SOTAMAA & CO ATTORNEYS LTD – PRIVACY NOTICE
This Privacy Notice contains basic information about the personal data we collect about our clients and the ways we use that data. In this Privacy Notice you will also find basic information about your rights regarding your personal data.
This Privacy Notice describes how we process our clients’ personal data for the purposes of, inter alia, identifying the client, conducting inquiries to determine the possible conflict of interest, and managing the clients’ assignments. We always process personal data in accordance with the applicable legislation. Our firm is also bound by the rules and regulations issued by the Finnish Bar Association. These regulations establish certain further obligations regarding the collecting, storing and processing of personal data, designed to protect privileged information.
The purpose of this Privacy Notice is to provide the necessary information required by applicable legislation, primarily as laid out in Article 13 of the General Data Protection Regulation, “GDPR” (Regulation [EU] 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).
The personal data of parties other than our clients is processed according to applicable law and along the principles presented below, where applicable.
1. CONTROLLER OF THE PERSONAL DATA
Sotamaa & Co Attorneys Ltd
Register number 170199-0
Aleksanterinkatu 48 A
2. CONTACT PERSON REGARDING THIS PRIVACY NOTICE
Sotamaa & Co Attorneys Ltd
Aleksanterinkatu 48 A
The contact person is not a Data Protection Officer as defined in the General Data Protection Regulation.
3. WHAT TYPES OF PERSONAL DATA DO WE PROCESS?
The purpose for which the personal data is used determines the types of personal data we process. Pursuant to the assignment, we process personal data relevant for the purpose of identifying the client, managing the assignment, invoicing, and maintaining the client relationship. We have the legal obligation to collect and store certain types of information. Such obligations follow primarily from the Finnish Accounting Act (1336/1997), the Finnish Act on Detecting and Preventing Money Laundering and Terrorist Financing (444/2017, further referred to as “the Money Laundering Act”) and the rules and regulations of the Finnish Bar Association.
We process, inter alia, the following personal data regarding our clients:
- The client’s or their official representative’s name and personal identity number, contact details, invoicing details, employer, profession or job title, position in the company
- A copy of the documentation used for identifying the client
- If the assignment falls within the scope of application of the Money Laundering Act, we will process the personal data required in the legislation, e.g. necessary information about the client’s business actions, economic position and political influence
- Other relevant information e.g. credit information, health information or information related to insurances
4. HOW DO WE USE THE PERSONAL DATA?
We collect and process personal data for, inter alia, the purpose of conducting the assignment and taking care of the client relationship. This means that the legal basis for processing the personal data is legitimate interest as laid out in subsection f of Article 6 in the GDPR. In this case legitimate interest means that the personal data is processed in order to maintain the relationship with the client and fulfil the assignment the client has initiated.
We also process personal data in order to comply with our legal obligations, in which case the legal basis for processing the data is the necessity for compliance with a legal obligation as laid out in subsection c of Article 6 in the GDPR. We are legally obliged to, inter alia, take certain measures in order to prevent money laundering and financing of terrorism. Should we become aware of a suspected case of money laundering upon conducting an assignment, we are obliged to take measures to examine the matter and possibly make a report to the relevant authorities.
We may process personal data for the purposes of marketing. If we process personal data for marketing purposes, the legal basis for processing the data is legitimate interest as laid out in subsection f of Article 6 in the GDPR. Your personal data will not be transferred outside the European Union or European Economic Area without your consent.
5. HOW DO WE COLLECT THE PERSONAL DATA?
The data we process is given to us primarily by the client in connection with the assignments. The data can also be obtained from various directories, registers and other public sources of information, such as the Population Information System and credit information registers.
6. HOW LONG DO WE STORE THE PERSONAL DATA?
Regarding the time limits for storing personal data, we comply with the obligations laid out in legislation and the Finnish Bar Association’s rules and regulations.
The personal data will be stored for as long as necessary for conducting the assignment. After that all data related to assignments (including clients’ personal data) is stored for ten years, in accordance with the regulations of the Finnish Bar Association.
If the assignment falls within the scope of application of the Money Laundering Act, we are legally obliged to store the data related to the identity and business operations of the client for the period of five years after the termination of the client relationship. This obligation also follows from the regulations of the Finnish Bar Association.
7. HOW DO WE PROTECT THE PERSONAL DATA?
All personal data is processed confidentially and with utmost care, in compliance with the attorneys’ binding obligations for secrecy and confidentiality. We protect the personal data in accordance with the guidelines of the Finnish Bar Association concerning data protection.
Technical and organizational safeguards are in place to ensure the security of all personal data. This means, inter alia, protecting the personal data from unauthorized and illegal processing, or accidental destruction of or damage to the data. Only our own employees and carefully selected service providers are allowed to access the data.
8. INFORMATION REGARDING YOUR RIGHTS
As a data subject, you have the following rights regarding your personal data:
a) Right to access the data. You have the right to know whether we are processing your personal data, and access personal data if it is being processed. We can deny the request to access the data on grounds laid out in legislation or the regulations of the Finnish Bar Association.
b) Right to request us to correct incorrect or deficient personal data. If your personal data that we process is incorrect, deficient or inaccurate, you have the right to request us to correct or specify the data. This can be done by providing us with additional specifying information.
c) Right to erasure. You have the right to request the erasure of your personal data under the following conditions:
- The personal data is no longer necessary for the purposes it was originally collected for, and there is no other acceptable basis to store the data.
- The legal basis for processing the personal data is consent, and you wish to withdraw that consent. You can request the erasure of the data if there is no other legal basis for processing the data.
- You object to the processing of the personal data and there is no acceptable basis for processing the personal data.
- The data has been processed illegally.
The right to request erasure is restricted. The right is not applicable if we have a legal obligation to store the data or it is necessary to process the data for the establishment, exercise or defence of legal claims.
d) Right to restrict processing of personal data. You can request restricting the processing of your personal data if you contest the accuracy of the data or the lawfulness of the processing, or if you have objected to our right to process the data.
e) Right to object to the processing of the personal data when the legal basis for processing is legitimate interest. This means that you always have the right to object to the processing of your personal data for purposes of, e.g., direct marketing or marketing-related profiling.
Each request to exercise the rights laid out above is evaluated individually. The request to exercise the rights shall be sent to the contact person in writing. If necessary, we may require you to verify your identity before processing the request. We will reply to the request as soon as possible and not later than within the time limit provided by the GDPR (generally within one month).
You always have the right to make a complaint to the data protection authority, should you suspect that we have not processed your personal data in compliance with the applicable data protection legislation. In Finland the competent data protection authority is the Data Protection Ombudsman (https://tietosuoja.fi/en/home).