Privacy policy


Oy Medfiles Ltd
Volttikatu 5, 70700 Kuopio

Persons responsible for the filing system

Client register: Sales and marketing coordinator,

Vendor register: QA-Team

Purpose and grounds for processing personal data

Purpose for processing personal data:

  • Marketing for companies
  • Handling of client relations
  • Implementation of service agreements
  • Fulfill GxP reguirements for Vendor management

Personal data is processed based on the client relationship or consent given in connection with submitting a contact form. The processing of personal data for marketing purpose is also based on legitimate interests and legitimate interest has been evaluated by the balance test.

Personal data source

Personal data is collected

  • in connection with making and executing service agreements
  • in connection with contact requests
  • from communities and companies’ websites and other public information sources such as social media

Data content of the filing system

Company’s contact person’s

  • Name
  • Title
  • Work contact information

And also vendors’

  • CV (consultant, freelancer)

Data subject group

Partner, client and vendor

Personal data storage information

The accuracy of personal information is regularly monitored at the time of contact and obsolete information is corrected or deleted as soon as it becomes available.

Vendor register information concerning vendors that are no longer used are archived for 25 years and then deleted from the system. Supporting documentation, excluding audit documentation, is archived 25 years before deleted. Audit documentation is archived, no destruction allowed.

Format and location of the data Format

Format: Electronic and Vendor data also in paper
Location: M-files and Visma Severa system and paper documents in fire-proof cabinet at Medfiles

Access to personal data

Persons whose job description includes marketing or sales work and handling customer contracts and billings.

Executive team and QA-team vendor responsible person and responsible person deputy in Medfiles have access to vendor register.

Disclosure / transfer of data

Client data is not disclosed outside the company. Data can be transferred within the company in EU or EEA countries.

Vendor register information and/or supporting documentation will only be disclosed outside the EU or the company for the purpose of carrying out the actions required by the audits and, where appropriate, to the Authority.

Practices on assessment and maintenance

Personal data in is maintained and updated where appropriate. Vendor register data is updated at least once a year.

Technical means of protection / data security

The filing system data is secured technically with the M-Files filing-system-specific definitions for right of access (ACL = Access Control List). This practice prevents unauthorised use of the filing system and ensures that the filing system is usable for the parties defined in the privacy policy.

Secure email is used when transferring data and/or supporting documentation by email. Courier services are used when posting printed vendor register data and/or audit documentation.

At Medfiles the original wet-ink-signed documents are stored in locked fireproof cabinets with limited and controlled access.

The security and privacy policies of Visma Severa can be found here:

Data subject rights

Unless otherwise provided by law, the data subject has

  • the right to obtain information on the processing of personal data
  • the right to obtain access to personal data
  • the right to rectify data
  • the right to erase data
  • the right to restrict processing
  • the right to object to the processing of his or her personal data
  • the right not to be subject to a decision based solely on automated processing
  • the right to withdraw his or her consent and to object to the processing of personal data insofar as the processing has been based on the consent given

The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this data protection regulation.

Let’s chat