BioEximi OÜ is a healthcare service provider that is obligated to maintain confidentiality under the law and has the right to process personal data required for the provision of health services, including personal data of special categories, i.e. health data, without the permission of the data subject under section 11 of the Statutes of the Estonian Health Information System and section 41 of the Health Services Organisation Act.
- employees, job applicants and trainees of BioEximi OÜ;
- customers of BioEximi OÜ and contact persons appointed by them;
- representatives and contact persons of the contractual partners of BioEximi OÜ and of other healthcare service providers;
- persons who have sent requests for clarification, e-mails, requests for information, letters of gratitude, etc. to BioEximi OÜ, and their representatives.
1. Data controller
1.1. The data controller is BioEximi OÜ, registry code 11767227, address Veerenni 51, 10138 Tallinn, e-mail email@example.com, telephone 607 0017.
1.2. Matters pertaining to the processing of personal data are handled by Eerika Eensalu, the Data Protection Specialist of BioEximi OÜ, address: Veerenni 51, 10138 Tallinn, telephone 607 0017, e-mail firstname.lastname@example.org.
2. Purposes of processing personal data
2.1. The purposes of the processing of personal data by BioEximi OÜ are the following:
2.1.1. provision of healthcare services;
2.1.2. organisation and conduct of training activities, i.e. practical training;
2.1.3. organisation of scientific research;
2.1.4. performance of contractual and legal obligations and protection of rights in employment and debt relationships.
2.2. BioEximi OÜ adheres to the principles of purposefulness and minimalism when processing personal data, i.e. only the data required for the achievement of a specific objective are processed and to the extent necessary.
3. Legal grounds for processing personal data
3.1. BioEximi OÜ collects and processes personal data on the following legal grounds:
3.1.1. on the basis of a contract, i.e. the processing of personal data is necessary for the entry into and performance of a contract between BioEximi OÜ and the data subject;
3.1.2. on the basis of the law, i.e. personal data are processed in order to perform BioEximi OÜ’s obligations and to guarantee their rights under the law;
3.1.3. on the basis of consent, i.e. the data subject has provided BioEximi OÜ with their explicit consent to the processing of their personal data for one or more purposes known to them in advance;
3.1.4. BioEximi OÜ only processes personal data on the basis of legitimate interest if such processing is not outweighed by the interests or fundamental rights and freedoms of the data subject.
4. Categories of processed personal data
4.1. BioEximi OÜ collects and processes the following personal data:
4.1.1. the general personal data of the data subject, i.e. information on the basis of which the person can be identified directly or indirectly, in particular their name, surname and personal identification code;
4.1.2. the contact details of the data subject, such as their e-mail address, telephone number and address;
4.1.3. the special categories of personal data of the data subject, in particular their health data and genetic data;
4.1.4. personal data related to the performance of the contract, including the personal data of the contact person of the data subject, as well as their bank data and data concerning their obligation under the law of obligations;
4.1.5. personal data related to the performance of the employment contract, including information confirming the data subject’s education and profession and information concerning their minor children;
4.1.6. the data of the representative and contact person of the contractual partner and other healthcare service provider, as well as the personal data of the trainee;
4.1.7. any other information provided by the data subject.
5. Sources of personal data
5.1. The sources related to healthcare services are information provided by the data subject, documents reflecting their health data and state of health, the results of tests, other healthcare service providers and state databases.
5.2. The sources used for the traineeship and scientific research are data for whose use the data subject has given permission in a contract or with their express consent.
5.3. With regard to the employment and debt relationship, the sources of personal data are the employee and persons involved in the employment and debt relationship, state databases and information received from authorities.
5.4. BioEximi OÜ may also collect and process personal data obtained from publicly available sources and sources based on information received from other third parties to the extent allowed under applicable laws and legislation.
6. Safety of personal data processing
6.1. BioEximi OÜ’s objective is to ensure the safety of the processing of personal data.
6.2. In order to ensure the security of data held on BioEximi OÜ’s websites https://next-fertilitynordic.com, www.viljakus.ee, www.munarakudoonor.ee and www.lapsesoov.ee and in the information system, technical and organisational security measures are used, such as firewalls and passwords which protect the data from illegal access, accidental loss and alteration. Documents received on paper are stored in locked rooms. Only authorised persons have access to documents and information systems containing personal data.
6.3. The websites of BioEximi OÜ use an updated SSL certificate that allows for using a private encrypted communications channel (HTTPS) on the public Internet, with the help of which the transmitted data remains confidential and intact.
7. Transfer of personal data
7.1. BioEximi OÜ transfers personal data if there is a legal basis for this, adhering to all the principles applicable to the processing of personal data, in order to ensure that such processing is lawful, fair and transparent to the data subject.
7.2. Personal data may also be processed, viewed and stored outside Estonia. The transfer of personal data to recipients outside the European Union or the European Economic Area only takes place in exceptional cases on the basis of the express consent of the data subject or a contract entered into with them as specified in Article 49 (1) of the General Data Protection Regulation (GDPR).
8. Storage of personal data
8.1. BioEximi OÜ stores data for as long as necessary, taking into account the purpose of processing personal data and following the deadlines determined in the law, with the consent of the data subject and in a contract entered into with the data subject.
8.2. BioEximi OÜ takes all reasonable measures to ensure that its information system does not store personal data which are outdated, inaccurate or in conflict with the purposes of processing personal data.
9. Rights of data subject
9.1. The data subject has the right to receive information about the processing of their personal data and to request access to the personal data concerning them.
9.2. The data subject has the right to request the correction or deletion of personal data. The data subject has the right to object to or limit the processing of personal data.
9.3. The data subject has the right to withdraw or amend the consent granted for the processing of their personal data in situations where the processing is based on the explicit consent of the data subject.
9.4. If you have any questions or complaints concerning the processing of personal data, you can contact the Data Protection Specialist of BioEximi OÜ at email@example.com. Requests, applications and suggestions can also be submitted in a digitally signed format by e-mail at firstname.lastname@example.org.
9.5. Data requested by the data subject in writing are issued on the basis of an identity document or in an encrypted format. In order to ensure the security of the processing of personal data, no data will be provided by phone.
9.6. The data subject also has the right to file a complaint with the data protection supervisory authority, namely the Estonian Data Protection Inspectorate, address Tatari 39, Tallinn 10134, e-mail email@example.com.