Privacy Policy: Kivistö Pharmacy
Data Controller: Kivistö Pharmacy (hereinafter referred to as "Pharmacy")
Pharmacist: Sirpa Nieminen
Business ID: 2305512-7
Pharmacy Address: Topaasikuja 13, 01700 Vantaa
Contact Persons for the Register:
Pharmacist Sirpa Nieminen, phone: 0408274919, sirpa.nieminen@apteekit.net
Data Protection Officer Henrika Koskivirta, phone: 0505511358, kivistonapteekki@apteekit.net
The Pharmacy (data controller) is obligated under the GDPR to inform its customers (data subjects) about the processing of personal data.
Purpose of Personal Data Processing
The purpose of processing personal data in the register is to provide pharmacy services to the customer. The processing of personal data is based on general data protection legislation as well as specific laws governing pharmacy operations.
The Pharmacy processes personal data when dispensing medicines or other medical supplies prescribed by a person authorized to prescribe medicines. During medication transactions, the Pharmacy deducts from the cost any reimbursements provided by Kela, insurance companies, or workplace funds.
Additionally, based on an agreement or the customer's consent, the Pharmacy provides customers with various services related to medication management. For loyalty program members, the Pharmacy collects personal data within the scope of the loyalty agreement or the consent provided by the loyalty program member at the time, using this information to improve customer experience or services.
In matters of significant public interest, the Pharmacy collaborates with other pharmacies, pharmaceutical regulatory authorities, and addiction specialists to manage the pharmacy agreement procedure jointly planned with these parties.
Processing personal data at the Pharmacy is strictly confidential. In addition to standard confidentiality obligations, the staff are bound by lifelong confidentiality under healthcare legislation regarding information about a person's medications and health status.
The Pharmacy offers customers a mechanical dose-dispensing service for medicines, provided by Pharmac Finland Oy. Pharmac Finland Oy has its own privacy policy (www.oma-annos.fi).
The Pharmacy uses video surveillance to ensure the safety of customers and employees and to uphold legal protections. Video surveillance services are provided by Lesec Security Services.
The Pharmacy processes all personal data in compliance with the EU General Data Protection Regulation (GDPR). Additionally, we adhere to other laws, regulations, and guidelines governing the handling of personal data in pharmacy operations.
Register Names
The Pharmacy processes customer personal data in accordance with the registers and purposes specified in this privacy statement. The information in the registers may be in both electronic and manual formats.
- Prescription Register
- Customer Relationship Management
- Kela Direct Reimbursement and Subsistence Billing, Insurance Companies
- Dose Dispensing
- Pharmacy Agreement Register
- Billing Services
- Website
- Video Surveillance
- Statistics and Continuity Planning
- Manual Registers Generated from Special Orders
- E-commerce Customer Register
Register Content
Prescription Register, Kela Direct Reimbursement, Guarantee, and Insurance Company Registers
The Prescription Register contains information about prescriptions dispensed by the Pharmacy, as well as details of purchases for which the customer has received medication reimbursement through the Pharmacy based on the direct reimbursement agreement between pharmacies and the Social Insurance Institution of Finland (Kela).
The following personal data is processed in these registers: personal identity number, name, illness codes, prescription details, dispensed medicines and dosages, payment information (guarantees, invoicing customers, framework agreements), consents, any pharmacy agreement information, professional authorization details of the prescriber, and prescription processing information.
Additionally, the consent register of Kanta Services is used for proxy transactions, wherein the Pharmacy retrieves the following information: the customer’s personal identity number and name, the proxy’s personal identity number and name, and the customer’s healthcare unit.
The information is integrated into the national Kanta Services maintained by Kela under the Act on Electronic Prescriptions (61/2007).
Prescription information is accessible in the Pharmacy's information system for 13 months. The Pharmacy has a statutory obligation to retain the Prescription Log (Fimea Regulation 2/2016: Dispensing Medicines; retention period five years).
Customer Relationship Management
Customer service is supported by a pharmaceutical advice and medication management tool that combines customer relationship management with various databases necessary for pharmaceutical work. The customer relationship management system utilizes the Prescription Register database and assists pharmacists in managing, for example, drug interactions.
Loyalty Membership
For loyalty members, the system displays previously dispensed medications and alerts about their interactions.
In addition to the information contained in the Prescription Register, the following data is collected for loyalty services: the customer’s address, phone number, email address, IP address (internet protocol address), age, and any other information provided by the customer.
Becoming a loyalty member requires an agreement between the customer and the Pharmacy. Loyalty memberships are primarily created for dose-dispensing customers and clients of contracted nursing homes and home care service providers. The Pharmacy does not have a separate loyalty program.
Customer data related to loyalty membership is retained until the end of the customer relationship, unless the customer requests otherwise. Loyalty membership data is retained as outlined below.
Account Membership
Customers can become account members by entering into an agreement with the Pharmacy. In addition to prescription register data, the following information is stored in the account member register: personal identity number, name, address, phone number, any guarantee, representative/trustee, billing details (bank details are forwarded for Direct Debit or eInvoice billing), service housing unit/attending healthcare unit.
Retention obligations include the account member’s billing agreement and the Kanta e-prescription consent. The e-prescription consent authorizes the Pharmacy to process the customer’s prescription information.
Account membership data is retained only as long as necessary for the purposes of the register.
Dose Dispensing Membership
An agreement is made between the customer and the Pharmacy to initiate dose-dispensing services.
The dose-dispensing register contains the following information: personal identity number and name, address, phone number, the physician responsible for dose dispensing, and the attending healthcare unit.
Unless otherwise required by statutory obligations, customer data in the account member, dose-dispensing, and guarantee registers is deleted once the customer relationship and related mutual obligations have ended.
E-commerce Membership
For e-commerce, the Pharmacy acts as the controller of the e-commerce customer register. The Treet e-commerce platform stores order identification and content details. In other respects, ApoDigi acts as the controller. The Pharmacy processes personal data in the ApoDigi Treet customer register. ApoDigi maintains the up-to-date privacy statement. The Treet customer register includes personal data entered by the customer via the mobile application and data entered by Pharmacy staff into the Treet interface. Personal data can be processed by any professional user authorized by ApoDigi with access to the register data. Logs are generated on the Pharmacy side to monitor data protection compliance.
Special Provisions
The pharmacy also has other statutory duties, such as issuing Schengen certificates and dispensing toxic chemicals, which require the processing of personal data.
The Schengen Agreement stipulates a certificate for customers to demonstrate the necessity of carrying narcotic or psychotropic medications when traveling within the Schengen area. The following personal data is processed when issuing a Schengen certificate: the medication package to be taken, the prescription, and travel document details (passport or ID card). These details are not stored in the pharmacy's registers, but a copy of the certificate is retained at the pharmacy for one year after the certificate's expiration date.
Personal data is also processed in connection with the dispensing of toxic chemicals. Regarding the handling of toxic and highly toxic chemicals, the pharmacy retains the following information: name, address, phone number, chemical name and quantity, and purpose of use. The pharmacy has a statutory obligation to retain this data for five years concerning the retail sale of chemicals delivered from the pharmacy.
Website
Visit data from the pharmacy's website can be stored in our system through cookies. The purpose of this storage is to provide messages of interest to the customer, improve the customer experience, and develop the service. The use of cookies for these purposes always requires the customer's consent. The pharmacy does not use profiling data collected through cookies as a basis for decision-making about the customer.
Camera Surveillance
The pharmacy conducts camera surveillance on its premises to ensure safety and legal protection. Surveillance data includes information about individuals moving within the camera surveillance areas. In addition to video recordings, the registry stores the dates and times of events. Conversations are not recorded during camera surveillance.
The registry of camera surveillance recordings is appropriately protected. Access to the recordings is limited to pharmacy staff or service provider personnel whose job duties require it. Camera surveillance recordings may be provided to authorities in case of suspected criminal activity, in compliance with applicable legislation.
Regular Data Sources
- Data from Kela's Kanta services
- Data on direct reimbursement from Kela
- Essential health or billing information provided by the customer, their family member, guardian, or care facility
- Data related to the customer's care based on observations by employees
- Information obtained with the customer's consent/contract (billing customer agreement, billing assignment to a bank, dose dispensing agreement)
Data Disclosure and Transfer
Kela and Other Authorities
Data is integrated into the national services maintained by Kela based on the Act on Electronic Prescriptions (61/2007). These services and providers include the prescription center, sickness insurance reimbursements, livelihood billing, and insurance companies.
The system verifies the prescriber's professional authorization data against Valvira's register of healthcare professionals.
Medication Dose Dispensing
Customers using the pharmacy's medication dose dispensing service receive their medications pre-packed into individual dose pouches for two weeks at a time. The service is based on an agreement between the customer and the pharmacy.
The pharmacy transfers the following data about dose dispensing customers to its dose dispensing supplier, Pharmac Oy: name, personal identification number, and medication details.
Pharmacy Agreement Register
During prescription processing, the pharmacy also processes personal data as part of the pharmacy agreement procedure. This procedure involves an agreement between the individual and their physician to help patients with substance or medication dependency gradually detox through structured medication management. By signing the pharmacy agreement, the patient commits to a procedure where medications prone to misuse are prescribed only by a single physician or care provider and can be collected from only one pharmacy chosen by the patient.
Based on the signed pharmacy agreement, the designated pharmacy can:
- store information about the pharmacy agreement in their customer registry,
- share information about the patient's situation with the attending physician, and
- inform other pharmacies about the existence of the treatment agreement in a secure manner.
In inter-pharmacy data sharing, the so-called Pharmacy Agreement System is used, where each pharmacy acts as the controller of the personal data of its own agreement customers. The Finnish Pharmacists' Association manages the technical maintenance of the system on behalf of the pharmacy. The system records the personal identification number of the agreement patient and the start and end dates of the agreement. All related data is deleted after the agreement ends.
It is also necessary to process data about individuals who are not Pharmacy Agreement customers. Substance and medication dependency is a significant societal issue, and the important public benefit achieved through this procedure justifies its arrangement as described above. The procedure has received legislative support and guidance from the Ministry of Social Affairs and Health. The pharmacy's prescription processing system automatically checks all prescriptions containing narcotic or psychotropic drugs against the Pharmacy Agreement System to verify whether the prescription holder has an active agreement with another participating pharmacy. If an agreement exists with another pharmacy, the staff member processing the prescription is notified and directs the individual to obtain the medication from the designated agreement pharmacy. No queries or results are stored in the pharmacy's system or in the Pharmacy Agreement System.
Billing Services by Ropo Capital Oy
The pharmacy may offer billing services to its customers. The billing service provider is Ropo Capital Oy. The service is based on an agreement with the customer. We record information about billing, payment, and collection events in the accounts receivable systems. The following information about billing service customers is transferred to the billing partner: name, billing address, and details of purchased products.
Retention Period for Personal Data
Prescription Data
Prescription data is accessible in the system for 13 months. The pharmacy has a statutory obligation to retain the Prescription Log (as per Fimea Regulation 2/2016: Dispensing Medicines) for five years.
Loyalty Customer Data
Loyalty customer data is retained in the system for two years unless otherwise specified by the customer.
Billing Customer Data
Billing customer data is retained only as long as necessary for the purpose of the registry.
The pharmacy deletes personal data from the registry if the customer requests it upon contract termination.
Schengen Certificates
The pharmacy retains copies of Schengen certificates for one year after the certificate's expiration date.
Retail Sale of Chemicals
The pharmacy has a legal obligation to retain information on retail chemical sales conducted at the pharmacy for five years.
Surveillance Cameras
Surveillance camera recordings are retained for a maximum of four weeks, after which the data is automatically deleted.
Principles for Registry Protection
All information in the registry is handled confidentially.
Registry Protection
The pharmacy implements appropriate technical and organizational measures to ensure the protection of personal data during processing, especially to guard against data breaches. Only pharmacy staff and the chosen system provider, along with its subcontractors, have access to the system.
All electronically processed data is secured in accordance with widely accepted industry standards. The system is protected by technical and administrative methods, and data is transmitted only in encrypted form. Only authorized personnel may use the system.
Only the pharmacy's staff and its selected system provider (Pd3), together with its subcontractors, have access to the system. Both staff and subcontractors are bound by contractual and/or statutory confidentiality obligations. Only individuals who require access to personal data for work-related purposes are authorized to use the system. System access requires a personal identifier and a strong password.
Rights of the Data Subject
Right to Access Data
Data subjects have the right to access their personal data. Upon request, the pharmacy as the data controller must inform the data subject whether personal data concerning them is being processed. Upon request, the controller must provide a copy of the personal data being processed, also in electronic form if requested.
Correction and Deletion of Personal Data
The data subject may request the correction of incorrect information. The pharmacy may correct the incorrect data after receiving accurate information from the data subject or another reliable source. The data subject has the right to have their personal data deleted from the registry if the conditions stipulated in applicable data protection legislation are met.
Right to Restrict Processing and Right to Object
The data subject has the right to request the data controller to restrict the processing of their personal data if the conditions stipulated in applicable data protection legislation are met. The data subject also has the right to object to the processing of their personal data for direct marketing purposes.
Right to Withdraw Consent
The data subject has the right to withdraw or modify their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Automated Decision-Making
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them in a similar way.
The above does not apply if the decision is necessary for the performance of a contract between the data subject and the controller, is based on the data subject's explicit consent, or is authorized under applicable legislation to the controller.
Right to Data Portability
The data subject has the right to have personal data processed based on their consent or a contract transferred directly from one controller to another, if technically feasible.
Right to Lodge a Complaint with a Supervisory Authority
The data subject has the right to lodge a complaint with the competent supervisory authority (Data Protection Ombudsman, Ratapihantie 9, PO Box 800, 00521 Helsinki, or tietosuoja@om.fi) if the pharmacy as the controller has not complied with applicable data protection regulations.
Transfer of Data Outside the EU or EEA
Data is not transferred or disclosed outside the EU or EEA.
Contact
For any questions related to the processing of personal data, the data subject can contact the pharmacy. Inquiries are best made in writing via post or email. Contact information can be found under "Contact Persons for the Register" at the beginning of this policy.