Privacy statement for the Aisti Health service

1 Data controller

Aava Medical Centre (2311119-2)
Annankatu 32
00100 Helsinki
(hereinafter referred to as “us” or “Aava”)

2 Contact person for queries related to the personal data file

Data Protection Officer Ida-Emilia Laasonen
tel. 010 380 3800

3 Name of the personal data file

Personal data file related to the Aisti Health well-being service (hereinafter referred to as “Aisti Health”). Through the Aisti Health service, Aava contributes to the provision of well-being services to private persons, corporate customers and their employees.

4 What is the legal basis for and purpose of the processing of personal data?

If your employer or a corresponding party has ordered the Aisti Health service for your use, we process your email address received from the party referred to above in order to send a registration message concerning the initial use of the service.

Personal data is processed on the grounds of your express consent to the processing of your personal data in our Aisti Health service, including sensitive health data. Your personal data stored in the Aisti Health service is not transferred to the patient information system unless you agree on this separately with a health care professional.

The purpose of the processing of personal data is:

  • A survey concerning your well-being, which is implemented through a well-being survey included in the Aisti Health service (hereinafter referred to as “the well-being survey”).
  • Based on a separate order placed by you, the running of comprehensive and preventive blood tests, including an analysis of your blood sample and an examination-based assessment (excluding any medical diagnoses) of your risk of cardiovascular diseases, type 2 diabetes and other chronic illnesses.
  • The processing of any personal data provided by you in connection with direct marketing based on Aava’s legitimate interest (including electronic direct marketing), through which we offer you our well-being services while considering your individual needs. Regarding electronic direct marketing, we ask for your consent to the sending of messages.
  • Based on your consent, the utilisation of well-being data provided by you in connection with any patient visits and coaching meetings at Aava or at your employer’s occupational health care service provider as part of occupational health care services or in relation to some other well-being programme you participate in.
  • Conducting customer satisfaction surveys aiming at the development of the Aisti Health service.

5 Profiling

The personal data you provide for the Aisti Health service may be used for profiling purposes. We use profiling and screening based on your personal data, including your responses to the well-being survey, in order to identify, for example, resources, risks and needs related to well-being so that we can better provide you with suitable occupational health and well-being services in a timely manner. We also use such data to target our marketing and to develop our services.

6 Which information do we process?

In connection with the provision of the Aisti Health service, we process the following personal data concerning you:

  • first and last name
  • gender
  • date of birth
  • email address
  • marital status
  • postal code
  • income bracket based on the total annual income of your household, as stated by you
  • preferred language
  • professional status
  • identifiers of test results
  • consents and prohibitions concerning direct marketing
  • when you use the Aisti Health service, the data on the use of our web pages that we collect includes the following: IP address, identification data concerning the end device and operating system, pages visited and the server from which you accessed the Aisti Health service website.

The information referred to above is necessary for the implementation of Aava’s well-being services and in order to enable contacts.

We process the following data concerning your health and well-being:

  • responses to the well-being survey
  • analyses and results generated based on the survey

Your patient data is not processed in the Aisti Health service.

7 From where do we collect data?

We collect personal data primarily from you (the data subject). In addition, we collect data generated in connection with the use of the Aisti Health service, as specified in this privacy statement.

If your employer or a corresponding party has ordered the Aisti Health service for your use, we obtain your email address as a disclosure from the party referred to above in order for us to provide you with information concerning the initial use of the Aisti Health service. In addition, said party may disclose to us unit specifications of organisations in order to enable the reporting of anonymised group-level results.

Furthermore, personal data may be collected and updated for the purposes described in this privacy statement based on data obtained from public sources and authorities or from other third parties within the limits of the applicable legislation. Such updating of data is carried out manually or through automated means.

8 To whom do we disclose or transfer data and do we transfer data outside the EU or EEA?

In relation to service provision, we use subcontractors who process personal data on our behalf, with such subcontractors providing Aava with services related to well-being coaching and IT management.

As a rule, Aava does not transfer personal data outside the European Union or European Economic Area. For example, the processing of all sensitive personal data such as health data takes place in the European Union or European Economic Area.

However, some of our service providers operate outside the EU or EEA, and we transfer general personal data to them if it is necessary for the purposes referred to in this privacy statement. In these cases, we ensure the safety of personal data through contractual safeguards.

9 How do we protect data and ensure data security?

Only our employees who are authorised to process customer data as part of their work duties have the right to use the system containing personal data. Each user has a user ID and password for the system, with two-factor identification required for access. Data is collected into databases that are located in a network that is separated from the internet, with the databases protected by firewalls, passwords and other technical means. Data protection is tested on a regular basis so that we can ensure that the technical and organisational data protection measures are comprehensive and sufficient. Automated tools are used to monitor that software programmes are up to date. Servers, databases and their backups are located in secure premises, and information can only be accessed by pre-assigned persons who need access in order to carry out their work duties.

Aava’s personnel receive regular training on data security and data protection.

10 For how long do we retain your personal data?

We retain your personal data for as long as you have an account in the Aisti Health service.

After this, personal data is irreversibly anonymised by compiling statistics and/or by removing all identification data. Anonymous data, from which individuals cannot be identified, is utilised for research and statistical purposes.

We regularly assess the need to retain personal data while considering the applicable legislation. In addition, we take reasonable measures to ensure that no personal data on data subjects that is incompatible with the purposes of processing or data that is outdated or inaccurate is stored in the register. We rectify or erase such data without delay on our own initiative or upon your request.

11 What are your rights as a data subject?

As a data subject, you have the right to check the data stored in the personal data file concerning you and demand that inaccurate, outdated or unlawful data be rectified or erased. In so far as you have personal access to your data, you can modify the data yourself. For processing based on consent, you also have the right to withdraw your consent at any time. Please note that a withdrawal of consent has no effect on the lawfulness of any processing that took place before consent was withdrawn.

Based on grounds relating to your particular situation, you also have the right to object to any processing concerning you when the processing of data is based on Aava’s legitimate interest. When presenting your demand, you must specify the particular situation based on which you object to the processing. We may refuse to comply with a request concerning an objection only based on grounds laid down in law.

As a data subject, you have the right to object to the processing at any time and at no cost, including profiling and direct marketing.

You always have the right to submit a complaint to a competent data protection authority. In Finland, this authority is the Data Protection Ombudsman, the contact details of which are available online at tietosuoja.fi.

12 Who can you contact?

All queries and requests concerning this privacy statement must be presented in writing or personally to the contact person specified in section two (2).