HeBA Privacy Provisions

Valid from 01.05.2020

INTRODUCTION

HeBA, under the business name of Tervise Teejuht Ltd (registry code 14644401, legal address: Vambola 6, 10114 Tallinn, Estonia, licenses No L04467 and L04468) is a health care company. We provide health services under the Health Services Organisation Act, the Occupational Health and Safety Act, the Communicable Diseases Prevention and Control Act, and provide other health services in accordance with applicable Estonian and European Union law. You can find a list of HeBA services here.

The health, privacy and sense of security of our Clients are of utmost importance to us. All of our services involve the processing of your Personal Data, which is carried out in accordance with this Privacy Policy. We explain our Privacy Policy to our customers through these Privacy Provisions.

These Privacy Provisions describe in a comprehensive manner how and for what purpose HeBA collects and processes Personal Data. The processing of Personal Data is governed by the applicable Personal Data Protection Legislation, including the Health Services Organization Act, the Terms and Conditions for Documenting and Maintaining Health Care Services, the Occupational Health and Safety Act, Regulation (EU) 2016/679 (“GDPR”) and the Personal Data Protection Act.

1. The Purpose of Privacy Policy

The purpose of this Privacy Policy is to protect the privacy of Clients in accordance with the laws of the Republic of Estonia and the European Union.

2. The Purpose of processing personal data

2.1. HeBA collects and processes the Personal Data of its Clients for the provision of agreed health services, which are strategically aimed at managing the health of the Client (natural person), managing health risks and achieving a good quality of working life, and reducing the health risks of the Client’s (legal person) staff.

2.2. We process the personal information of HeBA Service Users: Clients (natural persons), Client Companies (legal persons) and Voluntary Users of Marketing Channels in order to fulfill our contractual obligations as well as provide potential customers with better service and information.

2.3. When providing health care services to a client (natural person), including occupational health services, HeBA processes personal data based on the Health Services Organization Act and the Occupational Health and Safety Act.

2.3.1. When providing occupational health services, we process Personal Data in order to:

– Assess the Client’s general health and the impact of work environment risk factors on the Client’s health;

– Provide personalized health advice that encourages personal and occupational health;

– Prepare a personal health plan for the Client to manage, maintain and improve health risks.

To achieve this goal, we analyze customer health and work environment data, including physical and mental health and health behavior patterns. We carry out the health assessment either solely on the basis of the data provided or on the basis of both the submitted data and the examination performed at the Client’s appointment.

2.3.2. When providing other health care services (vaccinations, medical examinations or other), we process Personal Data in order to fulfill the Client’s intended purpose when seeking health care.

2.4. In order to provide a service other than health care (nutrition counseling, rehabilitation or other service), HeBA processes Personal Data for the purpose of providing the service requested.

2.5. We provide health care services to a Client Company (legal person), including occupational health services, on the basis of an agreement with the company, based on the Health Services Organization Act and the Occupational Health and Safety Act.

2.5.1. When providing occupational health services, we process Personal Data in order to:

– Provide the Client Company with an overview of the factors affecting the health of its employees;

– Provide input to the Client Company to plan health and risk management activities for its staff.

To accomplish this goal, we analyze aggregated Personal Data of the staff.

2.5.2. The Principles of Processing Personal Data are signed with the Client Company as part of the contract for Health Services.

2.6. For the purposes of analyzing and evaluating Client Satisfaction and Improving Services, HeBA has the right to request feedback from Clients and Client Companies regarding the services provided.

2.7. For the purposes of measuring and improving the quality of the service, and for educational and scientific purposes, HeBA processes the Personal Data collected in the course of providing the Services in an impersonal manner, i.e. the identification of the data subject is made impossible, taking into account the applicable legislation.

3. Collection of personal data

3.1. When providing occupational health services:

– the Client Company transmits the personal data of its employees (Client) to HeBA in accordance with applicable law using a secure web-based platform that fully complies with GDPR requirements (heba.ee);

– We request health and health behavior data directly from the Client on the basis of a personal questionnaire using the GDPR-compliant, personally identified web platform (heba.ee) and when meeting with the Client for health care purposes;

– Personal health information is retrieved from the Health Information System for the purpose of providing health care, both during the provision of health care and during planning.

3.2. When providing health services:

– We request health and health behavior data directly from the Client when meeting with the Client to provide health care;

– Personal health information is retrieved from the Health Information System for the purpose of providing health care, both during the provision of health care and during planning.

3.3. Voluntary use of marketing channels:

– We request the Client’s Personal Data directly from the Client using a private cloud web platform, paper medium or e-mail service.

4. Personal data collected and processed

4.1. We process personally identifiable information, such as name and personal identification code, as well as data, including health data, for the purpose of providing healthcare. When providing a health care service, we may process personal contact information and bank account details for billing of the health care service provided and to provide organizational information before and after the visit.

4.2. The composition of the Personal Data that is processed on a case-by-case basis depends on the content of the service and is strictly limited to the minimum of Personal Data required for the service provided.

4.3. List of data to be processed:

– General information such as name, surname, telephone number, email address and address

– Personal identification number

– Bank account details

– Job, position, unit

– Workload, length of service

– Individual work environment decisions

– Health behavior data

– Health records

5. Transmission of personal data

5.1. Health data will not be disclosed to third parties, except as required by law.

5.2. HeBA may transfer the Client’s health data for the purpose of providing health care for the Client to another health care provider and to a laboratory for analysis. The HeBA healthcare professional has the right to consult another healthcare professional in order to provide the best healthcare to the Client.

5.3. When providing health care, HeBA shall transfer the health data to the eHealth Patient Portal Information System, which is located on the website https://id.digilugu.ee/ and is processed by the Health and Welfare Information Systems Center (registry code 70009770, address: Uus-Tatari tn 25, 10134 Tallinn). If you have any questions about the Patient Portal, please contact the Health and Welfare Information Systems Helpdesk at +372 794 3943 or at abi@tehik.ee.

5.4. When providing health care, HeBA may transfer and / or receive health data as required under applicable law through the Prescription Center, the controller of which is the Health and Welfare Information Systems Center (registry code 70009770, address: Uus-Tatari tn 25, 10134 Tallinn). If you have any questions about the Prescription Center, you can contact the Health and Welfare Information Systems Helpdesk at +372 794 3943 or at abi@tehik.ee.

5.5. When providing health care, HeBA may transfer and / or receive health data as required under applicable law through an image bank, the controller of which is the Estonian Healthcare Image Bank (registry code 90007945, address Puusepa 8, 51014 Tartu, Estonia), if required for the provision of health care. If you have any questions regarding the Image Bank, please contact the Health and Welfare Information Systems Helpdesk at +372 5331 8888 or send an e-mail to abi@pildipank.ee.

5.6. With the exception of individual health and health behavior data, we transfer personal information to the Client Company under the law applicable to its employees, such as a health review decision under the Occupational Health and Safety Act. Health data enabling personal identification shall not be transferred to third parties.

5.7. HeBA has the right to use Authorized Processors for the processing of Personal Data, which are support service providers: Connected OÜ, e-clinic of specialized medical software and its reservation system; Devbreak OÜ, which develops the HeBA health management platform. Authorized Processors may have access to Personal Data only in limited cases. As Authorized Processors, we will only use partners who process Personal Data in accordance with applicable law and this Privacy Policy.

5.8. When providing health care services in connection with the issuing of a health certificate for a motor vehicle driver, HeBA health data (health certificate) may be transmitted to the Road Administration’s digital environment, the controller of which is the Road Administration (registry code 70001490, address Teelise 4, 10916 Tallinn). For any questions regarding data processing by the Estonian Road Administration, please contact the Estonian Road Administration by phone +372 620 1200 or by e-mail info@mnt.ee.

6. Retention of personal data

6.1. HeBA will retain Personal Data relating to the provision of healthcare for as long as the purpose for which it is processed requires and for as long as required by applicable law.

6.2. Pursuant to the Health Services Organization Act and pursuant to the regulation of the Minister of Social Affairs “Conditions and Procedure for Documenting Health Care Services and Maintaining These Documents”, HeBA shall keep the following documents containing Personal Data:

6.2.1. Patient health records will be retained until 30 years after data validation;

6.2.2. When ordering examinations, we will keep the examination results for 30 years with the patient’s health record.

6.3. Under Section 13’ (11) of the Occupational Health and Safety Act, we will keep the HeBA medical records and medical examination results for 30 years as of the making of a medical examination decision.

6.4. Under the Accounting Act, we preserve accounting documents for 7 years.

6.5. Data collected for the performance of a health care contract, for which no longer retention period derives from applicable law, will, as a general rule, be retained in a personally identifiable form for as long as necessary for the performance of the contract during the contract or up to 3 years after termination of the contract.

6.6. We keep the feedback collected to evaluate customer satisfaction for 5 years from the date we receive the feedback.

7. Protection of personal data

7.1. To prevent unauthorized access to or disclosure of Personal Data, HeBA uses high-security technical and organizational measures in accordance with the requirements of the three-level reference security system developed by the National Information Systems Authority.

7.2. All HeBA employees’ and partners’ contracts contain a confidentiality obligation.

7.3. Access rights to Personal Data are limited according to the need to provide the service. In order to process personal information, HeBA employees must identify themselves. All personal data access logs are retained.

7.4. Personal information is stored on the HeBA platform in a secure, GDPR-compliant private cloud in an encrypted form.

7.5. The Client can access his / her personal data through multi-step authentication. At the Client’s express request and in a form that can be reproduced in writing, it is possible to transmit the Client’s data in an unencrypted form (via e-mail, on paper).

8. Customer Rights in relation to Personal Data

8.1. The Client has all the rights arising from the law applicable to the data subject when processing the Personal Data.

8.2. The Client has, among other things, the following rights when processing Personal Data:

8.2.1. Right of access: the right to ask at any time whether HeBA has Personal Information about the Client and to receive information about which Personal Information HeBA processes on the Client;

8.2.2. Right to correction of Personal Data: The right to request from HeBA the rectification or correction of Personal Data if it is inadequate, incomplete or incorrect;

8.2.3. Right of objection: the right to object to HeBA regarding the processing of Personal Data;

8.2.4. Right to Request Deletion of Personal Data: The right to request deletion of Personal Data, for example, when Personal Data is processed with the Client’s consent and the Client has withdrawn consent;

8.2.5. Right to Restrict Processing: The right to require HeBA to restrict the processing of Client Personal Data under applicable law, for example, if HeBA no longer requires Client Personal Data for processing purposes or if Client has objected to the processing of Personal Data;

8.2.6. Right to Withdraw Consent for the Processing of Personal Data: If processing of Personal Data is based on Client’s consent, Client shall have the right to withdraw the consent granted to HeBA at any time;

8.2.7. Right to data portability: The Client is entitled to receive from HeBA the Personal Data that the Client has provided to HeBA and which is processed on the basis of the Client’s consent or for the performance of the contract with the Client;

8.2.8. Right to complain: If the Client finds that his or her rights have been violated in the processing of his or her Personal Data, he or she has the right to lodge a claim or complaint with the Data Protection Inspectorate or the court.

8.3. In some cases, the rights of other data subjects or the legal obligations of HeBA may limit the rights of the data subject.

8.4. Notwithstanding the existence of a legal basis for the request for deletion, HeBA shall refuse to delete the data if it is necessary:

8.4.1. To perform an obligation or a public interest obligation under the law of the European Union or a Member State to HeBA, and in particular the obligation to keep records and documentation in connection with the provision of healthcare;

8.4.2. In the field of public health for reasons of public interest;

8.4.3. For archiving, research or statistical purposes in the public interest; or

8.4.4. For the preparation, filing or defense of legal claims.

8.5. In order to exercise the rights associated with the processing of personal data or to submit requests for the processing of personal data, please contact us using the contact details provided in the “Contact” section below.

9. Contact

If you have any questions regarding the processing of your personal data or you have any requests for the processing of your personal data, please contact HeBA by phone, email or post.

HeBA’s contact details are:

Business name: Tervise Teejuht Ltd

Data Protection Officer: Evelyn Aaviksoo

Address: Vambola 6, 10114 Tallinn

Phone: +372 58 87 01 31

E-mail: tervis@heba.ee
