FIRSTBEAT TECHNOLOGIES OY DESCRIPTION OF PERSONAL DATA PROCESSING FOR PARTNERS - FIRSTBEAT LIFESTYLE ASSESSMENT

Similar documents
CEM Benchmarking Privacy Policy

Privacy Policy. Effective date: 21 May 2018

SCALA FUND ADVISORY PRIVACY POLICY

PRIVACY POLICY. 1. Introduction

Platform Privacy Policy (Tier 2)

Bend Mailing Services, LLC, dba BMS Technologies ( us, we, or our ) operates the website (the Service ).

Privacy Policy Who are we? What personal date or information do we collect? How do we collect data or information from you?

Haaga-Helia University of Applied Sciences Privacy Notice for JUSTUS publication data storage service

Blue Alligator Company Privacy Notice (Last updated 21 May 2018)

Privacy Notice - Stora Enso s Supplier and Stakeholder Register. 1 Purpose

Our Data Protection Officer is Andrew Garrett, Operations Manager

Haaga-Helia University of Applied Sciences Privacy Notice for the Laura Recruitment Service

PRIVACY NOTICE 1. Introduction

Haaga-Helia University of Applied Sciences Privacy Notice for Urkund Plagiarism Detection Software

Talenom Plc. Description of Data Protection and Descriptions of Registers

PS Mailing Services Ltd Data Protection Policy May 2018

PerfectView Privacy Statement

Cognizant Careers Portal Privacy Policy ( Policy )

Shaw Privacy Policy. 1- Our commitment to you

Vistra International Expansion Limited PRIVACY NOTICE

PRIVACY POLICY OF THE WEB SITE

DCCVITAL GDPR Privacy Statement. This privacy statement sets out

DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018

2. Which personal data is processed by SF Studios and from which source does the personal data originate?

Tampere University of Technology Privacy Policy 1 (5) 18/06/2018

1. Data Controller Metsäliitto Cooperative ( Metsä Wood ) registered address of the head office at Revontulenpuisto 2, Espoo, Finland

Haaga-Helia University of Applied Sciences Privacy Notice for Student Administration

Name: Aho Terhi Title: ecommerce Manager. Phone: terhi.aho(at)finavia.fi Name: Närvänen Carita Title: Development Manager

PRIVACY POLICY PRIVACY POLICY

A1 Complete Plumbing and Heating Limited Job Applicant Privacy Notice

TIA. Privacy Policy and Cookie Policy 5/25/18

GENERAL DATA PROTECTION REGULATION (GDPR)

Privacy Notice - Stora Enso s Customer and Sales Register. 1 Controller

DATA PROTECTION POLICY THE HOLST GROUP

PRIVACY NOTICE. 1.2 We may obtain or collect your Personal Data from various sources including but not limited to:

Data Subject Access Request Form (GDPR)

Privacy Shield Policy

Emsi Privacy Shield Policy

Graff Search Limited ( Graff Search ) is a recruitment agency and recruitment business.

Privacy Policy of the products of Ilves Solutions Ltd and Ilves Valmisohjelmistot Ltd / Ilveshaku

Our Privacy Statement

PRIVACY POLICY (extended) Personal Data Act (523/1999) 10 and 24 EU General Data Protection Regulation 2016/679

Privacy and Cookies Policy

PRIVACY NOTICE STORM RECRUITMENT UNIT 11, 2 ND FLOOR CHARLESLAND CENTRE, GREYSTONES, CO. WICKLOW 1. INTRODUCTION

WEBSITE PRIVACY POLICY

GDPR Policy WECare Worldwide

Whitepaper on EU Data Protection October 2014

VISTRA (CYPRUS) LTD. PRIVACY NOTICE

A Homeopath Registered Homeopath

NHS R&D Forum Privacy Policy: FINAL v0.1 May 25 th 2018

In compliance with the requirements of the EU General Data Protection Regulation (GDPR, Articles 13, 14 and 30)

When you submit material to the Lest We Forget project you are accepting and consenting to the practices described in this policy.

Privacy Notice For Ghana International Bank Plc customers

DISCLOSURE PURSUANT TO ART. 13 EU REGULATION No. 2016/679 (GDPR) Customers and prospects

Privacy Policy of

What options NETIM offers, including those related to gaining of access to and updating of information.

VISTRA NETHERLANDS PRIVACY NOTICE

World Wide Jobs Ltd t/a Findmyexpert.com Privacy Policy 12 th April 2018

We may change the privacy notice from time to time by amending this page.

Blue Bird Airways PRIVACY NOTICE

Beam Suntory Privacy Policy WEBSITE PRIVACY NOTICE

Fritztile is a brand of The Stonhard Group THE STONHARD GROUP Privacy Notice The Stonhard Group" Notice Whose Personal Data do we collect?

ZENITO OY Client register

Project Better Energy Limited s registered office is Witan Gate House, Witan Gate West, Milton Keynes, Buckinghamshire, MK9 1SH

Startup Genome LLC and its affiliates ( Startup Genome, we or us ) are committed to protecting the privacy of all individuals who ( you ):

Data Processing Agreement DPA

Wonde may collect personal information directly from You when You:

Eco Web Hosting Security and Data Processing Agreement

It s still very important that you take some steps to help keep up security when you re online:

Staff and Recruitment Privacy Notice Your personal information

Data Subject Access Request Form (GDPR)

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

LEGAL INFORMATION & PRIVACY STATEMENT Version: 17 May 2018

PRIVACY NOTICE FOR PROGRAMME APPLICANTS

GDPR RECRUITMENT POLICY

Data Processing Agreement

UWTSD Group Data Protection Policy

PRIVACY NOTICE (TIER 4)

1.3 Please follow the links below for further information. Where relevant, we have made a distinction between different categories of data subjects:

Data Protection Policy

M T BUCKLEY & Co Chartered Accountants

Privacy Policy: Data & Information Security Policy Last revised: 9 May 2018

SURGICAL REVIEW CORPORATION Privacy Policy

PRIVACY NOTICE INTRODUCTION

ATHLETICS WORLD CUP PRIVACY NOTICE

Order of Malta Volunteers Privacy Statement

Privacy Notice and Consent Form

Privacy Policy Identity Games

Whiteinch and Scotstoun Housing Association and WS Property Management Ltd. Privacy Policy

The Park Hotel Privacy Statement

DLB Privacy Policy. Why we require your information

Fluid Metering, Inc. Privacy Policy

Eight Minute Expert GDPR. Login. Password

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

Data Protection Policy

Haaga-Helia University of Applied Sciences Privacy Notice for Student Welfare Services

Website privacy policy

PRIVACY POLICY BACKGROUND:

Privacy Policy. Information about us. What personal data do we collect and how do we use it?

Transcription:

FIRSTBEAT TECHNOLOGIES OY DESCRIPTION OF PERSONAL DATA PROCESSING FOR PARTNERS - FIRSTBEAT LIFESTYLE ASSESSMENT Description of personal data processing in the Firstbeat Lifestyle Assessment service of Firstbeat Technologies Oy ("Firstbeat") when the service is provided by a Firstbeat partner. The partner is typically a professional of occupational healthcare or wellness. DATA PROCESSOR TERMINOLOGY Firstbeat Technologies Oy (Finnish business ID 1782772-5), Yliopistonkatu 28 A, FI- 40700 Jyväskylä, Finland. This description document is targeted to the data subjects (see below "Subject") defined by Firstbeat partners (see below "Service Provider"), to whom the Service Provider produces the Lifestyle Assessment service. "Service Provider" is the person or organization who acts as the Controller for the personal data in the service, and to whom Firstbeat, based on a contractual relationship, provides the technological infrastructure of the Lifestyle Assessment service. Firstbeat processes personal data on behalf of the Service Provider. "Subject" is the person, whose information is used by the Service Provider and Firstbeat to produce the Service, using pulse measurement data and other personal information about the Subject. NOTES ABOUT THE CONTROLLER AND PROCESSOR POSITION This description applies to cases, in which the Firstbeat Lifestyle Assessment service is produced by a partner of Firstbeat (Service Provider), for its own clients or employees. In these cases, the Service Provider acts as the Controller in the sense of the personal data legislation and Firstbeat acts as the data processor. In these cases, the Service Provider has acquired user permission for the Service and independently produces services from information of Subjects defined by the Service Provider or its clients. The Service Provider is e.g. responsible for maintaining privacy policy documentation, legal justification for handling personal data, informing the data subjects and fulfilling the other responsibilities of the Controller as defined in the personal data legislation. The Service Provider may choose to refer to the content of this description as a part of its own documentation regarding personal data handling, but regardless of this, the Service Provider is independently responsible for informing the Subjects in the way required by the personal data legislation. For clarity: Firstbeat also provides a service in the same technical infrastructure directly to its own clients, and in these cases Firstbeat acts as the Controller and has created privacy policy documentation, which is available in the Firstbeat website. This description does not apply to these cases.

2 (5) CONTACT PERSON FOR THE DATA CONTROLLER In matters concerning the Lifestyle Assessment service and personal data processing in the service, the Subjects should primarily contact the Service Provider acting as Controller. The Service Provider will contact Firstbeat, if needed. THE PURPOSE AND NATURE OF PROCESSING THE PERSONAL DATA In order to produce the Lifestyle Assessment service as defined in a contract between Firstbeat and the Service Provider, Firstbeat processes in its information systems personal data saved in the web service used in the Lifestyle Assessment. The type of personal data is described in more detail in subsequent chapters. The personal data is primarily used to provide personalized analysis on the effect of lifestyle factors on different aspects of well-being. The Subject's personal qualities and measured heart beat analysis data are used, with the help of the system, to create a report for the Subject and the Service Provider and possibly to agree on target actions. The expert user defined by the Service Provider (often, an employee of the Service Provider) has their own user interface to the system, and they can process the Subject data in order to create the report and as a part of the service, to give the Subject personalized feedback on the report content. The Service Provider may also use the service to create an anonymized feedback report to their client regarding the general well-being of a group of Subjects (typically employees or a specific group of employees of the client) as a whole. Additionally, Firstbeat processes personal data to provide user support operations and to collect statistics and log data of the service usage. The Service Provider will inform the Subject of possible other purposes for the personal data. Depending on the contract between the Service Provider and Firstbeat, Firstbeat may process physical measuring devices on behalf of the Service Provider as a part of the service, including for example mailing the devices to the Subjects or uploading data from returned devices to the service. The devices on their own do not contain personal information, but the device data is combined to personal data using a device ID during the upload. The legal justification for processing the data in the service is based on fulfilling a contract between the parties or the legitimate interests of the Service Provider or Firstbeat, based on the subject related connection between the parties. The justification may also be Subject consent, if required by the applicable legislation. Log data of the web service use or processing of measuring devices is saved in order to protect the legitimate interests of the Service Provider, Firstbeat and Subjects, for example in order to investigate possible data breaches and for example, so that it is possible to prove that billed services have been delivered. The Service Provider gives Firstbeat an anonymized copy of data saved in the service for statistical research, such as for determining average reference values.

3 (5) THE DURATION OF PERSONAL DATA PROCESSING AND RETENTION PERIOD The Service Provider defines the retention period for personal data as reference for possible follow-up measurements, which belong to the service concept. The collected personal data may be used after providing the service in accordance with the contract between Firstbeat and the Service Provider and the current legislation. If the Subject has not given the permission, based on a separate consent, to transfer his/her personal data to Firstbeat for possible further use, the personal data will be erased from the system in a way defined and implemented by the Service Provider, or after the end of the contract between Firstbeat and the Service Provider at latest when their agreed time period has elapsed. DESCRIPTION OF THE GROUP OF DATA SUBJECTS The personal data from participating Subjects is processed in the Service. The Service Provider determines the group of Subjects. REGULAR DATA SOURCES The Service Provider enters the email address of each Subject in the system. Each Subject is then emailed a personal web link to activate the Service. The Service Provider determines with its clients the data sources for acquiring the email addresses. The other personal data is provided by the Subjects themselves via the web interface and through the use of measuring devices. A representative of the Service Provider may additionally gather information from the Subjects when providing the Service. THE TYPE OF PERSONAL DATA The system contains the following information (partial or complete) about the Subjects: Full name (first and last) Date of birth, gender, height, weight Activity class, maximum and resting heart rate, maximal oxygen consumption Information about chronic diseases and medication provided by the Subject Heart rate measurements and diary entries created by the Subject during the measurement period, e.g. alcohol consumption, current and recent illnesses and medications, self-documented events noteworthy of interest to the Subject. Contact information, e.g. address, email address and telephone number Information about the employer, e.g. name, contact information and personnel group Information about the use of the service Information about the consents of processing data in the service The results report with defined target actions created for the Subject based on the data analysis The service technically allows the anonymous usage with an unidentifiable user identifier chosen by the Subject or the Service Provider. The Service Provider determines, whether such possibility is offered to the Subject and how the analysis results are reported to the Subject in such cases. The e-mail address will be always saved (except in special cases when no e-mail address exists).

4 (5) PRINCIPLES OF DATA PROTECTION Firstbeat follows the best practices for managing data, including appropriate technical and organisational measures, as required by the personal data legislation. The data is kept in information systems produced and controlled by Firstbeat and the data is handled with Firstbeat produced user interfaces. The Internet connection from the web interface used by the Subject or Service Provider to Firstbeat is protected with encryption (SSL). Firstbeat protects the personal data of Service Provider's customers so that only the authorized personnel defined by Firstbeat or Service Provider have access to the file and that the data is processed at Firstbeat only for work purposes related to the technical processing of the data, problem solving or support requests. Firstbeat authorized personnel may be Firstbeat employees or subcontractors. The personal link to the data entry form, which the Subject uses to enter personal data, only works for a limited time and will expire soon after the measuring for security reasons. The measuring devices on their own do not contain any personal data. The data they contain is only connected to personal data using a device ID when saving the data after the transport. Firstbeat ensures that all data systems and computer equipment are sufficiently protected with appropriate technical methods, including access control to physical premises, firewalls, passwords, personal user IDs and personnel security training. If Firstbeat uses third parties (subcontractors) for technical maintenance of data, Firstbeat fulfils the responsibilities required by the data protection legislation related to subcontractors. In all cases, in the Firstbeat processing personal data is kept in information systems governed by Firstbeat and neither Firstbeat nor subcontractors will save information in any other systems. Firstbeat is not responsible for and does not limit that the Service Provider may copy or transfer data, which the Service Provider controls and owns, from Firstbeat systems. The Service Provider is responsible for properly informing its clients and Subjects of such use in the way required by the information safety legislation. TRANSFER OF PERSONAL DATA Firstbeat does not transfer personal data without the data Subject s consent outside Firstbeat, its subsidiary companies or subcontractors, in a manner that the data could be identified, except in following exceptional circumstances: if required by any ruling of a governmental or regulatory authority, court, or by mandatory law; or if it is otherwise necessary for the purposes of preventing, or investigating, any breach of law, user terms or good practices or to protect the rights of the data controller (Service Provider), Firstbeat or third parties. Personal data is primarily stored on Firstbeat servers located in the EU and will not be transferred to countries outside the EU or the EEA, unless otherwise separately agreed. Data may be temporarily transferred outside the EU or the EEA if it is necessary for the technical implementation of the service or personal data processing, such as when sending service related information to the Subject s email address, which is

5 (5) located on a foreign email server. The Subject may also use the Service with a device outside the EU or the EEA, and in such cases, the data is visible on that device while using the Service. Each Service Provider is responsible for their part of where and how it stores any personal data which it potentially stored outside the Firstbeat systems. THE RIGHTS OF THE DATA SUBJECT The data Subject has the right according to the personal data legislation applicable in Finland, including the EU General Data Protection Regulation (GDPR), to inspect their personal information, correct or request to correct inaccurate or incorrect personal information and under some circumstances, the right to request erasure of personal information. Whenever the legal justification for processing personal data is consent, the Subject also has the right to withdraw consent at any time. The Subject has the right to lodge a complaint regarding any disputes concerning the processing of personal data to the authorities responsible for personal data protection. Any requests to inspect, modify or erase the personal data shall be indicated to the Service Provider acting as data Controller. The Service Provider confirms the requestor has the right to make such a request and fulfils the request, if necessary, or contacts Firstbeat if necessary to fulfil the request. The Service Provider is responsible for the related rights of the Subject. CHANGES TO THIS DESCRIPTION This description of the personal data processing has been updated 18.6.2018. Firstbeat follows the changes in legislation and regulator instructions related to personal data processing and develops the service further and will therefore reserve the right to make changes to this description.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback