At Duodecim, we value your privacy and wish to respect your right to the protection of personal data. Accordingly, all our activities are conducted in compliance with the EU General Data Protection Regulation (EU) 2016/679 and national (Finnish) data protection legislation.
Personal use of the EBM Guidelines and the Duodecim Desktop requires that the user has a Duodecim account. This privacy policy applies to the use of the EBM Guidelines and Duodecim Desktop (for providing partner feedback) outside Finland. For use in Finland, please see the Finnish version.
Who is the data controller?
Duodecim Publishing Company Ltd
POB 874 (Visiting address: Keskuskatu 6 E)
00101 Helsinki
Finland
Tel. +358-9-618851
E-mail of the data protection officer: tietosuojavastaava@duodecim.fi
The Finnish Medical Society Duodecim has mainly incorporated its business activities in its wholly owned Duodecim Publishing Company Ltd. The Medical Society and the Company share the financial and information management of the group. The Group’s data protection issues are managed by the Company’s customer service. Personal data is processed through the Duodecim account in the Group’s common information system.
Who is the data protection officer?
The data protection officer at Duodecim is an internal and independent data protection expert whose task is to ensure that we comply with the applicable data protection legislation when processing personal data. The data protection officer acts as a contact person for matters related to the processing of personal data, such as handling requests for information and other matters related to the exercise of rights.
What is the purpose of collecting personal data, and what is the legal basis for its processing?
We collect personal data on registered users of our services. The processing of personal data is based on the contract that the user enters into with the Duodecim Publishing Company Ltd when registering a Duodecim account under Article 6(1)(b) of the GDPR, and it is carried out to enable the use of our services, inform users about them, and develop our services.
We do not collect personal data on users that access our services through an organizational subscription (IP-based recognition of users).
What personal data do we collect about you?
For each user of a Duodecim account the following personal data are recorded:
- first name and last name
- e-mail address
- work title
- authentication and access data
In addition, the following data are recorded for users of the EBM Guidelines and the Duodecim Desktop, whenever the use is enabled through a Duodecim account:
- Country
- Organization
Regular data sources and data retention periods
| Data subjects | Regular data sources | Retention period |
| --- | --- | --- |
| Registered users of our services | As a rule, we collect personal data directly from our users. When registering, the registrant records his/her own data. Alternatively, a third party (e.g. local distributor or other representative of Duodecim) may record data that the user has given to them for the purpose of accessing our services (e.g. for EBM guidelines trial period). This typically applies to situations where the user’s subscription to our services is handled by a local partner. | We retain account data for as long as the account is active or as considered necessary to maintain the customer relationship. |
Who are the recipients of personal data and how is the data processed?
The transfer of personal data is carried out only to those individuals and units who are authorised to process the data based on their job responsibilities. In processing the data, we adhere to data protection principles and the data protection guidelines defined by Duodecim.
Duodecim may also engage external data processors who provide system services for data processing. In such cases, the operation is based on a processing agreement, and the external processor complies with Duodecim’s data protection principles and guidelines in its activities.
Personal data is not disclosed to any other third parties except in the following case.
User-related data may be made available to both Duodecim and the authorized distributor of the EBM Guidelines/representative of Duodecim in the user’s geographical region.
However, data on the contents of the EBM Guidelines accessed by an individual user is never disclosed to third parties.
Is data transferred outside the EU or EEA?
Personal data may be transferred outside the European Union or the European Economic Area within the limits permitted by the General Data Protection Regulation (GDPR). The lawfulness of such processing is based either on a European Commission decision under Article 45 of the GDPR, determining that the third country ensures an adequate level of data protection, or on appropriate safeguards implemented in accordance with Article 46 of the GDPR.
Principles for the protection of the register
The secure processing of your personal data is important to us. We have taken the necessary technical and administrative measures to protect your personal data.
Access to systems containing personal data requires a personal username and password. The registers are located in a secure data centre on servers to which access by unauthorised persons is denied. The data centres are equipped with appropriate access control, video surveillance, intrusion protection and fire protection equipment to ensure data availability and security.
Persons registered with the My Duodecim service can view and update their own contact details on the My Duodecim service. In order to view their own data in My Duodecim, a person must register as a user of a Duodecim account using the activation code they receive from Duodecim or a third party.
The Duodecim Desktop service (applies only to Duodecim’s local partners) is activated for the person by the Duodecim content manager.
Rights of the data subject
The data subject has the following rights, the exercise of which should be requested at info@duodecim.fi.
Right to Object
You have the right to object to the processing of your personal data when your data is processed for reasons of public interest, in the exercise of official authority, or for the purposes of legitimate interest. In such cases, we may not process your personal data unless we can demonstrate that:
- There is a compelling legitimate reason for the processing that overrides your interests, rights, and freedoms, or
- The processing is necessary for the establishment, exercise, or defense of legal claims.
You always have the right to object to the processing of your personal data for direct marketing purposes.
To exercise your right to object, you can submit a request to our data protection officer, specifying the grounds for your objection.
Right of Access
As a registered data subject, you have the right to know what data we collect, for what purposes, and how we process your personal data. You also have the right to request access to the personal data we hold about you.
Right to rectification
You have the right to rectify or amend the personal data we hold about you if you believe your personal data is erroneous, incomplete, or inaccurate.
Right to erasure
You have the right to request the deletion of your personal data, and we are obliged to delete it in the following cases:
- The personal data is no longer necessary for the purposes for which it was collected or processed;
- You withdraw your consent on which the processing is based, and there is no other legal ground for the processing;
- You object to the processing, and there is no overriding legitimate ground for the processing;
- You believe that we have processed your personal data unlawfully;
- The personal data must be erased to comply with a legal obligation in Union or Member State law to which the controller is subject.
However, we are not required to delete the data if the processing is necessary:
- For exercising the right of freedom of expression and information;
- For compliance with a legal obligation, for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
- For reasons of public interest in the area of public health;
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
- For the establishment, exercise, or defense of legal claims.
Right to Restriction of Processing
You have the right to restrict the processing of your data in the following situations:
- You contest the accuracy of your personal data. In such cases the restriction is in place for a period enabling us to verify the accuracy;
- The processing is unlawful, and you oppose the erasure of the data but request the restriction of its use instead;
- We no longer need the personal data for the purposes of the processing, but you require it for the establishment, exercise, or defense of legal claims;
- You have objected to the processing, pending the verification of whether our legitimate grounds override yours.
Right to Data Portability
You have the right to have your personal data transmitted from us to another controller, provided that:
- The processing is based on your consent or a contract;
- You have provided the data to us yourself;
- The data is in a transferable format (e.g. electronic);
- The transfer does not adversely affect the rights and freedoms of third parties.
In such cases, you have the right to have your personal data transmitted directly from one controller to another, where technically feasible.
Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with the supervisory authority if you believe that the processing of your personal data is in breach of the law. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.
Contact Information:
- Visiting address: Lintulahdenkuja 4, 00530 Helsinki
- Postal address: POB 800, 00531 Helsinki
- Switchboard: +358 29 566 6700
- Registry Office: +358 29 566 6768
- Email (Registry Office): tietosuoja(at)om.fi
- More information: https://tietosuoja.fi/
Updates to this notice
We reserve the right to amend and update this Privacy Notice as necessary. We will communicate material changes to our privacy policy on our web site.
Privacy policy updated 25 February 2026.