Data Protection Conditions

The current Meliva data protection terms describe the conditions for processing personal data that all service providers under the Meliva brand adhere to. Depending on the service chosen by the customer, Meliva may establish specific conditions for the service, which also include terms for processing personal data.

Please carefully review the data protection terms, and if you have any specific questions about how we process your personal data or if you wish to submit requests to execute your rights related to the processing of your personal data, contact us using the contact details provided below.

Meliva may occasionally change these data processing terms. The current data protection terms are published on the Meliva website.

1.DEFINITIONS 

"data protection terms"
These data protection terms describe the conditions for the processing of personal data that service providers under the Meliva brand adhere to.

"Digital Clinic application"
Provision of healthcare services or services through the Digital Clinic application.

"GDPR"
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

"personal data"
Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data includes, for example, your name, identification number, email address, and health status information.

"applicable law"
All current European Union legislation and all current laws of the Republic of Estonia, including, but not limited to, the Personal Data Protection Act or other national implementing acts of the GDPR and legislation regulating the provision of healthcare services.

"patient", "client", or "data subject"
A person who seeks or has sought a service from Meliva.

"Meliva"
Any service provider under the Meliva brand. At the time of acceptance of these data protection terms, the Meliva brand includes: Meliva AS (registry code 10303948, address Rävala pst 5, 10143, Tallinn).

"service provider"
A company operating under the Meliva brand, an employee of Meliva or another representative or a partner of Meliva used in the provision of services and/or who is a provider of services or healthcare services.

"service"
All services that are not healthcare services, such as nutritional counseling, rehabilitation, or other services not considered healthcare services.

"healthcare service"
All healthcare services provided to the client by Meliva (including remote services via the Digital Clinic). Meliva provides various healthcare services based on the Healthcare Services Organization Act, for example, Meliva issues work-related health certificates under the Occupational Health and Safety Act and provides other services in accordance with applicable law. A list of Meliva services is available on the website at http://www.meliva.ee.

"processing"
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"controller"
A person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of these data protection terms, the controller of the client's personal data is the service provider providing the service. For the purposes of these data protection terms, this is the Meliva service providers.

"processor"
A person, public authority, agency or other body which processes personal data on behalf of the controller.

 

2. GENERAL TERMS

2.1. The data protection terms apply when you seek services from Meliva.

2.2. The data protection terms describe the general principles of Meliva's personal data processing.

2.3. Meliva ensures the processing of patients' personal data in accordance with applicable law. The most important legal acts that Meliva follows in processing client personal data are the Healthcare Services Organization Act, the Health Insurance Act, the Medicinal Products Act, the Occupational Health and Safety Act, the Personal Data Protection Act, and the GDPR.

3. WHEN AND FOR WHAT PURPOSES DO WE PROCESS PERSONAL DATA?

3.1. Meliva processes patients' personal data only for specific purposes based on applicable law. A detailed overview of the processed personal data can be found in chapter 4.

Processing personal data for the fulfillment of a concluded contract 

3.2. If you contact Meliva for healthcare services, we process your personal data to provide you with the specific healthcare service and/or to prepare for the provision of the healthcare service. Personal data processing in this case is based on the Healthcare Services Organization Act and the contract concluded with you for the provision of the healthcare service you requested. We also process your personal data for the purpose of providing healthcare services if you contact us through the Digital Clinic application and use the Digital Clinic application.

3.3. If you contact Meliva for healthcare services on the referral of your employer or another person, we process your personal data to provide you with the healthcare service and/or to prepare for the provision of the healthcare service based on the contract concluded with your employer or another person, the Healthcare Services Organization Act, and the Occupational Health and Safety Act.

3.4. If you contact Meliva for a service, we process your personal data to provide the service you requested. We also process your personal data for the purpose of providing the service if you contact us through the Digital Clinic application and use the Digital Clinic application.

3.5. Please note that if you cancel an agreed appointment the day before or on the day of the appointment, Meliva may have already processed your personal data to properly prepare for the appointment. Personal data processing for the fulfillment of the contract may also occur, for example, in situations where we send you a reminder about the appointment.

3.6. For the purpose of analyzing and evaluating patient satisfaction, Meliva has the right to ask for your feedback on the provided services. If the patient is a minor, feedback is requested from their parent or guardian.

3.7. In the cases specified in points 3.2.-3.4., the legal basis for personal data processing is GDPR Article 6(1)(b), i.e., the processing of personal data is necessary for the performance of a contract related to the provision of healthcare services or services to the client.

Processing personal data to fulfill a legal obligation 

3.8. We also process personal data when it is necessary to fulfill our legal obligations. For example, if a court requires personal data from Meliva based on a valid court order or judgment, or if personal data is required by law enforcement based on a valid regulation. Likewise, if Meliva is obligated to retain personal data, for example, under the Accounting Act or other applicable laws. The legal basis for personal data processing in such cases is GDPR Article 6(1)(c).

Processing personal data based on consent 

3.9. If you have given us separate consent to process your personal data, the legal basis for processing your personal data is your given consent. In this case, we process your personal data for the purposes specified in the consent and to the extent stated in the consent. Please note that if you have given us consent to process your personal data, you have the right to withdraw the consent at any time. The legal basis for personal data processing in such cases is GDPR Article 6(1)(a).

Processing personal data based on legitimate interest 

3.10. In certain cases, we may process personal data when it is necessary for Meliva's legitimate interests. The legal basis for personal data processing in such cases is GDPR Article 6(1)(f). We process personal data based on legitimate interest only if such processing is not overridden by the client's interests or fundamental rights and freedoms, which require the protection of personal data. Personal data obtained from the data subject or arising during the performance of a contract is processed based on legitimate interest. For example, we may have a legitimate interest in processing personal data when it is necessary for the preparation, submission, or defense of legal claims. We may also have a legitimate interest in processing personal data when it is necessary to ensure the technical functionality of our website. Additionally, we process personal data based on legitimate interest when it is necessary to monitor quality requirements and supervise the provision of healthcare services (documentation).

3.11. Regularly, but no more frequently than once a quarter, Meliva uses the contact details provided to us by legal entities to share news and best practices related to occupational health and environment, as well as know-how. The representative of such a legal entity has the right to opt out of receiving informational emails according to the instructions in the email or by notifying their Meliva contact.

Processing of anonymized data 

3.12. Meliva also processes anonymized patient data for statistical purposes. Such anonymized data processed for statistical purposes includes, among other things, the patient's nationality and/or country of residence. Data collected for statistical purposes cannot be directly or indirectly associated with the patient.

4. OVERVIEW OF PROCESSED PERSONAL DATA

Depending on the legal relationship between you and Meliva, Meliva may process the following data about you:

Purpose: Documentation of healthcare service provision

  • Health data (data proving the provision of healthcare services)
  • Data proving the provision of healthcare services may include, for example, a referral, referral response, medical history, dental record.
  • These also include general personal data that allow the patient to be identified (e.g., first and last name, personal identification number).
  • Legal basis: GDPR Article 6(1)(b), after the termination of the contract, GDPR Article 6(1)(c)
  • Based on the Healthcare Services Organization Act (Section 42(4)), data proving the provision of outpatient and inpatient healthcare services are generally retained for 30 years from the date of the service provided. Dental records are retained for 15 years (Healthcare Services Organization Act Section 591(5)).

Purpose: Provision of healthcare services (providing quality service)

  • Health data (data proving the provision of healthcare services and other necessary data for providing the healthcare service). These may include health questionnaires, confirmations.
  • Depending on the healthcare service provided, we may ask the patient to fill out a health questionnaire during or before the visit, the content of which depends on the specific questionnaire. In such cases, the processed health data may include past or current illnesses, as well as information about previously performed procedures.
  • Legal basis: GDPR Article 6(1)(b), after the termination of the contract, GDPR Article 6(1)(c)
  • Health questionnaires collected on paper are destroyed no later than 1 month after the visit.
  • To the extent that the data answered in the questionnaire are necessary for the documentation of healthcare service provision, data proving the provision of outpatient and inpatient healthcare services are generally retained for 30 years from the date of the service provided based on the Healthcare Services Organization Act (Section 42(4)).

Purpose: Organization and provision of healthcare services or other services (making and managing bookings, contacting the client for service-related information)

  • Identity verification data, contact details, health data (including health insurance data), data on service provision.
  • Identity verification data include name, personal identification number (or date of birth if no ID number). Contact details include email address, phone, address. Data related to service provision may include the time, place, content of the service, and the name of the service provider (e.g., information about which doctor the client has visited or wishes to visit), as well as data on medications used and clinical images taken of the client.
  • The specific health data processed by Meliva depend on the healthcare service provided.
  • Health insurance data processed by Meliva primarily include information about whether the client has health insurance.
  • Legal basis: GDPR Article 6(1)(b), after the termination of the contract, GDPR Article 6(1)(f)
  • Data retention: 5 years from the provision of the healthcare service or service (Law of Obligations Act Section 771).

Purpose: Offering the Digital Clinic application

  • Identity verification data, contact details, health data (including health insurance data), call or video recording.
  • Name, personal identification number, email address, phone, address, information about the client’s health condition (e.g., information about which doctor the client has visited or wishes to visit), as well as data on medications used and clinical images taken of the client.
  • Additionally, information collected through phone calls, web chats, or video calls.
  • The specific health data processed by Meliva depend on the healthcare service provided.
  • Health insurance data processed by Meliva primarily include information about whether the client has health insurance.
  • Legal basis: GDPR Article 6(1)(b), after the termination of the contract, GDPR Article 6(1)(c) or Article 6(1)(f)
  • Based on the Healthcare Services Organization Act (Section 42(4)), data proving the provision of outpatient and inpatient healthcare services are generally retained for 30 years from the date of the service provided. Other data are retained for up to 5 years from the provision of the healthcare service or service (Law of Obligations Act Section 771) or accounting data for 7 years (see below).

Purpose: Assessing patient satisfaction

  • Feedback received from the patient
  • Legal basis: GDPR Article 6(1)(b), after the termination of the contract, GDPR Article 6(1)(f)
  • Feedback collected for patient satisfaction assessment is retained for 1 year from the receipt of the feedback.

Purpose: Ensuring service quality

  • Data related to a complaint or suggestion submitted by the client (healthcare service or service provision number, service provider data such as first and last name).
  • Legal basis: GDPR Article 6(1)(c), after the termination of the contract, GDPR Article 6(1)(f)
  • Complaints and suggestions received for ensuring service quality are retained for 3 years from their receipt.

Purpose: Resolving legal disputes

  • Data and documents related to the specific dispute
  • Legal basis: GDPR Article 6(1)(f)
  • Data retention: 3-10 years based on the Civil Code Section 146(1), (4), and Law of Obligations Act Section 771 regulations, depending on the specific legal dispute and its content.

Purpose: Payment and billing for healthcare services or services

  • Payment data. Information related to the invoice for the provision of healthcare services or services such as contact details, service cost, bank account details.
  • Legal basis: GDPR Article 6(1)(b), after the termination of the contract, GDPR Article 6(1)(f)
  • Invoice-related data are retained for up to 7 years in accordance with the Accounting Act (primarily Section 12).

Purpose: Other accounting documents

  • Accounting data
  • Documents necessary for fulfilling legal obligations.
  • Legal basis: GDPR Article 6(1)(c)
  • Based on the Accounting Act, we retain accounting documents for 7 years (Accounting Act Section 12).

Purpose: Data collected through cookies

  • Read a separate chapter 6 “Cookies”

5. TRANSFER OF PERSONAL DATA AND USE OF AUTHORIZED PROCESSORS

5.1. Meliva does not transfer your personal data to third parties, except when legally permitted under applicable law.

5.2. Under applicable law, Meliva has the right to use authorized processors for processing personal data. In limited cases, authorized processors of Meliva may process patients' personal data. Meliva only uses cooperation partners as authorized processors who have committed to processing personal data in accordance with these personal data processing principles and applicable law. The range of Meliva's authorized processors mentioned in this chapter is not limited, and Meliva may also use individuals not named in this chapter as authorized processors. Meliva primarily uses various healthcare service providers (e.g., optometrists, general or specialist medical service providers used by Meliva to offer services to the patient, as well as dental and blood labs), IT partners (various server service providers, IT support service providers, communication service providers, and other IT service providers), marketing partners, payment service providers, and other service providers or partners. In connection with the provision of the Digital Clinic service, Meliva uses BeeHealthy Oy as a cooperation partner, who provides maintenance, data storage, and technical support for the Digital Clinic digital platform.

5.3. When providing you with healthcare services, Meliva transfers your health data to the e-health patient portal information system, which is located at https://id.digilugu.ee/ and managed by the Health and Welfare Information Systems Centre (registry code 70009770, address Pärnu mnt 132, 11317 Tallinn). For questions related to the patient portal, you can contact the Health and Welfare Information Systems Centre user support at +372 794 3943 or by email at abi@tehik.ee.

5.4. When providing you with healthcare services, Meliva may, as necessary, transfer and/or receive your health data via the prescription center, managed by the Health and Welfare Information Systems Centre (registry code 70009770, address Pärnu mnt 132, 11317 Tallinn), if it is necessary for providing you with healthcare services. For questions related to the prescription center, you can contact the Health and Welfare Information Systems Centre user support at +372 794 3943 or by email at abi@tehik.ee.

5.5. When providing you with healthcare services, Meliva may, as necessary, transfer and/or receive your health data via the image bank, managed by the Estonian Health Image Bank Foundation (registry code 90007945, address Puusepa 8, 51014 Tartu, Estonia), if it is necessary for providing you with healthcare services. For questions related to the image bank, you can contact the Health and Welfare Information Systems Centre user support at +372 5331 8888 or by email at abi@pildipank.ee.

5.6. When providing you with healthcare services related to issuing a health certificate for a motor vehicle driver, we may transfer your health data (health certificate) to the digital environment of the Transport Administration, managed by the Transport Administration (registry code 70001490, address Valge tn 4, 11413 Tallinn). For questions related to the data processing by the Transport Administration, please contact the Transport Administration at +372 620 1200 or by email at info@transpordiamet.ee.

5.7. When providing you with healthcare services, we may transfer your treatment data to the Health Insurance Fund (Health Insurance Fund, registry code 74000091, address Lastekodu tn 48, 10144 Tallinn) if your treatment bill is partially or fully paid by the Health Insurance Fund using health insurance funds. For questions related to the Health Insurance Fund, you can contact the Health Insurance Fund at +372 669 6630 or by email at info@tervisekassa.ee.

5.8. In certain cases, Meliva is legally required to transfer personal data, for example to courts or law enforcement agencies based on an order issued by the relevant authority under applicable law or when the transfer of personal data is obligatory under the Insurance Activities Act in response to an inquiry from an insurer. Additionally, we may transfer your health check decision to your employer under the Occupational Health and Safety Act but not your additional health data or the results of the tests or analyses performed. Moreover, when providing healthcare services or renewing a prescription through the Digital Clinic, Meliva must transfer service-related data to the Patient Portal or prescription center as required by law. In all such cases, Meliva transfers personal data only when legally mandatory and adheres to all applicable data processing principles, including the principle of data minimization.

6. COOKIES

6.1. Meliva's website uses cookies. Cookies are small text files that store information on your device and are used to track or identify you. This chapter explains our cookie usage policy.

6.2. Meliva uses the following cookies on its website:

  • ws-cookiebar-Meliva.ee-analytical - Checks whether Google Analytics is enabled or disabled on the page.Cookie retention period: 1 monthCookie type: Analytical
  • ws-cookiebar-Meliva.ee-anonymize_analytical - Stores the status regulating the user's choice to anonymize Google Analytics. When anonymized, Google Analytics does not store critical IP-based location information. The last 3 digits of the IP address are replaced with the value 0. More information is available at: Google Analytics IP Anonymization.Cookie retention period: 1 monthCookie type: Analytical
  • _gat - Used to limit Google Analytics requests.Cookie retention period: 1 minuteCookie type: Analytical
  • _gid - Used to distinguish between Google Analytics requests.Cookie retention period: 1 dayCookie type: Analytical
  • _ga - Used to distinguish between Google Analytics requests.Cookie retention period: 2 yearsCookie type: Analytical
  • _fbp - A cookie used by Meta to track website visitors' behavior after they are redirected to the service provider's website by clicking on a Facebook ad. This helps analyze the effectiveness of Facebook ads for statistical and market research purposes and improve future advertising measures.Cookie retention period: 3 monthsCookie type: Analytical

6.3. You have the right to disable the use of cookies at any time by changing your web browser settings. However, please note that in this case, not all functions of the website may work correctly.

6.4. Cookies can be disabled by following the instructions in your web browser's "help" or "support" function. More information about how cookies work or how to disable cookies can also be found on the website www.allaboutcookies.org.

7. YOUR DATA SUBJECT RIGHTS

7.1. You have all the rights provided by applicable law regarding the processing of your personal data.

7.2. In the context of personal data processing, you have the following rights, among others:

7.2.1. Right of Access: You have the right to inquire at any time whether Meliva holds personal data about you and to obtain information about the personal data Meliva processes about you.

7.2.2. Right to Rectification: You have the right to request Meliva to correct or amend your personal data if it is inaccurate, incomplete, or incorrect.

7.2.3. Right to Object: You have the right to object to the processing of your personal data by Meliva, for instance, when the use of personal data is based on Meliva's legitimate interest.

7.2.4. Right to Erasure: You have the right to request the deletion of your personal data, for example, when the data is processed based on your consent and you have withdrawn that consent.

7.2.5. Right to Restrict Processing: You have the right to request Meliva to restrict the processing of your personal data according to applicable law, for instance, when Meliva no longer needs your personal data for processing purposes or if you have objected to the processing of your personal data.

7.2.6. Right to Withdraw Consent: If the processing of personal data is based on your consent, you have the right to withdraw your consent at any time.

7.2.7. Right to Data Portability: You have the right to receive the personal data you have provided to Meliva, which is processed based on your consent or for the performance of a contract, in a written or commonly used electronic format, and, if technically feasible, to request that Meliva transfers this data to a third-party service provider.

7.2.8. Right to Submit a Complaint: If you believe that your rights have been violated in the processing of your personal data, you have the right to submit a claim or complaint to the Data Protection Inspectorate or a court.

7.3. The rights listed in this chapter regarding the processing of personal data are not absolute. In certain cases, the rights of other data subjects or Meliva’s legal obligations may limit your rights.

7.4. To exercise your rights related to personal data processing or to submit requests concerning personal data processing, please contact us using the contact details provided in the "Contact" section below.

8. PERSONAL DATA SECURITY

8.1. Meliva is committed to ensuring the security of personal data processing to protect personal data from accidental or unauthorized processing, disclosure, or destruction.

8.2. Taking into account the latest developments in science and technology, the costs of implementation, the nature, scope, context, and purposes of personal data processing, as well as the varying probabilities and severities of risks to the rights and freedoms of natural persons, Meliva implements appropriate technical and organizational measures to ensure the security of personal data processing.

9. CONTACT

For questions related to personal data processing or to submit requests related to personal data processing, please contact us by phone, email, or mail. You can also contact our data protection officer via email.

Our contact details are:

  • Address: Rävala pst 5, Tallinn 10143
  • Phone: +372 605 1550
  • Email: meliva@meliva.ee

The contact details of Meliva's data protection officer are:

  • Email: andmekaitse@meliva.ee