Why is my data being collected?
Data is stored and processed under the provisions of the Blood Services Act (197/2005). Blood service institutions are legally obligated to collect and store the personal data of blood donors for a duration specified by the Act. Personal data specified for collection under the Blood Services Act include name, personal identity number, contact information, information on eligibility to donate blood, deferrals to blood donation, and the traceability information of blood products.
What data are collected about me?
◦ Identifying personal data; personal identity number, name and sex
◦ Contact information (address, phone number, email address and language), which are used for invitations and communication based on consent and for the legal requirements on traceability.
◦ Information on communications (time, communication channel and content)
◦ Health information, insofar as they have a temporary or permanent impact on eligibility for blood donation
◦ Time and place of blood donation
◦ Information on blood group and results of other laboratory tests on the blood donor
◦ Traceability information of products made with the donated blood up to their delivery
◦ Information on medical examinations, laboratory and imaging tests on the blood donor insofar as they are needed to assess eligibility for blood donation. The individual documents/data are destroyed once the assessment has been completed.
◦ Copies of letters sent to the blood donor that contain health information (e.g. laboratory test results and decisions on eligibility for donation)
◦ Information on an official recognition received by the donor from the FRC
◦ Information on personal injuries and/or property damage in connection with blood donation and documentation related to their claims handling
How is my data obtained?
Blood donors provide their name, personal identity number and contact and health information personally upon visiting and confirm their accuracy with a signature. Contact information may also be updated over the phone if the individual can be reliable identified. Information on medical history is requested from care units with the written consent of the blood donor. Other information is collected through activities carried out by the FRC Blood Service (e.g. test results, blood product information, information on invites and recognitions). Information related to personal injuries or property damage are provided by the data subject or received from care units with the written consent of the data subject. Information related to personal injuries or property damage are also received from insurance companies.
Why is my data processed?
With your consent, your contact information will be used for invitations and communication. In addition, the Blood Services Act obligates us to store contact information to ensure availability and communication under the law. Information on health and sex are used in the assessment of eligibility for blood donation. Laboratory test results produced by the FRC Blood Service are used to assess the safety of blood products, and blood donors will be informed of any significant findings in the results. Other information are used internally to facilitate this process (e.g. damages, recognitions).
Is my data disclosed outside the Blood Service? If so, why and where?
Your data is disclosed for purposes of invitations, communication and the digitisation of information. Service providers are not entitled to process your data for any other purpose or to store them after their contractual use.
Information required under law on blood donors who carry an infectious disease that constitutes a public threat or requires a notification are disclosed to the National Institute for Health and Welfare register of infectious diseases and to local authorities responsible for infectious diseases.
In personal injuries and/or property damage, information related to the loss event are disclosed to the insurance company.
Data in the filing system may be disclosed for research purposes only with the process for scientific research provided by law.
Is my data transferred outside the EU?
How is my data being protected?
Employees of the Blood Service and service providers are under obligation to maintain confidentiality. Access to the filing system is restricted by user credentials and permitted only to those individuals required to do so due to their duties. Access to data in the filing system and the addition, editing and erasure of data is restricted with access rights. The processing of data is restricted by our contracts with service providers. Printed documents that contain personal data are stored by the FRC Blood Service in locked premises with controlled access and in locked containers.
Data in the filing system and their processing are a part of regularly performed information security audits and risk assessments. We use a tool for the continuous monitoring of access data and the reporting and investigation of incidents.
Is my data used for profiling or automated decision-making?
Yes. Invitations to and communication with blood donor are based on information on the place of donation, preferred place of donation, address, blood group, latest date of visit and donation, and possible deferrals to blood donation recorded in the register.
For how long is my data stored?
The Blood Services Act obligates us to store traceability information related to blood donations (name, personal ID and contact information, information on the blood donation) for a period of 30 years. Health assessment information (health questionnaires) must be stored for 15 years.
How can I review my data and rectify any inaccurate information?
Blood donors have access to their name, personal ID and contact information during each visit. You may request an extract of your personal data in the filing system in writing when visiting the Blood Service or by sending us a free-form signed request that includes your name and personal identity number.
You may access and check your personal data stored by us by filling in, printing and signing the request for data form available on the Blood Service website and sending it to us by mail or in person. The Blood Service will send an extract of the personal data concerning you contained in the filing system to you by mail.
You may request for rectification of inaccurate information in writing by using the rectification request form found on the Blood Service’s website. Contact details may also requested to be updated over the phone.
Can I request the erasure of my data or object to the use of my data?
You may object to the sending of invitations and communications. The erasure of other personal data or objecting to their processing is not possible under the law, see section “For how long is my data stored?
Can I lodge a complaint with the authorities?
If you feel that the processing of your personal data is not lawful, you may lodge a complaint with the competent supervisory authority.
Finnish Red Cross, Blood Service
FI-00310 Helsinki, Finland
tel. +358 29 300 1010
Person in charge of the filing system:
Satu Pastila, Director of Blood Donation Operations, tel. +358 29 300 1760