Information Security

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe. Thermidas Oy complies with applicable GDPR regulations as a data processor.

Data description

Typically the data is delivered to Thermidas Oy (Data Processor) by podiatrists, physiotherapists, nurses, or doctors (Data Controllers).

The purpose of processing this data is that Data Controllers must be able to store, analyze and share thermal images and patient data. To do this effectively, data can be collected with products developed by Thermidas Oy, sent to the cloud, viewed, downloaded, and shared with parties holding the correct credentials. Because Thermidas Oy develops and maintains these thermal image and patient data capturing and analyzing solutions, it must have access to the data.

Personal data saved in Thermidas Oy’s cloud consists of the following data items:

  • Name
  • Social security number if applicable (in some implementations other means of identification are used by data controller, e.g. hospital I.D. number)
  • Date of Birth

When using certain optional software programs the following data items may also be saved:

  • Height, weight, and gender
  • Address
  • E-mail address
  • Consent to send marketing material

Data location

There are two types of Thermidas Oy installation. The location of the saved data depends on the installation type of the system.

Cloud-based installation

Thermidas Oy data in Europe is saved in Microsoft Azure Cloud. Thermidas Oy cloud instances are located in Azure Northern Europe Region and physically in Stockholm, Sweden or Dublin, Ireland.

In-house hosted installation

Thermidas Oy data is saved in a local server and database infrastructure managed by the Data Controller on their premises. In some cases Thermidas Oy has no direct access to the on-premises data.

Portable, mobile or handheld devices

Thermidas Oy is not considered a data processor of any data stored in portable, mobile or handheld devices such as desktop computers, tablets, or smartphones. The Data Controller is solely responsible for data security arrangements of such data. The users of the data must comply with the Data Security policies of the Data Controller.

Breach Notification

In the case of a data breach, Thermidas Oy will notify their customers, the controllers and authorities immediately after becoming aware of the breach.

Right to Access

The data subjects have a right to get a copy of their personal data, free of charge, in an electronic format by written request to the Data Controller.

Right to be Forgotten

The data subjects have a right to request deletion of their personal data and discontinuation of further processing of the data by written request to the Data Controller.

Data Portability

The data subjects have a right to request transmission of their personal data to another controller. The transmission will be performed upon written request to the Data Controller.

Privacy by Design

Thermidas Oy will hold and process only the data absolutely necessary for the completion of its duties (data minimization), and will limit access to personal data to those who need it to carry out the processing.

Data Protection Officer

Jouni Kyllönen, CEO

DR00070.A