Customers’ and stakeholders’ privacy notice

Updated on 12.06.2024.

1       Controller

MedEngine Oy (hereinafter “MedEngine” or “we”)
Business ID 2593051-1
Eteläranta 14
00130 Helsinki, Finland


2      What processing of personal data does this privacy notice concern?

This privacy notice concerns MedEngine’s processing of your personal data when you are acting as a contact person or any other representative of our current or potential business clients, vendors, business partners and other stakeholders. This privacy notice also applies whenever you are visiting our website or subscribing to our newsletter, regardless of your relationship to MedEngine.


3      How do we process your personal data?

For what purpose do we
process your personal data?
What types of data do we
What is the legal basis for processing?
Delivering our products and services to our clients; managing our business relationship with our clients and other stakeholders (such as communication with our potential clients, vendors and other parties, invoicing, contract management, maintaining documentation on customers etc. as well as any other activities we may deem necessary in order to maintain our business relationships and carry out sourcing and purchasing)


Your basic information and contact details such as name, name of the company represented, position at the company, email address, phone number, customer number and/or another identifier;

information regarding the actual or potential customer relationship such as past and current contracts and orders, our correspondence with you as well as other contacts, consents, and prohibitions (related to e.g. direct marketing), information related to events organized by us;

information collected from other sources such as information collected from your company’s website and/or social media profiles as well as public register information.

Our legitimate interests, art. 6(1)(f) GDPR

The legal basis for processing affects what kind of rights you have as a data subject, as certain rights are only applicable to processing based on certain legal bases. For additional information, see section 9 below.

Developing our products and services, reporting (such as collecting statistics on and analysing the use of our products and services) Information regarding the customer relationship (see details in list above), information provided by you in your feedback.
Marketing and promotion of our products and services, seeking out potential clients, personalization and development of our marketing activities Your basic information and contact details, information regarding the actual or potential customer relationship, information collected from other sources (see details in lists above).
Preventing, detecting, and investigating fraud and other unlawful activities


Your basic information and contact details, information regarding the actual or potential customer relationship, information collected when visiting our website (especially in cases of unusual activity on our website), information collected from other sources (see details in lists above & below).
Processing and storage of personal data for accounting purposes and in order to comply with other legal obligations Any personal data contained in our accounting material (e.g. your name, transaction details) as well as any other types of data we may be required to process. Legal obligation, art. 6(1)(c) GDPR
Direct marketing (Medengine’s Insight newsletter) Your name, e-mail address and information about the types of communications you have chosen to receive. Your consent, art. 6(1)(a) GDPR
Improving your experience when using our website, statistics and analytics, marketing optimization, provision of embedded third-party services Information collected when visiting our website such as information about your device and browser, your IP address, visiting times, cookie information and data related to using them.

For additional information about our use of cookies, please see our cookie policy.

4      From which sources do we receive your data?

We receive information primarily from you, the data subject, when you order our services, subscribe to our newsletter or otherwise contact us. In addition, we collect information about your interactions with us and with our website. We may also receive personal data from our group companies.

For the purposes described in this privacy notice, personal data may also be collected and updated from publicly available sources and based on information received from the authorities or other third parties within the limits of the applicable laws and regulations. Such updating of data is performed manually or by automated means.

5      Profiling and automated decision-making

You are not profiled and no automated decisions concerning you are made based on your personal data.

6      To whom do we disclose data, and do we transfer data outside the EU or the EEA?

Personal data may be disclosed to our group companies for the purposes described in this privacy notice and in order to enable group-wide reporting and use of centralized data systems.

In order to carry out processing described in this privacy notice, we use subcontractors that process personal data on our behalf. We ensure that our subcontractors ensure the security and integrity of the personal data by using non-disclosure and data processing agreements as well as strict information security requirements.

In order to detect and investigate unlawful activities or to respond to legal proceedings or a lawful data requests, we may need to disclose your personal data to authorities (such as courts or law enforcement authorities) or other third parties.

Your personal data may be transferred to or accessed from outside the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that where the recipient of personal data is not located in a country subject to an European Commission’s adequacy decision, the recipient has committed to use the standard contractual clauses issued by the European Commission, or that any other appropriate safeguards for the transfer are in place.

7      How do we protect the data?

We commit to ensuring that we and our service providers process personal data in a manner that ensures its security, integrity, and confidentiality.

Only those of our employees, who need to process customer data to carry out their tasks, are entitled to use the systems containing personal data. Each user has a personal username and password to the systems used in processing of personal data. The data is collected into databases that are protected by firewalls, passwords, and other technical measures. The databases and their backup copies are physically stored at locked premises and can only be accessed by certain pre-designated persons. The persons processing data are bound by professional secrecy.

8      How long do we store your personal data?

We store the data of our existing customers and other stakeholders for the duration of our business relationship and for 2 years after the end of the business relationship. Certain information may be stored for longer periods in accordance with statutory requirements or for purposes of legal claims.

Personal data of our potential customers is stored for as long as it remains relevant for our business purposes – however, our general retention period for marketing data is 2 years. Information concerning communication subscriptions and consents is stored as long as the subscription remains active.

We assess the need for data storage regularly, taking into account the applicable legislation. In addition, we take care of such reasonable actions that ensure no incompatible, outdated, or inaccurate personal data is stored in the register taking into account the purpose of the processing. We correct or erase such data without delay.

9      What are your rights as a data subject?

You always have the right to:

  • Access the personal data concerning yourself that is stored by us
  • Demand rectification of inaccurate or outdated data (in some cases, you can update your information yourself)
  • Lodge a complaint with the supervisory authority (Office of the Data Protection Ombudsman in Finland)

Additionally, subject to certain conditions (left column), you may have the following rights:

If the processing is based on your (explicit) consent in accordance with art. 6(1)(a) and/or 9(2)(a) GDPR: You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

You can withdraw your consent concerning cookies by using the cookie settings at the bottom of our website. To unsubscribe from our Insight newsletter, please use the link provided in each message.

If you have withdrawn your consent, or if any other of the conditions to use “the right to be forgotten” (art. 17 GDPR) are met: You have the right to have your personal data erased.
If you have contested the accuracy of personal data, or if any other of the conditions to use the right to restriction of processing (art. 18 GDPR) are met: You have the right to have the processing of your personal data restricted e.g. while your requests related to your personal data are investigated and resolved.
If the processing is based on your consent or a contract with you, and where the processing is carried out by automated means: You have the right to transmit your data to system maintained by another controller (if it is technically feasible and as far as your request concerns information provided to us by yourself)
If the processing is based on our legitimate interest (art. 6(1)(f) GDPR): You have the right to object to processing of your personal data on grounds relating to your particular situation.

How to use your rights:

All contacts and requests concerning the rights mentioned above should be made in writing using the contact information in the beginning of this privacy notice. Your request should include your name and contact details. Please note that when submitting a request concerning your rights, we may ask you to provide additional information in order to verify your identity – this information is not used for any other purposes and is deleted after identification.

We will answer your contacts and requests related to your rights as a data subject within one month.

10   Changes to this privacy notice

We may update this privacy notice from time to time, and we will communicate the updated privacy notice on this webpage. The updated version will be indicated by an updated ‘Updated on’ date at the top of this notice, and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.