This webpage, www.koroonatestimine.ee, (hereinafter the Webpage) has been created in connection with the organisation of the testing of coronavirus SARS-CoV-2, which is done on the basis of the framework agreement “Taking coronavirus samples and testing the taken samples for the Health Board” concluded between the Health Board, SYNLAB Eesti (registry code 11107913, address Veerenni 53a, 11313 Tallinn, e-mail email@example.com, hereinafter SYNLAB) and AS Medicum Tervishoiuteenused (registry code 14335034, address Punane 61, 13619, e-mail: firstname.lastname@example.org, hereinafter Medicum).
SYNLAB Eesti is the administrator of the Webpage. The Webpage offers information as well as an opportunity to e-register for coronavirus SARS-CoV-2 testing at the Health Board’s contractual partners SYNLAB and Medicum or via them at other healthcare service providers, which perform public testing (hereinafter the Public Testing Organisation).
This personal data processing policy document describes how your personal data are processed in connection with the use of the Webpage and upon registering for coronavirus testing via the Webpage.
If you have any specific questions about how we process your personal data or if you wish to submit requests to us for exercising the rights which the processing of your personal data entails, please contact us using the contact details presented below in the section “Customer support”.
These personal data processing terms and conditions may be amended from time to time. The updated personal data processing terms and conditions are published on the Webpage.
|GDPR||Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR).
|Personal Data||Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
|Applicable Law||All the applicable legal acts of the European Union and all the applicable legal acts of the Republic of Estonia, including, but not limited to the national implementing acts of the GDPR, which apply during the validity of a data processing agreement or enter into force after the conclusion of a data processing agreement, and legal acts which regulate the provision of healthcare services.
|Data Subject||A natural person whose personal data are processed.
|Public Testing Organisation Partner||A healthcare service provider that provides the service of coronavirus SARS-CoV-2 testing in cooperation with the Health Board, SYNLAB Eesti and Medicum Tervishoiuteenused and that can be contacted for referral-based testing free of charge.
|Processing||Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
|Controller||The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
|Processor||A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.|
- OBJECTIVE OF WEBPAGE AND CORONAVIRUS TESTING
- The objective of the Webpage is to provide information about coronavirus SARS-CoV-2 testing possibilities in Estonia and to e-register for testing at a Public Testing Organisation Partner.
- The Webpage also provides information concerning paid coronavirus SARS-CoV-2 testing. In the case of paid coronavirus testing, your Personal Data shall be processed by the healthcare service provider whose services you have decided to use in accordance with the applicable service terms and conditions.
- WHEN AND FOR WHAT PURPOSES DO WE PROCESS PERSONAL DATA?
- Your Personal Data are processed via the Webpage when you register for coronavirus testing via the Webpage.
- You can only register for coronavirus testing with a referral letter issued by a healthcare service provider; as a rule, the family doctor issues such a referral.
- In the case of referral-based coronavirus testing, your Personal Data shall be processed on the following terms and conditions:
|Processed Personal Data and processing procedures||Purpose of processing Personal Data||Legal basis for processing Personal Data||(Co-)controller of Personal Data||Processor of Personal Data|
|First name, last name, personal identification code, coronavirus sample||Coronavirus testing||The provision of healthcare services to Data Subjects under subparagraph (b) of paragraph 1 of Article 6 and subparagraph (h) of paragraph 2 of Article 9 of the GDPR.||The competent person who has referred you to coronavirus testing (usually a healthcare provider, e.g. your family doctor); SYNLAB, Medicum and a Public Testing Organisation Partner at whom you register for testing.||Not applicable|
|First name, last name, personal identification code, coronavirus test result (positive/negative)||The transmission of the coronavirus test result to the Data Subject and other persons on the basis of law.||The provision of healthcare services to Data Subjects under subparagraph (b) of paragraph 1 of Article 6 and subparagraph (h) of paragraph 2 of Article 9 of the GDPR. Legal obligation in accordance with subparagraph (c) of paragraph 1 of Article 6 of the GDPR (see section 4).||The competent person who has referred you to coronavirus testing (usually a healthcare provider, e.g. your family doctor); SYNLAB, Medicum and a Public Testing Organisation Partner at whom you register for testing.||Not applicable.|
- TRANSMISSION OF PERSONAL DATA
- Your Personal Data shall not be transmitted to third persons in connection with using the Webpage, registering for coronavirus testing and testing for coronavirus, except upon the existence of a lawful right to do so on the basis of the applicable law.
- Pursuant to the applicable law, Personal Data related to coronavirus SARS-CoV-2 testing and test results shall be transmitted as follows.
|Personal Data||Recipient||Legal basis for transmission||Storage of Personal Data|
|First name, last name, personal identification code, mobile phone number, e-mail address, coronavirus test result||To the web address of the Patient Portal at https://www.digilugu.ee. The Controller: the Ministry of Social Affairs via the Health and Welfare Information System Centre, phone +372 794 3943, e-mail email@example.com.||Legal obligation in accordance with subparagraph (c) of paragraph 1 of Article 6 of the GDPR and section 592 of the Healthcare Services Organisation Act (HSOA).||The Ministry of Social Affairs shall store the Personal Data as the Personal Data Controller in the information system in accordance with the Regulation of the Minister of Social Affairs, “Data composition of documents transmitted to the health information system and the terms and conditions of and the procedure for the submission thereof”.|
|First name, last name, personal identification code, mobile phone number, e-mail address, coronavirus test result in the case of a positive test result||The Health Board (registry code 70008799), address Paldiski mnt 81, Tallinn 10617, e-mail firstname.lastname@example.org, who registers the Personal Data in the Communicable Diseases Register.||Legal obligation in accordance with subparagraph (c) of paragraph 1 of Article 6 of the GDPR, section 21 of the Communicable Diseases Prevention and Control Act (CDPC) and section 11 of the Regulation of the Minister of Health and Labour, “Procedure for the transmission of information concerning the occurrence of communicable diseases and suspected cases of communicable diseases and infection risk factors and prevention, a list of communicable diseases, and the composition of the data to be transmitted together with the personal data of a data subject”.||The Health Board shall store Personal Data as the Controller in accordance with the Regulation of the Minister of Health and Labour, “Procedure for the transmission of information concerning the occurrence of communicable diseases and suspected cases of communicable diseases and infection risk factors and prevention, a list of communicable diseases, and the composition of the data to be transmitted together with the personal data of a data subject”.|
- STORAGE OF PERSONAL DATA
- SYNLAB Eesti shall not store Personal Data longer than necessary according to the purpose of processing the Personal Data or on the basis of the applicable law.
- In storing the data, SYNLAB Eesti complies with the applicable law and we have applied the following storage terms:
- As a general rule, we store samples for up to 3 days or in accordance with the quality requirements for laboratory services;
- If you have ordered paid coronavirus testing for which we have issued an invoice to you, we are obligated under the Accounting Act to store invoices and other accounting documents for 7 years; accounting documents do not contain health data or information about whether the coronavirus test result was positive or negative;
- As a general rule, we store Personal Data related to the conclusion of a contract, for which a longer storage term does not arise from the applicable law, for as long as the data are needed in connection with the fulfilment of the contract during the validity of the contract, or for up to 5 years after the end of the contract in accordance with the limitation period applicable upon the provision of healthcare services as stipulated in the Law of Obligations Act.
- If you wish to receive more detailed information about the storage terms of the Personal Data related to you, please contact us using the contact details provided below in the section “Customer support”.
- RIGHTS OF DATA SUBJECTS
- If you are a Data Subject, you shall, inter alia, have the following rights:
- Right of access: you have the right to enquire at any time whether the Personal Data Controller has Personal Data about you or not, and to receive information about which Personal Data the Controller processes with regard to you;
- Right to have Personal Data rectified: you have the right to request that the Controller specify or rectify your Personal Data, if the data are insufficient, deficient or incorrect;
- Right to submit objections: you have the right to submit objections to the Controller with regard to the processing of your Personal Data;
- Right to request the erasure of Personal Data: you have the right to request the erasure of Personal Data;
- Right to restrict processing: you have the right to request that the Personal Data Controller restrict the processing of your Personal Data, for instance when the Personal Data Controller no longer needs your Personal Data for the processing purposes or when you have submitted an objection with regard to the processing of Personal Data;
- Right to withdraw the consent given for processing Personal Data: if the processing of Personal Data is based on the consent given by you, you have the right to withdraw the consent given to the Personal Data Controller at any time;
- Right to data portability: you have the right to receive Personal Data which you have submitted to the Personal Data Controller and which are being processed on the basis of your consent from the Personal Data Controller in a written or generally recognised electronic format, and, if technically possible, request that the Personal Data Controller transmit such data to a third person;
- Right to file complaints: if you find that your rights have been violated in the processing of your Personal Data, you can file a claim or complaint with the Data Protection Inspectorate (Tatari 39, Tallinn 10134, email@example.com, aki.ee) or a court.
- Your rights listed in this section in connection with the processing of Personal Data are not absolute. In certain cases, the rights of a Data Subject may be restricted by the rights of other Data Subjects or the obligations of the Personal Data Controller, including the legal obligations of SYNLAB Eesti, Medicum Tervishoiuteenused or any other Personal Data Controller and/or healthcare service provider that is a Public Testing Organisation. For instance, the applicable law obligates healthcare service providers to transmit coronavirus test results to the Health Board and the Patient Portal in personalised form as described above in section 4.
- In order to exercise the rights related to the processing of Personal Data or submit requests related to the processing of Personal Data, please contact us using the contact details provided below in the section “Contact”.
- The Webpage uses the following types of cookies:
- Session cookies: session cookies or temporary cookies are used every time the Webpage is used and are deleted after the web browser is closed. Temporary cookies are necessary for the Webpage to function.
- More specifically, the Webpage uses the following cookies:
|PHPSESSID||This cookie is used by the PHP application. The cookie is used for recording and identifying the unique session ID of the user to manage the user’s session on the website. The cookie is a session cookie and is deleted when all the browser windows are closed.||Until the browser is closed||Necessary|
|__utmc||The cookie is assigned by Google Analytics and it is deleted when the user closes the browser. Ga.js does not use the cookie. The cookie is used for allowing interoperability with urchin.js which is an older version of Google Analytics and which is used together with __utmb cookies for determining new sessions/visits.||Until the browser is closed||Analytics for evaluating the use of the Webpage|
|__utmz||This cookie is assigned by Google Analytics and it is used for recording the source of traffic or campaign via which the visitor reached the site.||6 months||Analytics for evaluating the use of the Webpage|
|__utmt||The cookie is assigned by Google Analytics and it is used for throttling the request rate.||10 minutes||Analytics for evaluating the use of the Webpage|
- SECURITY OF PERSONAL DATA
- The Personal Data Controller shall be obligated to ensure the security of the processing of Personal Data with the aim to protect Personal Data from unintentional or unauthorised processing, disclosure or destruction.
- Considering the latest science and technology developments and implementation costs and the manner, extent, context and purposes of the processing of Personal Data, as well as the risks of varying probability and size that threaten the rights and freedoms of natural persons arising from processing, the Personal Data Controller shall be obligated to apply appropriate technical and organisational measures in order to ensure the security of Personal Data in the processing of Personal Data.
- In processing Personal Data, SYNLAB complies with the state system of security measures for information systems, ISKE. ISKE is a three-level standard security system for information systems, the aim of which is to ensure a sufficient level of security for the data processed in information systems. The system has been created primarily for the information systems used in maintaining the state and local government databases and for ensuring the security of the related information assets. The selected security class and security level of the Webpage correspond to those established by the state for similar data processing procedures (e.g. the security class of the Cancer Register). Accordingly, the database security class is K1T2S2 and the security level is medium (M).
- CUSTOMER SUPPORT
- In the case of questions related to the processing of Personal Data or in order to submit requests related to the processing of Personal Data, please contact SYNLAB Eesti, Medicum Tervishoiuteenused and/or the Public Testing Organisation Partner at which you have registered for testing by phone, e-mail or post.
Contact details of Medicum Tervishoiuteenused:
Address: Punane 61, 13619
Data Protection Specialist: Mari Matjus, firstname.lastname@example.org
The contact details of every Public Testing Organisation Partner at which you can e-register for testing via the Webpage are provided on the webpage of that Public Testing Organisation Partner.