Description of personal data processing in the Firstbeat Lifestyle Assessment service of Firstbeat Technologies Oy (“Firstbeat”) when the service is provided by a Firstbeat partner. The partner is typically a professional of occupational healthcare or wellness.
DATA PROCESSOR
Firstbeat Technologies Oy (Finnish business ID 1782772-5), Yliopistonkatu 28 A, FI-40700 Jyväskylä, Finland.
TERMINOLOGY
This description document is targeted to the data subjects (see below “Subject”) defined by Firstbeat partners (see below “Service Provider”), to whom the Service Provider produces the Lifestyle Assessment service.
“Service Provider” is the person or organization who acts as the Controller for the personal data in the service, and to whom Firstbeat, based on a contractual relationship, provides the technological infrastructure of the Lifestyle Assessment service. Firstbeat processes personal data on behalf of the Service Provider.
“Subject” is the person, whose information is used by the Service Provider and Firstbeat to produce the Service, using pulse measurement data and other personal information about the Subject.
NOTES ABOUT THE CONTROLLER AND PROCESSOR POSITION
This description applies to cases, in which the Firstbeat Lifestyle Assessment service is produced by a partner of Firstbeat (Service Provider), for its own clients or employees. In these cases, the Service Provider acts as the Controller in the sense of the personal data legislation and Firstbeat acts as the data processor. In these cases, the Service Provider has acquired user permission for the Service and independently produces services from information of Subjects defined by the Service Provider or its clients. The Service Provider is e.g. responsible for maintaining privacy policy documentation, legal justification for handling personal data, informing the data subjects and fulfilling the other responsibilities of the Controller as defined in the personal data legislation. The Service Provider may choose to refer to the content of this description as a part of its own documentation regarding personal data handling, but regardless of this, the Service Provider is independently responsible for informing the Subjects in the way required by the personal data legislation.
For clarity: Firstbeat also provides a service in the same technical infrastructure directly to its own clients, and in these cases Firstbeat acts as the Controller and has created privacy policy documentation, which is available in the Firstbeat website. This description does not apply to these cases.
CONTACT PERSON FOR THE DATA CONTROLLER
In matters concerning the Lifestyle Assessment service and personal data processing in the service, the Subjects should primarily contact the Service Provider acting as Controller. The Service Provider will contact Firstbeat, if needed.
THE PURPOSE AND NATURE OF PROCESSING THE PERSONAL DATA
In order to produce the Lifestyle Assessment service as defined in a contract between Firstbeat and the Service Provider, Firstbeat processes in its information systems personal data saved in the web service used in the Lifestyle Assessment. The type of personal data is described in more detail in subsequent chapters. The personal data is primarily used to provide personalized analysis on the effect of lifestyle factors on different aspects of well-being. The Subject’s personal qualities and measured heart beat analysis data are used, with the help of the system, to create a report for the Subject and the Service Provider and possibly to agree on target actions. The expert user defined by the Service Provider (often, an employee of the Service Provider) has their own user interface to the system, and they can process the Subject data in order to create the report and as a part of the service, to give the Subject personalized feedback on the report content. The Service Provider may also use the service to create an anonymized feedback report to their client regarding the general well-being of a group of Subjects (typically employees or a specific group of employees of the client) as a whole.
Additionally, Firstbeat processes personal data to provide user support operations and to collect statistics and log data of the service usage. The Service Provider will inform the Subject of possible other purposes for the personal data.
Depending on the contract between the Service Provider and Firstbeat, Firstbeat may process physical measuring devices on behalf of the Service Provider as a part of the service, including for example mailing the devices to the Subjects or uploading data from returned devices to the service. The devices on their own do not contain personal information, but the device data is combined to personal data using a device ID during the upload.
The legal justification for processing the data in the service is based on fulfilling a contract between the parties or the legitimate interests of the Service Provider or Firstbeat, based on the subject related connection between the parties. The justification may also be Subject consent, if required by the applicable legislation. Log data of the web service use or processing of measuring devices is saved in order to protect the legitimate interests of the Service Provider, Firstbeat and Subjects, for example in order to investigate possible data breaches and for example, so that it is possible to prove that billed services have been delivered.
The Service Provider gives Firstbeat an anonymized copy of data saved in the service for statistical research, such as for determining average reference values.
THE DURATION OF PERSONAL DATA PROCESSING AND RETENTION PERIOD
The Service Provider defines the retention period for personal data as reference for possible follow-up measurements, which belong to the service concept.
The collected personal data may be used after providing the service in accordance with the contract between Firstbeat and the Service Provider and the current legislation. If the Subject has not given the permission, based on a separate consent, to transfer his/her personal data to Firstbeat for possible further use, the personal data will be erased from the system in a way defined and implemented by the Service Provider, or after the end of the contract between Firstbeat and the Service Provider at latest when their agreed time period has elapsed.
DESCRIPTION OF THE GROUP OF DATA SUBJECTS
The personal data from participating Subjects is processed in the Service. The Service Provider determines the group of Subjects.
REGULAR DATA SOURCES
The Service Provider enters the email address of each Subject in the system. Each Subject is then emailed a personal web link to activate the Service. The Service Provider determines with its clients the data sources for acquiring the email addresses.
The other personal data is provided by the Subjects themselves via the web interface and through the use of measuring devices. A representative of the Service Provider may additionally gather information from the Subjects when providing the Service.
THE TYPE OF PERSONAL DATA
The system contains the following information (partial or complete) about the Subjects:
- Full name (first and last)
- Date of birth, gender, height, weight
- Activity class, maximum and resting heart rate, maximal oxygen consumption
- Information about chronic diseases and medication provided by the Subject
- Heart rate measurements and diary entries created by the Subject during the measurement period, e.g. alcohol consumption, current and recent illnesses and medications, self-documented events noteworthy of interest to the Subject.
- Contact information, e.g. address, email address and telephone number
- Information about the employer, e.g. name, contact information and personnel group
- Information about the use of the service
- Information about the consents of processing data in the service
- The results report with defined target actions created for the Subject based on the data analysis
The service technically allows the anonymous usage with an unidentifiable user identifier chosen by the Subject or the Service Provider. The Service Provider determines, whether such possibility is offered to the Subject and how the analysis results are reported to the Subject in such cases. The e-mail address will be always saved (except in special cases when no e-mail address exists).
PRINCIPLES OF DATA PROTECTION
Firstbeat follows the best practices for managing data, including appropriate technical and organisational measures, as required by the personal data legislation. The data is kept in information systems produced and controlled by Firstbeat and the data is handled with Firstbeat produced user interfaces. The Internet connection from the web interface used by the Subject or Service Provider to Firstbeat is protected with encryption (SSL).
Firstbeat protects the personal data of Service Provider’s customers so that only the authorized personnel defined by Firstbeat or Service Provider have access to the file and that the data is processed at Firstbeat only for work purposes related to the technical processing of the data, problem solving or support requests. Firstbeat authorized personnel may be Firstbeat employees or subcontractors.
The personal link to the data entry form, which the Subject uses to enter personal data, only works for a limited time and will expire soon after the measuring for security reasons. The measuring devices on their own do not contain any personal data. The data they contain is only connected to personal data using a device ID when saving the data after the transport.
Firstbeat ensures that all data systems and computer equipment are sufficiently protected with appropriate technical methods, including access control to physical premises, firewalls, passwords, personal user IDs and personnel security training.
If Firstbeat uses third parties (subcontractors) for technical maintenance of data, Firstbeat fulfils the responsibilities required by the data protection legislation related to subcontractors. In all cases, in the Firstbeat processing personal data is kept in information systems governed by Firstbeat and neither Firstbeat nor subcontractors will save information in any other systems.
Firstbeat is not responsible for and does not limit that the Service Provider may copy or transfer data, which the Service Provider controls and owns, from Firstbeat systems. The Service Provider is responsible for properly informing its clients and Subjects of such use in the way required by the information safety legislation.
TRANSFER OF PERSONAL DATA
Firstbeat does not transfer personal data without the data Subject’s consent outside Firstbeat, its subsidiary companies or subcontractors, in a manner that the data could be identified, except in following exceptional circumstances: if required by any ruling of a governmental or regulatory authority, court, or by mandatory law; or if it is otherwise necessary for the purposes of preventing, or investigating, any breach of law, user terms or good practices or to protect the rights of the data controller (Service Provider), Firstbeat or third parties.
Personal data is primarily stored on Firstbeat servers located in the EU and will not be transferred to countries outside the EU or the EEA, unless otherwise separately agreed. Data may be temporarily transferred outside the EU or the EEA if it is necessary for the technical implementation of the service or personal data processing, such as when sending service related information to the Subject’s email address, which is located on a foreign email server. The Subject may also use the Service with a device outside the EU or the EEA, and in such cases, the data is visible on that device while using the Service.
Each Service Provider is responsible for their part of where and how it stores any personal data which it potentially stored outside the Firstbeat systems.
THE RIGHTS OF THE DATA SUBJECT
The data Subject has the right according to the personal data legislation applicable in Finland, including the EU General Data Protection Regulation (GDPR), to inspect their personal information, correct or request to correct inaccurate or incorrect personal information and under some circumstances, the right to request erasure of personal information. Whenever the legal justification for processing personal data is consent, the Subject also has the right to withdraw consent at any time. The Subject has the right to lodge a complaint regarding any disputes concerning the processing of personal data to the authorities responsible for personal data protection.
Any requests to inspect, modify or erase the personal data shall be indicated to the Service Provider acting as data Controller. The Service Provider confirms the requestor has the right to make such a request and fulfils the request, if necessary, or contacts Firstbeat if necessary to fulfil the request. The Service Provider is responsible for the related rights of the Subject.
CHANGES TO THIS DESCRIPTION
This description of the personal data processing has been updated 18.6.2018. Firstbeat follows the changes in legislation and regulator instructions related to personal data processing and develops the service further and will therefore reserve the right to make changes to this description.