Privacy Notice 

1. Controller

 Vestra Group Ltd, Business ID 3180459-7, and its group companies Vestra Advisors Ltd, Business ID 3180461-8, and Vestra Optima Ltd, Business ID 3252127-3, (“Vestra” or “we”)

 

2. Contact Details

 Correspondence address:

Aleksanterinkatu 15 B
FI-00100 Helsinki
Finland
privacy@vestra.fi
Contact person:
Tomas Lodenius

3. General Information

 This privacy notice applies to our processing of personal data as a controller. It sets out how we process personal data relating to representatives of our customers and their counterparties as well as our suppliers, marketing recipients and other interest groups. The word “you” refers to the aforesaid individuals whose personal data are processed by us.

 We adhere to the General Data Protection Regulation (2016/679) (“GDPR”) and other applicable Finnish data protection legislation in our processing of personal data.

 

4. Purpose of Processing

 We process personal data on our customers and potential customers to provide and promote our services and to maintain the customer relationships. We process personal data on our suppliers and other interest groups to maintain our business relationships with them. Personal data may also be processed for planning, carrying out and developing our services and business operations.

 We have a legitimate interest in processing your data for the reasons set out above. This legitimate interest relates to the relationship that we have with you (through your task or position). In some cases, we process personal data to comply with our contractual obligations towards you. Furthermore, we process personal data to comply with legal obligations (relating to e.g., bookkeeping, customer identification and prevention of money laundering) and to maintain conflict-of-interest procedures. Sometimes, the legal basis for our processing relates to claims handling, debt collection and legal proceedings. In addition, we may process personal data based on your consent.

 

5. Processed Data

 We may process the following information on you (as applicable):

 

·       Name and contact details

·       Title

·       Date of birth and/or personal identification number, nationality, and other customer identification data (including, without limitation, copies of identity documents and indications of status as a politically influential person)

·       Organisation, including its contact, registration, representation, beneficiary, financial, funding and activity information

·       Information relating to meetings, services and correspondence and other assignment data

·       Information relating to invoicing

·       Event invitations and information, including dietary preferences

·       Marketing messages

·       Marketing opt-outs and opt-ins

 

6. Data Sources

 The information is usually collected directly from you or from other representatives of your organisation or their counterparts. Information may also be collected from publicly available information sources, such as corporate websites, social media, contact and KYC information service providers, trade registers, land registers and credit registers. Sometimes we create the personal data ourselves, for example in relation to events arranged by us or in connection with our communication with you.

 

7. Data Disclosures

 As a main rule, we do not disclose personal data to third parties without your consent. In certain situations we may, however, be required to disclose data on you for example to authorities or other third parties when such disclosure is mandatory under applicable law (for example to address criminal activities, security issues or suspected money laundering or terrorist financing).

 We may also involve service providers in our processing of personal data (for example in relation to IT, KYC, accounting and marketing services). As regards such service providers we take contractual measures to ensure that your personal data are processed and protected appropriately and in compliance with applicable laws and this privacy notice.

 

8. Data Transfers

 As a main rule, your personal data are not transferred to countries outside the European Union or the European Economic Area. If and to the extent we transfer your personal data outside the EU/EEA, we arrange for adequate protection for such transfers through contractual arrangements with our service providers based on the EU standard contractual clauses or through other appropriate safeguards.

 

9. Data Security

 We and any service providers involved in the processing of personal data take appropriate technical and organisational measures to protect personal data against unauthorised access and accidental or unlawful destruction, alteration, disclosure, transfer or other unlawful forms of processing.

 The data are collected into databases protected by firewalls, passwords and other technical measures. The databases and their backup copies are maintained in locked premises and can be accessed only by designated individuals. Each user has a personal username and password to the systems where personal data are kept.

 

10. Data Retention

 Personal data are retained only for as long as necessary for the purposes of the processing. The exact data retention periods and procedures for data removal vary by data category. As a main rule, we retain data for ten (10) years.

 

11. Rights of Data Subject

 As a data subject, you have the right to:

 

·       access the personal data concerning you that we process (certain exceptions apply)

·       demand rectification of any erroneous or obsolete data

·       demand the removal of your data in certain situations (please note, however, that we need personal data on you in order to provide our services to you and often we are not allowed to delete personal data on our customer relationship)

·       withdraw your consent where processing is based on consent (withdrawing your consent does not affect the lawfulness of processing carried out before such withdrawal)

·       object to processing (when processing is based on our legitimate interest, you should indicate the specific personal reasons for your request; in case we do not have legitimate grounds for continued processing of such data, we will cease processing the data after your objection)

·       request restriction of the processing of your data

·       lodge a complaint with the supervisory authority

 

All requests and demands concerning the above should be submitted in writing to the contact person mentioned under Section 2 above.

 

In addition, if you do not wish to receive electronic direct marketing you can opt-out by contacting the contact person mentioned above or by using the unsubscribe functionality included in the direct marketing messages.

 

12. Changes to Privacy Notice

 This privacy notice was last updated on 27 April 2022.

 We may update this privacy notice from time to time to reflect changes in our data processing principles and activities. The updated privacy notice is made available on our website or otherwise.