Privacy policy

This document explains how SL Meedik OÜ (hereinafter referred to as “SL Meedik”) uses the personal data of its clients and ensures the lawful processing, confidentiality, and security of that data.


Personal Data – any information relating to an identified or identifiable natural person. 

Special Categories of Personal Data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. 

Genetic Data – personal data relating to inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. 

Biometric Data – personal data obtained through specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images, fingerprints, iris scans, etc. 

Health Data – personal data relating to the physical or mental health of a natural person, including the provision of health care services to him or her that reveal information about his or her health status. 

Data Subject – an identified or identifiable natural person, whereby an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. In this context, the data subjects are: 

  • Patients of SL Meedik who provide their personal data themselves to receive the service or whose personal data is provided by their legal representative (e.g., a child).
  • Third parties designated by the data subject as a contact person or about whom the data subject provides information related to the health care service provided to them. 

Controller – SL Meedik, registration code: 10159121, Pärnu mnt 48a, Tallinn, phone: 646 3390, email: slmeedik@slmeedik.com

Processor – a natural or legal person, public authority, agency, or other body that processes personal data on behalf of SL Meedik. 

Third Party – a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data. 

Processing of Personal Data – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

What Personal Data Does SL Meedik Collect?

    1. Identifying information, including name, personal identification code;
    2. Contact information;
    3. Information about health insurance;
    4. Information about health status and disabilities, including diagnosed illnesses, medications used, immunizations, surgeries performed, tests conducted, etc.;
    5. Information about hereditary traits.

How Does SL Meedik Use Personal Data?

    1. For identifying the data subject;
    2. For establishing contact with the data subject and conveying information;
    3. For providing health care services to the data subject;
    4. For determining the existence of health insurance for the data subject;
    5. For fulfilling legal obligations.

How and From Where Does SL Meedik Collect Personal Data?

    1. Directly from the data subject through their statements;
    2. From the legal representative of the data subject (e.g., a parent providing a child’s personal data);
    3. Through statements provided by a contact person designated by the data subject;
    4. From the data subject, where the data subject discloses their contact person’s personal data to SL Meedik;
    5. From an identity document of the data subject;
    6. From a document proving the data subject’s health insurance or from a database used for verifying health insurance;
    7. From information obtained during the provision of health care services, including from other health care providers involved in or previously involved in the data subject’s treatment process.

On What Basis Does SL Meedik Process Personal Data?

    1. SL Meedik processes personal data of its patients, their legal representatives, and contact persons:
      1. With the consent of the data subject (consent is presumed for data disclosed by the data subject or their legal representative to SL Meedik);
      2. For the performance of or in preparation for a contract with the data subject, i.e., for the provision of health care services;
      3. To fulfill a legal obligation as stipulated by law;
      4. To protect the vital interests of the data subject or another natural person.
    2. SL Meedik processes special categories of personal data only:
      1. With the consent of the data subject (consent is presumed for data disclosed by the data subject or their legal representative to SL Meedik);
      2. When the processing of special categories of personal data is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity;
      3. When the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
      4. When the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to a contract with a health professional.

To Whom Does SL Meedik Disclose/Share Personal Data of Data Subjects?

    1. To third parties, at the data subject’s request, on the basis of a signed application. If third parties themselves request information, they must prove the data subject’s consent and the necessity of obtaining the information;
    2. To health care providers involved in the data subject’s treatment process (e.g., specialists) and to a laboratory providing laboratory testing services to the processor;
    3. To individuals or institutions to whom the disclosure of personal data is required by law or regulation (e.g., national medical registries, the police prefecture for traffic accident victims, Health Protection Inspectorate, Estonian Traffic Insurance Fund, Pension Board, Social Insurance Board, Estonian Health Insurance Fund, Health Board);
    4. To individuals providing services to SL Meedik under a contractual relationship and who, as a result, have access to personal data (e.g., the owner of medical software, etc.);
    5. In individual cases, to other persons who have the right under the law upon justified request (e.g., investigative authorities, courts, expert institutions, educational institutions, welfare institutions, social departments of local governments, public expert commissions). 

The data subject has the right to obtain an accurate list of individuals to whom their personal data has been disclosed or shared. For this purpose, the data subject must submit a written request to SL Meedik. 

SL Meedik does not transfer the personal data of data subjects to foreign countries.

How Long Does SL Meedik Retain Personal Data? 

SL Meedik retains the personal data of data subjects, including special categories of personal data, in accordance with the conditions and procedure for the documentation and preservation of documents provided for in the regulation of the Minister of Social Affairs established on the basis of § 42 (2) of the Health Services Organization Act.

When Are Personal Data Disclosed?

    1. Personal data is disclosed at the data subject’s request;
    2. When the obligation to disclose personal data arises from law or regulation.

Rights of the Data Subject (Customer):

    1. To access their personal data and obtain extracts and copies of their personal data;
    2. To request information about the types of data processed and the purposes of such processing;
    3. To request the correction of their personal data if the data is inaccurate or incomplete;
    4. To request the deletion of their personal data if the processing of the data is no longer necessary;
    5. To request the restriction of the processing of their personal data if the data subject has submitted a request for the correction or deletion of personal data, or if the data subject has contested the accuracy of the processed personal data;
    6. To lodge a complaint with SL Meedik via email at slmeedik@slmeedik.ee if the data subject believes that the processing of their personal data is unlawful;
    7. To lodge a complaint with the Data Protection Inspectorate (www.aki.ee, Väike-Ameerika 19, 10129, Tallinn) if the data subject believes that the processing of their personal data is unlawful.

SL Meedik’s Activities for the Lawful Processing and Security of Personal Data

    1. SL Meedik adheres to the principles of lawfulness, transparency, purpose limitation, and data minimization in the processing of personal data, as well as the requirements of applicable data protection law.
    2. SL Meedik processes personal data only for the purposes described in this document in point 3 (How Does SL Meedik Use Personal Data?).
    3. SL Meedik retains personal data only to the extent necessary for the purpose of data processing.
    4. SL Meedik has implemented physical and technological security measures to ensure the lawful processing and protection of personal data.
    5. SL Meedik fulfills the data subject’s request for information or takes the requested action immediately, but no later than thirty (30) calendar days from the receipt of the information request. If SL Meedik finds that the information request is not lawful, SL Meedik informs the data subject immediately, but no later than thirty (30) calendar days. In cases where fulfilling the data subject’s information request is complex, the aforementioned deadline may be extended by a maximum of sixty (60) calendar days.
    6. SL Meedik fulfills the data subject’s legitimate information request free of charge. If the data subject’s requests are clearly unfounded or excessive, particularly due to their repetitive nature, the controller may request a reasonable fee or refuse to provide the requested information or to take the requested action.