Privacy policy
1. General Principles
1.1 The protection of personal data is very important to us, and we take it very seriously. In this Privacy Policy, which sets out the principles followed by Health Tests OÜ (www.terviseuuringud.ee), hereinafter referred to as the Service Provider, you will find detailed information about what personal data is collected about you, what it is used for, and who has access to it. These Privacy Terms describe the procedure and conditions for the processing of the Patient’s personal data by the Service Provider.
1.2 In processing personal data, we are guided by applicable data protection legislation, including the Health Services Organization Act, the Regulation on the Documentation and Retention of Health Services, Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter “GDPR”), and the Estonian Personal Data Protection Act.
1.3 The Service Provider processes the Patient’s personal data only if there is a legal basis and only for legitimate purposes.
1.4 The Service Provider processes the Patient’s personal data when concluding and fulfilling a contract and when providing services, in addition to other cases specified in the Privacy Terms.
1.5 The Service Provider has the right to unilaterally amend the Privacy Terms, notifying one month in advance via the Service Provider’s website or another method chosen by the Service Provider.
1.6 In the course of our activities, we collect and use your personal data to provide you with the best service, advice, and solutions.
1.7 The Service Provider respects your rights relating to the control of your privacy. It is important to us that you can exercise your rights. Below you will find details on how to do this.
Controller
Company name: Health Tests OÜ
Address: Sepapaja 12/1, Tallinn 11415
E-mail: info@terviseuuringud.ee
You can contact the data protection officer of Health Tests OÜ via e-mail at info@terviseuuringud.ee.
2. Definitions
2.1 Personal data – any information relating to an identified or identifiable natural person, including health data;
2.2 Processing of personal data – any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.3 Patient – a natural person who has concluded a contract with the Service Provider or has expressed a desire to conclude a contract;
2.4 Service Provider – Health Tests OÜ, registry code 12702440;
2.5 Privacy Terms – these terms and conditions of personal data processing;
2.6 Controller – the Service Provider as the entity that determines the purposes and means of processing personal data;
2.7 Processor – a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller.
3. Collection and Use of Personal Data
3.1 The Service Provider is obliged to request the Patient’s consent for processing their personal data for purposes not specified in the Privacy Terms.
3.2 The Service Provider processes the following Patient personal data:
3.2.1 name, personal identification code, date of birth and other general data (including preferred language of communication);
3.2.2 contact details (including phone number, e-mail address, postal address, place of residence);
3.2.3 health data, including examination, study, and treatment data, as well as hereditary information and health behavior data related to the provision of healthcare services;
3.2.4 information related to concluded contracts;
3.2.5 bank account number and information related to invoicing, payment, and debt collection;
3.2.6 communication (customer interaction), including e-mail correspondence and phone calls (the Patient is always informed of call recordings);
3.2.7 information collected in compliance with legal obligations;
3.2.8 In case of changes in personal data, the Patient is obliged to notify the Service Provider within a reasonable time, but no later than ten days.
3.3 Collection and use of website browsing statistics.
3.3.1 In addition to personal data, anonymous website (www.terviseuuringud.ee) browsing statistics are collected. Health Tests OÜ wishes to make its website as easy to use as possible. To improve user experience, the following information may be saved when you visit the website: browser type and version, device type and operating system, IP address, session duration and time, visited pages, and demographic information such as preferred language and location. Data collected for website browsing statistics is used anonymously and is not linked to any specific individual.
3.3.2 To collect and analyze this data, Health Tests OÜ uses the automated tool Google Analytics. You may disable Google Analytics data collection at any time as described.
3.4 Logs
3.4.1 The server hosting Health Tests OÜ’s website may also store queries made to the server (web addresses opened, browser and device used, IP address, access time). These data are used only for technical purposes: to ensure proper website functioning and security, and to investigate possible security incidents.
3.5 Cookies
3.5.1 What are cookies? A cookie is a small text file that a website saves on your computer or mobile device when you visit the website. It allows the website to remember your actions and preferences over time so you do not need to re-enter them each time you visit.
3.5.2 Be aware that the website uses persistent cookies that remain on your device after closing the browser. Persistent cookies can stay on your device for days, months, or even years. Such cookies also help us target advertising you see on Facebook, Google, Instagram, and YouTube.
3.6 Disabling and deleting cookies
3.6.1 As an internet user, you can disable or restrict cookies being saved on your computer. You can also delete all cookies already saved on your computer. This requires changing your browser privacy settings. Note that if you do so, you may need to manually adjust certain preferences each time you visit the website, and some services or functionalities may not work.
3.7 Inquiries via the website
3.7.1 If you wish to order a service or receive more information via Health Tests OÜ’s website, sharing personal data with us is necessary. Inquiries can be submitted by filling in the contact form or sending an e-mail to info@terviseuuringud.ee.
3.7.2 To respond to your inquiry, we collect the following personal data: your name, contact details (e-mail, phone number), personal identification code or date of birth. When filling in the contact form, all cookie-stored fragments of information related to you will be linked with the personal data submitted through the form. This creates a so-called contact history.
3.7.3 The legal basis for such processing is fulfilling a contract concluded with the data subject or taking steps at the data subject’s request prior to entering into a contract (GDPR Art 6). Only Health Tests OÜ employees have access to these data. If the inquiry is submitted through the contact form, the IT service provider may also access this data. We apply appropriate technical and organizational measures to ensure data security.
3.7.4 Personal data collected through inquiries is stored as long as the contract is valid. If no contract is signed, data is stored only for statistical purposes (sales statistics) for 5 years from the date of inquiry. Health Tests OÜ has a legitimate interest (GDPR Art 6) to conduct sales statistics to improve business planning.
3.8 Processing of health data
3.9 The Service Provider processes Patient personal data for the purpose of concluding, performing, and ensuring the fulfillment of a contract to:
3.9.1 prepare for concluding a contract with the Patient;
3.9.2 fulfill obligations undertaken with the Patient and ensure quality service. For this purpose, processing Patient health data is essential, in some cases also hereditary and health behavior data;
3.9.3 ensure smooth invoicing, including issuing invoices and collecting debts;
3.9.4 protect the Service Provider’s rights in case of disputes;
3.9.5 provide the Patient with important contractual information.
3.10 The Service Provider processes Patient personal data to comply with legal obligations to:
3.10.1 provide data to authorized institutions (e.g., Health Insurance Fund, Health Board) as required by law or contracts;
3.10.2 ensure protection of Patient’s rights related to their personal data;
3.10.3 retain data for compliance with legal obligations;
3.10.4 fulfill any other legal obligations.
3.11 The Service Provider processes Patient personal data according to its legitimate interest to:
3.11.1 improve the quality of services provided;
3.11.2 make direct offers of additional services provided by the Service Provider;
3.11.3 assess risks related to providing services, conduct audits, and analyses;
3.11.4 Patient health and other data are processed solely for providing healthcare services, organizing healthcare provision, and fulfilling legal obligations. Patient data confidentiality, security, and lawful processing are integral to quality healthcare services and a key priority.
3.12 Disclosure and transfer of personal data
3.12.1 The Service Provider may disclose and transfer Patient personal data without consent only to comply with legal obligations.
3.12.2 The Service Provider may transfer Patient personal data to life insurance companies only with Patient consent.
3.12.3 To fulfill contracts, the Service Provider may transfer Patient personal data to Processors (e.g., laboratories, cardiologists, gastroenterologists, software providers).
3.12.4 In case of contract breach, the Service Provider may transfer Patient data to third parties to protect its rights, including legal counsel, auditors, and debt collectors. Transferring health data is permitted only with a legal basis.
3.13 Retention of personal data
3.13.1 The Service Provider retains Patient data as long as necessary for the purposes set out in the Privacy Terms, to protect the Service Provider’s rights, or to comply with legal obligations.
3.13.2 To ensure customer service quality, the Service Provider retains Patient data for at least five years after contract termination, unless a longer period is required by law.
3.14 Your rights and how to exercise them
3.14.1 By contacting Health Tests OÜ via info@terviseuuringud.ee, you can exercise your rights to:
3.14.2 access your personal data;
3.14.3 rectify your personal data;
3.14.4 erase your personal data;
3.14.5 transfer your personal data;
3.14.6 ensure decisions about you are not based solely on automated processing;
3.14.7 withdraw consent;
3.14.8 in certain cases, restrict or object to processing;
3.14.9 You may exercise these rights in accordance with GDPR and other local legislation.
3.15 Protection of personal data
3.15.1 The Service Provider implements necessary information and cybersecurity measures to ensure effective protection of Patient data.
3.15.2 Access to Patient data is granted only to persons necessary for task performance.
3.15.3 The Service Provider ensures confidentiality of Patient data and does not disclose them without legal basis.
3.15.4 The Service Provider signs data processing agreements with Processors, defining conditions, purposes, and data protection requirements.
3.15.5 If you believe your privacy has been violated, contact us via the above e-mail. You also have the right to lodge a complaint with the supervisory authority of your country of residence. In Estonia, this is the Data Protection Inspectorate.
3.15.6 Information on measures taken to guarantee these rights is provided to the Patient within one month of receiving a request. This may be extended by two months for complex or large requests, with justification.
3.15.7 Exercising rights is free of charge. In case of abuse of rights (manifestly unfounded or excessive requests), measures may be refused or a reasonable fee charged.
3.15.8 Right to access and obtain copies. Patients may request confirmation whether their data is being processed and further details, including retention, transfer, and the right to complain. In this case, a copy of processed personal data is provided.
3.15.9 Correction and deletion. Patients may request rectification of inaccurate or incomplete data. They may also request deletion if conditions are met, such as withdrawal of consent (without other legal grounds), data no longer needed, or unlawful processing.
3.15.10 Restriction. Patients may request restriction of use where accuracy or lawfulness is contested or data is no longer needed. Use is then limited unless legal grounds apply.
3.15.11 Objection. If Patient data is processed for direct marketing, they may object, after which processing for that purpose is prohibited.
3.15.12 Withdrawal of consent. If consent is given for purposes other than fulfilling contracts, it may be withdrawn at any time, without affecting previous lawful processing.
3.16 Complaints
3.16.1 If the Patient believes their data is not processed in compliance with law, they may demand correction or file a complaint with the Data Protection Inspectorate and seek all legal remedies.
3.16.2 If a data breach occurs likely to endanger Patient rights and freedoms, the Service Provider will notify the Data Protection Inspectorate within 72 hours and inform the Patient without undue delay, unless otherwise required by law.
3.16.3 For questions, please contact us at info@terviseuuringud.ee.