Privacy Statement

1. Data controller

Privilo Oy

Business ID: 34044928-3

Helsinki, Finland

Contact person: Titta Penttilä

Email: Privilo@privilo.fi

2. What personal data do we collect and process, for what purposes, and on what legal basis?

We collect and process personal data for the purposes of providing services and for our business operations in accordance with this privacy statement and the applicable laws. Personal data refers to information directly or indirectly related to an identifiable or identified individual.

We primarily offer services to businesses and organizations and the processed personal data mainly relates to employees or other representatives of our clients, subcontractors, and partners. However, if necessary for an assignment, we may also process other personal data, such as our client’s client information, information related to counterparties, or information about individuals otherwise related to the assignment.

We primarily collect personal data directly from the individual or from the individual’s employer, which could be our client, partner, or subcontractor. Contact details of potential clients, partners, and subcontractors may also be collected from public sources such as social media or online services (e.g., LinkedIn), directories, or the websites of companies and organizations.

2.1 Providing services, handling assignments and managing client relationships

We collect and process personal data for the following purposes related to providing services and managing client relationships:

  • Receiving, managing, and handling inquiries and requests for offers or quotations
  • Providing services, managing/working on assignments, and related communication and collaboration
  • Financial administration such as invoicing, debt collection, taxation, and accounting
  • Customer service and handling feedback and complaints
  • Execution of data subject’s rights

The legal bases for processing personal data include our legitimate interests (e.g., ensuring smooth collaboration, managing assignments, and securing our business interests), the performance and preparation of contracts, and compliance with legal obligations (e.g., accounting).

We process the following categories of personal data:

  • Client’s or potential client’s contact person data, such as name, contact details (e.g., email address and phone number), employer details, job title, and information included on the client’s trade register extract.
  • Data related to the signatory of the contract or the person accepting the offer, such as name, if necessary, date of birth or personal identification number (e.g., for credit sales or debt collection from a private entrepreneur), position within the organization, and information included on the trade register extract.
  • Interaction and other correspondence related data, such as personal data provided by our clients relating to the assignment or during its course.

2.2 Sales, marketing, development and market research

We collect and process personal data for the following purposes related to marketing and development:

  • Sales and marketing of services to existing and potential clients
  • Sending and managing newsletters and other communications
  • Marketing, organizing, and managing events, webinars, and podcasts
  • Obtaining, utilizing, and publishing references or recommendations
  • Obtaining feedback and conducting surveys and market research, and related analysis
  • Analysis and development of products, services, and business operations
  • Anonymizing personal data

The legal basis for processing personal data is our legitimate interest in promoting our business, acquiring new clients, and developing existing client relationships through marketing and communication.

Individuals have the right to object to the processing of their data for marketing purposes by contacting us (privilo@privilo.fi).

We process the following categories of personal data:

  • Name and contact details such as name, email address, phone number, and social media account information.
  • Employment data such as employer’s name and contact details, as well as job title or position within the organization.
  • Client relationship data such as information related to assignments and communications.
  • Events and communications data such as registrations, preferences, areas of interest, newsletter subscriptions, or other interaction related details.
  • Consent information such as consents and withdrawals related to marketing, newsletters, references, and recommendations.
  • Feedback and market research data such as customer satisfaction survey responses, feedback, market/marketing research data, and complaints.

2.3 Websites, cookies and social media

Privilo Oy’s website (www.privilo.fi) uses only cookies necessary for the website to function, which do not require user consent.

We collect and process personal data on our social media platforms (e.g., LinkedIn, Instagram), if you follow, comment, share, or like our posts, or send us messages, for the following purposes:

  • Marketing and sales of our services
  • Managing and administering customer relationships, as well as communication
  • Developing our services and operations

The legal basis for processing personal data is our legitimate interests (including marketing, customer acquisition, increasing data protection awareness, and business development).

We process the following categories of personal data:

  • Social media contact details such as public account and profile information
  • Interaction data such as comments, likes, shares, follows, and messages

Personal data is not transferred away from the social media platforms unless we specifically notify otherwise. However, we may process data outside of social media platforms anonymously, so that it can no longer be linked to an individual. Social media providers apply their own terms and privacy policies to their services (including data retention periods), for which we are not responsible.

2.4 Legal obligations, fraud, legal claims and business transactions

We may also process personal data for:

  • Compliance with legal requirements (e.g., accounting and tax)
  • Execution of requests from competent authorities within the limits set by applicable law
  • Prevention, management, and investigation of misconduct, such as fraud
  • Information security management
  • Preparation, prosecution, or defense of legal claims
  • Insurance (e.g., filing for compensation related to damage)
  • Business transactions (e.g., mergers or business transfers)

The legal basis for processing personal data depends on the purpose of the processing, either compliance with a legal obligation or our legitimate interests (e.g., business continuity, managing misconduct and security threats).

We only process data that is necessary for the purpose in question, but depending on the purpose, the data processed may include information from any of the data categories mentioned in this statement.

2.5 Procurement of services from suppliers and cooperation with partners

We collect and process personal data related to procurement and cooperation with partners for the following purposes:

  • Selecting and assessing suppliers and partners, contacting, sending requests for offers or cooperation models, managing and handling those
  • Managing and administering procurement assignments or cooperation relationships
  • Handling of invoices and complaints/feedback, accounting, taxation, and financial management

The legal bases for processing personal data are our legitimate interests (e.g., ensuring smooth cooperation, and safeguarding our business), performance and preparation of contracts, and compliance with legal obligations (e.g., accounting).

We process the following categories of personal data:

  • Contact information of suppliers or partners (or potential ones) such as name, contact details (e.g., email address and phone number), employer information, job title, role related to cooperation
  • Data related to signatories of a contract or the person providing an offer, such as name and personal information included in the trade register extract
  • Interaction and other correspondence related data, such as personal data provided by our suppliers or partners concerning the services or cooperation they provide to us.

3. Do we share your personal data?

We share your personal data in the following circumstances:

  • to the cloud service provider: We use an international, reliable cloud service for processing personal data (e.g., storage and backup of information related to assignments), which may involve the transfer of personal data outside the EU/EEA. The cloud service provider processes personal data on our behalf in accordance with a separate data processing agreement and ensures that any transfers of data outside the EU/EEA are carried out in accordance with the EU General Data Protection Regulation (GDPR), for example, by relying on the EU-US Data Privacy Framework (transfers to the United States) or by using the EU Commission’s Standard Contractual Clauses.
  • to the financial management software provider: We use software and services provided by a supplier for financial management purposes (e.g., invoicing, accounting). The supplier processes personal data (e.g., information on invoices) on our behalf in accordance with a separate data processing agreement.
  • to the accounting firm and accountant: We use an accounting firm for financial management purposes (e.g., accounting, taxation), which processes personal data (e.g., information on invoices).

In addition, we may disclose personal data in the following situations:

  • to authorities if legislation obliges us to disclose information and only within the limits permitted by law.
  • in connection with a business reorganization or transaction (e.g., mergers or sales of business).
  • to have fraud and other misconduct investigated.
  • to a legal advisor and/or court, for example, to prepare, pursue, or respond to legal claims.
  • to an insurance company, for example, to claim insurance compensation.
  • upon a written request or demand from the client, supplier, or partner whose data is in question.

4. How long do we retain personal data?

We retain personal data for as long as necessary for the purposes for which the personal data is processed.

  • Personal data related to our client relationship is deleted when the statutory limitation period for claims and complaints related to a specific customer relationship or service has expired. This period is typically ten years.
  • Personal data related to supplier and partner relationships is deleted one year after the termination of the contractual relationship, unless there is a pending lawsuit or other claim.
  • Our marketing targets companies/organizations, and we retain the contact details of individuals as long as they are relevant to the marketing directed at the respective company/organization. We delete the information when it is no longer needed for marketing purposes or if the individual has objected to the processing of their data for marketing purposes.
  • Data processed for business and service development purposes is retained for a maximum of one year, after which the data may be processed in anonymous form without being able to be associated with an individual.

Notwithstanding the above, personal data may be retained for a longer period if required by law (e.g., accounting, taxation).

5. What are your rights and how can you exercise them?

You have the right to:

  • request clarification on whether we process your personal data and access the information concerning yourself.
  • receive information on how we process your personal data.
  • demand correction of incorrect or incomplete personal data.
  • object to the processing of data for direct and other marketing purposes.
  • withdraw your consent if the processing of personal data and/or our electronic direct marketing is based on your consent.
  • lodge a request with us to object to the processing of personal data when we process your personal data based on our legitimate interests.
  • in certain situations, demand that we restrict the processing of your personal data.
  • in certain situations (e.g., when the personal data is not necessary for the purposes for which it was collected or the processing is unlawful), request the erasure of personal data concerning yourself.
  • lodge a complaint about the processing of personal data with the competent supervisory authority (in Finland, please see: www.tietosuoja.fi) if you believe that the processing of your personal data is not lawful.

If you would like more information about your rights and how to exercise them, or if you wish to exercise your rights, please contact us (privilo@privilo.fi).

6. How can the privacy statement be updated?

We may change and update our privacy statement as our services and business evolve and change, if those changes impact the processing of personal data. In addition, changes in legislation may require changes to the statement. The changes will take effect when we have published the updated privacy statement on our website. We ask you to review the content of this privacy statement regularly.

This version 1.0 was published on May 2nd, 2024.