Blood donor register privacy statement

The blood donor register is the personal data filing system for blood donors maintained by the FRC Blood Service.

Why is my data being collected?

Data is stored and processed under the provisions of the Blood Services Act (197/2005). Blood service institutions are legally obligated to collect and store the personal data of blood donors for a duration specified by the Act. Personal data specified for collection under the Blood Services Act include name, personal identity number, contact information, information on eligibility to donate blood, deferrals to blood donation, and the traceability information of blood products.

What data are collected about me?

  • Identifying personal data; personal identity number, name and sex
  • Contact information (address, phone number, email address and language), which are used for invitations and communication based on consent and for the legal requirements on traceability
  • Information on communications (time, communication channel and content)
  • Health information, insofar as they have a temporary or permanent impact on eligibility for blood donation
  • Time and place of blood donation
  • Information on blood group and results of other laboratory tests on the blood donor
  • Traceability information of products made with the donated blood up to their delivery
  • Information on medical examinations, laboratory and imaging tests on the blood donor insofar as they are needed to assess eligibility for blood donation. The individual documents/data are destroyed once the assessment has been completed.
  • Copies of letters sent to the blood donor that contain health information (e.g. laboratory test results and decisions on eligibility for donation)
  • Information on an official recognition received by the donor from the FRC
  • Information on personal injuries and/or property damage in connection with blood donation and documentation related to their claims handling
  • Appoinment and contact information and information on appointment booking given in the online booking system
  • Information on joining the Blood Service Biobank and participating in studies on blood donors
  • Information about possible prohibition of the use of register data for research purposes
  • Information about downloading the Donor app (mobile app) for blood donors

How is my data obtained?

Blood donors provide their name, personal identity number and contact and health information personally upon visiting and confirm their accuracy with a signature. Contact information may also be updated over the phone if the individual can be reliable identified. Information on medical history is requested from care units with the written consent of the blood donor. Other information is collected through activities carried out by the FRC Blood Service (e.g. test results, blood product information, information on invites and recognitions). Information related to personal injuries or property damage are provided by the data subject or received from care units with the written consent of the data subject. Information related to personal injuries or property damage are also received from insurance companies.

Why is my data processed?

With your consent, your contact information will be used for invitations and communication. In addition, the Blood Services Act obligates us to store contact information to ensure availability and communication under the law. Information on health and sex are used in the assessment of eligibility for blood donation. Laboratory test results produced by the FRC Blood Service are used to assess the safety of blood products, and blood donors will be informed of any significant findings in the results. Other information are used internally to facilitate this process (e.g. damages, recognitions).

In the event of an error or an exception, the blood donor register will store the name, personal identification number, donor number, and blood group information on an external USB memory device protected by device encryption. The data will be used in the event of an information system outage in the production of blood products.

The data in the blood donor register are processed without a name and personal identity number by the research team of the Blood Service.

Your data can be used in biobank studies or other scientific studies, where your data may also be processed and compiled by researchers outside the Blood Service, only if you specifically consent to it. These include the biobank consent and the concent to participate in the FinDonor study.

Is my data disclosed outside the Blood Service? If so, why and where?

We disclose your data to service providers in order to send out invitations, share information, digitise data, and book appointments. Service providers are not entitled to process your data for any other purpose or to store them after their contractual use.

Information required under law on blood donors who carry an infectious disease that constitutes a public threat or requires a notification are disclosed to the National Institute for Health and Welfare register of infectious diseases and to local authorities responsible for infectious diseases.

Information regarding any adverse reactions or accident insurance claims are submitted to an insurance company, with the written consent of the blood donor, via an insurance broker if the Blood Service seeks compensation from an insurance company.

Data from those who have given separate research or biobank consent can be disclosed to third parties for research purposes.

Data from those who have given a separate research or biobank consent can be disclosed to third parties for research purposes.

Is my data transferred outside the EU?

No.

How is my data being protected?

Employees of the Blood Service and service providers are under obligation to maintain confidentiality. Access to the filing system is restricted by user credentials and permitted only to those individuals required to do so due to their duties. Access to data in the filing system and the addition, editing and erasure of data is restricted with access rights. The processing of data is restricted by our contracts with service providers. Printed documents that contain personal data are stored by the FRC Blood Service in locked premises with controlled access and in locked containers.

The USB memory used during disruption is stored in a locked cabinet in a space to which access is restricted to the Blood Service, The USB memory is secure, encrypted and password protected. Its use is limited to healthcare professionals who have access to the donor register due to their duties.

Data in the filing system and their processing are a part of regularly performed information security audits and risk assessments. We use a tool for the continuous monitoring of access data and the reporting and investigation of incidents.

Is my data used for profiling or automated decision-making?

Yes. Invitations to and communication with blood donor are based on information on the place of donation, preferred place of donation, address, blood group, sex, latest date of visit and donation, and possible deferrals to blood donation recorded in the register.

For how long is my data stored?

The Blood Services Act obligates us to store traceability information related to blood donations (name, personal ID and contact information, information on the blood donation) for a period of 30 years. Health assessment information (health questionnaires) must be stored for 15 years.

How can I review my data and rectify any inaccurate information?

You can check your personal and contact details when you visit the Blood Service.

Users of the Donor App can view their own donor register information (for example, blood type, contact information, donor dates, haemoglobin results) on a telephone device.

You may request a printout of your key personal data stored in the blood donor register when visiting the Blood Service or you can call the blood donor helpline and request a copy via post.

You can check your personal data stored in the filing system by completing, printing and signing the request for data form available on the Blood Service website and submitting it to us by post or in person. The Blood Service will send an extract of the personal data concerning you contained in the filing system to you by post.

You can submit a request to rectify inaccurate information in writing by using the rectification request form available on the Blood Service website.

If you need to rectify inaccurate contact information, you can call the donor helpline.

Can I request the erasure of my data or object to the use of my data?

You can opt out of receiving invitations or newsletters by notifying the staff when you visit the Blood Service or by calling the donor helpline.

You may object to the processing of your data in the Blood Service’s research activities by completing and signing
a research opt-out form and submitting it to the Blood Service.

The erasure of other personal data or objecting to their processing is not possible under the law, see section “For how long is my data stored?”

Can I lodge a complaint with the authorities?

If you feel that the processing of your personal data is not lawful, you may lodge a complaint with the competent supervisory authority.

Contact information

Finnish Red Cross, Blood Service

Härkälenkki 13

FI-01730 Vantaa, Finland

tel. +358 29 300 1010

Person in charge of the filing system

Johanna Castrén, Director of Blood Donation Operations.