Oy Medfiles Ltd
Volttikatu 5, 70700 Kuopio
Persons responsible for the filing system
Client register: Sales and marketing coordinator,
Vendor register: QA-Team
Purpose and grounds for processing personal data
Purpose for processing personal data:
- Marketing for companies
- Handling of client relations
- Implementation of service agreements
- Fulfill GxP reguirements for Vendor management
Personal data is processed based on the client relationship or consent given in connection with submitting a contact form. The processing of personal data for marketing purpose is also based on legitimate interests and legitimate interest has been evaluated by the balance test.
Personal data source
Personal data is collected
- in connection with making and executing service agreements
- in connection with contact requests
- from communities and companies’ websites and other public information sources such as social media
Data content of the filing system
Company’s contact person’s
- Work contact information
And also vendors’
- CV (consultant, freelancer)
Data subject group
Partner, client and vendor
Personal data storage information
The accuracy of personal information is regularly monitored at the time of contact and obsolete information is corrected or deleted as soon as it becomes available.
Vendor register information concerning vendors that are no longer used are archived for 25 years and then deleted from the system. Supporting documentation, excluding audit documentation, is archived 25 years before deleted. Audit documentation is archived, no destruction allowed.
Format and location of the data Format
Format: Electronic and Vendor data also in paper
Location: M-files and Visma Severa system and paper documents in fire-proof cabinet at Medfiles
Access to personal data
Persons whose job description includes marketing or sales work and handling customer contracts and billings.
Executive team and QA-team vendor responsible person and responsible person deputy in Medfiles have access to vendor register.
Disclosure / transfer of data
Client data is not disclosed outside the company. Data can be transferred within the company in EU or EEA countries.
Vendor register information and/or supporting documentation will only be disclosed outside the EU or the company for the purpose of carrying out the actions required by the audits and, where appropriate, to the Authority.
Practices on assessment and maintenance
Personal data in is maintained and updated where appropriate. Vendor register data is updated at least once a year.
Technical means of protection / data security
Secure email is used when transferring data and/or supporting documentation by email. Courier services are used when posting printed vendor register data and/or audit documentation.
At Medfiles the original wet-ink-signed documents are stored in locked fireproof cabinets with limited and controlled access.
The security and privacy policies of Visma Severa can be found here:
Data subject rights
Unless otherwise provided by law, the data subject has
- the right to obtain information on the processing of personal data
- the right to obtain access to personal data
- the right to rectify data
- the right to erase data
- the right to restrict processing
- the right to object to the processing of his or her personal data
- the right not to be subject to a decision based solely on automated processing
- the right to withdraw his or her consent and to object to the processing of personal data insofar as the processing has been based on the consent given
The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this data protection regulation.