Privacy policy

SYNLAB and data protection

We are committed to protecting and respecting your privacy. On this page, we tell you about SYNLAB Suomi Ltd’s (“SYNLAB”) personal data processing in general terms. You will be informed about the processing of your personal data when you use our services and especially when you register for the first time. On this page, you will find general information and descriptions. SYNLAB will update this page when necessary and inform the data subject of any updates.  

When you use our healthcare services, your information will be processed with utmost confidentiality. You can read about the data that is processed when using healthcare services at: 

When you use SYNLAB web services meant to facilitate your use of services with SYNLAB (e.g. Health Folder for customers, LOUNA Lab and, you will be informed of how your personal data is processed when using the service. You may be required to accept our terms and conditions in order to use our services. When using our services, you can give your consent to different purposes your information may be used for, such as digital marketing.  

When you use our web services that utilise third party services (such as identification or payment transfer), the service provider responsible for that service will inform you of how your personal data is processed in their service. 

When you use our services at or visit our offices or other premises, your personal data may be processed for safety reasons which you will be informed of separately; for example, you may be subject to video surveillance and access control.  

On this page, we also tell you how we process your personal data when you contact us by phone or e-mail. 


SYNLAB Suomi Ltd (Business ID 2674625-7), Kivihaantie 7, 00310 Helsinki
Contacts regarding the register: 
Data protection officer’s contact information: 


SYNLAB’s personal data register processes the personal data of its services’ consumer-customers, people who visit its website, people who order its newsletter, business customers’ or potential business customers’ contact persons, people who apply to work at SYNLAB and its current employees.  

We collect personal data directly from you when  

  • you fill out forms on our website (or other forms that we ask you to fill out) that ask you to include personal information 
  • you contact us by telephone, mail, e-mail or any other means  
  • you give us your business card (or an equivalent item) 
  • you use our web services 
  • you purchase our services through our sales channels 
  • you book an appointment  

We also collect your personal data when 

  • you visit our website 
  • you visit our premises 
  • you contact our customers, suppliers or other business partners.   

Processed personal data in accordance with the service you use 

  • Basic information (such as name, date of birth, profession) 
  • Contact information (phone number, address, e-mail) 
  • Identification data (such as personal identity code, customer number, username, registration number) 
  • The information of your next of kin, guardian or the person who uses our services on your behalf 
  • Information concerning your customer relationship (e.g. the service you use) 
  • Information concerning your use of services (such as e-mail, letter, telephone call)  
  • Patient information (patient’s basic information, patient event information, information regarding diagnostic examinations) 
  • Healthcare professionals’ information 
  • Employment information 
  • Business relationship information (your connection to SYNLAB, professional role, background and interests).  
  • Footage captured by video surveillance 
  • Consents, permits and bans 
  • Payment and invoicing details 
  • User data management details 

Information that our website and our other systems collect about you: 

  • Provisioning information for online communications (sender, recipient and time records created from, e.g., phone calls, SMS, e-mails, accessing the internet and similar activity). 
  • Log data (event data automatically logged into the information system memory) 
  • Our website can also store “cookies” on your device that the website requires to function properly – you can read more about cookies in the section describing our cookie policy.  
  • If you contact our employees or other staff by e-mail, telephone or through other digital channels, our IT systems record information on these discussions, which may sometimes include their content as well. 
  • Some of our premises use a video surveillance system which may capture footage of you for safety purposes when visiting our premises. 

We may receive your personal data from other sources when necessary 

  • If you sign in to use our services using strong identification, we may use the verified personal data from the Digital and Population Data Services Agency 
  • If we have a business relationship with an organisation that you represent, your colleagues or other business relations may provide us information on you, such as your contact information or your role in the organisation.  
  • Sometimes we collect information from third party information service providers or from public sources to prevent money laundering, for background checks and corresponding purposes and to protect our business and fulfill our statutory obligations.  
  • We may check companies’ responsible persons and persons with the authority to sign through the Finnish Patent and Registration Office 
  • We may use general marketing and contact registers 
  • We may verify self-employed persons’ information through the Tax Administration or Valvira (National Supervisory Authority for Welfare and Health) 

If we have received your information from sources other than yourself, we will inform you when appropriate.  


When we ask you to provide your personal data, we will tell you whether providing the data is necessary to fulfill our legal obligations or if it is optional, in which case refusal to provide data does not carry any consequences. Otherwise, you can assume that we require your information for our business or to fulfill our obligations (as mentioned below). If you have any doubts about why SYNLAB requires specific information from you, contact the SYNLAB representative who is requesting the information or contact us in accordance with the instructions in section 6. 

We may use your information for the following purposes only as much as necessary and when appropriate. When processing your information, we take care to prevent damage to you or your privacy in a way that would invalidate our legal right to fulfill the relevant obligations. 

2.1 Based on a signed contract 

When you purchase our services through our online stores, a customer relationship is created between you and us as a result of the transaction. We process your information to provide services, for invoicing purposes and, in some cases, to verify solvency or regarding collection of charges.  

When necessary, we may use your information for communications and contacts. We may use your personal data (such as your contact information) in the event of disturbance to ensure that we can provide you a good quality service. 

We use your personal data when necessary to answer your questions, to gather feedback and to process complaints, claims for compensation and to process other similar cases. We use processed data to improve our services and to develop our operations.  

When you use our systems, we may use your information to fulfill our obligations as set out in the terms and conditions. 

If you are employed at SYNLAB, we use your information to manage your employment.

2.2 Based on your given consent 

The following processing is based on consent: processing an applicant’s information during the recruitment process and processing information when joining the digital marketing register.

Consent in relation to the processing of patient information is explained in the Privacy Policy for the Patient Register (see the link at the top of the page).  

You can read about giving consent for marketing in more detail on this page.

The cookie policy is explained at the end of this page.

2.3 Based on legal obligations 

We are obligated to act according to national legislation on healthcare and the Accounting Act when processing personal data. Statutory purposes for processing personal data include  

  • Invoicing-related obligations 
  • Planning, arrangement, implementation and monitoring of the patient’s care 
  • Storing data created in healthcare services 
  • Obligations of healthcare service providers as set out in the Communicable Diseases Act 
  • Processing of data to ensure the quality of treatment and patient safety 
  • Access control of the processors of patient information, prevention of misconduct, ensuring information security and enabling data rectification 
  • Obligations concerning employment management 
  • Knowledge management (Act on the Secondary Use of Health and Social Data) 

2.4 Based on a legitimate interest  

A legitimate interest in personal data processing may occur when we have a justified legitimate interest to process personal data which does not override the data subject’s rights. We may offer targeted customer communications for information purposes concerning the services you have purchased or ordered.

In some circumstances, we may have a legitimate interest to process personal data to protect our business against fraud, money laundering, breach of confidentiality, cyber attacks, theft of data subject to industrial property rights and copyrights and other business-related or financial crime. We may also process personal data to defend the rights of SYNLAB and its staff and for the establishment of legal claims concerning those rights.

We may use call recordings to verify the use of telephone services (ensuring economic and other rights) and to ensure that the service is both of good quality and appropriate. Phone call recordings concern the phone numbers for appointment booking and professional advice. 

We have a legitimate interest to process our business partners’ information for the purposes of contacting and informing them. We may also use personal data to ensure the functionality of our digital services and websites (such as necessary cookies) and for justified reasons to plan, monitor, report and develop the controller’s operations. 


Your personal data is mainly processed by SYNLAB Suomi. In some circumstances, your data can also be processed by the SYNLAB group (e.g. employees and partners), and we purchase some services from our service providers. We ensure that each of these parties only processes personal data whenever it is necessary to fulfill their duties regarding service provision. The processing of data is managed with, e.g., planning data processing, contracts, staff instructions and access management. The parties who process such data are under a duty of confidentiality and nondisclosure.  

Patient information is only disclosed under the conditions laid down by law.  

Authorities may have a legal right of access to our register. 

In some circumstances, we may request your consent to disclose your information in an appropriate context. If your information is being disclosed to a third party (e.g. invoicing), you will find more information about the disclosure in the service’s privacy policy and/or its terms and conditions when you, for example, move to the service provider’s website.  

The transfer of data to our subcontractors and service providers is done within the framework of our contracts. 

The information on the patient register and information regarding your use of healthcare services will not be transferred outside the EU/EEA area.  

In some circumstances, the transfer of data may include transferring your personal data to another country. If you use our services outside the European Economic Area or outside the United Kingdom, keep in mind that this could mean the transfer of your data to countries outside the European Economic Area / the United Kingdom, where data protection laws may not be as strict.  

When we transfer personal data to other companies within the SYNLAB group or to our service providers, we make sure that the arrangement complies with data transfer agreements or mechanisms that aim to make sure that your personal data is protected (under the conditions accepted by the European Commission for this purpose).


Your personal data will only be stored for as long as it is necessary to comply with the obligations of the contractual relationship, statutory obligations or to establish potential legal claims or to defend against legal claims. The storage times are determined according to the purpose for which your data is used. You may receive more information on the data storage times when you are informed about the service. The storage of data pertaining to healthcare services is determined by the existing legislation. You can read more about the legislation from the Privacy policy for the patient register.  

Information security measures are used to prevent unauthorised processing of personal data as well as the destruction, loss or accidental or unauthorised editing of personal data. We protect your personal data using different technical and organisational measures, and we evaluate the level of protection constantly. These measures include firewalls, monitoring the technical environment, continuous maintenance of staff competence, planning data processing, guidance and monitoring, access management, management of user access and use, auditing, how we choose our partners, agreements on processing personal data with our partners, defining roles and responsibilities, responding immediately to process deviations and feedback, implementing corrective measures and monitoring metrics. 


In accordance with data protection legislation, you have the right to inspect your personal data and request corrections to it and the right to exercise some other rights with regard to your personal data in situations where we are designated as the controller. In cases where we provide a service for another healthcare service provider, you need to seek your rights from the service provider with which you have a patient care relationship.  

You may also object to the processing of your personal data when the processing concerns a legitimate interest or direct marketing. You can withdraw your consent to our services whenever you want by informing us of your desire to do so. After you have successfully withdrawn your consent, we will no longer process your data for the purpose for which the consent was given. However, we may still have legal obligations to store your data or the consents you have given. 

In some cases, you may request that your data be deleted. Your data cannot be deleted if we are under a legal obligation to store your data (see the Privacy policy for the patient register). We will delete your data when we no longer have a reason to store it. For various reasons, you may also request to limit the processing of your personal data. 

Do note that to fulfill the obligations mentioned above, we need to receive the necessary information on your use of our services and verify your identity adequately. The easiest way to file a request is by delivering a written request form (by filling out a SYNLAB form or an informal form) to any SYNLAB office, where you need to prove your identity with a personal identification document containing your photo.  

If you wish to exercise any of your rights mentioned above, contact us as described in section 6 (Contacts) and you will receive guidance according to your situation.   

You also have the right to lodge a complaint on the processing of your personal data to a national authority. In Finland, this authority is the Office of the Data Protection Ombudsman. Further information at 


We are happy to receive questions, comments and requests concerning this data protection policy and the processing of personal data. Contact our local data protection officer Mirella Miettinen. 

by e-mail: 
by mail: Kivihaantie 7, FI-00310 Helsinki / Finland 
by phone: +358 50 536 0414 


Any amendments made later to this data protection policy will be published on the company website at

Remember to check any amendments regularly.  

Updates made to our data protection information 

  • Updated information related to marketing / 16 January 2023
  • Added data management to statutory rights / 16 January 2023
  • Updated information related to cookies / 16 January 2023
  • Publication of different language versions (Swedish, English) / 6 June 2022 
  • Complemented and clarified information regarding the personal data that is processed, the legal basis of the use of data and descriptions for the ways personal data is processed / 17 January 2022
  • Data protection officer’s contact information / 17 January 2022

We want to ensure that your visit to our website is pleasant and smooth. Therefore, our website stores “cookies” on your device that we use to collect information on your use of the website.


Cookies are small text files that are stored on your device when you visit the site. Cookies are sent back to the original site or to another site that uses the same cookie whenever you visit the site afterwards. Cookies enable our systems to recognise the user’s device and provide pre-settings immediately. As soon as the user enters the platform, a cookie is sent to their device’s hard drive.


Cookies are used for the following purposes:

  • Cookies enable the website to recognise the user’s device and target website content according to the user’s interests.
  • They help us improve our website and offer you better and more appropriate services.
  • Cookies enable us to recognise your device whenever you revisit our site.
  • They store information on what you usually do on our site which allows us to adjust the site according to your personal needs. Where it is permitted, we may, for example, show you targeted ads based on your interests and accelerate the processing of your queries.

By using our website, you accept that we may store cookies on your device as described below, and use the information we acquire through such cookies according to this cookie policy unless you have disabled cookies in your browser settings. You can read more about cookies at: and


There are two main types of cookies: first party cookies and third party cookies. First party cookies are cookies set by the website you are visiting. These are used to recognise your device when you revisit the site and to remember your settings when browsing the site. We primarily use first party cookies. Third party cookies are cookies set by the service provider on behalf of the website operator. These cookies are used by the service provider to recognise your device when visiting other sites. Third party cookies are usually used for web analytics or advertising purposes.


The following tables explain what kind of cookies we use and why.

The cookies listed on this table are used on the Health Folder login page and on the Health Folder page.

| Name | Domain | Description | Additional information |
| PHPSESSID | website host | PHP session ID | |
| __cfduid | .addtoany.com | The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. | Cloudflare ID for the Add to Any plugin |
| __utma | .static.addtoany.com | Used to distinguish users and sessions. The cookie is created when the javascript library executes and no existing __utma cookie exists. The cookie is updated every time data is sent to Google Analytics. | Google Analytics ID for the Add to Any plugin |
| cookie_notice_accepted | website host | Has user accepted the cookie notice | Cookie Notice plugin cookie to present a cookie notification if cookies have not been accepted yet |

The following cookies are used on the Health Folder login page and on the Health Folder page:

| Name of the cookie | Purpose | Expires |
| ASP.NET_SessionId (.NET) | This cookie is used by the (Microsoft ASP.NET) technology. Its purpose is to ensure the functionality of an online application on a website. OutSystems (Java) technology may also use this cookie to ensure the functionality of a website. | At the end of the session |
| osVisitor | When the end user first accesses the website, a unique identifier is created for the user for cookie management purposes. OutSystems platform does not associate the ID with the actual username of the web application’s user. | Does not expire |
| osVisitor | Whenever an end user accesses the website and there is no associated cookie for the user, a new cookie is created along with a unique ID for the end user. This cookie expires after 30 minutes. If the end user accesses the website after 30 minutes, a new unique ID is created for the user. OutSystems platform does not associate the ID with the actual username of the web application’s user. | 30 minutes |
| pageLoadedFromBrowserCache | Some parts of a web application may use this cookie to improve the end user experience. The purpose of the cookie is to ensure the smooth functioning of a web application whenever the end user uses their web browser’s “back” button to navigate the website. | At the end of the session |
| DEVICE_ORIENTATION | This cookie is used to save the orientation of the user’s mobile device to enable the GetDeviceOrientation function of the OutSystems platform. OutSystems platform does not associate the ID with the actual username of the web application’s user. | 360 days |
| DEVICES_TYPE | This cookie is used to save information on the end user’s mobile device type to enable the OutSystems platform to adapt its user interface according to the device type. OutSystems platform does not associate the ID with the actual username of the web application’s user. | 360 days |
| DEVICE_BROWSER | This cookie is used to save web browser information to enable the GetBrowser function of the OutSystems user interface. OutSystems platform does not associate the ID with the actual username of the web application’s user. | 360 days |
| DEVICE_OS | This cookie is used to save a device’s operating system information to enable the GetOS function of the OutSystems user interface. OutSystems platform does not associate the ID with the actual username of the web application’s user. | 360 days |
| RT | This cookie is used to calculate download speed; data collected from LifeTime Analytics. OutSystems platform does not associate the ID with the actual username of the web application’s user. | 10 minutes |
| <web screen name>:<generated id>: <initial tab> | Some parts of a web application may use this cookie to improve the end user experience when scrolling subpages on a website. | At the end of the session |
| <User Provider Name> | This cookie is used to manage login information in a web application. | 10 days |
| <User Provider Name>.sid | This cookie is used to manage the end user session in a web application. | At the end of the session |
| OutSystems platform external cookies: | | |
| CookiesNoteShown | This cookie is used to manage the cookie notice so that the user only needs to accept the cookie policy once. | 5 years |

Cookies may be used for customer profiling and for marketing purposes to enable targeted marketing. They can also be used to send surveys on our services to improve them.  

SYNLAB is not responsible for the publication of cookies by third parties. You can find more information on third party cookie policies on the websites of the relevant parties. If you do not want to use cookies, you can disable them in your browser settings. If you only want to accept our cookies but not our service providers’ and partners’ cookies, select the “block third party cookies” setting (or the equivalent setting in your browser settings).


This website uses the Google Analytics web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 (“Google”). Google Analytics also uses cookies, small text files, that are stored on your device and used to analyse your use of the website. The data collected by the cookie on your use of a website is typically sent to Google’s server in the United States and stored there. If the IP address anonymisation has been activated on this site, Google will truncate your IP address in the EU countries and other countries within the European Economic Area. Your entire IP address will only be transferred in exceptional situations to Google’s server in the United States, where it will be truncated. Google will use this information on our behalf to analyse your use of the website, to compile reports on the site’s activity and for other purposes pertaining to services related to website and internet usage that Google delivers to us. The IP address transmitted by your browser as part of Google Analytics is not conflated with other Google data. You may disable cookies in your browser settings. Do note that by doing so, you may be unable to use some of our website’s functions. You can prevent Google from collecting and processing data generated by a cookie regarding your use of a website (such as your IP address) by downloading and installing a plugin to your browser at:


We use the Hotjar plugin to collect feedback. The plugin enables us to monitor the use of our website and create statistics based on that. The plugin will store an ID in your browser’s cookies, but it cannot be used to personally identify you. You can read more about Hotjar’s data protection and GDPR policies and what information it collects from here.


When you visit the SYNLAB website for the first time on your device, a cookie consent box will pop up, asking you whether you want to accept all cookies, block all cookies or edit the cookie settings to your liking. If you agree to the use of cookies, we can use the data in targeting our marketing.

Most browsers allow you to manage cookies to an extent (e.g. notifications on new cookies, blocking cookies and deleting cookies). Further information at


We use the Apsis One marketing automation platform on our website as a tool to support our email marketing.

The Apsis One Tracking Script collects information from the people who visit the website (which pages they visited and whether they subscribed to the newsletter).

Tracking this kind of data helps us to carry out customer-friendly email marketing and other marketing on our website.

If a website visitor has given their consent for marketing either by subscribing to the SYNLAB newsletter or by giving the consent when they used SYNLAB’s services, the website visitor data can be linked to the email address that they provided when they gave their consent. The data that can be linked to the profile through Apsis One in this case may include, in addition to the aforementioned information on which pages were visited and whether the newsletter was subscribed to, statistics about opening marketing emails.