Privacy policy

Data controller

Lappica Oy (hereinafter “Lappica”)
Maakuntakatu 10, 96100 ROVANIEMI, FINLAND

Lappica Oy’s patient register and corporate client register are shared by Lappica and the healthcare professionals and specialists operating there. These professionals work either as employees of Lappica, as independent practitioners, or as service providers through separate companies.


Privacy policy for patients

This privacy policy pertains to the processing of your personal data when you are our private customer and/or patient.

What purpose is my data used for?

We process your data only for predetermined purposes:

  • For handling feedback, official requests for clarification, and incident reports.
  • Processing is necessary for occupational health purposes defined by your employer’s occupational health agreement with Lappica, for assessing an employee’s work ability, for medical diagnoses, and for carrying out healthcare treatment or procedures.
  • For the administration of healthcare services and systems based on legislation or an agreement with a healthcare professional.
  • Processing is necessary for well-being services.
  • Based on given consents, for informing about and marketing services.

What kind of data is collected about me?

Your personal data subject to processing includes:

  • Basic information
  • Consents and prohibitions
  • Employer information
  • Health data
  • Well-being data
  • Appointment booking data
  • Call and chat recordings
  • Billing information
  • Information from feedback, official requests for clarification, and incident reports

How long is my data stored?

  • The retention period for your health data is in accordance with the Ministry of Social Affairs and Health Decree on Patient Documents (298/2009). As a general rule, we store data for 12 years after death, or if the date of death is unknown, for 120 years from birth.
  • Call and chat recordings: 3 months
  • Data related to feedback: 5 years
  • Data related to official requests for clarification: 12 years
  • Data related to incident reports: 5 years

Who processes my personal data and to whom is it disclosed?

Based on the joint registration consent you’ve given, healthcare professionals at Lappica will treat you. In occupational healthcare, your health information is accessible to all professionals involved in your occupational health care.

Kela Prescription Centre

  • Your electronic prescriptions are stored in the Prescription Centre, for which Kela acts as the data controller. More information at kanta.fi.

Kanta Patient Data Archive

  • Your health data is archived in the Kanta services’ Patient Data Archive, maintained by Kela, based on the Act on Electronic Processing of Client Data in Social and Health Care (159/2007) (the “Client Data Act”). More information at kanta.fi.

Additionally, your patient data may be disclosed under Section 13 of the Patient Act (785/1992) as follows:

  1. Another healthcare unit/organization/care facility or healthcare professional
    • Necessary information for your examination or treatment can be disclosed to another healthcare unit you’ve specified, in accordance with your verbal or written consent, or consent otherwise evident from the context and recorded in the patient document.
  2. Insurance companies
    • Necessary information for statutory traffic and accident insurance is disclosed to the insurance company without consent (based on law).
    • For voluntary insurance, necessary information is disclosed according to your consent.
  3. Authorities or entities with a legal right to access information
    • Information is provided to a court, other authority, or entity with a legal right to access information based on a written and itemized request, generally as statements to the extent required by the matter.
    • Patient’s close relative or other close person
    • If you are being treated while unconscious or due to another comparable reason, your close relative or another close person may receive information about you and your health status, unless there is reason to believe that you have prohibited such disclosure.
  4. Disclosure of deceased person’s data
    • The duty of confidentiality and the need for privacy protection continue even after a person’s death. Therefore, information about a deceased person may not be disclosed without a legal basis.
  5. Research use
    • The disclosure of information contained in patient documents for scientific research is governed by Section 13.4 of the Patient Act.
    • Other research use of health data requires your consent.

Your personal data will not be processed or disclosed outside the EU area.

From what sources is my data collected?

From you directly
Information you provide.

Healthcare personnel
Information generated during your examination and treatment.

Employer
As a Lappica client, you are covered by your employer’s occupational health agreement. Your employer provides Lappica with your basic information, workplace contact details, and updates to this information at agreed intervals.

Another healthcare unit or healthcare professional
Information obtained from other healthcare institutions. Based on a referral from a unit or an agreement for purchased services, information on who was treated, what procedures were performed, and their cost is shared to verify billing accuracy.

Other data sources
Insurance company or pension insurance company.

Your rights

Right to Access Personal Data

Right to Rectification of Data

Right to Erasure of Data

  • Information you have provided yourself can be deleted based on your request.
  • For other data:
    The retention period for health data is determined by the Ministry of Social Affairs and Health Decree (Decree on Patient Documents 298/2009). Data will be deleted after the retention period expires. Other data will be deleted after the period mentioned in the retention period section expires.

Right to Restriction of Processing

  • You have the right to request that Lappica restrict the processing of your personal data if you dispute its accuracy. In such cases, processing will be restricted for a period during which we can verify the accuracy of your data. This restriction is implemented by masking your patient data.

Right to Data Portability

  • Another healthcare provider can view your health data through the Kanta services, according to the consents and prohibitions you have personally provided. You can manage these consents and prohibitions through the Omakanta service (kanta.fi).

Right to Withdraw Consent

  • When processing is based on your consent, you can withdraw your consent at any time. You can withdraw your consent by requesting a withdrawal from customer service at a Lappica office.

Right to Lodge a Complaint with a Supervisory Authority

  • If you believe that the processing of your personal data has violated the Data Protection Regulation, you have the right to lodge a complaint with a supervisory authority.
  • You can also lodge a complaint in the Member State where you have your habitual residence or place of work.

How is my personal data protected?

Lappica employs appropriate physical, technical, and administrative safeguards to protect data against misuse. These measures include, among others, controlling and filtering network traffic, using encryption technologies, secure server rooms, proper access control, managed granting and monitoring of access rights, instructing personnel involved in personal data processing, and risk management in the design, implementation, and maintenance of our services. Lappica carefully selects its subcontractors and ensures through contractual and other arrangements that data is processed by subcontractors in accordance with legislation and good data protection practices.

Who can I contact?

DATA PROTECTION OFFICER

Data Protection Officer email: 

PATIENT OMBUDSMAN

Lappica Oy’s Patient Ombudsman is
Lapin hyvinvointialue
Johanna Pikkuaho (040 5060 083)
Satu Peurasaari (040 4823 584)
e-mail:  (not secure, so please do not send confidential information)

The Patient Ombudsman’s duties include, among others:

Privacy policy for health questionnaires

Download Lappica Oy’s Health Questionnaires Privacy Policy


Privacy policy for corporate clients

This privacy policy applies to the processing of your Company’s data when your Company is an occupational health client of Lappica Oy.

For what purpose is my personal data collected?

Lappica Oy’s corporate client register maintains data on existing corporate and organizational clients, their contractual contact persons, and other contact individuals. Here, “Company” also refers to communities and associations.

We process your personal data for the following purposes:

  • Managing, developing, targeting, and monitoring sales, marketing, and communication.
  • Managing customer relationships and customer service, as well as maintaining information on the corporate client’s contractual and other contact persons.
  • Collecting and processing customer feedback.
  • Conducting market research and opinion polls.
  • Analyzing, segmenting, and reporting on customer relationships, and for other purposes related to the development of the overall customer relationship and Lappica’s business operations.

What kind of data is collected about me?

Your personal data subject to processing includes:

  • Contractual contact person’s role within the company
  • Name, job title, and contact information
  • Description of responsibilities

Who processes my personal data and to whom is it disclosed?

The processing of personal data may be outsourced to external occupational healthcare service providers in situations where occupational health services are produced or acquired based on a subcontracting agreement. These external service providers process personal data on behalf of Lappica.

Information from the corporate client register will not be disclosed to third parties.

Personal data is not disclosed or processed outside the EU area.

How long is my data stored?

We’ll store your personal data for as long as you’re a contact person for our corporate client. We perform a data deletion run annually.

From what sources is my data collected?

Contact information for Lappica Oy’s corporate and organizational clients is updated in Lappica’s contract database either based on an announcement made by the contractual contact person or by the individual themselves.

Can I withdraw my consent?

If processing is based on your consent, you can withdraw it at any time. You can send your request to .

Your rights

You have the right to request access to your personal data, and you also have the right to request its rectification or erasure, or the restriction of its processing. You can send these requests to 

Please note: If you act as a contact person for a company or organization, your data cannot be deleted during this time.

Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your personal data has violated the Data Protection Regulation, you have the right to lodge a complaint with a supervisory authority.

You can also lodge a complaint in the Member State where you have your habitual residence or place of work.

How is my personal data protected?

Lappica Oy employs appropriate physical, technical, and administrative safeguards to protect data against misuse. These measures include, among others, controlling and filtering network traffic, utilizing encryption technologies, using secure server rooms, ensuring proper access control, managing the granting and monitoring of access rights, providing guidance to personnel involved in personal data processing, and implementing risk management in the design, implementation, and maintenance of our services. Lappica carefully selects its subcontractors and ensures through contractual and other arrangements that data is also processed by them in accordance with legislation and good data protection practices.

Who can I contact?

Data Protection Officer: .