights;

5.1.8 Accountability: employees are responsible for complying with these principles.

6. Security Requirements

6.1 Lux Medicus Finland implements technical and organisational security measures to protect personal data against unlawful, unauthorised or improper processing, disclosure or destruction. Security implementation is ensured by the company’s management and designated responsible persons.

6.2 Organisational measures:

6.2.1 Personal data is visible and accessible to employees only to the extent required by their duties.

6.2.2 When preparing an invoice, an employee has access to ordinary personal data, but not to special categories of personal data unless strictly necessary.

6.2.3 Lux Medicus Finland ensures that all processors (service providers/contractors) have appropriate agreements imposing confidentiality, minimisation and security obligations.

6.2.4 In Microsoft 365 applications, cloud services and other tools used by Lux Medicus Finland, access is granted only on a need-to-know basis.

6.2.5 Accounting service providers process personal data only to the extent defined in the contract for the purpose of arranging accounting.

6.3 Technical measures:

6.3.1 The security of client/patient information systems, and their compliance with the GDPR, is ensured.

6.3.2 Access to the client program and other software/devices is based on personal accounts and role-based permissions.

7. Retention of Personal Data

7.1 Lux Medicus Finland follows retention periods required by Finnish legislation and applicable authority requirements, including rules governing health records and accounting.

7.1.1 Client/patient records are retained in accordance with Finnish legal and regulatory requirements.

7.1.2 Accounting documents (e.g., invoices and payment records) are retained in accordance with Finnish accounting legislation.

7.2 In addition, personal data may be retained for a reasonable period after the service or contract ends for handling claims and defending legal rights, unless longer retention is required by law or based on the data subject’s explicit consent. After that, processing must be terminated and data erased or anonymised/pseudonymised where appropriate.

7.3 Storage media and locations:

7.3.1 Employees must store personal data securely as follows:

7.3.1.1 maintain data and documents containing personal data in secure electronic systems or encrypted form; store paper documents in locked cabinets/safes;

7.3.1.2 retain data until the end of the client contract or other relevant agreement and thereafter only as long as legally required or necessary;

7.3.1.3 store paper documents securely in locked cabinets or safes;

7.3.1.4 store personal data not used for performing an active client contract in encrypted or anonymised form;

7.3.1.5 prevent personal data from coming into the possession of third parties not authorised to process it;

7.3.1.6 ensure deletion of personal data from systems after the retention period ends or upon a lawful request of the data subject where applicable.

8. Ensuring Accuracy, Informing the Data Subject, and Providing Data Upon Request

8.1 Lux Medicus Finland ensures the accuracy, integrity and availability of personal data and provides corrections and information as required.

8.2 An employee must:

8.2.1 correct personal data at the data subject’s request;

8.2.2 inform the data subject about the processing of their data unless processing is based directly on law or the data subject has already given consent and been informed;

8.2.3 provide, upon request, a written overview of what data Lux Medicus Finland processes about the data subject and what processing actions have been performed, without undue delay and in any case within the time limits set by the GDPR (generally within one month).

8.3 The data subject has the right to:

8.3.1 ask what personal data is processed, for what purposes, and to whom it has been disclosed;

8.3.2 access the personal data collected about them.

8.4 Upon receiving a request, Lux Medicus Finland informs the data subject of the timeframe and method for responding.

8.5 Emails sent to the data subject regarding personal data processing and confirmations of receipt may be archived securely in the systems used.

9. Lux Medicus Finland’s Obligations as Controller

9.1 As controller, Lux Medicus Finland implements appropriate technical and organisational measures to ensure and demonstrate GDPR-compliant processing, considering the nature, scope, context and purposes of processing and the risks to individuals’ rights and freedoms.

9.2 Measures ensure that, by default, only personal data necessary for each specific purpose is processed, including limitations on the amount of data collected, the extent of processing, retention period and accessibility.

9.3 Measures such as pseudonymisation may be implemented where appropriate to support data protection principles and safeguards.

9.4 Lux Medicus Finland allows processing only by processors providing sufficient guarantees to implement appropriate measures so that processing meets GDPR requirements.

9.5 Lux Medicus Finland maintains records of processing activities.

9.6 Lux Medicus Finland ensures availability of guidance, training and support for employees regarding data protection.

9.7 Lux Medicus Finland keeps incident-response instructions up to date for data breaches and security incidents.

9.8 Where an incident concerns an external system used by Lux Medicus Finland, Lux Medicus Finland informs the system owner without delay.

9.9 Lux Medicus Finland investigates security violations committed by employees and takes measures to prevent recurrence.

9.10 Lux Medicus Finland ensures that information systems are operational and secure and include up-to-date security mechanisms (antivirus, firewalls, regular updates).

9.11 Lux Medicus Finland ensures backup and log retention as required by law to enable data recovery and to determine who accessed data and when.

10. Employees’ Obligations

10.1 Employees must keep clients’ and other data subjects’ personal data confidential. This obligation remains in force indefinitely, regardless of employment status.

10.2 Employees must not disclose personal data to third parties unless required for direct job duties and must take measures to prevent unauthorised access.

10.3 Employees must use all available tools and measures to prevent personal data from being accessed by third parties.

10.4 Employees must immediately inform their supervisor/responsible person of any loss of personal data or risk thereof.

10.5 In the event of a data leak or risk of one, employees must immediately take steps to stop the leak and correct the errors that enabled it.

10.6 Where the leak relates to an information system, employees must inform their supervisor and the system owner and follow internal instructions.

10.7 Employees must immediately report any suspicious situation that may jeopardise data security.

10.8 Employees must not share ID cards, authentication tools, credentials, passwords or codes with others.

10.9 When leaving the workstation, employees must lock their computer to prevent access by third parties.

10.10 Employees must not access or attempt to access personal data without a job-related need and must report any incorrect access rights.

10.11 Employees must process personal data minimally and delete unnecessary data in accordance with internal procedures.

10.12 Employees must process data only as necessary for service delivery, sales, or legal obligations (e.g., disclosures to authorities when required by law).

10.13 Where relevant, employees must ensure appropriate identity verification.

10.14 Employees must ensure data integrity (data remains complete).

10.15 Employees must ensure availability (data is stored in a usable format).

10.16 Employees must ensure accuracy and correct data where necessary.

10.17 Employees must not transmit personal data using insecure methods or unencrypted email.

10.18 Employees may transfer personal data to third countries or international organisations only with separate authorisation and in compliance with applicable law.

10.19 Employees must disclose and process data only as defined in data processing agreements with controllers/processors.

10.20 Employees must not record phone calls with clients unless the client has been informed and legal requirements are met.

10.21 Employees must not use or publish photos/videos/health data or other special category data without consent.

10.22 If required by job duties, employees must obtain and store consents for processing, including special categories of data.

10.23 Employees must not process special category data unless there is a lawful basis and necessary consent where required.

10.24 Employees must not use prohibited marketing practices without consent (profiling, automated decision-making, direct marketing, etc.).

10.25 Employees must promptly forward all complaints/requests relating to personal data processing to their supervisor/responsible person.

10.26 Employees must respect other employees’ privacy and must not use their passwords, email accounts, access cards or other credentials.

10.27 Employees must follow these Rules and any relevant security policies and instructions.

10.28 Employees must immediately follow instructions from management and responsible data protection persons.

Employees have the right to:

10.29 ask for advice and make proposals regarding personal data processing;

10.30 require secure electronic solutions for personal data processing.

11. Action in Case of a Personal Data Incident

11.1 If an incident occurs, employees must immediately notify their supervisor/responsible person verbally and by email and provide a description of the incident.

11.2 Management consults the responsible person and decides whether notification to the supervisory authority is required.

11.3 In serious cases (major leak, system compromise, blocking/encryption/ransom demand, etc.), Lux Medicus Finland may notify the relevant authorities and the system owner as required.

11.4 A breach is considered significant if it is likely to result in a risk to the rights and freedoms of data subjects.

12. Notification to the Supervisory Authority

12.1 Lux Medicus Finland ensures that significant personal data breaches are reported to the Office of the Data Protection Ombudsman (Finland) in accordance with the GDPR (generally within 72 hours). If notification is delayed, the reasons must be provided. No notification is required if the breach is unlikely to result in a risk to individuals’ rights and freedoms.

12.2 The notification includes:

a) the nature of the breach;

b) categories and approximate number of data subjects and personal data records concerned;

c) contact details of the relevant responsible person;

d) likely consequences;

e) measures taken or proposed to address the breach and mitigate possible adverse effects;

f) reasons for any delay beyond 72 hours.

12.3 The circumstances of the breach and the measures taken must be documented.

12.4 Where required, Lux Medicus Finland informs affected clients and other data subjects.

13. Ensuring Data Accuracy

Employees must:

13.1 review and correct inaccurate data based on information provided by the client;

13.2 ensure data accuracy and integrity.

14. Log Retention

Management must:

14.1 ensure log retention in all technical applications owned or used by the company, including requirements for service providers where applicable;

14.2 ensure that logs cover key processing actions: collection, modification, reading, disclosure, transfer, combination, deletion;

14.3 where IT services are outsourced, impose relevant obligations on the IT service provider;

14.4 where an application is not owned by Lux Medicus Finland, log retention is ensured by the application owner and specified in the contract.

15. Right to Data Portability

15.1 Lux Medicus Finland ensures the data subject’s right to receive personal data they have provided to the company in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, where applicable under the GDPR.

16. Recording of Phone Calls

16.1 Phone calls directed to Lux Medicus Finland are not recorded.

17. Transfer/Disclosure of Personal Data

Employees must:

17.1 ensure personal data is disclosed only on the basis of agreements with authorised processors, who are bound by confidentiality and security obligations;

17.2 ensure disclosure is made only using secure solutions (secure systems or encrypted email);

17.3 not disclose data to third countries unless GDPR requirements are met. At the time of these Rules, Lux Medicus Finland does not transfer personal data to third countries.

18. Marketing Communications

Management and media administrators must:

18.1 ensure marketing messages are not sent to persons who have not given consent;

18.2 not send marketing messages to clients who have withdrawn consent;

18.3 when outsourcing marketing, impose corresponding obligations on the service provider.

19. Validity of the Rules

19.1 These Rules enter into force on [date].

19.2 The Rules are communicated to employees by email or against signature.