ASIANAJOTOIMISTO NIEMI & PUHAKKA OY PRIVACY POLICY

1. DATA CONTROLLER

Asianajotoimisto Niemi & Puhakka Oy
Business ID: 3332720-2
Teknobulevardi 3–5, 01530 Vantaa, Finland

2. CONTACT PERSON FOR DATA PROTECTION MATTERS

Mikko Puhakka, Managing Director
Tel. 050 371 9681
mikko.puhakka@aanp.fi

3. PERSONAL DATA COLLECTED AND PROCESSED AND PURPOSES OF PROCESSING

Our firm collects and processes personal data only when there is a lawful basis for doing so under the EU General Data Protection Regulation (“GDPR”). Personal data is collected and processed only to the extent and in the scope necessary for the relevant purpose of processing.

In connection with enquiries received by our firm and the establishment and handling of assignments, we collect and process personal data necessary for conflict checks, identification of persons related to the assignment, handling of assignments, invoicing, and maintaining client relationships. Such data may include, as applicable and as necessary, for example:

– name,
– date of birth and/or personal identity code and/or Business ID,
– the person’s connection to the matter and information provided by the person regarding the matter,
– postal and email address,
– telephone number,
– invoicing address,
– position in a company or other organisation,
– credit information,
– income and asset information,
– employer,
– occupation,
– insurance information,
– health information,
– marital status,
– information on the number of dependants.

Where necessary, we store a copy of the document used to verify the identity of the client or the client’s representative.

We also collect and process personal data necessary for fulfilling our statutory obligations (including the Accounting Act and the Act on Preventing Money Laundering and Terrorist Financing). Such data may include, as applicable, information on a person’s business activities, financial status, and political exposure.

On our website, we use cookies for marketing and customer acquisition purposes. Cookies are used to track visitor traffic and to develop the website and marketing.

In connection with recruitment, we collect and process personal data relating to job applicants and other persons related to the recruitment process (for example recruitment consultants and referees). Such data may include, as applicable, the names, postal and email addresses and telephone numbers of applicants and other related persons, the applicant’s date of birth (if provided by the applicant), the applicant’s photograph (if provided by the applicant), assessments made of the applicant by persons involved in the recruitment process and other similar data, as well as other information provided to us by the applicant.

When dealing with our stakeholders (for example courts, authorities, accounting firms, audit firms, IT and communications service providers, and other partners), we collect and process the contact details of stakeholders’ representatives and contact persons necessary for day-to-day dealings (e.g. name, email address and telephone number, position in a company or other organisation).

4. LEGAL BASES FOR PROCESSING PERSONAL DATA

The GDPR legal bases for processing personal data in our firm’s operations include, as applicable:

– our firm’s and/or our client’s legitimate interest,
– performance of an assignment agreement (in relation to client personal data),
– compliance with the data controller’s legal obligations, and
– the data subject’s consent.

5. SPECIAL CATEGORIES OF PERSONAL DATA

Due to the nature of legal services, the personal data we process may also include special categories of personal data as referred to in Article 9 of the GDPR (“sensitive personal data”). We process such data only when and to the extent there is a legal basis under Article 9 of the GDPR. We may process special categories of personal data, for example:

– where processing is necessary for the establishment, exercise, or defence of legal claims, or
– where the data subject has given explicit consent for one or more specified purposes, or
– where processing is necessary for compliance with obligations and the exercise of specific rights of our firm or a person employed by our firm in the fields of employment law, social security, and social protection.

6. SOURCES OF PERSONAL DATA

We collect personal data from the following sources:

– from the data subject,
– from our clients,
– from the client’s counterparty, witnesses and other natural persons and legal entities related to the assignment,
– from courts, the police, the Finnish Patent and Registration Office, the Digital and Population Data Services Agency and other authorities,
– from number, address and contact information service providers,
– from credit information companies,
– from insurance companies,
– from websites (e.g. companies’ websites and contact details published therein).

7. RETENTION OF PERSONAL DATA

The retention period for personal data is determined in accordance with the GDPR and other legislation applicable to our operations, as well as the Code of Conduct for Attorneys-at-law.

As a general rule, we retain personal data only for as long as necessary for the purposes of processing.

According to the guidelines of the Finnish Bar Association, assignment material, including personal data contained therein, must generally be retained for 10 years after the end of the assignment.

For assignments within the scope of the Act on Preventing Money Laundering and Terrorist Financing, we are required to retain documents and information relating to customer due diligence and transactions for five years after the end of a permanent customer relationship, and in the case of occasional transactions for five years after the completion of such transaction.

We retain accounting records and correspondence relating to business transactions in accordance with the Accounting Act for six years from the end of the year in which the financial year ended.

8. PROCESSORS OF PERSONAL DATA

External service providers used by us who collect and/or process and/or store personal data on behalf of and for our firm (data processors) include, among others, accounting and audit firms, IT and communications service providers, and marketing agencies. A written agreement has been concluded with all data processors defining the processor’s obligations in accordance with the GDPR.

Some of the data processors we use may transfer personal data outside the European Economic Area (“EEA”). In such cases, prior to the transfer, we ensure that the data protection legislation of the recipient country provides an adequate level of protection pursuant to a decision of the European Commission, or that the processors have committed to the standard contractual clauses approved by the European Commission.

9. DISCLOSURE OF PERSONAL DATA

We disclose personal data to third parties only where disclosure is necessary for the purposes of processing and provided that the recipient has a right and lawful basis under the GDPR to process the disclosed personal data. In connection with providing legal services, personal data is typically disclosed (however only to the extent and in the scope necessary for the relevant purpose) to, among others, the following parties:

– the client,
– the client’s counterparty, witnesses and other persons related to the assignment,
– courts and authorities, including supervisory authorities,
– the Finnish Bar Association,
– insurance companies,
– counsel used in handling the assignment,
– number, address and contact information service providers and the Digital and Population Data Services Agency for acquiring and verifying address and contact details of persons we seek to reach, and
– distribution companies (name and address data) for mailing letters and other shipments.

10. TECHNICAL AND ORGANISATIONAL MEASURES TO PROTECT PERSONAL DATA

Personal data processed by our firm is primarily in electronic form and to a limited extent in paper form.

Personal data is accessible only to persons whose work duties require processing of personal data. Persons processing personal data are subject to confidentiality obligations.

Electronic personal data is stored and processed on servers, systems, databases and devices protected with personal usernames and passwords and appropriate information security software. We manage usernames and passwords using software specifically designed for secure use and management. When communicating by email with our clients and stakeholders, we use secure email where necessary.

The servers, systems and databases used for processing electronic personal data are maintained by external IT and communications service providers. Such providers are committed to protecting personal data with appropriate technical and organisational measures. In practice, this means, among other things, that:

– servers and devices on which personal data is stored are located in locked and monitored premises and protected with appropriate information security software, and
– appropriate back-up procedures are in place.

Paper-based personal data is stored in locked and monitored premises accessible only to designated persons.

11. YOUR RIGHTS

11.1 Right of access

You have the right to obtain confirmation as to whether or not we process personal data concerning you. You have the right to access personal data concerning you and to receive a copy of such personal data. We may, however, restrict these rights based on legislation and/or the rules of the Finnish Bar Association. If you request more than one copy, our firm may charge a reasonable fee based on administrative costs.

11.2 Right to rectification

You have the right to request that we rectify inaccurate and incorrect personal data concerning you without undue delay. You have the right to have incomplete personal data completed, for example by providing additional information.

11.3 Right to erasure (“right to be forgotten”)

You have the right to request the erasure of personal data concerning you in the following situations:

– Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed, and there is no other acceptable reason for retaining it.
– Processing is based on your consent and you withdraw your consent, and there is no other lawful basis for processing.
– You object to the processing and there are no overriding legitimate grounds for the processing.
– Your personal data has been processed unlawfully.

Your right to erasure is restricted, and this right does not apply, for example, where our firm has a statutory obligation to retain your personal data or where processing is necessary for the establishment, exercise or defence of legal claims.

11.4 Right to restriction of processing

You have the right to request restriction of processing of your personal data in the following situations:

– If you contest the accuracy of your personal data. Processing will be restricted for the period during which we can verify the accuracy.
– If your personal data has been processed unlawfully and you oppose erasure and request restriction instead.
– If we no longer need your personal data for the purposes of processing, but you require it for the establishment, exercise or defence of legal claims.

11.5 Right to object to processing based on legitimate interests

Where processing is based on our firm’s and/or our client’s legitimate interest, you have the right at any time to object to the processing on such grounds. In such cases, we may no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if processing is necessary for the establishment, exercise or defence of legal claims.

In practice, handling a legal assignment always entitles a law firm and its client to process personal data of the counterparty and other persons related to the assignment regardless of any objection.

Where personal data is processed for direct marketing purposes, you have the right to object at any time to processing for such marketing, including profiling insofar as it relates to such direct marketing. If you object, your personal data may no longer be processed for these purposes.

11.6 Right to withdraw consent

Where processing is based on your consent, you have the right to withdraw your consent at any time.

11.7 Exercising your rights

If you wish to exercise the rights listed above, please send a written request to our firm. Where necessary, we may ask you to specify your request and verify your identity before processing your request. We will respond as soon as possible, and in any event within the time limits set out in the GDPR (generally within one month).

You also have the right to lodge a complaint with a data protection authority if you consider that we have not processed your personal data in accordance with applicable data protection legislation. In Finland, the competent data protection authority is the Data Protection Ombudsman (www.tietosuoja.fi).