This privacy policy has been updated latest on 22/08/2024.
ICARE FINLAND OY (Business ID 1084502-3) (“iCare”)
Address: Äyritie 22, 01510 VANTAA, Finland
telephone: +358 9 8775 1150
email: privacy@icare-world.com
The contact details may be amended from time to time and you can find current details in this privacy policy which is available at the address https://www.icare-world.com at all times.
The name of the register is iCare CLOUD Service register. The iCare CLOUD Service register includes Personal Data originating from devices iCare HOME and iCare HOME2, and from software / software service iCare CLOUD Service, and from software applications iCare PATIENT2 application, iCare PATIENT application and iCare EXPORT application. All those devices, services and applications are hereinafter referred to as “Services”.
The provision of Personal Data (as defined below in Section 5) is voluntary, and a contractual requirement. If you do not provide the Personal Data that is marked as obligatory when the data is requested, iCare is not able to provide you with the Services.
The purposes of the processing and the legal grounds for the processing of Personal Data are:
(a) Performance of the contract(s) between you and iCare (each “Agreement”), performance of the Services, to take steps prior to entering into the Agreement, providing customer service, and handling of potential reclamations under the Agreement. The legal basis for the processing of the Personal Data for this purpose is that the “Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
(b) Customer analysis, marketing and research purposes and development of iCare’s products and services, subject to regulatory requirements. “The legitimate interests pursued by iCare” is the legal basis for processing of the Personal Data for this purpose. This data is made anonymous where reasonably possible and thereafter does not constitute Personal Data.
(c) Direct marketing of iCare’s products and services. When consent is required for these actions pursuant to legislation, “consent” is the legal basis for processing of the Personal Data for this purpose. If your consent is not required for these actions pursuant to legislation, “The legitimate interests pursued by iCare” is the legal basis for processing of the Personal Data for this purpose.
(d) Taking care of data security. “Compliance with iCare’s legal obligation” is the legal basis for processing of Personal Data for this purpose.
(e) Preventing fraud. “The legitimate interests pursued by iCare” is the legal basis for processing of Personal Data for this purpose.
(f) When the processing is otherwise necessary for compliance with a legal obligation to which iCare is subject.
When “The legitimate interests pursued by iCare” is the legal basis for the processing of the Personal Data, iCare has considered that iCare’s legitimate interests are not overridden by your fundamental rights and freedoms. Such legitimate interests exist as there is a relevant and appropriate relationship with you as a user of the Services. Your interests and fundamental rights and freedoms are respected, as no special categories of Personal Data are processed and you can expect iCare’s processing activities. Provision of the Services and performance of a contract would not be possible without using the Personal Data.
If the legal basis for the processing the Personal Data is your consent:
(a) If you withdraw a consent given to the processing, the withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.
The following Personal Data is contained in the register:
(a) your email address; your password; serial number of the iCare HOME and the iCare HOME2 device (“Device”); the Device’s cheek and forehead support settings, your name, the data or other content uploaded from the Device to the Services; information on which eye is measured; point of time of measurement; measurement angle (angle of the Device compared with your eye); intraocular pressure value; intermediate results of the six samples of intraocular pressure measurements; quality rating of the measurement; cookie related information (see Section 10 below); IP addresses relating to the Device and the Services; the free-text data written by you in connection with the measurement; and the free-text data concerning conditions and actions defined by you related to measurement in general (that you have voluntarily provided).
The Personal Data will be processed by iCare’s subcontractor Taitopilvi Oy (Business ID 2786133-7). Taitopilvi Oy is processing the Personal Data to provide services to iCare.
The Personal Data will be processed by iCare’s subcontractor Amazon Web Services EMEA SARL, Luxembourg. The purpose of the processing is that Amazon Web Services EMEA SARL and its prob-processors provide to iCare cloud hosting and data storage service and the Amazon Simple Email Service. Further information:
https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf
https://aws.amazon.com/compliance/sub-processors/
The Personal Data will be processed by iCare’s subcontractor Atlassian Corporation Plc. Jira is used for internal communication to provide support services.
The Personal Data will be processed by iCare’s subcontractor Microsoft Corporation. Microsoft Outlook is used for communication to provide support services.
The Personal Data will be processed by iCare’s subcontractor Temp-Team Finland Oy (Business ID 1978563-7). Temp-Team Finland Oy is processing the Personal Data to provide services to iCare.
You can also download applications of different Google companies (such as Google Inc., Google Ireland Limited and Google Commerce Limited), in which case the Google companies process the personal data according to their policies and terms.
You can also download applications of different Apple companies (such as Apple Inc.), in which case the Apple companies process the personal data according to their policies and terms.
The Google companies or the Apple companies are not iCare’s subcontractors or personal data processors. The Google companies and the Apple companies provide their applications and services to you independently according to their policies and terms.
iCare does not transfer your Personal Data to countries outside the European Economic Area (EEA) and European Union (EU) (“Third Countries”) except to Amazon Web Services EMEA SARL and its sub-processors for the purposes set out in Section 7.2.
The legal basis of a transfer of the Personal Data outside the EU area is e.g. the model clauses of the EU Commission or other lawful basis for the transfer.
Further information on the model clauses:
New Standard Contractual Clauses are available here:
Standard contractual clauses for international transfers
Old Standard Contractual Clauses are available here:
Transfer of personal data between two controllers (2001/497/EC)
Transfer of personal data between two controllers (2004/915/EC)
Transfer of personal data between a controller and processor (2010/87/EU)
Further information in Section 7.2.
The Services may have links to third party web sites. Please note that iCare is not liable for personal data processing on such web sites. Such third parties are not deemed as iCare’s personal data processors.
The iCare CLOUD Service requires the use of cookies. The cookies are called authTokens. They are session-based cookies. They collect only the data to be able to identify the Consumer as he/she logs in and uses the iCare CLOUD Service, and are stored only for the duration of the session.
The terms regarding cookies may vary from time to time, as notified by iCare.
The Personal Data is secured by using, for example, the following methods and principles:
(a) locking systems at iCare’s and its subcontractors’ premises;
(b) electrical surveillance systems of iCare’s and its subcontractors’ premises and equipment;
(c) firewall, anti-malware and spam filtering systems of iCare’s and its subcontractors’ communication networks and other software and hardware that protect the security of communication networks;
(d) detailed user rights in iCare’s IT systems;
(e) professional knowledge of iCare’s personnel;
(f) regular training of iCare’s personnel;
(g) the content of the register is in electronic form only except in temporary special occasions; and
(h) iCare’s policies and guidelines relating to Personal Data matters.
You have the right to get information on which Personal Data on you is being processed by iCare or information that no such Personal Data is being processed. Where such Personal Data is being processed by iCare, iCare shall provide you with a copy of the Personal Data and the following information:
(a) the purposes of the processing;
(b) the categories of the Personal Data concerned;
(c) the recipients or categories of recipients to whom the Personal Data are to be or have been disclosed, in particular to recipient in Third Countries;
(d) the period for which the Personal Data will be stored;
(e) the existence of the right to request from iCare rectification or erasure of your Personal Data or to object to the processing of such Personal Data;
(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
(g) communication of the Personal Data undergoing processing and of any available information as to its source; and
(h) the significance and envisaged consequences of automated decision-making and related profiling, if any.
Where requests from you are manifestly unfounded or excessive, in particular because of their repetitive character, iCare may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request.
iCare shall, at your request, without undue delay correct, erase or supplement the Personal Data if the Personal Data is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing, including by way of supplementing a corrective statement.
If iCare refuses your request of the correction of the Personal Data, iCare will inform you, and you can lodge a complaint with a supervisory authority and seek a judicial remedy.
You have the right to lodge a complaint to the supervisory authority. The contact details of the Finnish supervisory authority are:
www.tietosuoja.fi
Office of the Data Protection Ombudsman
P.O. Box 800
FIN-00521 HELSINKI
FINLAND
Address:
Ratapihantie 9, 6rd floor
00520 HELSINKI
Tel: +358 29 56 66700 (exchange)
Fax: +358 29 56 66735
Email: tietosuoja@om.fi
‘Restriction of processing’ means the marking of stored Personal Data with the aim of limiting its use in the future.
If you request, iCare must restrict processing in the following situations:
(a) the accuracy of the Personal Data is contested by you, for a period enabling iCare to verify the accuracy of the Personal Data;
(b) the processing is unlawful and you oppose the erasure of the Personal Data and request the restriction of its use instead;
(c) iCare no longer needs the Personal Data for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims; or
(d) you have objected to processing, but verification whether the legitimate grounds of iCare override your interests is still ongoing.
In the situations listed above, iCare can only process the Personal Data:
(a) with your consent or for the establishment, exercise or defense of legal claims;
(b) for the protection of the rights of another natural or legal person;
(c) for reasons of important public interest of the EU or of an EU Member State; and
(d) to store the Personal Data.
The Personal Data is processed as long as this is required and allowed under applicable law. Information regarding the contractual relationship can be processed at least for the time until claims related to the contractual relationship expire. Main rule according to Finnish law for claims related to the contractual relationship to expire is three years. When the applicable law describes a longer or a shorter time period for the processing, such limitation is applied.
Subject to the requirements of the applicable law, the Personal Data can be processed for longer than the above-mentioned time periods if it is needed for the establishment, exercise or defense of possible legal claims.
You have the right to have your Personal Data erased at your request if one of the following grounds applies:
(a) the Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed;
(b) you withdraw your consent on which the processing is based and where there is no other legal ground for the processing;
(c) you object to the processing in accordance with Section 18;
(d) the Personal Data has been processed unlawfully; or
(e) the Personal Data has to be erased for compliance with a legal obligation in EU or EU Member State law to which iCare is subject.
However, iCare does not have to erase the Personal Data based on above grounds to the extent iCare still needs to process the Personal Data:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by law to which iCare is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with legal requirements;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with legal requirements; or
(e) for the establishment, exercise or defense of legal claims.
At your request, if iCare processes the Personal Data based on your consent or based on a contract with you and if the processing is carried out by automated means:
(a) iCare shall provide the you with the Personal Data which you have provided to iCare, in a structured, commonly used and machine-readable format;
(b) On your request and if technically feasible, iCare shall transmit the Personal Data in the same format directly to another controller.
You have the right to object, on grounds relating to your particular situation, to the processing of the Personal Data which is based on either of the following legal basis for processing: (i) when processing has been found necessary for the purposes of the legitimate interests of iCare or (ii) when processing has been found necessary in order to protect your vital interests. You however do not have the right to object, if iCare demonstrates compelling legitimate grounds for the processing which override your interests or fundamental rights and freedoms.
Where Personal Data is processed for direct marketing purposes, you have the right to object at any time to the processing of your Personal Data such marketing, including the right to object to profiling to the extent that it is related to such direct marketing.
You have the right not to be subject to a measure which produces legal effects concerning you or significantly affecting you, and which is based solely on automated processing intended to evaluate certain personal aspects relating to you or to analyze or predict in particular your performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Such automated decision-making is not used to process your Personal Data by iCare when its processes your Personal Data according to this policy.