Privacy Policy

MIND NURTURE OÜ PRIVACY POLICY

Effective as of 23.12.2025

  1. INTRODUCTION AND APPLICATION OF PRIVACY POLICY
    1. These terms and conditions of processing of personal data (hereinafter: Privacy Policy) apply in all cases where Minu Kliinik aka Mind Nurture OÜ (hereinafter: Kliinik) processes the personal data of natural persons (hereinafter: Data Subject) as a controller in connection with the provision of health care services to patients and the provision of any other service in the course of its business to other service recipients (hereinafter: Patient). This Privacy Policy also applies in a situation where the Data Subject applies for a job at the Clinic or the Clinic is actively looking for a new employee.
    2. These Privacy Policy Terms and Conditions describe the principles and rules on the basis of which the Clinic processes the personal data of Data Subjects (including Patients). The protection of personal data is very important to the Clinic. The Clinic asks all Data Subjects to carefully read the Privacy Policy and contact us if they have any questions (see the contact details in section 2).
    3. Personal data is processed in accordance with the requirements arising from the legislation in force in the Republic of Estonia and the provisions of the General Data Protection Regulation (EU) 2016/679 of the European Union (hereinafter: GDPR), as well as in accordance with the data processing rules of the Clinic established on the basis of legislation. The Clinic also proceeds from the provisions of the Health Services Organisation Act (hereinafter: Health Services Organisation Act).
    4. In this Privacy Policy, terms (e.g. controller, personal data, processing, etc.) are used in the meaning set out in the GDPR and other relevant legislation.
    5. The Privacy Policy is effective as of the above date. The Clinic has the right to unilaterally amend the Privacy Policy. Changes to the Privacy Policy Terms and Conditions shall be notified to the Data Subjects by e-mail or by uploading the new Privacy Policy Terms to the Website. In any case, the Clinic recommends that Data Subjects visit this website from time to time and familiarise themselves with them in the event of changes to the Privacy Policy.
    6. If the Privacy Policy is available in several languages, the Privacy Policy in Estonian shall prevail in the event of any differences.
  2. DATA CONTROLLER
    1. The controller of personal data in the cases provided for in the Privacy Policy is Minu Kliinik or Kliinik, the registered name of which is Mind Nurture OÜ, the registry code is 16737524 and the address of which is Harju County, Tallinn, Põhja-Tallinn linnaosa, Ädala tn 1, 10614. The website of the clinic can be found at https://minukliinik.ee/ (hereinafter: Website).
    2. If you have any questions related to the processing of personal data, you can contact the data protection specialist of the Clinic by e-mail at andmekaitse@minukliinik.ee.
  3. PURPOSES, CATEGORIES, LEGAL BASES AND RETENTION PERIODS OF PERSONAL DATA PROCESSING
    1. The Clinic processes personal data only for specified purposes and in accordance with the applicable legislation. The following is an overview of the purposes of processing personal data – i.e. why the Clinic processes personal data. For each purpose, it is described whose personal data is processed, what personal data is processed and what is the legal basis for the processing in accordance with the applicable legislation.
    2. Planning health care or other services
      Processing for this purpose includes activities that are aimed at planning health care services and other services, such as registering for an appointment, preparing for an appointment and communicating in the context of the preparation of health care services or other services, including sending organisational information, etc.

      Within the framework of this purpose, the Clinic primarily processes the following personal data of the Patient:

      • Patient’s name, personal identification code (or date of birth), e-mail address, telephone number;
      • Type of service to be booked (e.g. psychiatric service, psychological service, occupational therapy service, examination, psychedelic therapy service, etc.), as well as subtype of service, if possible;
      • Any remarks made by the Patient or the booker, including why the booking is being made – this may include the reason why the service is requested;
      • Information about the appointment booking, including the place, time and content of the visit;
      • Health-related data, the processing of which is necessary to prepare for the visit.

      If the service is booked by a person other than the Patient, the name, personal identification code (or date of birth), e-mail address and phone number of the booker will also be processed separately.

      The legal basis for the processing of personal data to the extent that the Clinic processes personal data for the purpose of performing operations prior to the provision of health care services is § 41 (1) 2) of the TTIA. If the Clinic is contacted for a service other than health care, the basis for processing personal data is the person’s request pursuant to Article 6 (1) (b) of the GDPR.
    3. Provision of health care or other services
      Processing for this purpose includes activities such as diagnosis and treatment of the patient, communication within the framework of the provision of health care services, follow-up care and follow-up, and related activities.

      For this purpose, the Clinic processes the following personal data of the following Data Subjects:
      • Patient’s personal data – the same personal data as within the scope of the above purpose (see the section above, “planning of health care services or other services”) as well as any other data that the Patient discloses at the appointment (including data about their lifestyle, habits, family relationships, etc.);
      • The personal data of the Patients’ family members may also be processed to a limited extent where it is necessary for the provision of services to the Patient (e.g. a question about diseases in the family);
      • If the service is paid for by a person other than the Patient, the payer’s personal data – name and relevant payment data – will also be processed separately;
      • If the service is booked by a person other than the Patient, the personal data of the booker will also be processed separately – the same personal data as within the scope of the above purpose (see the section above, “planning of health services or other services”);
      • If the Patient appoints a contact person, the contact person’s name, personal identification code (or date of birth), e-mail address, phone number and connection to the Patient will also be processed.

      If the Clinic processes personal data for the provision of health care services, the legal basis for the processing of personal data is § 41 (1) 1) of the Health Care Act. If the Clinic should provide a service to the Patient that is not a health care service, the legal basis for the processing is the contract entered into between the Clinic and the Patient pursuant to Article 6 (1) (b) of the GDPR. If the service is paid for by a person other than the Patient, the Clinic processes the Clinic’s personal data on the basis of the Clinic’s legitimate interest (Article 6(1)(f) of the GDPR). The Clinic’s legitimate interest is to receive payment for the service provided and thereby process the payer’s personal data.

    4. Quality management of healthcare and other services, including complaint handling and documentation of patient safety incidents
      Processing for this purpose includes activities such as quality assurance of the services provided, including health services, which may also include ex post investigations of services already provided. This purpose also includes handling complaints submitted by the Patient and documenting patient safety incidents in accordance with the law. For this purpose, the Clinic processes the following data:

      • Patient’s personal data and relevant Patient’s health data (in the case of health care services) and, in the case of a complaint, also personal data related to the complaint;
      • Personal data of the patient’s representative, if the complaint is submitted by a representative – the representative’s name, legal basis for representation and contact details.

      In the case of health care services, the legal basis for processing is ensuring the quality of health care services and documenting patient safety cases pursuant to § 41(1)3) of the GDPR and Article 9(2)(f) of the GDPR. In the case of other services, the legal basis is the legitimate interest of the Clinic in accordance with Article 6(1)(f) of the GDPR. The clinic has a legitimate interest in ensuring the quality of its services.

    5. Fulfilment of the clinic’s legal obligations
      Processing for this purpose includes operations that the Clinic is obliged to carry out in accordance with the applicable legislation.

      For this purpose, the Clinic processes the following data:
      • Any personal data of any Data Subject in accordance with the obligation and scope of the Clinic provided by law;
      • In order to fulfil the obligations set out in the TTKS, the Clinic processes the following personal data, for example: Patient’s consent to the relevant procedure; data related to the documentation obligation; health data in accordance with the requirements of the TTKS; the Patient’s personal data to be entered on the health record;
      • In order to fulfil the obligations set out in the Accounting Act, the Clinic processes personal data stored in accounting documents (e.g. payment data).

      If the obligation of the Clinic is related to the provision of health care services, the legal basis is § 41 (1) 1) of the Healthcare Act and the relevant provision of the legislation requiring the performance of the specific obligation. If the Clinic is obliged to document the Patient Safety Incident, the relevant legal basis is § 41 (1) 3) of the Patient Safety Act. If no health data is processed, the legal basis is Article 6(1)(c) GDPR.
    6. Exercising the rights of the clinic
      Processing for this purpose includes operations that consist of exercising the rights of the Clinic. The exact procedures are determined on a case-by-case basis in accordance with the legal law applied by the Clinic. Such a right may also include the exercise of a legal claim, which may include the processing of personal data. The Clinic processes any personal data of any Data Subject for this purpose in accordance with the legal law applied by the Clinic. If the Clinic processes special categories of personal data (e.g. health data) for the purpose of establishing, asserting or defending a legal claim, the legal basis is Article 9 (2) (f) of the GDPR. Other personal data is processed by the Clinic on the basis of Article 6 (1) (f) of the GDPR, i.e. on the basis of legitimate interest. It is the legitimate interest of the clinic to protect and exercise its rights as it sees fit.
    7. Conducting research
      As a general rule, if the data is processed for the purpose of conducting research, then the data have been previously anonymised, which is why they are no longer personal data, and in this case, the requirements for processing personal data (incl. GDPR) do not apply. However, the Clinic may ask for the Patient’s consent and the Patient has the opportunity to voluntarily give consent to the processing of their health data in a personalised form for conducting research. In this case, the object of processing is the Patient’s health data. However, this is only done in a situation where the Patient’s prior explicit consent has been requested and obtained in accordance with Article 9(2)(a) of the GDPR. If the Patient has not given consent, their personal data will not be processed for the respective purpose.
    8. Finding new staff members and assessing suitability for work
      Processing for this purpose includes activities that are necessary to find candidates (e.g. searching for a suitable candidate through relevant service providers) and assessing the suitability of candidates (e.g. communicating with the candidate). For this purpose, the Clinic may process, among other things, the following personal data of a job applicant or a candidate being sought: name, job position, e-mail, phone number, address, CV, education, work experience, skills, qualifications and other data found in public sources. If a person applies for a job at the Clinic themselves, the legal basis for the processing of personal data is Article 6(1)(b) of the GDPR – i.e. taking pre-contractual measures in accordance with the candidate’s request. If the Clinic itself is actively looking for a new potential employee, the legal basis for the processing is the legitimate interest of the Clinic (Article 6(1)(f) of the GDPR) – the legitimate interest of the Clinic is to find new employees. If a candidate was not hired, but the Clinic wishes to store their data for more than 1 year after the end of the recruitment process, the storage will take place only on the basis of the consent of the respective candidate (Article 6(1)(a) of the GDPR).
    9. Collection of website usage statistics and analysis of usage
      Processing for this purpose includes the collection and processing of data with relevant cookies in order to generate statistics on visits to the Website and to analyse the use of the Website. The personal data that may be processed for this purpose are collected by analytical cookies and are related to the use and visit of the Website – i.e. data on the use of the Website (e.g. page operations). More information about cookies is provided in chapter 8 of the Privacy Policy below. The legal basis for the processing of personal data is the consent of the Website visitor in accordance with Article 6 (1) point (a) of the GDPR. The website visitor has the right to withdraw their consent at any time.
  4. SOURCES AND DISCLOSURE OF PERSONAL DATA
    1. The Clinic receives the Patient’s personal data both directly from the Patient and from third sources. Such a third source may primarily be the health information system, other health care service provider, the Health Insurance Fund, the Prescription Centre, the Image Bank or other health-related information technology environment, the insurer (in the case of an insurance claim), or in certain cases the Patient’s representative or close relative or the person who made the booking.
    2. The Clinic receives the personal data of job applicants from the job applicant as well as from public third sources (e.g. the Internet). The Clinic receives the data of visitors to the Website primarily through the Website. The Clinic may also receive the personal data of other Data Subjects either from the Data Subject or from a third source.
    3. Submission of various personal data related to the provision of health care services to the Clinic is mandatory, as the Clinic is obliged to follow the procedure for the provision of health care services, its documentation and quality management set out in legislation, which require the processing of certain personal data. If the required data is not submitted, the Clinic will not be able to provide health care services to the Patient. Also, if the Clinic starts to provide or provides a service other than a health care service, it may be necessary to submit the personal data necessary for that purpose and if the Clinic fails to provide them, it may not be possible for the Clinic to enter into a contract for the provision of the relevant service (e.g. if the recipient of the service does not disclose their name) or to perform the respective contract.
    4. Also, for example, if a job applicant decides not to disclose their information, they cannot apply for a job.
    5. To the extent that the Clinic has not made the submission of personal data mandatory, the submission of such data is voluntary and failure to submit them does not result in harmful consequences for the Data Subject.
  5. RETENTION OF PERSONAL DATA
    1. The Clinic retains personal data only for as long as it is necessary to achieve the purpose for which the personal data is processed or if it is required by applicable law.
    2. When storing health data, the Clinic is guided by the following principles:
      • The logs of the information system used by the clinic are stored for 5 years;
      • On the basis of subsections 42 (4) and (5) of the Health Care Act, the data certifying the provision of health care services are retained for 30 years after the confirmation of the data concerning the service provided to the Patient.
    3. In addition, the following rules are laid down for the retention of personal data:
      • If personal data is processed for the purpose specified in the above clause on quality management, then personal data will be processed for the respective purpose for as long as it is purposeful for the respective case, but as a general rule not longer than 10 years;
      • Where personal data is processed for the purpose specified in the above clause on conducting research, the personal data will be stored until the Data Subject withdraws the consent or in any case for a maximum of 7 years;
      • Where personal data is processed for the purpose specified in the above clause on finding new staff members and assessing suitability for work, then personal data will be stored as follows: personal data will be deleted one year after the end of the recruitment process, unless an employment contract or other contract with similar content is entered into with the candidate; alternatively, if consent is obtained from the candidate for a longer period of time to store the data, the personal data will be stored until the withdrawal of consent, but in any case no longer than 3 years;
      • According to the Accounting Act, accounting documents are stored for 7 years starting from the end of the respective financial year.
  6. TRANSFER OF PERSONAL DATA TO THIRD PARTIES
    1. The Clinic forwards personal data to third parties only if such right or obligation is prescribed for the Clinic by law or if the transfer of personal data to third parties is necessary for the provision of services to the Patient or the performance of the daily tasks of the Clinic.
    2. In the following cases, the Clinic may transfer personal data to third parties who, as a general rule, act as processors on behalf of the Clinic:
      • The Clinic forwards personal data (including health data) to medical software service providers that the Clinic uses in its daily activities to provide healthcare services to Patients – these include, for example, Connected OÜ (Estonian association), which manages the eKliinik system.
      • The Clinic also transfers personal data to a software service provider, such as Microsoft Ireland Operations, Ltd (Irish Association), as the Clinic uses Microsoft programs such as Microsoft Office on its computers. The Clinic also forwards personal data to the software service provider Tandem Health AB (Swedish association), which provides the Clinic with a documentation service, in the course of which the appointment is recorded and documented in writing with the software service. The audio recording is deleted on a rolling basis and immediately after it has been transcribed.
      • The Clinic also forwards personal data to an IT service provider, such as Elisa Eesti AS (an Estonian association), which provides IT solution services to the Clinic and may thus have access to health data from time to time.
      • The Clinic also forwards personal data to an accounting software provider, such as the public limited company Merit Tarkvara (Estonian company), which provides software services to the Clinic and has access to invoices and the data contained therein.
      • The Clinic may transfer the data related to the website to the service provider of analytical cookies, such as Google LLC (Irish Association), which manages the analytics. In certain cases, Google is also considered to be a separate controller.
    3. All authorised third-party processors to whom the Clinic forwards personal data ensure the protection of personal data in accordance with the legislation regulating the protection of personal data, including the GDPR. They also ensure the confidentiality of the data. As a general rule, the Clinic never forwards health data outside the European Economic Area.
    4. The Clinic may also transfer personal data to third parties who, as a general rule, process personal data as an independent controller, as explained below:
      • When providing health care services to patients, the Clinic forwards personal data to the health information system on the basis of the applicable law, which is a central national database through which health care service providers can exchange data with each other and see the health data sent about the Patient by other health care service providers. The joint controllers of the health information system are the Ministry of Social Affairs and the Health Insurance Fund (formerly known as the Health Insurance Fund). When sending data to the health information system, the data is also forwarded to the Estonian Health Care Image Bank, which, as the authorised processor of the health information system, manages, processes and archives the data of medical images. The administrator of the health information system and thereby the authorised processor is TEHIK, i.e. the Centre for Health and Welfare Information Systems.
      • The Clinic also forwards personal data to the Prescription Centre, the controller of which is the Health Insurance Fund. The Prescription Centre is a database established for the purpose of issuing and processing prescriptions and medical device cards and for providing medicinal products and medical device benefits to insured persons under the conditions provided for in the Health Insurance Act, the purpose of which is to ensure the protection of the health of persons using prescription medicines and supervision over the correctness and justification of the dispensing of medicinal products, and to create opportunities for the state to compile pharmaceutical statistics.
      • The clinic may also forward health data to other health care service providers in accordance with the procedure prescribed by law.
      • The Clinic may also make personal data available to the relevant insurer – e.g. the Clinic has entered into a liability insurance contract with PZU (AB “Lietuvos draudimas” Estonian branch), to whom the Patient’s health data and other relevant personal data may be forwarded in the event of an insured event.
      • If the Patient has health insurance, the Clinic may forward the personal data to the relevant insurer who has entered into a respective insurance contract with the Patient.
      • If the Patient (or other relevant Data Subject) has become indebted for the services provided by the Clinic, the Clinic has the right to forward personal data (including name, phone number, address, e-mail address and invoices issued in the name of the Data Subject that form the basis for the debt, together with the information contained in the invoices and related to the processing of the invoices so far) to the contractual collection service providers dealing with the Clinic’s debt claims, as well as to the court, bailiffs and other debt collection service providers dealing with the Clinic’s debt claims, to persons/institutions entitled to process personal data.
      • Personal data may also be transferred to another institution or person if the Clinic is obliged to do so in accordance with the applicable law (e.g. the police).
    5. The list of service providers and cooperation partners mentioned in this chapter is illustrative and may not be fixed over time. The clinic is not obliged to amend the Privacy Policy every time a service provider or cooperation partner changes.
  7. RIGHTS IN RELATION TO THE PROCESSING OF PERSONAL DATA
    1. The Data Subject (including the Patient) has the right to contact the Clinic at any time by writing to the e-mail address andmekaitse@minukliinik.ee or by contacting the Clinic’s registration desk in order to:
      • request access to the personal data concerning the Data Subject, i.e. to examine the personal data that the Clinic has processed and collected in respect of the Data Subject;
      • request correction of personal data;
      • request the deletion of personal data;
      • restrict the processing of personal data;
      • object to the processing of personal data;
      • request the transfer of personal data;
      • request that no decision based on automated processing be taken in respect of the Data Subject;
      • where the data processing is based on consent, withdraw the consent; and
      • lodge a complaint regarding the processing of personal data.
    2. Please note that the above rights are not absolute and the implementation of these rights is limited to the provisions arising from the GDPR and other legislation, as well as the rights of the Clinic. For example, the Clinic cannot delete data if the law requires the storage of such data. Thus, in accordance with the provisions of the applicable law, the Clinic has the right to refuse to comply with the Data Subject’s request or to fulfil it to a limited extent, in which case the Clinic will explain this to the Data Subject.
    3. The Data Subject’s application must be digitally signed or, if the application is submitted at the Clinic, the Data Subject must enable identification with an identity document. If the data is issued by e-mail, it is only done in an encrypted way. For security reasons, data will not be issued over the phone.
    4. The Data Subject also has the right to file a complaint with the Data Protection Inspectorate (Tatari 39, 10134 Tallinn; e-mail address info@aki.ee).
  8. COOKIES
    1. The website of the clinic uses cookies. Cookies are small text files that are stored in the user’s web browser or device when visiting the Website. Cookies can be so-called first-party cookies, which are directly related to the Kliinik Website, as well as third-party cookies managed by third-party service providers.
    2. The clinic uses the following cookies: a) Essential and functional cookies – i.e. cookies that are used for the operation of the Website. Such cookies are deleted at the end of the session, i.e. the end of your visit to the Website. b) Statistics cookies – i.e. cookies that create statistics about visits to the Website and with which it is possible to analyse visits to the Website (e.g. how many users visit the Website, how the Website is used, how the Website is reached, etc.). For this, Kliinik uses Google Analytics cookies (_ga and other cookies, stored for up to 2 years) and Google Tag Manager.
    3. The website visitor has the right to refuse the use of cookies by not giving consent or withdrawing consent, or by selecting the appropriate settings in the web browser and deleting the cookies that have already been stored on their device. Cookies can be disabled by following the instructions in the “help” function of the web browser. More information about how cookies work or how to disable cookies can also be found on the website www.allaboutcookies.org.