This data protection description applies to the processing of personal data of private customers. The purpose of this policy is to provide information in accordance with data protection legislation to both the data subject and the supervisory authority (description of processing activities).
Data Controller
Cross Friction (hereinafter “CF”)
Linnankatu 61, 20100 TURKU
CF’s patient register is in paper format and is not shared with other parties.
- 1 Purpose of Processing Personal Data and Legal Basis
- 2 Categories of Personal Data Processed
- 3 Retention Periods for Personal Data
- 4 Sources of Personal Data
- 5 Processing and Disclosure of Personal Data
- 6 Kanta Patient Data Archive
- 7 Authorities and/or Organizations
- 8 Research Organizations
- 9 Rights of the Data Subject
- 10 Right to Access Data
- 11 Right to Rectification
- 12 Right to Erasure
- 13 Right to Restrict Processing
- 14 Right to Data Portability
- 15 Right to Withdraw Consent
- 16 Right to File a Complaint
- 17 Protection of Personal Data
- 18 Contact Information
Purpose of Processing Personal Data and Legal Basis
Personal data is processed for the following purposes:
- Provision of healthcare services, based on legal requirements
- Supervision of the activities and work quality of professionals, based on legal requirements
- Marketing and/or communication purposes, based on the customer’s consent or a contract
- Planning, development, management, monitoring, and reporting of CF’s operations, as well as quality assurance and knowledge management, based on law and CF’s legitimate interest
- Research and statistical purposes, based on consent, law, public interest, and/or CF’s legitimate interest
- Handling feedback, official investigation requests, and incident reports, based on law and CF’s legitimate interest
- Billing and debt collection, based on the contract between the customer and CF
- Ensuring correct use of services and detecting misuse, based on law and CF’s legitimate interest
Categories of Personal Data Processed
We process the following categories of personal data:
- Basic information
- Health information
- Information related to work ability
- Information related to well-being
- Appointment information
- Billing information
- Feedback, official investigation requests, and incident reports
- Information on website and online service usage
- Information on identification and authentication services
- Data on web behavior and analytics
Retention Periods for Personal Data
Patient-related data is retained according to the Finnish Ministry of Social Affairs and Health’s regulation on patient records: 12 years after death, or if the date of death is unknown, 120 years from the patient’s birth.
For other personal data, we regularly assess the necessity of retention in relation to the processing purposes. When the data is no longer needed and no legal obligation to retain exists, it is deleted.
Sources of Personal Data
Personal data is usually collected from the patient. If the patient is a minor, information may also be collected from guardians. Personal data may also be collected by healthcare personnel during examinations and treatment.
Personal data may also be obtained from other healthcare units or professionals with the patient’s consent.
Processing and Disclosure of Personal Data
Processing of personal data for billing and marketing may be outsourced to external service providers, who then process the data on behalf of CF. Patient data is not transferred, and the processing of patient data is not outsourced.
Personal data may be disclosed to:
Kanta Patient Data Archive
- The law does not require storage in Kanta services when long-term archival of patient records is handled in a non-electronic manner.
- Data may be disclosed to another healthcare unit or professional based on law or consent (oral, written, or documented in the patient record).
Insurance Companies
- Statutory insurance: necessary information is disclosed according to law, without consent.
- Voluntary insurance: information is disclosed based on the patient’s consent.
Authorities and/or Organizations
- Data may be disclosed to courts, authorities, or other organizations with a legal right to access the information. Disclosure is made based on a written and specific request.
Research Organizations
- Anonymized and/or statistical data may be processed for research and statistical purposes without consent.
In the event of death, confidentiality and privacy continue to apply. Data may not be disclosed without a legal basis.
Rights of the Data Subject
Right to Access Data
- Data subjects have the right to information on the processing of personal data.
- CF must provide data subjects with access to their personal data within a reasonable time.
Right to Rectification
- Data subjects have the right to request correction of inaccurate or incomplete data.
Right to Erasure
- Data subjects may request deletion of personal data within legal limits. CF has a legal obligation to retain health information.
Right to Restrict Processing
- Data subjects may request restriction of processing if the accuracy of the data is contested. Processing is limited during the investigation period.
Right to Data Portability
- Data subjects may request transfer of data to another system if the processing is based on consent or a contract and the data was provided by the data subject. Patient data is not included in this right.
- If patient data is stored in Kanta, other healthcare providers can access it according to the patient’s consents and prohibitions, managed via Omakanta.
Right to Withdraw Consent
- When processing is based on consent, it may be withdrawn at any time.
Right to File a Complaint
- Data subjects may file a complaint with the supervisory authority if they believe data protection laws have been violated.
Requests concerning data subject rights must be submitted in writing and delivered personally. Identity is verified upon submission.
Protection of Personal Data
CF uses appropriate physical, technical, and administrative safeguards to protect data against misuse.
Contact Information
Data Protection Officer
Jari Vuorijoki
Email: jari.vuorijoki@gmail.com
CF reserves the right to modify this data protection description without prior notice. Changes take effect when the updated version is published on CF’s website. CF recommends regularly reviewing the current data protection description.
