Skip to main content

Privacy notice for maintaining customer records and educational records at the psychology training and research clinic PSYKE

PSYKE is a psychology training and research clinic at Tampere University. The clinic develops professional practices in psychology, serves customers, provides teaching and training to psychology students, and conducts research. PSYKE conducts neuropsychological rehabilitation of children and young people, neuropsychological studies and work guidance for psychologists and health care professionals.

The data controller is Tampere University Foundation sr, psychology training and research clinic PSYKE (address Kalevantie 5, FI-33014 Tampere University, Finland). The contact person is the head of PSYKE.

Why we are allowed to process personal data

The personal data stored in the customer records is used for purposes related to the treatment, therapy and rehabilitation of the customers, the planning and implementation of research, as well as matters related to the management of the customer relationship, such as invoicing.

A legal basis for processing personal data

The processing of personal data at the psychology teaching and research clinic is primarily based on the customer's consent and the controller's legal obligation to process the customer's personal data.

Applicable legislation:

  • Data subjects have provided their consent for processing their personal data (GDPR 2016/679; article 6, paragraph 1a).
  • Processing is necessary to comply with the data controller’s legal obligation (GDPR 2016/679; article 6, paragraph 1c).
  • Processing is necessary in order to perform a specific task in the public interest for scientific research purposes (GDPR 2016/679; article 6, paragraph 13).
  • Data Protection Act (1050/2018, section 4)
  • Act on the Status and Rights of Patients, section 13 (785/1992)
  • Health Care Act (1326/2010)
  • Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021)
  • Act on Health Care Professionals (559/1994)
  • Decree on Patient Records issued by the Ministry of Social Affairs and Health (30.3.2009/289)
  • Act on the Openness of Government Activities (621/1999)

The types of personal data we process

We process the following types of personal data while serving customers:
Customer’s name, date of birth, personal identity number, hometown, contact information, name and contact information of parents/guardian, first language and preferred language, consent regarding the disclosure of data and other basic information that is essential from the perspective of treatment, such as family structure, a child’s school, teacher and support measures provided by the school, the doctor or psychologist overseeing the treatment, a child’s diagnosis and medication.

With a customer’s consent, video or audio recordings may be made. The data stored in our records includes information about a payment commitment/service voucher concerning evaluation or rehabilitation services, the number of customer sessions and, in the necessary extent, key information about treatment, the final statement or feedback, and other treatment-related information and documents received from external parties.

The records are confidential.

How long we retain personal data  

The retention period for customer records is defined in the decree issued by the Ministry of Social Affairs and Health (298/2009). Depending on the type of document, documents are generally stored for 12 years after they are prepared or after treatment has ended, 12 years after the customer has passed away/120 years after the customer was born. Patient documents are securely disposed of by using secure shredding services intended for sensitive materials.
 

How we collect personal data

We collect customer information from customers or their parents/guardian or, with the consent of a customer or his or her parent/guardian, from the unit that refers the customer to PSYKE, other units that provide treatment to the customer, or a customer’s school. Data can also be generated in connection with treatment. The customer’s consent (or his or her parent’s/guardian’s consent) is always required for communicating with another unit that provides treatment to our customer or with his or her school.  

Transfer of personal data

Data stored in our customer records will only be disclosed with the customer’s consent (or his or her parent’s/guardian’s consent) or to fulfil the data controller’s legal obligations (Data Protection Act, patient records privacy laws). In cases where it is necessary to disclose data, the recipient is generally another healthcare unit or a healthcare professional that has referred the customer to PSYKE or that needs the data to organize an evaluation or provide treatment. Persons who process the records have a strict duty to maintain confidentiality.   

When customers who have received a payment commitment or a service voucher use our services, the data controller of their customer records is the organization that issued the payment commitment/service voucher, and PSYKE acts as the data processor as defined in the GDPR. The employee responsible for the treatment will provide information about the number of sessions that have taken place and feedback management to the organization that issued the payment commitment/service voucher and the party that referred the customer to PSYKE. Other important documents that are drawn up during treatment will be stored by PSYKE on behalf of the data controller. The retention period for these documents will be specified in the agreement signed by PSYKE and the data controller, after which the documents will be handed over to the data controller.

Transfer of data outside of the EU or the EEA

Customer data is not transferred outside of the EU or the EEA.

How we process your personal data

Customer records are confidential and are not disclosed to any third parties. Access to customer records is restricted to persons who provide treatment to the customer or are involved in the delivery of treatment. PSYKE uses electronic and manual recording and archiving in parallel. In the electronic archive, or Diarium, the patient information system supplied by Nordhealth Finland Oy, visit records and treatment period-specific feedback are made and archived. PSYKE employees designated as Diarium administrators manage Diarium access rights, which are created for each employee doing customer work at PSYKE.

In Diarium, a customer relationship is created for a new customer by the employee or administrator responsible for his care. After opening a customer account, each customer's information can only be viewed by the employees responsible for his care and participating in the treatment, and possibly students participating in the treatment, under the supervision of the employees participating in the treatment. In addition, the administrators of Diarium or their authorized persons can view the information if there is a justified reason for doing so. Nordhealth Finland Oy is responsible for Diarium's data protection and information security.

In the manual archive, paper referral documents, paper copies of patient documents from other health care operational units obtained for treatment planning, paper permission forms and research and data collection forms (for example, psychologist's testing documents) are stored and archived. The manual end archive is located behind two locks in a fireproof cabinet, protected from outsiders, and archiving is done per data controller.

Rights of data subjects

Right of access (GDPR, Article 15)

You have the right to know what personal data we process and hold about you.

Right to rectification (Article 16)

You have the right to have any incorrect, inaccurate or incomplete personal details that we hold about you revised or supplemented without undue delay. You are also entitled to have any unnecessary personal data erased from our records.

Right to be forgotten (Article 17)

In certain circumstances, you have the right to have your personal data erased from the university’s records. Such a right does not exist, for example, in cases where the processing of your personal data is necessary to fulfil legal obligations or to exercise public authority belonging to the university.

Right to restrict processing (Article 18)

In certain circumstances, you have the right to request that we restrict processing your personal data until the accuracy of your data or the lawful basis for processing your data has been appropriately reviewed and potentially revised or supplemented.

Right to data portability (Article 20)

You have the right to obtain a copy of the personal data that you have submitted to the university in a commonly used, machine-readable format and transfer the data to another data controller. This right applies to situations where data is processed automatically on the basis of consent or contract.
This means that the right to data portability does not apply to data processing that is necessary for the performance of a task carried out in the public interest or to fulfil legal obligations imposed on the data controller. Consequently, this right does not generally apply to the higher education institution’s personal data registers.

Right to object (Article 21)

You may at any time object to the processing of your personal data for special personal reasons if the basis for processing is a task carried out in the public interest, the exercise of official authority, or the higher education institution’s legitimate interests. After receiving such a request, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing your data.

Right to lodge a complaint with a supervisory authority (Article 77)

You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data violates the provisions of the GDPR (2016/679). In addition, you may follow other administrative procedures to appeal against a decision made by a supervisory authority or seek a judicial remedy.

Office of the Data Protection Ombudsman

Street address: Lintulahdenkuja 4
Postal address: PO Box 800, FI-00531 Helsinki, Finland
Email: tietosuoja [at] om.fi
Switchboard: +358 2956 66700

Questions about data protection

You can request to have any inaccurate personal data rectified in connection with the process where the data is generated. Please address your written request primarily to a contact person at PSYKE.

Please deliver all subject access requests to the data protection officer of Tampere University (by email at dpo [at] tuni.fi or by post to the following address: Data Protection Officer, Tampere University, FI-33014, Tampere, Finland).

This privacy notice was updated on February 14, 2024.