REGISTER AND PRIVACY STATEMENT
The Finnish Personal Data Act (523/1999) Sections 10 and 24
Drafting date 6 Mar 2016. Updated 31 Mar 2020 (updated the contact information for the register contact person, added processed data, updated the section on disclosure of information and the data subject’s right to remove their data)
1. Controller
Gynaecological Patient Association Korento
Näsilinnankatu 22 A 20
33210 Tampere, Finland
2. Person responsible for the data register
yhdistys(at)korento.fi
3. Register name
User register of the Moona Symptom Diary application
4. What are the legal justification and purpose of processing personal data?
The basis for processing personal data is the consent given by the user for the processing of their personal data for the purposes of using the application. The user gives the consent during registration. The purpose of the application is to monitor the menstrual cycle and related symptoms, which means that the application will process related data provided by the user.
Personal data may also be used for developing the application. Application development may include, for instance, adding a function to the application.
5. Which data are we processing?
In connection with the user register, we will process the following personal data of the user: e-mail address* and password*. For users registered before 25 May 2018, it was also mandatory to provide a first and last name. After 3 April 2020, the users have the option of saving their first and last name in the application. In addition to this data, the register includes data saved in the service by the user, such as information on menstruation, weight and height, and daily entries regarding symptoms, absences, medication taken, mood, and other possible data related to the application’s functions.
* The personal data marked with a star are a prerequisite for using the application because they are used for creating an individual user account for the user. With the user account, the application can be used on multiple devices. Without this information, the application cannot be used.
We will also store possible correspondence and communications between us and the user, which can be related to correcting a problem in the application or other matters related to using the application. The correspondence will be stored using appropriate protection during the handling of the matter and a reasonable time afterwards so that the previous correspondence can be referred to in problem situations. The correspondence will only be processed by a Korento employee and the partner responsible for the application’s technical maintenance and development.
6. Where do we get the information?
The controller registers the user information that the user provides when using the application.
7. To whom do we disclose and transfer data, and do we transfer data to outside the EU and the EEA?
In processing personal data, we will use a partner responsible for the application’s technical maintenance and development in co-operation with Korento. Some of the data may be transferred to the partner’s servers due to technical requirements. The service provider for the application’s back end system is Google (cloud services), which means that personal data may be transferred outside the EU. Personal data will, however, be protected as provided by the Personal Data Act.
The data will not be disclosed to any third parties without separate consent from the user. For those users who are using the application as part of their digital treatment path or healthcare research, information is only disclosed to parties agreed with the user in advance.
8. How are we protecting the data and for how long are we storing it?
The register is protected with a firewall and other advanced protection techniques. A secure connection is used for information exchange. Using the system requires a username and password. The data can only be accessed by administrators and developers authorized by Korento. We will store the personal data as long as is necessary for the purpose of processing the data.
We will rectify, remove, or complete any personal data which is inaccurate, unnecessary, incomplete or outdated for the purpose of processing, either unprompted or by the user’s request.
9. What are your rights as a data subject?
The data subjects have the right to inspect their data stored in the register and request the rectification or removal of inaccurate data if there is a legal justification for it. Inspecting one’s personal data is free of charge if it has been over one year since the last time that the data has been provided for inspection.
The data subjects also have the right to cancel their consent or change it. The user has the possibility to delete their username and all data stored in the application at any time.
In accordance with the data protection regulation, the data subject has the right to object to or request restrictions to the processing of their personal data and submit a complaint on the processing of their personal data to a controlling authority.
10. Who can you contact?
For more information on the person register and its use, contact the person responsible for register-related matters, designated in section 2. All contacts and requests regarding the register must be submitted in writing. The request will be replied to within a month of reception.
11. Changes to the privacy statement.
If we change this statement, we will highlight the changes with implementation dates. If the changes are significant, we may also inform the users in other ways, such as by e-mail or by adding a notification to our website. We recommend that you visit our website regularly and observe possible changes to the statement.