Privacy Policy

Combined privacy statement and information document for customer relationships and marketing.

1. Data Controller

MyHub Health Oy
Nihtisillantie 3
02630 Espoo

Business ID: 3557288-5

2. Contact person responsible for the register

Maija Kiljunen
info@myhub.fi

3. Name of registers

  • Company customer register
  • Company marketing register
  • Company surveillance camera recording register

4. Purpose and legal basis for processing personal data

The customer register is used to manage customer relationships, to implement the rights and obligations of the customer and the controller, for marketing and statistical purposes. The marketing register is used to market the company's products and services to persons who are not customers of the company but have given consent to the use of their personal data for the controller's marketing communications.

Providing personal data processed in the customer register is a prerequisite for entering into a contract with us and we cannot enter into a contract without this information. Our basis for processing in relation to the management of the customer relationship is the execution of the contract between the customer and us and, in relation to marketing based on the customer register, the customer's consent.

The processing of information provided to the marketing register is based on the consent of the data subject.

The customer has the right to object to the use of their personal data for direct marketing in customer and marketing registers.

Personal data processed in our customer and marketing registers can also be used to develop and target services.

The company's surveillance camera recording register is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1)(f) of the EU General Data Protection Regulation). The legitimate interest of the controller or a third party may be legal, economic or intangible. There is a compelling and justified reason for the camera surveillance, for example for the establishment, exercise or defence of legal claims (Article 21(1) of the EU General Data Protection Regulation). Among other things, monitoring the entrances to MyHub centres is necessary when staff are not present. The personal data processed in the surveillance camera recording register is not used for the development or targeting of services.

Personal data will in all situations only be processed in a manner permitted by applicable law. The data will not be used for automated decision-making or profiling without the customer's express consent.

Main legislation guiding operations:

  • EU Data Protection Regulation and Data Protection Act from May 25, 2018
  • Criminal Code 39/1889
  • Accounting Act 1336/1997

5. Recipients of personal data

The personal data you provide to the customer register is received when you log in to the data controller's system and the recipient is the data controller.

Your personal data in the customer register may also be used by centres that have entered into a cooperation agreement with the controller and that operate in accordance with the controller's concept. Agreements regarding the processing of personal data in accordance with the General Data Protection Regulation have been concluded with these operators and they have committed to comply with the controller's instructions regarding the processing of personal data and data protection.

6. Data content of the register

Customer register

Our customer register contains the following information:

  • Personal information (name, address, telephone number, email address)
  • Services purchased and/or ordered by the customer
  • Accounts payable
  • Training visits

Marketing register

We process the above-mentioned personal data in our marketing register.

Surveillance camera recording register

The MyHub center has camera surveillance. Video footage from the surveillance cameras is stored in the company's surveillance camera recording register.

The information in the register is confidential.

7. Regular sources of information

Customer register

When the customer enters into an agreement with us or our partner. The center's access control system.

Marketing register

A person who provides their information, for example, when participating in competitions, events, lotteries or similar interaction situations organized by a company. In addition, personal data can be collected and updated from the customer register.

Surveillance camera recording register

We store video footage recorded through camera surveillance in the surveillance camera recording register. The locations of the surveillance cameras are marked separately with signs.

8. Retention period of personal data

Personal data will only be stored for as long as is necessary to fulfil the purposes of processing personal data as defined in this privacy policy. Obsolete and unnecessary data will be destroyed promptly and in an appropriate manner.

In addition, customer register information is retained for as long as required by the Accounting Act or other law applicable to the customer relationship. Customer register visit information is anonymized after 5 years have passed since the end of the service agreement.

The data in the marketing register will be stored for a maximum of 12 months after the data subject has given their consent, unless the data subject renews their consent or enters into a customer agreement with us before that time. The data subject's personal data will also be deleted without delay after the data subject has withdrawn their consent to receive marketing messages.

Surveillance camera recordings are stored appropriately in a manner required by data protection and information security and the data is limited to what is necessary in relation to the purposes for which they are processed (Article 5(1)(c) of the EU General Data Protection Regulation). We store surveillance camera recordings for four weeks, after which we permanently delete the recordings from the server. Retaining the recordings ensures the investigation of property or other potential crimes and damages.

9. Regular data transfers and data transfers outside the EU or EEA

Customer register information will not be disclosed to third parties for marketing purposes.

We may use service providers to process personal data in the customer register, who may have access to your personal data in order to perform their tasks. We have entered into an agreement with these service providers in accordance with the requirements of the Data Protection Regulation.

We may use external service providers to process the data in the marketing register. The controller is responsible for ensuring that the service provider processes the personal data provided in accordance with data protection legislation and only to provide separately agreed services to the controller. We have entered into an agreement with these service providers in accordance with the requirements of the Data Protection Regulation.

The controller will not otherwise disclose the personal data provided to third parties. However, the controller has the right to disclose information if required by law or official order.

Information processed in our registers can only be published if this has been separately agreed with the data subject.

Data is not transferred or disclosed outside the EU or the EU Economic Area.

10. Principles of register protection

Personal information is stored confidentially on servers protected by passwords and necessary technical measures.

The register is handled with care and the data processed by the information systems is protected appropriately. The controller ensures that the stored data, as well as server access rights and other information critical to the security of personal data, are handled confidentially and only by employees whose job description includes this and who are committed to complying with confidentiality regulations and the data protection procedures required by the controller.

The electronically processed data contained in the register are protected by firewalls, passwords and other generally accepted technical means used by the information security industry. Manually maintained materials are stored in facilities that are inaccessible to unauthorized persons.

11. Data subject's rights

Every person in the register has the right to request access to information concerning him or her, to check his or her data stored in the register and to request its correction or deletion, or to restrict processing or to have the data transferred from one system to another. Every data subject also has the right to withdraw his or her consent to the processing of personal data, which, however, does not affect the lawfulness of the processing carried out before the withdrawal.

If a person wishes to exercise any of the above rights, a request must be sent in writing to the controller by email to info@myhub.fi.

The controller may, if necessary, ask the requester to prove their identity. The controller will respond to the customer within the time period set out in the EU Data Protection Regulation (generally within one month).

A data subject who is dissatisfied with the processing of his or her personal data also has the right to lodge a complaint regarding the processing with the relevant supervisory authority in the Member State of his or her habitual residence or place of work or in which the alleged infringement occurred. In Finland, the supervisory authority is the Data Protection Ombudsman. The address of the Data Protection Ombudsman’s office is Ratapihantie 9, 00520 Helsinki and the email address is tietosuoja@om.fi.