Privacy Policy Statement

1. General

Saga Care Finland Oy is one of Finland’s largest health and wellbeing companies, and providers of sheltered housing for the elderly. We offer seniors nursing, rehabilitation and wellbeing services in our high-quality Saga residential nursing homes. Saga Care is a part of the Esperi Care Group. Saga Care’s most important resource is its professional, skilled staff.

This Privacy Policy Statement describes the personal data Saga Care Finland Oy (“Saga Care”) collects, how Saga Care processes this personal data, the purposes this data is used for and the parties the data can be disclosed to by law. This Privacy Policy Statement also provides information about the obligations Saga Care complies with in its processing of personal data. Please read this Privacy Policy Statement carefully beforehand.

Saga Care pays special attention to the protection of personal data and in all its processing of personal data complies with the EU General Data Protection Regulation (2016/679) (“GDPR”) and other applicable data protection legislation.

This Privacy Policy Statement applies to all the housing, nursing and health care services offered by Saga Care, as well as any other services offered by Saga Care both in Saga Care’s residential nursing homes and other establishments, its website and services on social media. In addition to customers’ personal data, this Privacy Policy Statement also applies to the processing of the personal data of potential customers who show an interest in Saga Care’s services. Also, this Privacy Policy Statement applies to the processing of the personal data of the representatives of Saga Care’s corporate clients, partners, service providers and subcontractors, as well as to the CCTV surveillance in Saga Care’s premises.

“Personal data” means any information relating to a natural person (“data subject”), from which the person can be directly or indirectly identified in the way specified in the GDPR. Data from which the data subject cannot be directly or indirectly identified is not personal data.

2. Controller and data protection officer

Controller: Saga Care
Mannerheimintie 164, 00301 Helsinki
Contact details: myynti.saga@sagacare.fi

Saga Care is a part of the Esperi Care Group. Esperi Care Group’s data protection officer: Kaisa Salo
Contact details: tietosuoja@esperi.fi

3. Legal basis and purpose of processing personal data

We process personal data for the following purposes, among others:

  • Ordering and maintaining Saga Care’s services, developing them and communicating about them
  • Promoting a customer’s health and planning, implementing and monitoring their care and rehabilitation
  • Carrying out our statutory obligations, such as those decreed by the Accounting Act
  • Ensuring the safety of our services and preventing their abuse
  • Protecting Saga Care’s real estate and property and ensuring our customers’ and other people’s safety
  • Processing contact requests and receiving orders for our newsletter
  • Service-related personalised customer service, targeted customer communications and monitoring the use of our services
  • Marketing and targeting our marketing to customers and potential customers
  • Planning and developing our business operations

The legal basis for processing the personal data of data subjects is the contractual relationship between Saga Care and the data subject, which is based on the services offered by Saga Care and ordered by the data subject. The processing of personal data is also based on our statutory obligations, such as our legal obligation to keep books, legislation concerning patient care and statutory reporting obligations.

Our processing of personal data for the purpose of managing the customer relationship and for direct marketing is based on Saga Care’s legitimate interest.

Electronic marketing and orders for Saga Care’s newsletter are based on the data subject’s consent. The data subject has the right to withdraw their consent at any time (see section 9: “The rights of the data subject”).

4. Processing of special categories of personal data, and data content and sources of data

Saga Care only collects personal data about the data subject which are relevant and necessary for the purposes of use specified in this Privacy Policy Statement.

We process the following data about the data subject:

Special category of personal data: Examples of data content

4.1. Contact information: Name, address, phone number and email address of the data subject
4.2. Identifiers: Data subject’s identification number, other corresponding national identifiers and date of birth
4.3. Data relating to the customer relationship: Account number, invoicing and payment information, and other information by which the customer relationship may be identified
4.4. Customer event information and contractual information: Information about the contract between Saga Care and the data subject or Saga Care and the organisation representing the data subject, rental agreements, customer feedback, communications between the data subject and Saga Care and other interactions
4.5. Information about our care and nursing activities: All the information, such as that accrued during care, which is required for organising, planning, implementing and monitoring care, nursing and rehabilitation
4.6. Disclosing of data: Information concerning the disclosure of data and the basis of the disclosure and other records concerning data disclosure
4.7. CCTV surveillance: Recordings of CCTV surveillance in Saga Care’s premises from which the data subject may be identified
4.8. The data subject’s consent: Information about the data subject’s consent for direct electronic marketing, withdrawal of consent and objections to processing
4.9. Information about customer behaviour and technical identifiers: The online behaviour of the data subject and the monitoring of Saga Care’s services, for example with the help of cookies or similar technical identifiers. The information collected may include, for example, the user’s IP address, the websites they visit, browser type, Internet address and the time and duration of the session. For more information about the cookies and other technical monitoring methods we use, see the cookie policy on the Saga Care website.

Providing personal data is necessary for Saga Care to be able to carry out its obligations, which are based on a contract between Saga Care and the data subject or on the relevant legislation, and for Saga Care to be able to produce its services. If the data subject refuses to provide the required personal data, a rental agreement for a residential nursing home, for example, cannot be made, nor can Saga Care’s obligations for implementing its services or legislative obligations be carried out.

Providing personal data for marketing and giving consent for electronic direct marketing is voluntary. The data subject may withdraw their consent at any time (see section 9: “The rights of the data subject”).
Also, the data subject may prevent the use of cookies in the way described in our practices relating to cookies.

Sources of information:

Personal data is mainly collected from the data subject themselves, for example, in connection with estimating the need for the service, concluding a rental agreement or during the customer relationship. A data subject may also have provided Saga Care with personal data, for example, via the contact form on Saga Care’s website or our services on social media.

Additionally, personal data may also be provided by the data subject’s guardian, legal representative or next of kin and nursing staff. Personal data may also be collected from the community on whose behalf the data subject is acting. In situations permitted by law, data may also be collected and updated from filing systems maintained by third parties, such as those maintained by the interest groups Saga Care cooperates with, including social welfare and health care organisations, and those maintained by social welfare and health care authorities.

Other partners of Saga Care supply Saga Care with the personal data of data subjects in situations where this is required by law and contractual obligations.

5. Storing personal data

Saga Care stores personal data for as long as is necessary to carry out the purposes defined in this Privacy Policy Statement unless required to store the personal data longer by law (for example, due to the responsibilities and obligations dictated by special legislation or accounting or reporting obligations), or unless Saga Care needs the data to compile or file a claim or defend itself against legal claims, or to solve a corresponding situation involving dispute.

The duration of storage and storage criteria vary according to the special category of personal data, depending on what the purpose of the category is.

Personal data is processed for the duration of the validity of the customer and contractual relationship and for the necessary time after the customer and contractual relationship ends.

Data concerning potential customers, such as contacts made via our website, is generally stored for six (6) years from the date of receiving the data.

Rental agreements and contracts of service are stored for the duration of the customer and contractual relationship and generally for six (6) years from the end of the subsequent accounting period after the contractual relationship has ended.  Other customer data collected on the grounds of patient and social welfare services are stored for the duration required by the Act on the Status and Rights of Patients (785/1992, including amendments) and the Act on the Status and Rights of Social Welfare Clients (812/2000, including amendments).

For clarity’s sake, let us also note that whenever Saga Care acts as the processor of personal data in relation to a municipality that is a controller, Saga Care complies with the privacy policy principles of the controller, i.e. municipality in question, as regards the said data. When acting as a processor of personal data, Saga Care returns any data concerning customers to the municipality acting as a controller after the contractual relationship has ended.

As far as organisations are concerned, the storage of the personal data of the organisation’s representative is tied to how long the data subject in question acts as the representative of the organisation in communications with Saga Care. CCTV recordings are generally stored for 4 weeks at most until the recordings are overwritten.

When the personal data is no longer needed in the above-described way, the data is erased within a reasonable time.

6. Processors and recipients of personal data

The data subject’s personal data may be transferred within the Esperi Care Group (“Esperi”) and between the companies belonging to the Group.

In accordance with this Privacy Policy Statement, Esperi may outsource the processing of personal data to service providers or subcontractors who offer IT systems and financial administration services, deliveries of goods, judicial services and other services. By applying sufficient contractual obligations, Esperi makes sure that all personal data is processed appropriately.

If required by legislation and contractual obligations, data subjects’ personal data may be disclosed to authorities, such as municipalities. In accordance with the requirements of the law, data is disclosed to the National Institute for Health and Welfare, which maintains national health care records, and to the national data system services for healthcare (the Kanta database).

In addition, the data subject’s personal data may have to be disclosed to a next of kin or corresponding person if the conditions are met which are dictated by the Act on the Status and Rights of Patients and the Act on the Status and Rights of Social Welfare Clients (such as important decisions on treatment if the person is not able to express their will themselves).

In emergencies or other unexpected situations, Esperi may have to disclose the personal data of data subjects in order to protect the lives and health of others or to protect property. Additionally, Esperi may have to disclose the personal data of data subjects if Esperi is party to legal proceedings or other procedures occurring in establishments of dispute settlement.

If Esperi is party to a merger, business acquisition or other corporate transaction, it may have to disclose the personal data of data subjects to third parties.

Esperi never discloses the personal data of data subjects for direct marketing.

7. Transfers of personal data outside the European Union or the European Economic Area

No data will be transferred outside the European Union or the European Economic Area.

8. The principles of personal data protection and processing security

Saga Care processes personal data in such a way that the appropriate security and data protection of the personal data is ensured in the best possible way in all situations, including protection from unauthorised processing and from being lost, destroyed or damaged accidentally.

In all processing of personal data, appropriate technical and organisational protective measures are applied to ensure this, including the use of firewalls, cryptography, secure equipment facilities, appropriate passage control systems and access control and staff instructions.

Original copies of documents are stored in locked facilities with restricted access provided only for authorised persons. Hard copies are destroyed in a secure way.

Any employee who processes personal data is bound by the obligation of professional secrecy in matters relating to the processing of data subjects' personal data, as required by the Employment Contracts Act and the confidentiality clauses of such contracts.

In accordance with this Privacy Policy Statement, Saga Care may outsource the processing of personal data to service providers, in which case the company ensures that the personal data is processed in an appropriate and legal way by imposing sufficient contractual obligations.

9. The rights of the data subject

The data subject has all the rights guaranteed by data protection legislation.

Right of access and right to check the data

The data subject has the right to obtain from the controller confirmation as to whether or not their personal data is being processed.

The data subject has the right to check and see the data concerning themselves and on request to access the data in writing or in electronic form.

Right to rectification and erasure

The data subject has the right to request the rectification of inaccurate data concerning themselves. In addition, the currently valid data protection legislation gives the data subject the right to request the erasure of their personal data.

Saga Care will also erase, rectify and supplement on its own initiative any personal data that it discovers to be inaccurate, unnecessary, inadequate or outdated.

The right to data portability, restriction of processing and to object to processing

According to the currently valid data protection legislation, the data subject has the right to request that their personal data be transmitted to another controller.

In accordance with the conditions set by the data protection legislation, the data subject also has the right to request the restriction of the processing of their personal data. Additionally, in situations where a piece of personal data, which is suspected to be inaccurate, cannot be rectified or erased, or where there is some ambiguity with the request for erasure, Saga Care will restrict access to that data.
The data subject has the right to object to the use of their personal data for a certain kind of purpose. The data subject has the right to forbid the disclosure and processing of their personal data for direct marketing.

Right to withdraw consent

If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent for the processing of data concerning themselves. The withdrawal does not affect the lawfulness of the processing performed before the withdrawal.

Consent concerning electronic direct marketing can be withdrawn or direct marketing can be prohibited at any time by contacting this address: myynti.saga@sagacare.fi. In addition, the data subject may remove themselves from Saga Care’s email list at any time by clicking on the “unsubscribe” link in the email.

Implementing the rights

Requests concerning the rights of data subjects are made in writing or electronically and addressed to the controller mentioned in Section 2 of this Privacy Policy Statement. Please find the controller’s contact information in Section 2 of this Privacy Policy Statement. Before any data can be provided, we will check the identity of the person making the request, which is why we may have to ask for more information. Such requests will be answered within a reasonable time and, whenever possible, within a month from receiving the request and checking the person’s identity.

If we are unable to comply with the data subject’s request, we will inform the data subject of our refusal in writing. Saga Care may refuse a request (such as the erasure of data) on the grounds of statutory obligation or Saga Care’s statutory rights; for example, an obligation or claim directed at Saga Care.

10. The right to file a complaint with the supervisory authority

The data subject has the right to file a complaint with the supervisory authority if the data subject considers that the processing of their personal data infringes the currently valid legislation. Contact information for the relevant supervisory authority:

Office of the Data Protection Ombudsman
Street address: Ratakatu 9, 5th floor, 00520 Helsinki
Postal address: PO BOX 800, 00521 Helsinki
Email: tietosuoja@om.fi
Switchboard: +358 29 56 66700
Fax: +358 29 56 66735

11. Changes to the Privacy Policy Statement

We reserve the right to make changes and update this Privacy Policy Statement. If we make changes to this Privacy Policy Statement, we will add a notification about it on our website where you will also find the latest version of our Privacy Policy Statement.

This Privacy Policy Statement was published on 24 May 2018.