Data Protection Information
Data protection notice for the use of SYNLAB Access (September 2022)
The following data protection notice applies to the use of the application SYNLAB Access in the form of the website (https://minu.synlab.ee) and the app.
1. Name and contact data of the data controller as well as the corporate data protection officer
Data controller: SYNLAB Eesti OÜ, a private limited company, incorporated under the laws of Estonia, registration code 11107913, registered address Veerenni st 53a, 10138, Tallinn, Estonia (in the following “SYNLAB”, “we”, “us”)
E-mail: klienditugi@synlab.ee
Telephone: 17123 (only from Estonia), +372 640 8231 (when calling from abroad)
The corporate data protection officer of SYNLAB can be reached via andmekaitse@synlab.ee.
2. Scope of data processing, purpose, and legal basis
a. Webhosting
For the provision of this website we use Microsoft Azure (North Europe region, Ireland), a web hosting service of Microsoft Corporation.
Commissioning a web hosting service is necessary in order to offer a website. The use of Microsoft Azure takes place according to art. 6 para. 1 lit. f GDPR on the basis of our legitimate economic interest in providing our offer on this website. In connection with the hosting, Microsoft Azure processes on our behalf the personal data that is generated during the use of the website.
We have concluded a data processing agreement with Microsoft for the Azure service. Through this agreement, the web hosting provider assures that it processes the data in accordance with the GDPR and ensures the protection of the rights of the data subject. Microsoft Azure stores and processes the data in the European Union. Only pseudonymised data is transmitted; it is not possible to draw conclusions about your person from it.
b. Downloading the app
Our app is provided via the App Store by Apple or the Google Play Store. We have no influence over, and are not liable for, the collection of data by either app store. More information on data protection by Apple is available here: https://www.apple.com/legal/privacy/ (US) or https://www.apple.com/uk/legal/privacy/ (UK). More information on data protection by Google is available here.
c. When visiting the website/app
When accessing our website, the browser used on your device automatically sends information to the servers of our website. This information is temporarily stored in so-called log files and is automatically deleted after 2 weeks. The following information is collected automatically (without any action on your part) and stored until automatic deletion:
- IP-address of the requesting computer,
- Date and time of the request (access),
- Name and URL of the accessed data,
- Website of access (referral-URL),
- Type and version of browser as well as further information transmitted by the browser (e.g., the operating system of your computer, the name of your access-provider, geographical origin, language setting, etc.).
When using the app, further information is processed, such as the IMEI (International Mobile Equipment Identity), the unique IMSI (International Mobile Subscriber Identity), the mobile number, the MAC address used for accessing the Wi-Fi, the name of the mobile device, the e-mail address, the SYNLAB ID, as well as the in-app activity and the corresponding date of the transaction.
We process the listed data for the following purposes:
- Ensuring interference-free connection to the website and app,
- Ensuring comfortable use of our website/app and optimization of our platform,
- Evaluating system security and stability.
The legal basis for this data processing is art. 6 para. 1 cl. 1 lit. f GDPR. Our legitimate interest follows from the purposes for data collection listed above. A balancing of interests leads to the conclusion that there are no overriding conflicting interests of the users of the website. In no case do we use the collected information for the purpose of drawing conclusions about the person of the user.
Cookies and analytical services are used in connection with website operations. A detailed explanation can be found under sections 5 and 6 of this data privacy notice.
We have commissioned hosting service providers based in Ireland (primary provider) and the Netherlands (secondary provider) with the technical implementation of SYNLAB Access and concluded a contract for commissioned processing with them in accordance with Art. 28 GDPR.
d. Registration, user account and corresponding SYNLAB ID
To use our website and app you first need to register. In connection with the registration, your personal and contact information is required. Here we collect the following mandatory information:
- Your e-mail address
- Your given name and surname
- Mobile number
- Preferred language
- Social Security Number
- Country of residence
- Passport Number
- Date of Birth
- Gender
To access the user account, the user must identify himself/herself by ID card, Mobile-ID or Smart-ID (“Login Data”) via the Estonian Information System Authority’s authentication service TARA. As an exception, tests for sexually transmitted diseases can also be ordered anonymously.
When you create a user account, we assign you a unique SYNLAB ID and a unique barcode. They serve the purpose of quick and easy identification of the user while a test is performed. You also have the option to enter further personal information, such as your address, in your user account. This information is needed and used for any personalisation of test results you may request or for preparing insurance claims by you (availability depends on your personal insurance plan; SYNLAB takes no responsibility for this).
This data is processed:
- To identify you as our contracting party,
- To establish, define the content of, perform and amend the contractual relationship with you concerning the use of our platform and the services offered on it,
- To check the entered data for plausibility,
- To contact you in case you have any questions (if necessary),
- To assert a claim against you (if necessary).
Your personal data is stored in your user account until your user account is deleted. For deletion, please use the link “Deactivate Account” at the bottom of the options in the “Personal Information” menu. The user is responsible for the security of the data and test results stored in the user account.
The legal basis for the processing is art. 6 para. 1 lit. b GDPR, i.e., the contractual relationship for use established between you and us. Unfortunately, without the necessary information being provided, using SYNLAB Access is not possible.
e. Booking an appointment and overview of test results
Under “Book a Test”, registered users of SYNLAB Access have the option to book an appointment for lab services (e.g., diagnostics, the “Laboratory Service”) at any of the available locations. The Laboratory Service means the testing of biological material obtained from a human body (“Sample”) and interpretation of the test results according to the particular Laboratory Service ordered. Test results will be shown under “My Results” in your secure user account.
At the end of the booking process, you will be asked to choose a payment method. When choosing Credit/Debit Card as payment method, the data protection policy of the respective card-issuer applies. The required data will be transmitted to the issuer.
We offer payment processing via the payment services of AS SEB Pank (registry code 10004252, address Tornimäe tn 2, 15010) (hereinafter “SEB”). If you choose this payment method, the information provided during the ordering process will be passed on together with information about your order (name, address, account number, bank code, credit card number if applicable, invoice amount, currency, and transaction number). Your data will be passed on to the payment service provider only for the purpose of processing the payment. You can find more information about SEB’s data privacy policy at: https://www.seb.ee/en/general-principles-processing-personal-data.
The legal basis for processing the information during booking and testing, as well as for providing the test results, is art. 6 para. 1 lit. b GDPR in conjunction with art. 9 para. 2 lit. h GDPR, i.e., pre-contractual or contractual measures between you and us and the provision of medical services. Unfortunately, without the necessary information being provided, the booking and provision of Laboratory Services is not possible.
We store the data collected in connection with testing until the period for legal or contractual warranty and guarantee rights ends. After this period ends, we store the contractual information for the legally required period, if required by trade and tax law and by the laws regulating the documentation obligations for the provision of health services, on the basis of art. 6 para. 1 cl. 1 lit. b GDPR in conjunction with art. 9 para. 2 lit. h GDPR in connection with the respective national law.
f. When ordering products
If you would like to order products via our website or app, we collect the following information:
- given name, surname
- a valid e-mail address
- address (if applicable)
- payment data, depending on the payment method you chose (for example credit card data or bank details)
These data are collected:
- in order to identify you as our contractual partner
- to check the entered data for plausibility
- to process the payment of your order
- to process any warranty claims which may arise and also to assert any claims against you
The data are processed at your request and are required under Art. 6 para. 1 lit. b GDPR in conjunction with art. 9 para. 2 lit. h GDPR for the stated purposes of fulfilling the contract and taking pre-contractual measures.
To ensure smooth and simple processing of your order and faster clarification of queries, you can also provide other data:
- your telephone and mobile phone number
- an alternative delivery address
Provision of these data is voluntary.
The personal data which we collect for the order are saved until the end of the statutory warranty period and then automatically deleted, unless we are obliged to store them longer under Article 6 para. 1 lit. c GDPR due to tax- and commercial-law retention and documentation duties, or you have consented to a longer period under Art. 6 para. 1 lit. a GDPR.
g. When ordering GenePlanet analytics
In so far as you have expressly consented under Art. 6 para. 1 lit. a GDPR to activate GenePlanet analytics, the results of the ordered Laboratory Services will be transferred to the company GenePlanet osebna genetika, d.o.o. (registered at Cesta na Poljane 24, 1210 Ljubljana - Šentvid, Slovenia, registration number 3277062000) (“GenePlanet”). The purpose of the transfer is to give you an analytical overview of your past and current results and to provide recommendations related to the results. For more information about GenePlanet, please see the terms and conditions at https://geneplanet.com/eu/terms-and-conditions and the privacy policy at https://geneplanet.com/eu/privacy-policy.
h. When registering for our newsletter
In so far as you have expressly consented under Art. 6 para. 1 lit. a GDPR, we will use your e-mail address to regularly send you our personalised newsletter. Providing an e-mail address is sufficient for receiving the newsletter.
Cancellation is possible at any time, e.g., via a link at the end of every newsletter. Alternatively, you can cancel at any time by sending an email to andmekaitse@synlab.ee.
3. Transfer of data
a. Disclosure of personal data to third parties
We only transfer personal data to third parties if the following requirements are fulfilled:
- you have given your explicit consent to this pursuant to art. 6 para. 1 lit. a GDPR or art. 9 para. 2 lit. a GDPR,
- as far as this is legally permissible and necessary according to art. 6 para. 1 lit. b GDPR or art. 9 para. 2 lit. h GDPR for the processing of contractual relationships with you,
- in the event that a legal obligation exists for the disclosure pursuant to art. 6 para. 1 lit. c GDPR or
- insofar as this is legally permissible and necessary to protect our interests or those of third parties pursuant to art. 6 para. 1 lit. f GDPR.
The data disclosed may be used by the third party exclusively for the stated purposes. In particular, SYNLAB may transfer your personal data to the following parties:
- When providing health care services, SYNLAB shall transmit your health information under the current law to the e-health Patient Information Portal located at https://id.terviseportaal.ee/, the data controller of which is the Health and Welfare Information Systems Centre (reg. No. 70009770, address New Tatari st 25, 10134 Tallinn). For questions related to the patient portal, you can contact the customer service of the Health and Welfare Information Systems Centre at +372 794 3943 or by e-mail at abi@tehik.ee.
b. Transfer of personal data to third countries
A transfer of personal data to a third country or an international organisation will only take place if we inform you about it and the requirements of art. 44 et seq. GDPR are met.
A third country is a country outside the European Economic Area (EEA) in which the GDPR is not directly applicable. A third country is considered to be insecure if the EU Commission has not issued an adequacy decision for that country pursuant to art. 45 para. 1 GDPR confirming that adequate protection for personal data exists in the country.
The USA is a so-called insecure third country. This means that the USA does not offer a level of data protection comparable to that in the EU. The following risks exist when personal data is transferred to the U.S.: there is a risk that U.S. authorities may gain access to personal data on the basis of the PRISM and UPSTREAM surveillance programmes based on Section 702 of FISA (Foreign Intelligence Surveillance Act), as well as on the basis of Executive Order 12333 or Presidential Policy Directive 28. EU citizens have no effective legal protection against such access, either in the U.S. or in the EU.
We inform you in this privacy notice when and how we transfer personal data to the USA or other insecure third countries. We only transfer your personal data if
- sufficient guarantees are provided by the recipient in accordance with art. 46 GDPR for the protection of the personal data,
- you have explicitly consented to the transfer after we have informed you of the risks, in accordance with art. 49 para. 1 GDPR,
- the transfer is necessary for the fulfilment of contractual obligations between you and us, or
- another exception from art. 49 GDPR applies.
Guarantees according to art. 46 GDPR can be so-called standard contractual clauses. In these standard contractual clauses, the recipient assures to sufficiently protect the data and thus to ensure a level of protection comparable to the GDPR.
4. Data retention periods
SYNLAB does not retain your personal data longer than it is necessary for the purposes of processing personal data or pursuant to applicable law. As a general rule, SYNLAB applies the following retention periods.
- Personal data related to contracts can be retained during the term of the contract and, based on SYNLAB's legitimate interest pursuant to Article 6 (1) (f) of the GDPR, until the end of the statutory limitation periods under applicable law. As a general rule, SYNLAB retains customer data collected in relation to the provision of SYNLAB Access as long as it is necessary for the provision of the services during the term of the agreement concluded between the customer and SYNLAB for the use of SYNLAB Access. If the customer has not logged in to his/her profile on the SYNLAB Access platform for 2 years, the customer's profile and all personal data therein will be deleted, unless SYNLAB has a legal basis for retaining the personal data for a longer period. If the customer is an active user and continually uses the SYNLAB Access platform to access the results of previously ordered Laboratory Services, information concerning the results of the previously ordered Laboratory Services is retained on the Platform for up to 15 years, unless the Customer opts to delete such data earlier himself/herself or requests deletion from SYNLAB Estonia.
- Personal data collected on the basis of consent will be retained until the consent is withdrawn. If the customer has not withdrawn the consent, as a general rule SYNLAB applies the same retention period to personal data collected on the basis of consent as to personal data collected to provide the services. In this regard, as a general rule, if the customer has not used the SYNLAB Access platform for 2 years (i.e., has not logged in to his/her profile on the SYNLAB Access platform for 2 years), personal data collected on the basis of consent will also be deleted.
- Personal data related to accounting source documents and accounting journals must be retained in accordance with the relevant accounting laws. Therefore, pursuant to the Accounting Act, SYNLAB retains accounting documents for 7 years.
- Personal data related to the documentation of health care services must be retained in accordance with the Health Services Organisation Act and the Regulation of the Minister of Social Affairs “Conditions and Procedure for Documentation of the Provision of Health Care Services”. Therefore, pursuant to the referred acts, documentation related to the provision of health care services may be retained for up to 30 years. This data may be retained in SYNLAB's internal databases after the customer has deleted the SYNLAB Access user account.
- Pursuant to § 31 of the regulation by the Minister of Social Affairs "Conditions and Procedure for Documenting the Provision of Health Care Services", the health care service provider shall retain the log files of information systems for 5 years. Log files shall include the information concerning the content of data processing, information on the data processor (who processed the data) and date and time of the data processing. Thus, log files containing the data processing in the SYNLAB Access platform shall be retained for 5 years.
5. Cookies
We use cookies on our website. These are small files that your browser automatically creates and saves on your end device (laptop, tablet, smartphone or suchlike) when you visit our website or app. Cookies do not cause any harm to your computer and do not contain any viruses, trojans or other malware.
The cookie stores information, which arises in conjunction with the specifically used end device. This does not mean, however, that this gives us direct knowledge of your identity.
Cookies are used on the one hand so that we can make the use of our offerings more pleasant for you. Therefore, we use session cookies to recognise that you have already visited individual pages of our website.
In addition, we use temporary cookies saved on your end device for a certain defined period to optimise user friendliness. If you visit our website again to use our services, it is automatically recognised that you were already here before and which entries and settings you made so that you do not have to repeat them.
On the other hand, we use cookies to compile statistics on the use of our website and to evaluate the optimisation of our offerings for you (see section 6). These cookies enable us to automatically recognise that you have been here before the next time you visit our website. These cookies are automatically deleted after a defined period of time.
The data processed by cookies are required for the stated purposes in order to protect our legitimate interests and those of third parties under art. 6 para. 1 cl. 1 lit. f GDPR.
Most browsers accept cookies automatically. You can configure your browser, however, so that no cookies are saved on your computer or a message always appears before a new cookie is created. Complete deactivation of cookies can, however, lead to you not being able to use all the functions of our website.
6. Analytic Tools
The following tracking and targeting measures which we use are carried out on the basis of art. 6 para. 1 cl. 1 lit. f GDPR.
With the deployed tracking measures we want to ensure an appropriate design and continuous optimisation of our website. On the other hand, we use tracking measures to compile statistics on the use of our website and to evaluate the optimisation of our offerings for you. Via the deployed targeting measures we want to ensure that you only see advertising tailored to your actual or presumed interests on your end devices. These interests are to be considered as justified within the meaning of the aforementioned regulation.
Google Analytics
On our website we use Google Analytics, a web analytics service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (in the following: “Google”), for the purpose of creating a website experience tailored to users’ needs and continuously optimising our website. For these purposes pseudonymised user profiles are created and cookies (see section 5) are used.
The information on the usage of our website generated by the cookie (e.g. IP address of the accessing computer, time of access, referrer URL, as well as information on the browser and operating system used) will be sent to and processed on a server of Google in the USA.
The use of Google Analytics is based on your consent in accordance with art. 6 para. 1 cl. 1 lit. a GDPR. You may revoke your consent at any time via the consent-management tool. Google processes the information on our instructions for analysing website usage, for reporting on website activities and for providing us with further services in connection with website and internet usage and the needs-based layout and design of this website.
We have concluded a data processing agreement with Google for the use of Google Analytics. Through this contract, Google assures that they process the data in accordance with the General Data Protection Regulation and guarantee the protection of the rights of the data subject.
We only use Google Analytics with IP anonymisation active. This means that the IP address of the user is shortened within the territory of a member state of the European Union or another state party to the Agreement on the European Economic Area. The IP address is not merged with other data held by Google.
We do not use the Universal Analytics with user ID offered by Google.
Potentially, the collected data will be transferred to third parties, in so far as this is legally prescribed or the third party is commissioned to process the data.
The user data collected via cookies will automatically be deleted after 14 months.
All information on the usage of our website generated by Google Analytics cookies is transmitted to and processed on a server of Google in the USA. The transmitted data is pseudonymised; inferring your name from this data is not possible. We have concluded an agreement with Google that includes the EU standard contractual clauses. This guarantees a level of security comparable to that in the EU (on data transfer to the USA, see No. 3b).
On Analytics Help you can find further information on data protection in connection with Google Analytics. You can find information on the use of data by Google in their privacy policy (https://policies.google.com/privacy?hl=en).
7. Data processing overview
For an easier overview, we have summarised the data processing operations described above here:

| Purpose of processing | Types of personal data | How we have obtained the personal data | Retention period applied by SYNLAB Estonia | Legal basis for processing |
|---|---|---|---|---|
| Enabling the SYNLAB Access user account | Name (first name, last name), e-mail address, password, login details via the Estonian Information System Authority’s authentication service TARA | Directly from each data subject. | During the term of the contract with the data subject under the SYNLAB Terms of Use and up to 2 years after termination. | GDPR Article 6(1)(b); GDPR Article 9(2)(h). |
| Enabling the customer to order Laboratory Services | Name (first name, last name), specifics of the ordered Laboratory Services | Directly from each data subject. | During the term of the contract with the data subject under the SYNLAB Terms of Use and up to 2 years after termination. | GDPR Article 6(1)(b); GDPR Article 9(2)(h). |
| Sample materials | Sample material identified with the Customer | Directly from each data subject. | Up to 3 days or in accordance with quality control standards. | GDPR Article 6(1)(b); GDPR Article 9(2)(h). |
| Enabling the customer to see the results of ordered Laboratory Services | Results of ordered Laboratory Services | By processing the Sample given by the data subject. | During the term of the contract with the data subject under the SYNLAB Terms of Use and up to 2 years after termination. If the Customer is an active user, the historical data concerning the results of the ordered Laboratory Services is retained for up to 15 years. | GDPR Article 6(1)(b); GDPR Article 9(2)(h). |
| Payment data | Payment information the customer provides, such as card number or bank account number. | Directly from each data subject or from our third-party service providers through whom the customer ordered the services. | 7 years. | GDPR Article 6(1)(b); GDPR Article 6(1)(f). |
| Retaining accounting-related information (compliance with a legal obligation) | Accounting-related information, such as invoices. | Directly from each data subject or from our third-party service providers through whom the customer ordered the services. | 7 years. | GDPR Article 6(1)(c); Accounting Act § 12. |
| Retaining documentation related to the provision of health care services | Documentation concerning the provision of health care services. | By providing a health care service. | 30 years. | GDPR Article 6(1)(c); Health Services Organisation Act § 42. |
| Sharing personal data with government agencies or when required by applicable law (please also see Section 6 below) | Depending on the case, for example, the results of positive COVID-19 testing. | By providing a health care service. | N/A | GDPR Article 6(1)(c). |
| Log files concerning the use of the Platform | Log files. | Automatically. | 5 years. | GDPR Article 6(1)(c); § 31 of the regulation by the Minister of Social Affairs “Conditions and Procedure for Documenting the Provision of Health Care Services”. |
| Answering the inquiries of the data subject | Content of the inquiry, e-mail address or other means of communication. | Directly from each data subject. | Up to 5 years. | GDPR Article 6(1)(b). |
| Sending newsletters | Electronic communication details, such as e-mail address or mobile phone number. | Directly from each data subject. | Up to 5 years. | GDPR Article 6(1)(a). |
| Information on how our services and the SYNLAB Access platform are used, including feedback that may be provided by the Customer | Technical data for the purposes of improvement and development of the Services and the Platform. | Directly from each data subject or automatically during use of the SYNLAB Access platform. | 1 year. | GDPR Article 6(1)(b); GDPR Article 9(2)(h). |
| Technical data collected through cookies | Please see the Cookie Policy. | | | |
8. Data subject rights
You have the right:
- pursuant to art. 15 GDPR to demand information about the personal data of yours that we process. In particular, you can demand information about the purposes of the processing, the categories of personal data, the categories of recipients to whom your data were or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data in so far as it was not collected by us, and the existence of automated decision-making including profiling and, where appropriate, meaningful information about the details thereof;
- pursuant to art. 16 GDPR to demand the immediate rectification of inaccurate personal data, or the completion of incomplete personal data, saved with us;
- pursuant to art. 17 GDPR to demand deletion of your personal data saved with us, in so far as the processing is not required for exercising the right of freedom of expression and information, to comply with a legal obligation, for reasons of public interest or to establish, exercise or defend legal claims;
- pursuant to art. 18 GDPR to demand restriction of the processing of your personal data, in so far as you contest the accuracy of the data, the processing is unlawful but you oppose deletion, we no longer need the data but you need it to establish, exercise or defend legal claims, or you have objected to the processing pursuant to art. 21 GDPR;
- pursuant to art. 20 GDPR to receive your personal data you have provided us in a structured, commonly used, and machine-readable format or to demand transmission to another controller;
- pursuant to art. 7 para. 3 GDPR to withdraw consent you have given to us at any time. This means that we may no longer continue processing the data based on that consent in the future; and / or
- pursuant to Art. 77 GDPR to lodge a complaint to a supervisory authority. As a rule, you can contact the supervisory authority for your habitual residence or place of work or our registered offices.
9. Information about your right to object according to art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of art. 6 para. 1 lit. f GDPR (processing of data on the basis of a balancing of interests); this also applies to profiling within the meaning of art. 4 No. 4 GDPR based on this provision.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
If your objection is directed against the processing of data for the purpose of direct marketing, we will immediately stop the processing. In this case, it is not necessary to specify a particular situation. This also applies to profiling, insofar as it is related to such direct advertising.
If you wish to exercise your right to object, simply send an e-mail to andmekaitse@synlab.ee.
10. Data Security
SYNLAB has implemented organisational and technical security measures to guarantee a sufficient level of integrity, confidentiality and data security. Our security measures are continually monitored and improved to reflect technological developments.
All the data you personally transfer is sent encrypted using the customary and secure TLS standard (Transport Layer Security). TLS is a secure and proven standard, which is also used for online banking, for example. You can recognise a secure TLS connection, inter alia, by the “s” appended to the http (i.e. https://...) in the address bar of your browser or by the lock symbol shown by your browser.
Your sensitive data (e.g., e-mail address, password) is stored encrypted on our platform (website/app) to protect it from unauthorised access. Additionally, your identity can be protected by using two-factor authentication (2FA) to minimise the possibility of identity theft through the use of compromised login data or password guessing (brute-force attack).
11. Actuality of and changes to this Data Protection Policy
This Data Protection Policy is the latest version and was last amended in September 2022.
The further development of our application or changes in statutory or public-authority requirements may make it necessary to amend this data protection notice. The latest version can be accessed at any time via this website or in the app.