Data protection
Data privacy statements for the services and registers of the Finnish Student Health Service (FSHS) describe in detail how, where and why personal data is processed.
The FSHS is drawing up a joint register to cover all its service units, including the partner units. Your patient data in the joint register, recorded at different service units, may be disclosed without your consent when you have a treatment relationship with the unit requiring your data. You also have the right to object to the disclosure of your data within the joint register.
We are constantly improving our services, and we reserve the right to change this data privacy statement, notification of which will be made through our services. Changes may also result from changes in legislation. We recommend that students familiarise themselves regularly with the contents of the data privacy statement.
Patient register
Name of the register
Patient Register of the Finnish Student Health Service
The FSHS is drawing up a joint register to cover all of its service units, including the partner units. Your patient data in the joint register, recorded at different service units, may be disclosed without your consent when you have a treatment contact with the unit requiring your data. You also have the right to object to the disclosure of your data within the joint register.
Data controller and contact persons
The Finnish Student Health Service (FSHS), Töölönkatu 37 A, FI-00260 Helsinki.
Person responsible for the register
Medical Director
Contact persons
The persons responsible for data protection: Marjo Tipuri and Aleksi Schrey
Person responsible for data protection
Email for general questions related to the register concerned: tietosuojavastaava(at)yths.fi
Secure channel for contacting the person responsible for data protection:
Contacting the person responsible for data protection – FSHS
The purpose of and the legal basis for the processing of personal data
The processing of data contained in the Patient Register is based on a statutory obligation to maintain patient documents. We only process personal data for predetermined purposes. These are:
- Planning and carrying out patients’ examinations and treatment: We offer students in higher education general healthcare, mental healthcare and oral healthcare services. Some of our services are subcontracted out to partners. In these cases we transfer the information needed for treatment to these partners. In the case of the general and mental health services provided by our partners we use an outsourcing authorisation, and the partners save the entries made in the patient record system directly to the FSHS’s register.
- Student health promotion and its planning: We monitor and promote students’ wellbeing, health and ability to study. We arrange an electronic health survey for all first-year students in accordance with the Health Care Act (1326/2010). In addition, we organise individual health check-ups as needed.
- Invoicing
- Supervising the work of healthcare professionals
- Scientific research
- Healthcare-related statutory supervision and compiling of statistics: We are required by law to provide reports and statistics about our activities for the supervisory authorities, such as the National Institute for Health and Welfare.
- Compiling statistics about the FSHS’s own activities and the planning of activities: We are constantly improving our services. We produce reports and conduct surveys to support decision-making. We pseudonymise the data needed to compile statistics. This means that we remove any information that allows for data to be connected to an individual person.
- Monitoring the quality of operations: some of the phone calls to the treatment need assessment service are recorded.
Retention of personal data
Electronic data is stored in the FSHS’s patient record systems and electronic archives, as well as in the national Kanta Data Repository, in accordance with statutory retention periods.
Hard copies are stored in the FSHS’s patient and customer data archives in accordance with statutory retention periods.
Implementation of register data protection and data security
Protection of information networks and systems, the security of premises, controlled granting of access rights, supervision of information system use, and risk management.
The FSHS’s Medical Director is in charge of the register and is responsible for data protection, retention and destruction.
Recorded phone call data may be stored for 3 months for purposes of quality control, and the fact that the call will be recorded will be mentioned during the call.
Content of the register
In compliance with a statutory obligation, we collect personal data on students (data subjects) that is necessary for the purpose for which it is to be used. The purpose determines what data is collected in each situation.
Data on all students disclosed by the university or other higher education institution (for arranging health check-ups for first-year students):
- Name and personal identification number
- Gender
- Information about the educational institution, student number, type and starting date of study right, information on attendance (term registration, attending students), educational institution, education code, study location, field of education under which the study right falls
Information given by the student or other personally identifiable information, as well information regarding the consent for data sharing from MyKanta:
- Contact details, such as address, telephone number and email address
- Demographic information, such as age, gender, native language, contact language and home country
- Information needed to ensure accessibility to services, such as physical limitations and need for an interpreter
- Information concerning permissions, such as consent to receive SMS messages and reminders on appointments, secure communications and forms provided in the service portal
- Non-disclosure for personal safety reasons
- Contact person named by the student
- Appointment booking and invoicing information
- Health status information essential for treatment, including information generated and given by the patient in electronic forms or similar
- Information concerning notifications and consent and denial of consent for data sharing as required by the National Archive of Health Information (Kanta services).
- Information about the country reimbursing medical costs
Information derived from the above:
- Derived information is defined as information deduced from student data, e.g. the placing of students into groups of users of certain services for statistical and planning purposes.
All information concerning health status is classed as so-called special personal data, which refers to data containing sensitive personal information. Particular attention is given to protecting this kind of information.
We organise patient records into logical entities and compile them in accordance with the official regulations. This way, we can use the data and, if necessary, disclose it to external parties under the conditions set out in paragraph 6, e.g. for further treatment, without compromising the availability, usability, confidentiality and integrity of the data.
Persons processing personal data
The data can only be accessed by those persons whose duties include processing it.
Regular sources of data
Personal data is primarily given by the students themselves as part of an assessment of the need for treatment or treatment contact. Other sources of data may include electronic forms completed by the student in the student portal or other reports provided by the student to support the assessment of the need for treatment or the treatment itself.
Our staff also record other data arising during examinations and treatment. We also store in our own register treatment records generated as part of subcontracting services.
With the student’s consent and within the scope of the defined permission, we receive data from other healthcare units and the Kanta Data Repository.
We receive the above-mentioned demographic and educational establishment data from the Virta data warehouse, which is a service provided by the Ministry of Education and Culture.
Regular disclosures of data
There are no regular disclosures of data to other parties.
Data relating to a person’s state of health is confidential. FSHS instructions on patient documents have been compiled based on legislation governing the use, disclosure and protection of such data to ensure uniform procedures when processing patient data.
We only disclose data in the cases described below:
- We may disclose a student’s data to third parties if the student has consented to this verbally, in writing or electronically. Consent is required for data disclosure to other healthcare providers for the provision of further treatment. In the case of outsourced services, agreeing to use these services is considered as consenting to data disclosure. If the student is unable to assess the meaning of the consent, e.g. due to their state of health, we are allowed to disclose data with the consent of their legal representative. Data disclosure to insurance companies requires written consent in some cases.
- We may disclose a student’s personal data in the manner prescribed by the legislation in force at the time as required by the competent authorities or other parties.
- We may disclose data for scientific or historical research provided that the data has been changed into a form that renders the data subject unidentifiable or with the permission of the National Institute for Health and Welfare.
- We may disclose segment data on students to our partners to improve our activities. Our partners are not permitted to link the data in any way that would enable an individual student to be identified.
- We disclose data to those authorities that maintain national healthcare registers to the extent required by the registers as stipulated in the legislation. These registers include:
- Care Register
- Finnish Cancer Registry
- Register for adverse drug reactions
- Vaccine Adverse Events Register
- National Infectious Diseases Register.
Transfer of data outside the EU/EEA
We do not transfer data outside the EU/EEA.
Automated decision-making and profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate, analyse or predict aspects concerning the characteristics of the person concerned, e.g. behaviour or health. We do not profile students and we do not apply automated decision-making to students’ data.
Rights of data subjects
We are committed to accepting requests from students regarding their data, and where such requests are reasonable we will agree to them. We will process the requests within two months and inform the applicant of any action taken or if the request has been rejected. The rights listed below apply to data contained in the Patient Register.
Inspection of data
Students have the right to receive copies of their medical records and to inspect the personal data collected about them. The easiest way to view your patient records is via the Social Insurance Institution’s (Kela) MyKanta service. The MyKanta service contains general and mental health data from 30 June 2016 onwards and oral health data from 21 December 2021 onwards. For data older than this, requests for a copy should be made using an online form, or in person or by completing a Patient Register review request form at the FSHS service unit in your study location. The student must provide identification in order to obtain the data, which is why data sought following a written request must be collected from the service unit by showing a photo ID. Requesting copies / exercising your right of inspection is free of charge once a year during your studies and once after your graduation after the treatment relationship has ended. After this, we will charge a fee in compliance with our service charges.
Rectification of inaccurate and incorrect data
Students have the right to ask the FSHS to rectify inaccurate and incorrect data on themselves. The FSHS is also obliged to rectify any incorrect personal data that comes to its attention. Because of the nature of the healthcare sector, we are occasionally forced to make decisions based on incomplete information. We can therefore only rectify data that is objectively incorrect based on the information available at the time of recording. Students have no right to decide what data about them is recorded. Requests for rectification can be made during a treatment contact directly to the staff member who recorded the information. If mutual understanding is not reached, the student can make a rectification request in writing either by completing an electronic form (identification via online banking ID or mobile ID) or at an FSHS service unit in their study location (ID required). A decision to approve or reject the request will be made by the FSHS’s Regional Medical Director, if necessary together with the Regional Medical Director for Dentistry. If the request is rejected the reasons will be given in writing. Rectified data will also be rectified in the Kanta Data Repository.
Completion of incomplete data
Students have the right to have incomplete personal data completed. Contact details and contact language can be updated via the Self online service. Significant incompleteness of data relating to state of health is processed as for rectification of data described above.
Inspection of log data
We collect log data on the use and disclosure of Patient Register data. We use log data to ensure that patient records are used appropriately. If a student suspects that their data has been misused, they have the right to ask for the log data to be checked. The request should be made using an online form or by completing a Patient Register log data request form at an FSHS service unit in the student’s study location (ID required). A decision to approve or reject the request will be made by the FSHS’s Regional Medical Director together with the person responsible for data protection. Log data from the previous two years will be checked. The Regional Medical Director or the Regional Medical Director for Dentistry will provide a report on the check, if necessary, and the student has the right to receive a copy of the log data. If the request is rejected the reasons will be given in writing.
Certain general rights of data subjects, such as erasure of data, are not applicable to Patient Register data due to its legal basis.
If any Patient Register data is destroyed, damaged, disclosed without the right to do so, or is stolen, or if such data disappears, we will inform the Office of the Data Protection Ombudsman without delay and within 72 hours at the latest. If the students concerned are likely to suffer adverse consequences as a result, we will inform them of the information security breach.
Right of data subjects to appeal to a supervisory authority
Data subjects have the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data.
For more information, read the instructions provided by the Data Protection Ombudsman.
Rights of data subjects
When processing personal data, the data controller is required to take appropriate measures to safeguard the data protection rights of data subjects and to facilitate the exercise of data subject rights.
In accordance with the GDPR, data subjects have the right:
- to receive information about the processing of their personal data
- to access their data
- to request that their data be rectified
- to inspect their data.
In social services and healthcare the processing of personal data is also governed by general and special legislation at the national level.
We are committed to accepting requests from students regarding their data, and where such requests are reasonable we will agree to them. We will process the requests within two months and inform the applicant of any action taken or if the request has been rejected. The rights listed below apply to data contained in the Patient Register.
Inspection of data
Students have the right to receive copies of their medical records registered by the data controller and to inspect the personal data collected about them. The easiest way to view your patient records is via the Social Insurance Institution’s (Kela) MyKanta service. The MyKanta service contains general and mental health data from 30 June 2016 onwards and oral health data from 21 December 2021 onwards. For data older than this, requests for a copy should be made using an online form, or in person or by completing a Patient Register review request form at the FSHS service unit in the student’s study location. The student must provide identification in order to obtain the data, which is why data sought following a written request must be collected from the service unit by showing a photo ID. Requesting copies / exercising your right of inspection is free of charge once a year during your studies and once after your graduation after your treatment contact has ended. After this, we will charge a fee in compliance with our service charges.
Rectification of inaccurate and incorrect data
Students have the right to ask the FSHS to rectify inaccurate and incorrect data on themselves. The FSHS is also obliged to rectify any incorrect personal data that comes to its attention. Because of the nature of the healthcare sector, we are occasionally forced to make decisions based on incomplete information. We can therefore only rectify data that is objectively incorrect based on the information available at the time of recording. Students have no right to decide what data about them is recorded. Requests for rectification can be made during a treatment contact directly to the staff member who recorded the information. If mutual understanding is not reached or the treatment contact with the employee concerned has ended, the student can make a rectification request in writing either by completing an electronic form (identification via online banking ID or mobile ID) or at an FSHS service unit in their study location (ID required). A decision to approve or reject the request will be made by the FSHS’s Regional Medical Director, if necessary together with the Regional Medical Director for Dentistry. If the request is rejected the reasons will be given in writing. Rectified data will also be rectified in the Kanta Data Repository.
Completion of incomplete data
Students have the right to have incomplete personal data completed. Contact details and contact language can be updated via the Self online service. Significant incompleteness of data relating to state of health is processed as for rectification of data described above.
Inspection of log data
We collect log data on the use and disclosure of Patient Register data. We use log data to ensure that patient records are used appropriately. If a student suspects that their data has been misused, they have the right to ask for the log data to be checked. The request should be made via an online form or by completing a Patient Register log data request form at an FSHS service unit in the student’s study location (ID required). A decision to approve or reject the request will be made by the person responsible for data protection. Log data from the previous two years will be checked. The person responsible for data protection will provide a report on the check, if necessary, and the student has the right to receive a copy of their log data. If the request is rejected the reasons will be given in writing.
Other points to consider
Certain general rights of data subjects, such as erasure of data, are not applicable to Patient Register data due to its legal basis.
If any Patient Register data is destroyed, damaged, disclosed without the right to do so, or is stolen, or if such data disappears, we will inform the Office of the Data Protection Ombudsman without delay and within 72 hours at the latest. If the students concerned are likely to suffer adverse consequences as a result, we will inform them of the information security breach.
Right of data subjects to appeal to a supervisory authority
Data subjects have the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data.
For more information, read the instructions provided by the Data Protection Ombudsman
Register of electronic services (patient care)
Name of the register
Register of electronic services
Data controller and contact persons
The Finnish Student Health Service (FSHS), Töölönkatu 37 A, FI-00260 Helsinki.
Contact persons:
The persons responsible for data protection: Marjo Tipuri and Aleksi Schrey
Person responsible for data protection
Email for general questions related to the register concerned: tietosuojavastaava(at)yths.fi
Secure channel for contacting the person responsible for data protection: Contacting the person responsible for data protection
The purpose of and the legal basis for the processing of personal data
The purpose of the processing of personal data is to provide students with personal treatment guidance and service guidance, as well as information related to their wellbeing. After strong authentication, students can store their data, communicate with healthcare professionals, and receive notifications related to services.
Data in the register can be transferred to a separate patient record system, in which case the processing of personal data is based on the customer relationship with social welfare and healthcare. Such relationships are governed by healthcare legislation.
In electronic services, data recorded by the students themselves is managed.
Statistics generated based on the use of electronic services can be used for service development, statistics, reporting and collecting feedback.
The processing of personal data is based on the consent given by the data subject.
Retention period for personal data
The retention period for the data corresponds with that of patient records.
Content of the register
Self online service
Students may store the following data in the register of the FSHS’s electronic services. The personal data registered in Self will be automatically transferred to the patient record system, whereas the data given via forms will be transferred through a professional:
- Student identification and contact details (personal identity code, first name, last name, address, home town, phone number, email address)
- Consents and prohibitions related to appointment reminders
- Data stored by the student (forms)
SelfChat
Using chat services does not result in a treatment relationship or patient records as intended in the Act on the Status and Rights of Patients (785/1992), with the exception of the services where the respondent is a healthcare professional handling a health matter.
Persons processing personal data
The data can only be accessed by those persons whose duties include processing it.
Regular sources of data
Data is given by the students themselves.
Regular disclosures of data
There will be no regular disclosures of your data. Data may only be disclosed with the data subject’s explicit consent or to the authorities that have the statutory right for it.
Transfer of data outside the EU/EEA
We do not transfer data outside the EU/EEA.
Implementation of register data protection and data security
The use of electronic services requires strong authentication by the user. This is done using Suomi.fi identification, which is an online identification system for citizens.
The FSHS staff can use the professional sections of the services in accordance with their duties through the patient record system. They are required to have access rights and authentication in accordance with the credentials management practices.
The application registers are located in secure premises of the FSHS service provider. The communication between the user of the electronic service and the service is encrypted.
The person in charge of the register is responsible for the protection, storage and destruction of its data.
Automated decision-making and profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate, analyse or predict aspects concerning the characteristics of the person concerned, e.g. behaviour or health. We do not profile students and we do not apply automated decision-making to students’ data.
Rights of data subjects
We are committed to accepting requests from students regarding their data, and where such requests are reasonable we will agree to them. We will process the requests within two months and inform the applicant of any action taken or if the request has been rejected.
Right of data subjects to appeal to a supervisory authority
Data subjects have the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data. For more information, read the instructions provided by the Data Protection Ombudsman.
Cross-border healthcare
Name of the register
Cross-border healthcare
Data controller and contact persons
The Finnish Student Health Service (FSHS), Töölönkatu 37 A, FI-00260 Helsinki.
Contact persons
The persons responsible for data protection: Marjo Tipuri and Aleksi Schrey
Person responsible for data protection
Email for general questions related to the register concerned: tietosuojavastaava(at)yths.fi
Secure channel for contacting the person responsible for data protection:
Contacting the person responsible for data protection
The purpose of and the legal basis for the processing of personal data
The processing of data is based on the Act on Cross-Border Health Care.
- Act on Cross-Border Health Care (finlex.fi)
- Act on Amending the Act on Cross-Border Health Care (in Finnish, finlex.fi)
Retention period for personal data
Information about invoicing and the country reimbursing costs will be stored in the patient record system in the same way as other Patient Register data.
Copies of European Health Insurance Cards and passports will be stored securely for invoicing purposes, and the data will be deleted within 12 months after the month in which the card expires.
Content of the register
If your healthcare cover is provided by another EU or EEA country, Switzerland, Great Britain or Northern Ireland, you need to have the European Health Insurance Card (EHIC card), Global Health Insurance Card (GHIC card) or equivalent provisional certificate to qualify for reimbursement of FSHS costs. We will need a copy of your health insurance card for invoicing purposes. Nordic students may present a passport or an ID card as proof of eligibility for reimbursement of medical costs.
Persons processing personal data
The data can only be accessed by those persons whose duties include processing it.
Regular sources of data
Data is given by the students themselves.
Regular disclosures of data
As a regular disclosure, a copy of the European Health Insurance Card (EHIC card, GHIC card or equivalent provisional certificate) will be submitted to Kela in connection with invoicing.
Transfer of data outside the EU/EEA
We will not transfer your data outside the EU/EEA.
Automated decision-making and profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate, analyse or predict aspects concerning the characteristics of the person concerned, e.g. behaviour or health. We do not profile students and we do not apply automated decision-making to students’ data.
Rights of data subjects
We are committed to accepting requests from students regarding their data, and where such requests are reasonable we will agree to them.
Contacts: Contacting the person responsible for data protection
Study environment inspection, wellbeing survey
Name of the register
Wellbeing survey related to a study environment inspection by the FSHS
Data controller and contact persons
The Finnish Student Health Service (FSHS), Töölönkatu 37 A, FI-00260 Helsinki.
Person responsible for data protection
Email for general questions related to the register concerned: tietosuojavastaava(at)yths.fi
Secure channel for contacting the person responsible for data protection:
Contacting the person responsible for data protection
Personal data: processing and legal basis
Answers to the wellbeing survey will be used in conjunction with the study environment inspection to describe the wellbeing of students at the inspected site. Respondents will receive automated feedback.
Persons processing personal data
The use of data is protected by user-specific IDs, passwords and access rights. Access rights to information systems are only given to those employees of the service provider who need this information to provide student healthcare services. Each user is given sufficient, but as limited access as possible to perform the task concerned.
In addition, the rights of the information system administrator are only given to those persons of the information system supplier (Movendos Oy) who need access to the recordings to ensure the proper functionality of the system.
The system stores log data about users who have downloaded survey data. The log also gathers information about what data has been downloaded and when.
Regular sources of data
The wellbeing survey data is collected from the students themselves based on the survey responses.
How will your data be processed and stored?
The responses to the wellbeing survey will be stored in a secure and confidential information system maintained by Movendos Oy. The development of the system follows and complies with all relevant laws and regulations concerning the field, as well as the laws governing the use of personal data.
We have ensured that the information system meets the requirements for data security and data protection.
Regular disclosures of data
The data obtained from the wellbeing survey will be stored in the EU/EEA. A general report will be compiled from the survey data once at least 100 respondents or 10% of those who received the survey have completed it. Individual responses will be deleted once the study environment inspection has been completed. The report’s information will be included in the study environment inspection report.
However, the FSHS may disclose data for research purposes, but always in a form preventing the identification of individual persons.
Transfer of data outside the EU/EEA
We will not transfer your data outside the EU/EEA
Automated decision-making and profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate, analyse or predict aspects concerning the characteristics of the person concerned, e.g. behaviour or health. We do not profile students and we do not apply automated decision-making to students’ data.
Rights of data subjects
Questions about the use of data and data security can be submitted to the person responsible for data protection.
The data controller is the Finnish Student Health Service (FSHS), address: Töölönkatu 37 A, FI-00260 Helsinki, Finland.
Contact the persons responsible for data protection at the FSHS by completing an online form.
Right of data subjects to appeal to a supervisory authority
Data subjects have the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data.
For more information, read the instructions provided by the Data Protection Ombudsman.
Scientific research
In addition to using personal data for the provision of healthcare and medical care services, statutory supervision and compilation of statistics, compilation of statistics about our own activities and planning our activities, we use personal data to carry out and enable scientific research.
We carry out scientific research on university students’ health, health behaviour, lifestyles, study environments and health services. We also conduct joint research together with external researchers and research bodies. The use of patient data for research always requires official permission. Data will only be disclosed for external research purposes if permitted by you or by the National Institute for Health and Welfare.
Secure data protection is a prerequisite for scientific research and builds trust among study subjects. It is essential that the processing of personal data is planned for the entire life cycle of the data before the processing begins.
The party conducting the research is responsible for producing the privacy statement, processing personal data and ensuring the rights of data subjects are honoured.
Person responsible for data protection
Email for general questions related to the register concerned: tietosuojavastaava(at)yths.fi
Secure channel for contacting the person responsible for data protection:
Contacting the person responsible for data protection
Right of data subjects to appeal to a supervisory authority
Data subjects have the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data.
For more information, read the instructions provided by the Data Protection Ombudsman.
Webinars
Name of the register
Webinars
Person responsible for data protection
Contacts: Contacting the person responsible for data protection
Personal data: processing and legal basis
Personal data will be used to make practical arrangements for webinars. The register consists of the personal data of those who have enrolled on, and participated in, webinars organised by the FSHS.
The processing of data is based on the consent given by the person concerned.
Retention period for personal data
The data will be stored up to three months after the event.
Content of the register
Name, e-mail, organisation, town.
Regular sources of data
Those who enrolled on webinars and those who participated in them.
Regular disclosures of data
We do not disclose data for other purposes.
Transfer of data outside the EU/EEA
We do not transfer data outside the EU/EEA.
Automated decision-making and profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate, analyse or predict aspects concerning the characteristics of the person concerned, e.g. behaviour or health. We do not profile students and we do not apply automated decision-making to students’ data.
Rights of data subjects
Data subjects may cancel their enrolment at any time.
Data subjects have the right:
- to check what personal data about them is stored in the register
- to have incorrect personal data rectified
- to have their data erased from the register
- to restrict the processing of their data
- to have their data transferred between systems.
Right of data subjects to appeal to a supervisory authority
Data subjects have the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data.
For more information, read the instructions provided by the Data Protection Ombudsman.
Students’ health promotion and its planning
Name of the register
Students’ health promotion and its planning
Person responsible for data protection
Contacts: Contacting the person responsible for data protection
Personal data: processing and legal basis
We use and improve our digital services to promote students’ health and wellbeing. By starting to use the service/application concerned, the user accepts the processing of their personal data.
Retention period for personal data
After you stop using the service, the data you stored will be retained for two years.
Content of the register
As part of wellbeing services we may use the personal identity code as well as demographic and study-related information to identify the user. We will only store data required to target our services. In addition, any measurements and survey answers provided by the users themselves will be stored in the programmes/applications. Data stored by the users will be used for targeting our digital wellbeing and health services.
Regular sources of data
The students themselves.
Regular disclosures of data
We will not disclose your data for other purposes.
Transfer of data outside the EU/EEA
We do not transfer data outside the EU/EEA.
The principles for how the data file is secured
Data confidentiality will be ensured by strong authentication when users log in to the service. Data used for identification purposes will be transferred from the Patient Register via an interface and will not be edited in another application.
Automated decision-making and profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate, analyse or predict aspects concerning the characteristics of the person concerned, e.g. behaviour or health. We do not profile students and we do not apply automated decision-making to students’ data.
Rights of data subjects
The rights of data subjects to have their data erased, to have the processing of their data restricted and to object to the processing of their data are put into effect by deleting the user account in question. If necessary, data can be erased earlier at the request of the user.
Right of data subjects to appeal to a supervisory authority
Data subjects have the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data.
For more information, read the instructions provided by the Data Protection Ombudsman.
Invoicing, patient services
Data controller and contact persons
The Finnish Student Health Service (FSHS), Töölönkatu 37 A, FI-00260 Helsinki.
Person responsible for data protection
Contacting the person responsible for data protection
Personal data: processing and legal basis
Invoicing (missed appointments that were not cancelled) Invoicing of EU/EEA students, see: Cross-border healthcare
Retention period for personal data
The retention period for personal data connected to invoicing is six years.
Content of the register
Name, personal identity code, contact details
Persons processing personal data
The data can only be accessed by those persons whose duties include processing it.
Regular sources of data
Data related to invoicing is transferred from the patient record system to the invoicing software.
Regular disclosures of data
Data on unpaid invoices is directed to a debt collection agency.
Transfer of data outside the EU/EEA
We do not transfer data outside the EU/EEA.
Automated decision-making and profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate, analyse or predict aspects concerning the characteristics of the person concerned, e.g. behaviour or health. We do not profile students and we do not apply automated decision-making to students’ data.
Rights of data subjects
Invoice corrections must be requested by completing a form in Self or in person at a service unit.
Right of data subjects to appeal to a supervisory authority
Data subjects have the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data.
For more information, read the instructions provided by the Data Protection Ombudsman.
(Last updated 28 March 2024.)
Contact the person responsible for data protection
The persons responsible for data protection at the FSHS are Marjo Tipuri and Aleksi Schrey. You can contact them through filling the form, which is attached under this text.
