Saga Care Finland Oy is one of Finland’s largest health and wellbeing companies, and providers of sheltered housing for the elderly. We offer seniors nursing, rehabilitation and wellbeing services in our high-quality Saga residential nursing homes. Saga Care is a part of the Esperi Care Group. Saga Care’s most important resource is its professional, skilled staff.
Saga Care pays special attention to the protection of personal data and in all its processing of personal data complies with the EU General Data Protection Regulation (2016/679) (“GDPR”) and other applicable data protection legislation.
“Personal data” means any information relating to a natural person (“data subject"), from which the person can be directly or indirectly identified in the way specified in the GDPR. Data from which the data subject cannot be directly or indirectly identified is not personal data.
2. Controller and data protection officer
Controller: Saga Care
Mannerheimintie 164, 00301 Helsinki
Contact details: email@example.com
Saga Care is a part of the Esperi Care Group. Esperi Care Group’s data protection officer: Kaisa Salo
Contact details: firstname.lastname@example.org
3. Legal basis and purpose of processing personal data
We process personal data for the following purposes, among others:
- Ordering and maintaining Saga Care’s services, developing them and communicating about them
- Promoting a customer’s health and planning, implementing and monitoring their care and rehabilitation
- Carrying out our statutory obligations, such as those decreed by the Accounting Act
- Ensuring the safety of our services and preventing their abuse
- Protecting Saga Care’s real estate and property and ensuring our customers’ and other people’s safety
- Processing contact requests and receiving orders for our newsletter
- Service-related personalised customer service, targeted customer communications and monitoring the use of our services
- Marketing and targeting our marketing to customers and potential customers
- Planning and developing our business operations
The legal basis for processing the personal data of data subjects is the contractual relationship between Saga Care and the data subject, which is based on the services offered by Saga Care and ordered by the data subject. The processing of personal data is also based on our statutory obligations, such as our legal obligation to keep books, legislation concerning patient care and statutory reporting obligations.
Our processing of personal data for the purpose of managing the customer relationship and for direct marketing is based on Saga Care’s legitimate interest.
Electronic marketing and orders for Saga Care's newsletter are based on the data subject’s consent. The data subject has the right to withdraw their consent at any time (see section 9: "The rights of the data subject”).
4. Processing of special categories of personal data, and data content and sources of data
We process the following data about the data subject:
|Special category of personal data||
Examples of data content
|4.1. Contact information||Name, address, phone number and email address of the data subject|
|4.2. Identifiers||Data subject’s identification number, other corresponding national identifiers and date of birth|
|4.3. Data relating to the customer relationship||Account number, invoicing and payment information, and other information by which the customer relationship may be identified|
|4.4. Customer event information and contractual information||Information about the contract between Saga Care and the data subject or Saga Care and the organisation representing the data subject, rental agreements, customer feedback, communications between the data subject and Saga Care and other interactions|
|4.5. Information about our care and nursing activities||All the information, such as that accrued during care, which is required for organising, planning, implementing and monitoring care, nursing and rehabilitation|
|4.6. Disclosing of data||Information concerning the disclosure of data and the basis of the disclosure and other records concerning data disclosure|
|4.7. CCTV surveillance||Recordings of CCTV surveillance in Saga Care’s premises from which the data subject may be identified|
|4.8. The data subject’s consent||Information about the data subject’s consent for direct electronic marketing, withdrawal of consent and objections to processing|
|4.9. Information about customer behaviour and technical identifiers||The online behaviour of the data subject and the monitoring of Saga Care’s services, for example with the help of cookies or similar technical identifiers. The information collected may include, for example, the user’s IP address, the websites they visit, browser type, Internet address and the time and duration of the session. For more information about the cookies and other technical monitoring methods we use, go to the Saga Care website at evästekäytännöstä.|
Providing personal data is necessary for Saga Care to be able to carry out its obligations, which are based on a contract between Saga Care and the data subject or on the relevant legislation, and for Sage Care to be able to produce its services. If the data subject refuses to provide the required personal data, a rental agreement for a residential nursing home, for example, cannot be made, nor can Saga Care’s obligations for implementing its services or legislative obligations be carried out.
Providing personal data for marketing and giving consent for electronic direct marketing is voluntary. The data subject may withdraw their consent at any time (see section 9: "The rights of the data subject”).
Sources of information:
Personal data is mainly collected from the data subject themselves, for example, in connection with estimating the need for the service, concluding a rental agreement or during the customer relationship. A data subject may also have provided Saga Care with personal data, for example, via the contact form on Saga Care’s website or our services on social media.
Additionally, personal data may also be provided by the data subject’s guardian, legal representative or next of kin and nursing staff. Personal data may also be collected from the community on whose behalf the data subject is acting. In situations permitted by law, data may also be collected and updated from filing systems maintained by third parties, such as those maintained by the interest groups Saga Care cooperates with, including social welfare and health care organisations, and those maintained by social welfare and health care authorities.
Other partners of Saga Care supply Saga Care with the personal data of data subjects in situations where this is required by law and contractual obligations.
5. Storing personal data
The duration of storage and storage criteria vary according to the special category of personal data, depending on what the purpose of the category is.
Personal data is processed for the duration of the validity of the customer and contractual relationship and for the necessary time after the customer and contractual relationship ends.
Data concerning potential customers, such as contacts made via our website, is generally stored for six (6) years from the date of receiving the data.
Rental agreements and contracts of service are stored for the duration of the customer and contractual relationship and generally for six (6) years from the end of the subsequent accounting period after the contractual relationship has ended. Other customer data collected on the grounds of patient and social welfare services are stored for the duration required by the Act on the Status and Rights of Patients (785/1992, including amendments) and the Act on the Status and Rights of Social Welfare Clients (812/2000, including amendments).
As far as organisations are concerned, the storage of the personal data of the organisation’s representative is tied to how long the data subject in question acts as the representative of the organisation in communications with Saga Care. CCTV recordings are generally stored for 4 weeks at most until the recordings are overwritten.
When the personal data is no longer needed in the above-described way, the data is erased within a reasonable time.
6. Processors and recipients of personal data
The data subject’s personal data may be transferred within the Esperi Care Group ("Esperi”) and between the companies belonging to the Group.
If required by legislation and contractual obligations, data subjects’ personal data may be disclosed to authorities, such as municipalities. In accordance with the requirements of the law, data is disclosed to the National Institute for Health and Welfare, which maintains national health care records, and to the national data system services for healthcare (the Kanta database).
In addition, the data subject’s personal data may have to be disclosed to a next of kin or corresponding person if the conditions are met which are dictated by the Act on the Status and Rights of Patients and the Act on the Status and Rights of Social Welfare Clients (such as important decisions on treatment if the person is not able to express their will themselves).
In emergencies or other unexpected situations, Esperi may have to disclose the personal data of data subjects in order to protect the lives and health of others or to protect property. Additionally, Esperi may have to disclose the personal data of data subjects if Esperi is party to legal proceedings or other procedures occurring in establishments of dispute settlement.
If Esperi is party to a merger, business acquisition or other corporate transaction, it may have to disclose the personal data of data subjects to third parties.
Esperi never discloses the personal data of data subjects for direct marketing.
7. Transfers of personal data outside the European Union or the European Economic Area
No data will be transferred outside the European Union or the European Economic Area.
8. The principles of personal data protection and processing security
Saga Care processes personal data in such a way that the appropriate security and data protection of the personal data is ensured in the best possible way in all situations, including protection from unauthorised processing and from being lost, destroyed or damaged accidentally.
In all processing of personal data, appropriate technical and organisational protective measures are applied to ensure this, including the use of firewalls, cryptography, secure equipment facilities, appropriate passage control systems and access control and staff instructions.
Original copies of documents are stored in locked facilities with restricted access provided only for authorised persons. Hard copies are destroyed in a secure way.
Any employee who processes personal data is bound by the obligation of professional secrecy in matters relating to the processing of data subjects' personal data, as required by the Employment Contracts Act and the confidentiality clauses of such contracts.
9. The rights of the data subject
The data subject has all the rights guaranteed by data protection legislation.
Right of access and right to check the data
The data subject has the right to obtain from the controller confirmation as to whether or not their personal data is being processed.
The data subject has the right to check and see the data concerning themselves and on request to access the data in writing or in electronic form.
Right to rectification and erasure
The data subject has the right to request the rectification of inaccurate data concerning themselves. In addition, the currently valid data protection legislation gives the data subject the right to request the erasure of their personal data.
Saga Care will also erase, rectify and supplement on its own initiative any personal data that it discovers to be inaccurate, unnecessary, inadequate or outdated.
The right to data portability, restriction of processing and to object to processing
According to the currently valid data protection legislation, the data subject has the right to request that their personal data be transmitted to another controller.
In accordance with the conditions set by the data protection legislation, the data subject also has the right to request the restriction of the processing of their personal data. Additionally, in situations where a piece of personal data, which is suspected to be inaccurate, cannot be rectified or erased, or where there is some ambiguity with the request for erasure, Saga Care will restrict access to that data.
The data subject has the right to object to the use of their personal data for a certain kind of purpose. The data subject has the right to forbid the disclosure and processing of their personal data for direct marketing.
Right to withdraw consent
If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent for the processing of data concerning themselves. The withdrawal does not affect the lawfulness of the processing performed before the withdrawal.
Consent concerning electronic direct marketing can be withdrawn or direct marketing can be prohibited at any time by contacting this address: email@example.com. In addition, the data subject may remove themselves from Saga Care’s email list at any time by clicking on the “unsubscribe” link in the email.
Implementing the rights
If we are unable to comply with the data subject’s request, we will inform the data subject of our refusal in writing. Saga Care may refuse a request (such as the erasure of data) on the grounds of statutory obligation or Saga Care’s statutory rights; for example, an obligation or claim directed at Saga Care.
10. The right to file a complaint with the supervisory authority
The data subject has the right to file a complaint with the supervisory authority if the data subject considers that the processing of their personal data infringes the currently valid legislation. Contact information for the relevant supervisory authority:
Office of the Data Protection Ombudsman
Street address: Ratakatu 9, 5th floor, 00520 Helsinki
Postal address: PO BOX 800, 00521 Helsinki
Switchboard: +358 29 56 66700
Fax: +358 29 56 66735