Processing of personal data in the Medanets service
This is a record of the personal data processing activities in the Medanets service in accordance with the EU General Data Protection Regulation. The Medanets service consists of the Medanets solution and the related support service.
Medanets processes personal data as part of its activities. In accordance with the EU General Data Protection Regulation, Medanets acts as a processor of personal data. The controller is the client of the Medanets service.
| Data required by the notification obligation | Medanets service |
|---|---|
| Identity and contact information of the controller and, if applicable, the controller’s representative (Article 4(17)) | The controller is the client of the Medanets service. |
| Contact information of the data protection officer, if applicable | Client: the client’s data protection contact person. Medanets Oy: dataprotectionofficer@medanets.com |
| Purposes and legal basis of processing personal data | Purposes: The personal data is processed in accordance with Article 6 of the GDPR. The information in the data file of the Medanets service is processed in the server room specified/administered by the client and on the server on which the client determines the Medanets service to be installed. The Medanets service processes personal data that is received in the service through information system interfaces specified by the client from an EHR or as recorded by the end user. The purpose is to enable healthcare personnel to use mobile documentation in the EHR, for example while visiting the patient. Legal basis: The controller specifies the legal basis of processing. |
| If the processing is based on legitimate interest (Article 6.1(f)), the legitimate interests of the controller or third party | The processing is not based on legitimate interest. |
| Categories of personal data | National identification number and name of the patient, health records and contact information of the patient, reported family members and their contact information. Names of the client’s employees who use the Medanets solution and their usernames for the EHR. |
| Recipients or categories of recipients of the personal data | The client’s EHR to which Medanets is connected (such as Lifecare, Uranus, Esko, Millennium) and the NewIcon medication cart. Medanets Oy: support service in Finland. |
| Information on data transfers to third countries and on the safeguards used (including information on the existence or absence of an adequacy decision by the Commission) and the means of receiving a copy or information of their content | Data will not be transferred to third countries. |
| The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period | The patient’s personal and treatment data (observation values, medication administered and other such treatment/health data) is temporarily stored on the Medanets server. The Medanets service automatically removes the patient’s data when activity related to the patient is no longer carried out through the Medanets service. The log data related to the Medanets service is stored for a maximum of 3 months, during which the client makes a backup copy of the server’s data content in their own storage space for potential later retrieval. |
| Rights of the data subject • Right of access to personal data • Right to rectification • Right to erasure • Right to restriction of processing • Right to object • Right to data portability | The data subject has the rights specified by the controller (client). |
| If the processing is based on consent (Article 6.1(a)) or on explicit consent (Article 9.2(a)), the information on the right to withdraw consent at any time | The processing is not based on consent. |
| Right to lodge a complaint with a supervisory authority | The data subject has the right to lodge a complaint with a supervisory authority in accordance with the privacy policy of the controller (client). |
| Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data | Specified by the controller, in other words, the client. |
| Information on the source from which the personal data originate, and, if applicable, whether it came from publicly accessible sources | The information is obtained from the EHR system connected to the Medanets service and as recorded by the user of the Medanets service. |
| Information on the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject | The Medanets service does not use the data for automated decision-making or carry out profiling. |
| A description of the technical and organisational security measures in accordance with the GDPR (Article 32(1)) | The Medanets server is installed in the client’s server room and the solution operates in the client’s intranet (and outside the intranet over a secure mobile data connection / APN connection). The customer support personnel of Medanets Oy use a secure connection to the Medanets server in line with the client’s requirements. The individuals with access to the data are bound by a non-disclosure obligation and the personal data is kept confidential. The client has the right to access the personal data. The data is protected in the client’s server room and on the client’s server with security measures specified by the client, such as a firewall and other necessary technological measures. Access to the data is limited to those who need the data for their work duties. |
| The risks to the rights and freedoms of the data subject in accordance with Recital 39 of the GDPR | The data is confidential and the service implements information security and data protection by design. |