This Privacy Statement describes how Biomark Health Oy collects, processes, stores, and protects personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR). The purpose of this statement is to provide transparent information regarding the processing of personal data, the rights of data subjects, and the principles applied to the protection and lawful handling of personal information.
1. Personal data controller
Biomark Health Oy
VAT FI33496575
Contact information:
HealthHub, FinnMedi 5
Biokatu 12
FI33520 Tampere
Finland
Contact information in matters related to personal data files:
Biomark Health Oy
Markus Soimasuo
+358 505167827
2. Data Subjects
The register may contain personal data relating to:
- current customers and client organisations;
- potential customers and business contacts;
- representatives, contact persons, and employees of customer or partner organisations; and
- individuals who have contacted Biomark Health Oy regarding its services or operations.
3. Purpose of Processing Personal Data
Personal data is processed only for predefined, legitimate, and business-related purposes in accordance with applicable data protection legislation.
The processing of personal data may be based on:
- an existing customer or cooperation relationship;
- the preparation, execution, or administration of agreements;
- the legitimate interests of the controller related to business operations and customer relationship management;
- the consent of the data subject, for example in connection with marketing communications, newsletter subscriptions, or event registrations; and
- compliance with legal, regulatory, accounting, or contractual obligations.
Personal data may be processed for the following purposes:
- management and maintenance of customer and stakeholder relationships;
- provision, planning, and delivery of services;
- communication related to services, projects, assignments, or customer enquiries;
- preparation of offers, agreements, invoices, and other administrative documentation;
- management of contracts and cooperation relationships;
- customer service and support;
- marketing, newsletters, and professional communications where permitted by law;
- organisation of meetings, webinars, events, or training activities;
- development, maintenance, and security of the controller’s website, systems, and digital services;
- analysis and improvement of service quality, business operations, and customer experience;
- compliance with legal, regulatory, and reporting obligations; and
- protection of the rights, property, and security of the controller, customers, and other stakeholders.
Personal data is processed only to the extent necessary for the relevant purpose and retained only for as long as required by applicable legislation and the legitimate needs of the controller.
4. Personal Data Stored in the Register
The register may contain the following categories of personal data relating to customers, potential customers, cooperation partners, and other stakeholders of Biomark Health Oy:
Basic contact and identification information
- name;
- company and job title;
- postal address;
- e-mail address;
- telephone number; and
- other contact details voluntarily provided by the data subject.
Customer relationship and business-related information
- information related to requested, purchased, or delivered services;
- contract and invoicing information;
- communication and correspondence related to customer relationships or assignments;
- meeting, project, and cooperation information;
- customer feedback and other service-related information; and
- marketing permissions, subscriptions, and communication preferences.
Technical and website-related information
- information collected through website contact forms or electronic services;
- IP address, browser information, cookies, and related technical identification data where applicable; and
- information relating to the use of the controller’s website or digital services.
Only personal data necessary for the defined processing purposes is collected and processed.
5. Rights of the Data Subject
Data subjects whose personal data is processed by Biomark Health Oy have the rights granted under the General Data Protection Regulation (EU) 2016/679 (GDPR). Requests concerning the exercise of these rights may be submitted using the contact details provided by the controller (Markus Soimasuo, markus.soimasuo(at)biomark.fi; +358505167827).
Right of Access
The data subject has the right to obtain confirmation as to whether personal data concerning them is being processed and to access such personal data in accordance with applicable legislation.
Right to Rectification
The data subject has the right to request the correction of inaccurate, outdated, or incomplete personal data.
Right to Object to Processing
The data subject may object to the processing of personal data where the processing is based on the legitimate interests of the controller or where the data subject considers that the processing is otherwise not lawful.
Right to Restrict Processing
The data subject has the right to request the restriction of processing in situations defined by applicable data protection legislation, for example while the accuracy or lawfulness of the data is being assessed.
Right to Withdraw Consent
Where the processing of personal data is based on consent, the data subject has the right to withdraw such consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Right to Prohibit Direct Marketing
The data subject has the right to object to and prohibit the use of personal data for direct marketing purposes at any time.
Right to Erasure
The data subject may request the deletion of personal data where the processing is no longer necessary for the purpose for which the data was collected, or where there is another lawful basis for erasure under the GDPR. The controller will assess each request individually and either delete the data or provide a justified explanation where the data cannot be removed. Certain information may need to be retained to comply with legal obligations, such as accounting, taxation, contractual, or regulatory requirements. For example, accounting records may need to be preserved for the retention period required under applicable legislation.
Right to Lodge a Complaint
The data subject has the right to lodge a complaint with the competent supervisory authority if they believe that the processing of personal data violates applicable data protection legislation. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman: www.tietosuoja.fi/en/index/yhteystiedot.html.
6. Regular Sources of Personal Data
Personal data processed by the controller is primarily collected directly from the data subject in connection with the establishment and maintenance of a customer or cooperation relationship. Information may be provided by the customer through electronic communication, website contact forms, e-mail correspondence, telephone discussions, meetings, agreements, or other direct interactions with the controller.
Personal data may also be obtained when individuals use the controller’s services, subscribe to communications, participate in events or campaigns, or otherwise interact with the controller’s digital services and information systems.
In addition, information may be collected from publicly available sources, professional networking services, business directories, or other external registers maintained by private or public organisations, where permitted under applicable legislation. Such sources may include contact information update services and company information databases operating within the EU or, where applicable, outside the EU in compliance with the requirements of the General Data Protection Regulation (GDPR).
Customer information is regularly collected:
- directly from the customer during the initiation or administration of the customer relationship;
- through website forms or other electronic data submission channels;
- in connection with marketing, communication, or networking activities;
- from the controller’s internal information systems and customer management registers; and
- from publicly available professional or business-related information sources where legally permitted.
7. Regular Disclosure of Personal Data
Personal data is not regularly disclosed to third parties for marketing purposes outside Biomark Health Oy.
Personal data may be disclosed only where necessary for the provision of services, the fulfilment of contractual obligations, or compliance with applicable legal requirements. In such cases, data may be processed by carefully selected service providers acting on behalf of the controller. The controller ensures that all external service providers and partners processing personal data comply with the applicable data protection legislation, including the requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR).
8. Duration of Processing and Data Retention
Personal data is retained only for as long as necessary for the purposes for which it was collected and processed, including the fulfilment of contractual, legal, accounting, and regulatory obligations.
As a general principle, personal data and related documentation are stored for up to ten (10) years from receipt of the relevant documents or from the end of the customer relationship, unless a longer retention period is required or permitted by applicable legislation.
Marketing-related personal data will be processed until the data subject withdraws consent or objects to such processing. Recipients of marketing communications may unsubscribe at any time by using the unsubscribe link included in marketing e-mails or by contacting the controller directly.
9. Processors of Personal Data
Personal data contained in the customer register is processed by authorised personnel of Biomark Health Oy whose duties require access to such information.
Personal data may also be processed on behalf of the controller by external service providers, such as providers of information technology, cloud storage, website maintenance, accounting, or other administrative support services. Access to personal data is limited to the extent necessary for the performance of the relevant services.
Where the processing of personal data is delegated to external parties, the controller ensures through appropriate agreements and data processing arrangements that all personal data is handled confidentially, securely, and in accordance with applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 (GDPR).
10. Transfer of Personal Data Outside the EU or EEA
Personal data is generally processed and stored within the European Union (EU) or the European Economic Area (EEA). As a rule, the controller does not transfer personal data outside the EU or EEA.
However, in certain situations personal data may be transferred or accessed outside the EU or EEA, for example where the controller uses international cloud-based software, communication platforms, IT support services, analytics services, or other external service providers whose servers or support operations may be located partially outside the EU/EEA. Such transfers may also occur where an international collaboration partner, customer, or subcontractor is involved in the provision of services.
In cases where personal data is transferred outside the EU or EEA, the controller will ensure an adequate level of protection for personal data in accordance with applicable data protection legislation. Appropriate safeguards may include the use of European Commission adequacy decisions, standard contractual clauses (SCCs), or other lawful transfer mechanisms required under the General Data Protection Regulation (EU) 2016/679 (GDPR).
11. Automated Decision-Making and Profiling
Biomark Health Oy does not use personal data for automated decision-making, profiling, or other forms of automated processing that would produce legal effects or similarly significant effects on the data subject.
All decisions related to customer relationships, services, and communications are based on human assessment and consideration.