Valid from 2.02.2022
This webpage, www.koroonatestimine.ee (hereinafter the Webpage), has been created in connection with the organisation of the testing of coronavirus SARS-CoV-2, commissioned by the Health Board. In Estonia, public coronavirus SARS-CoV-2 testing has been commissioned by the Health Board and is performed by:
- SYNLAB Eesti (registry code: 11107913, address Veerenni 53a, 11313 Tallinn, e-mail firstname.lastname@example.org, hereinafter SYNLAB);
- AS Medicum Tervishoiuteenused (registry code: 14335034, address Punane 61, 13619 Tallinn, e-mail: email@example.com, hereinafter Medicum);
- Qvalitas Arstikeskus AS (registry code 10303948, address Jalgpalli 1, 10139 Tallinn, e-mail firstname.lastname@example.org, hereinafter Qvalitas);
- OÜ Arstikeskus Confido (registry code 12381384, address Veerenni 53a, 11313 Tallinn, e-mail email@example.com, hereinafter Confido);
- Foundation Kuressaare Hospital (registry code 90004059, address Aia 25, 93815 Kuressaare, e-mail firstname.lastname@example.org, hereinafter Kuressaare Hospital);
- Foundation Hiiumaa Hospital (registry code 90013880, address Rahu 2b, 92414 Kärdla, e-mail email@example.com, hereinafter Hiiumaa Hospital).
SYNLAB Eesti is the administrator of the Webpage. The Webpage offers information as well as an opportunity to e-register for coronavirus SARS-CoV-2 testing at the Health Board’s contractual partners SYNLAB, Medicum, Qvalitas, Confido, Kuressaare Hospital, Hiiumaa Hospital or via them at other healthcare service providers, which perform public testing (hereinafter the Public Testing Partner or Public Testing Organisation).
This personal data processing policy document describes how your personal data are processed in connection with the use of the Webpage and upon registering for coronavirus testing via the Webpage.
If you have any specific questions about how we process your personal data or if you wish to submit requests to us for exercising the rights which the processing of your personal data entails, please contact us using the contact details presented below in the section “Customer support”. If you have any specific requests about how the specific Public Testing Organisation or the Health Board processes your personal data, please send your request or question to this Public Testing Organisation or the Health Board using the contact details presented at the end of this Policy.
These personal data processing terms and conditions may be amended from time to time. The updated personal data processing terms and conditions are published on the Webpage.
|GDPR||Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR).|
|Personal Data||Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.|
|Applicable Law||All the applicable legal acts of the European Union and all the applicable legal acts of the Republic of Estonia, including, but not limited to, the national implementing acts of the GDPR, which apply during the validity of a data processing agreement or enter into force after the conclusion of a data processing agreement, and legal acts which regulate the provision of healthcare services.|
|Data Subject||A natural person whose personal data are processed.|
|Public Testing Organisation Partner||A healthcare service provider who provides the service of coronavirus SARS-CoV-2 testing in cooperation with the Health Board and who can be contacted for referral-based testing free of charge.|
|Processing||Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|Controller||A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.|
|Processor||A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.|
- OBJECTIVE OF WEBPAGE AND CORONAVIRUS TESTING
- The objective of the Webpage is to provide information about coronavirus SARS-CoV-2 testing possibilities in Estonia and to e-register for testing at a Public Testing Organisation Partner.
- The Webpage also provides information concerning paid coronavirus SARS-CoV-2 testing. In the case of paid coronavirus testing, your Personal Data shall be processed by the healthcare service provider whose services you have decided to use in accordance with the applicable service terms and conditions.
- WHEN AND FOR WHAT PURPOSES DO WE PROCESS PERSONAL DATA?
- Your Personal Data are processed via the Webpage when you register for coronavirus testing via the Webpage.
- You can only register for coronavirus testing with a referral letter issued by a healthcare service provider; as a rule, the family doctor issues such a referral.
- In the case of referral-based coronavirus testing, your Personal Data shall be processed on the following terms and conditions:
|Processed Personal Data and processing procedures||Purpose of processing Personal Data||Legal basis for processing Personal Data||(Co-)controller of Personal Data||Processor of Personal Data|
|First name, last name, personal identification code, coronavirus sample||Coronavirus testing||The provision of healthcare services to Data Subjects under subparagraph (b) of paragraph 1 of Article 6 and subparagraph (h) of paragraph 2 of Article 9 of the GDPR.||Public Testing Partner who has taken the sample||Not applicable|
|First name, last name, personal identification code, coronavirus test result (positive/negative)||The transmission of the coronavirus test result to the Data Subject and other persons on the basis of law.||The provision of healthcare services to Data Subjects under subparagraph (b) of paragraph 1 of Article 6 and subparagraph (h) of paragraph 2 of Article 9 of the GDPR. Legal obligation in accordance with subparagraph (c) of paragraph 1 of Article 6 of the GDPR (see section 4).||Public Testing Partner who has taken the sample, the Health Board||Not applicable|
- TRANSMISSION OF PERSONAL DATA
- Your Personal Data shall not be transmitted to third persons in connection with using the Webpage, registering for coronavirus testing and testing for coronavirus, except upon the existence of a lawful right to do so on the basis of the applicable law.
- Pursuant to the applicable law, Personal Data related to coronavirus SARS-CoV-2 testing and test results shall be transmitted as follows.
|Personal Data||Recipient||Legal basis for transmission||Storage of Personal Data|
|First name, last name, personal identification code, mobile phone number, e-mail address, coronavirus test result||To the web address of the Patient Portal at: https://www.digilugu.ee. The Controller: the Ministry of Social Affairs via the Health and Welfare Information System Centre, phone +372 794 3943, e-mail firstname.lastname@example.org.||Legal obligation in accordance with subparagraph (c) of paragraph 1 of Article 6 of the GDPR and section 592 of the Healthcare Services Organisation Act (HSOA).||The Ministry of Social Affairs shall store the Personal Data as the Personal Data Controller in the information system in accordance with the Regulation of the Minister of Social Affairs, “Data composition of documents transmitted to the health information system and the terms and conditions of and the procedure for the submission thereof”.|
|First name, last name, personal identification code, mobile phone number, e-mail address, coronavirus test result in the case of a positive test result||The Health Board (registry code 70008799), address Paldiski mnt 81, Tallinn 10617, e-mail email@example.com, who registers the Personal Data in the Communicable Diseases Register.||Legal obligation in accordance with subparagraph (c) of paragraph 1 of Article 6 of the GDPR, section 21 of the Communicable Diseases Prevention and Control Act (CDPC) and section 11 of the Regulation of the Minister of Health and Labour, “Procedure for the transmission of information concerning the occurrence of communicable diseases and suspected cases of communicable diseases and infection risk factors and prevention, a list of communicable diseases, and the composition of the data to be transmitted together with the personal data of a data subject”.||The Health Board shall store Personal Data as the Controller in accordance with the Regulation of the Minister of Health and Labour, “Procedure for the transmission of information concerning the occurrence of communicable diseases and suspected cases of communicable diseases and infection risk factors and prevention, a list of communicable diseases, and the composition of the data to be transmitted together with the personal data of a data subject”.|
- STORAGE OF PERSONAL DATA
- SYNLAB Eesti shall not store Personal Data longer than necessary according to the purpose of processing the Personal Data or on the basis of the applicable law.
- In storing the data, SYNLAB Eesti complies with the applicable law and we have applied the following storage terms:
- As a general rule, we store samples for up to 3 days or in accordance with the quality requirements for laboratory services;
- If you have ordered paid coronavirus testing for which we have issued an invoice to you, we are obligated pursuant to the Accounting Act to store invoices and other accounting documents for 7 years; accounting documents do not contain health data or information about whether the coronavirus test result was positive or negative;
- As a general rule, we store Personal Data related to the conclusion of a contract, for which a longer storage term does not arise from the applicable law, for as long as the data are needed in connection with the fulfilment of the contract during the validity of the contract, or for up to 5 years after the end of the contract in accordance with the limitation period applicable to the provision of healthcare services as stipulated in the Law of Obligations Act.
- If you wish to receive more detailed information about the storage terms of the Personal Data related to you, please contact us using the contact details provided below in the section “Customer support”.
- RIGHTS OF DATA SUBJECTS
- If you are a Data Subject, you shall, inter alia, have the following rights:
- Right of access: you have the right to enquire at any time whether the Personal Data Controller has Personal Data about you or not, and to receive information about which Personal Data the Controller processes with regard to you;
- Right to have Personal Data rectified: you have the right to request that the Controller specify or rectify your Personal Data, if the data are insufficient, deficient or incorrect;
- Right to submit objections: you have the right to submit objections to the Controller with regard to the processing of your Personal Data;
- Right to request the erasure of Personal Data: you have the right to request the erasure of Personal Data;
- Right to restrict processing: you have the right to request that the Personal Data Controller restrict the processing of your Personal Data, for instance when the Personal Data Controller no longer needs your Personal Data for the processing purposes or when you have submitted an objection with regard to the processing of Personal Data;
- Right to withdraw the consent given for processing Personal Data: if the processing of Personal Data is based on the consent given by you, you have the right to withdraw the consent given to the Personal Data Controller at any time;
- Right to data portability: you have the right to receive Personal Data which you have submitted to the Personal Data Controller and which are being processed on the basis of your consent from the Personal Data Controller in a written or generally recognised electronic format, and, if technically possible, request that the Personal Data Controller transmit such data to a third person;
- Right to file complaints: if you find that your rights have been violated in the processing of your Personal Data, you can file a claim or complaint with the Data Protection Inspectorate (Tatari 39, Tallinn 10134, firstname.lastname@example.org, aki.ee) or a court.
- Your rights listed in this section in connection with the processing of Personal Data are not absolute rights. In certain cases, the rights of a Data Subject may be restricted by the rights of other Data Subjects or the obligations of the Personal Data Controller, including the legal obligations of SYNLAB Eesti, the Public Testing Organisation Partner or any other Personal Data Controller and/or healthcare service provider that is a Public Testing Organisation. For instance, the applicable law obligates healthcare service providers to transmit coronavirus test results to the Health Board and the Patient Portal in personalised form as described above in section 4.
- In order to exercise the rights related to the processing of Personal Data or submit requests related to the processing of Personal Data, please contact us using the contact details provided below in the section “Customer support”.
- The Webpage uses the following types of cookies:
- Session cookies: session cookies or temporary cookies are used every time the Webpage is used and are deleted after the web browser is closed. Temporary cookies are necessary for the functionality of the Webpage to work.
- More specifically, the Webpage uses the following cookies:
|PHPSESSID||This cookie is used by the PHP application. The cookie is used for recording and identifying the unique session ID of the user to manage the user’s session on the website. The cookie is a session cookie and is deleted when all the browser windows are closed.||Until the browser is closed||Necessary|
|__utmc||The cookie is assigned by Google Analytics and it is deleted when the user closes the browser. Ga.js does not use the cookie. The cookie is used for allowing interoperability with urchin.js which is an older version of Google Analytics and which is used together with __utmb cookies for determining new sessions/visits.||Until the browser is closed||Analytics for evaluating the use of the Webpage|
|__utmz||This cookie is assigned by Google Analytics and it is used for recording the source of traffic or campaign via which the visitor reached the site.||6 months||Analytics for evaluating the use of the Webpage|
|__utmt||The cookie is assigned by Google Analytics and it is used for throttling the request rate.||10 minutes||Analytics for evaluating the use of the Webpage|
- SECURITY OF PERSONAL DATA
- The Personal Data Controller shall be obligated to ensure the security of the processing of Personal Data with the aim to protect Personal Data from unintentional or unauthorised processing, disclosure or destruction.
- Taking into account the state of the art in science and technology, the implementation costs, and the nature, scope, context and purposes of the processing of Personal Data, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons arising from processing, the Personal Data Controller shall be obligated to apply appropriate technical and organisational measures in order to ensure the security of Personal Data during processing.
- In processing Personal Data, SYNLAB complies with the state system of security measures for information systems, ISKE. ISKE is a three-level standard security system for information systems, the aim of which is to ensure the sufficient level of security of the data processed in information systems. The system has been created primarily for the information systems used in maintaining the state and local government databases and for ensuring the security of the related information assets. The selected security class and security level of the Webpage correspond to those established for similar data processing procedures by the state (e.g., the security class of the Cancer Register). Pursuant to that, the database security class is K1T2S2 and the security level is medium (M).
- CUSTOMER SUPPORT
- In the case of questions related to the processing of Personal Data or in order to submit requests related to the processing of Personal Data, please contact SYNLAB Eesti, Medicum Tervishoiuteenused and/or the Public Testing Organisation Partner at which you have registered for testing by phone, e-mail or post.
Contact details of Qvalitas Medical Centre AS:
Address: Jalgpalli 1, 10139 Tallinn
Phone: +372 605 1500
Data Protection Specialist: Kadi Rokk, email@example.com
Contact details of OÜ Arstikeskus Confido:
Address: Veerenni 53a, 11313 Tallinn
Data Protection Specialist: Marit Martens, firstname.lastname@example.org
Contact details of Foundation Kuressaare Hospital:
Address: Aia 25, 93815 Kuressaare
Phone: 452 0040
Data Protection Specialist: Maris Tuisk, email@example.com
Contact details of Foundation Hiiumaa Hospital:
Address: Rahu 2b, 92414 Kärdla
Phone: 462 2795
Data Protection Specialist: Riina Tamm, firstname.lastname@example.org
The contact details of every Public Testing Organisation Partner at which you can e-register for testing via the Webpage are provided on the webpage of that Public Testing Organisation Partner.