Updated: 15 May 2026
This privacy notice concerns the patient register that arises in connection with the provision of psychotherapy services. The notice describes how personal data is collected, processed and protected in accordance with the EU General Data Protection Regulation (GDPR), the Finnish Data Protection Act (1050/2018), the Act on the Status and Rights of Patients (785/1992), the Act on Health Care Professionals (559/1994) and the Decree of the Ministry of Social Affairs and Health on Patient Records (94/2022).
1. Data controller
Niila Rahko, sole trader Terapia Rahko
Business ID: 3320668-9
Email: niila.rahko@psykoterapeuhtta.info
2. Contact person for matters concerning the register
Niila Rahko
Email: niila.rahko@psykoterapeuhtta.info
3. Name of the register
Patient register of Terapia Rahko.
4. Purpose and legal basis for processing personal data
Personal data is processed in order to provide, document and invoice psychotherapy services and to fulfil statutory obligations.
Legal bases for processing:
- Compliance with a legal obligation (GDPR Art. 6(1)(c)) – the Act on the Status and Rights of Patients and the Patient Records Decree
- The performance of a task carried out in the public interest or in the exercise of official authority (GDPR Art. 6(1)(e)) in health care services
- For special categories of personal data: GDPR Art. 9(2)(h) (the provision of health care services) and Art. 9(2)(c) (the protection of the vital interests of the data subject, where applicable)
- Consent of the data subject, where processing is based on consent (e.g. disclosure of data to a third party)
5. Data content of the register
The following information about the client is stored in the register:
- Name, personal identity code, contact details (address, phone, email)
- Details of a next of kin or contact person where necessary
- Information related to commencing therapy (background information, referral, symptom assessment, consents)
- Dates and content descriptions of therapy sessions, care assessments and treatment plans
- Information provided by the client and notes created during therapy
- Consents and prohibitions regarding access to and disclosure of information
- Billing information
6. Regular sources of data
- The client themselves (orally, in writing or electronically through contact, therapy sessions and the Terapianavigaattori service)
- The referring party (physician, health care unit) with the client’s consent
- Decisions and commitments from Kela (the Social Insurance Institution of Finland) regarding rehabilitative psychotherapy
7. Regular disclosure of data
Patient data is not disclosed to outside parties without the written consent of the client, except:
- In cases separately provided for by law (e.g. a child welfare notification, a notification of an immediate threat)
- For data required by Kela in connection with rehabilitative psychotherapy
- To authorities in situations required by law
8. Transfer of data outside the EU or EEA
Patient data is not transferred outside the EU or the EEA. The information systems in use (Nextcloud, ERPNext and Jitsi Meet) are located in Finland, and the data remains within the EU area.
9. Retention period
Patient records are retained in accordance with the Patient Records Decree (94/2022). As a general rule, patient records are retained for 12 years after the death of the patient or, if there is no information on the patient's death, for 120 years after the birth of the patient. Billing information is retained in accordance with the Accounting Act.
10. Principles for protecting the register
A. Manual material: Any paper material is kept in a locked space accessible only to the data controller.
B. Electronically processed data: Electronic patient data is stored in Nextcloud, which is protected by server-side encryption. Remote sessions are conducted via Jitsi Meet, where the connection is encrypted. Access to the systems is protected by strong authentication, and only the data controller has access rights. Data is not stored permanently on phones or end devices.
11. Rights of the data subject
The data subject has the right to:
- Be informed about the processing of their personal data
- Access information concerning themselves
- Request the rectification of inaccurate data
- Request the erasure of their data to the extent legally possible (the obligation to retain patient records limits the right to erasure)
- Restrict the processing of data on the grounds provided by law
- Lodge a complaint with the supervisory authority (Office of the Data Protection Ombudsman, tietosuoja.fi)
Requests are made in writing to the data controller using the contact details above.
12. Automated decision-making and profiling
The register does not involve automated decision-making or profiling.
13. Handling of data breaches
Any data breaches affecting personal data are handled without delay. The data controller notifies the Data Protection Ombudsman of a data breach within 72 hours and the data subject without undue delay where the breach is likely to result in a high risk to the rights and freedoms of the data subject.
14. Changes to this notice
This notice may be updated as legislation or practices change. The date of update is shown at the beginning of the notice.