Privacy Notice

1. Data Controller

Applex Attorneys Ltd
Rautatienkatu 21 C, 33100 Tampere
Finland

tel. +358 10 2999 471
info(at)applex.fi

2. Purposes of processing personal data

Applex Attorneys Ltd (data controller) processes personal data in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (2016/679) and the Finnish Data Protection Act (1050/2018).

The purposes of processing are:

  • managing customer and other co-operation relationships and customer services
  • managing assignments related to legal services
  • fulfilling the rights and obligations of the customer or other stakeholder and the data controller
  • identifying customers and conducting conflict-of-interest research
  • processing of personal data concerning stakeholders (suppliers, job applicants, other co-operation partners)
  • processing of personal data of website visitors for the purpose of ensuring and developing the functionality of our website
  • processing of personal data for the purposes related to the data controller’s products and services including developing, providing, fulfilling, and marketing of products and services

Furthermore, personal data in our registers are processed in accordance with requirements of data protection legislation for Applex Attorneys Ltd’s communication to stakeholders, such as newsletters, electronic communication, electronic direct marketing and invitations. Applex Attorneys Ltd provides inter alia business law services, other legal services and dispute resolution services, and provides related education events and newsletters.

3. Legal basis for processing of personal data

The legal bases for processing personal data are the legal obligations of the data controller, contract, consent and the legitimate interests of the data controller. Processing is also based on guidelines and regulations issued by the Finnish Bar Association.

Legal obligations of the data controller are the legal basis for processing, for instance, when the data controller processes personal data for the purpose of identifying customers and performing conflict of interest research in connection with the assignments. A legal obligation to process personal data also arises from the applicable accounting and taxation legislation.

Personal data is also processed when the data controller carries out pre-contractual measures at the request of the data subject (such as handling inquiries, requests for offers, and orders made by the data subject) and for the performance of the contract between the data subject and the data controller (such as making an employment contract with a job applicant).

The legitimate interest of the data controller is the legal basis for processing of personal data when there is a material connection between a data subject and the data controller. Such material connection is formed, for example, when the data subject has on its own initiative contacted the data controller, or when the data controller, for example, processes the data subject’s personal data in connection with a business or co-operation matter between the data subject’s employer and the data controller. Also, personal data of job applicants are processed on the basis of legitimate interests of the data controller.

On the basis of its legitimate interest, the data controller may also save to its customer register personal data of potential customers and their contact persons and representatives who can, on reasonable grounds, be expected to be interested in acquiring products and services provided by the data controller.

The data controller’s electronic direct marketing may be sent to data subjects who have given their voluntary consent to electronic direct marketing. When the data subject is requested to give his or her consent, he or she will be simultaneously informed that withdrawal of consent is possible easily and at any time. In addition, in accordance with applicable data protection legislation, electronic direct marketing can also be sent to recipients for whom the data controller can reasonably consider that the products or services marketed have an essential connection with the customer’s or potential customer’s area of responsibility or work.

Withdrawal of consent may be done by giving a notice to the data controller or by clicking the cancelling option, which can be found in every marketing message (“Unsubscribe” link), whereupon personal data of the data subject will be removed from the data controller’s list concerning subscribers of electronic direct marketing.

4. Categories of personal data processed

The register includes personal data of the following persons:

  • Customers of the data controller and their representatives and contact persons
  • Representatives and contact persons of the data controller’s subcontractors and suppliers
  • Potential customers
  • Other stakeholders (job applicants, co-operation partners)
  • Persons related to assignments

Personal data of the data subjects that are relevant to the above-mentioned purposes of processing are processed, such as:

  • Name
  • E-mail address
  • Phone number
  • Company and title
  • Name and business ID of the company and contact person
  • Additional information provided by the data subject themselves (such as personal data disclosed in the CV and job application by applicants)
  • Personal data processed on a case-by-case basis in connection with assignment (such as emails, documents, other communication)
  • Information based on customer relationship, such as contact history, feedback and follow-up information
  • Information needed for identifying a person as provided for in the Finnish Act on Preventing Money Laundering and Terrorist Financing (444/2017) (such as name, date of birth, personal identification number, address, citizenship, information related to the document used for identity verification, and information to determine financial situation and political influence of a person)
  • The data controller may, based on the data subject’s explicit consent, collect and process information about the data subject’s food allergies during event registration. The information collected regarding food allergies may indicate the data subject’s health information or religious beliefs. The processing of food allergy information is necessary to provide safe and suitable food and drink to participants at events.

5. Regular information sources of the register

Personal data has been primarily obtained from the following information sources:

  • Directly from the data subject himself/herself for the purpose of managing customer relationship and assignments
  • Directly from the data subject himself/herself in connection with job application and recruitment process
  • Directly from the data subject himself/herself in connection with other co-operation partnership
  • Insurance companies, courts and authorities
  • Public/commonly available sources (such as internet or Trade Register)
  • The data subject’s employer or other representative of the data controller’s customer, business or co-operation contact or contract party
  • Companies’ information is checked from Suomen Asiakastieto Oy’s and similar registers in business contexts, hence reports may include data concerning companies’ representatives
  • In connection with attending events organized by the data controller or its co-operation partners
  • In connection with handling assignments, personal data may also be obtained from sources other than directly from the data subject, such as information about individuals related to the assignment provided by the client or witnesses.

6. Recipients of personal data

In principle, the data controller will not disclose personal data of the data subjects to third parties, except when authorities require it in accordance with legislation or mandatory laws stipulate this.

Despite the above, in connection with implementing its technical services, the data controller uses reliable service providers which process personal data on behalf of the data controller on the basis of a data protection agreement required by data protection legislation. The service providers will process the personal data for which the data controller is responsible in accordance with the data controller’s documented instructions.

The data controller may also disclose personal data to another data controller or a third party if agreed with the data subject on a case-by-case basis.

In addition and pursuant to requirements of the applicable data protection legislation, the data controller may disclose contact information of a data subject to the data controller’s co-operation partners, for example when the data controller organizes a customer or education event together with such co-operation partner. Such co-operation partner is responsible for processing of personal data for its own part.

Personal data may be transferred outside the European Union or the European Economic Area in accordance with data protection legislation, if the information systems and software services used for processing technically require it. For example, the data controller uses Hubspot for sales and marketing activities, which involves transferring personal data outside the European Union or the European Economic Area (such as the United States). The data controller ensures an adequate level of data protection in accordance with the requirements of applicable data protection legislation, also in situations where personal data are transferred outside the European Union or the European Economic Area, by following the adequacy decisions issued by the European Commission, under the Data Privacy Framework for transfers to the United States, or if necessary, using the standard contractual clauses approved by the European Commission for personal data transfers, together with the necessary supplementary safeguards.

7. Retaining personal data

The data controller will process and retain personal data only as long as it is required by legal obligations or it is necessary for the purposes of processing determined in advance. Personal data which has become redundant, i.e. personal data which the data controller no longer has a legal basis or legal obligation to retain or process, will be deleted on a regular basis in accordance with the data controller’s own data protection policy.

In accordance with the guidelines issued by the Finnish Bar Association, information related to assignments is retained for at least ten years after the completion of the assignment.

The Act on Preventing Money Laundering and Terrorist Financing (444/2017) requires that all documents and information related to customer due diligence and customer transactions be retained in a reliable manner for a period of five years after the end of the permanent customer relationship or the conclusion of an occasional transaction.

Personal data, which are part of the accounting records, are retained for six years from the end of the year during which the fiscal year has ended, in accordance with the Finnish Accounting Act (1336/1997).

Personal data may be retained for longer periods if and when it is necessary for the preparation, response, and defense of legal claims.

8. Rights of the data subject

The data subject has the following rights, applicable on a case-by-case basis.

Right to withdraw consent

On the basis of Article 7 of the EU General Data Protection Regulation (679/2016, “GDPR”), the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Right of access by the data subject to his or her data

On the basis of Article 15 of the GDPR, the data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and certain information concerning data processing stipulated in the Article.

Right to rectification

On the basis of Article 16 of the GDPR, the data subject has the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure

On the basis of Article 17 of the GDPR, the data subject has the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay, and the data controller will have the obligation to erase personal data without undue delay, provided that requirements stipulated in the Article are fulfilled.

Right to restriction of processing

On the basis of Article 18 of the GDPR, the data subject has the right to obtain from the data controller restriction of processing, provided that requirements stipulated in the Article are fulfilled.

Right to data portability

On the basis of Article 20 of the GDPR, the data subject has the right to receive data concerning him or her, which he or she has provided to the data controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, in cases where processing is based on consent or contract and the processing is carried out by automated means.

When exercising the above described right to data portability, the data subject has the right to have personal data transmitted directly from one data controller to another, where technically feasible.

Right to object

On the basis of Article 21 of the GDPR, the data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her that has its legal ground in the legitimate interest of the data controller, including profiling. The data controller will no longer process personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

Right to lodge a complaint with a supervisory authority

If the data subject considers that the data controller is infringing applicable legislation concerning personal data processing and data protection, the data subject has the right to lodge a complaint with a supervisory authority. The supervisory authority in Finland is the Data Protection Ombudsman, www.tietosuoja.fi.

Responsibilities of the data controller arising from the rights of the data subject

The data controller will inform the data subject about all measures that have been taken on the basis of a request made pursuant to Articles 15-22, without undue delay and in any case within one month of receiving such a request. The time limit may be extended by at most two months where needed, taking into consideration the quantity and complexity of the requests made. The data controller will inform the data subject about any such extension within one month of receiving the request, as well as about the reasons for the delay. If the data subject has presented his or her request electronically, the information must be provided electronically when possible, unless the data subject requests otherwise.

If the data controller does not carry out the measures based on the data subject’s request, the data controller must immediately, and at the latest within one month of receiving the request, notify the data subject about the reasons for this, as well as about the possibility to lodge a complaint with a supervisory authority and to use other legal remedies.

Exercising rights

You may exercise your above-stated rights by contacting the data controller by sending an e-mail to the e-mail address info(at)applex.fi. We aspire to provide a reply as soon as possible and, where needed, provide you with additional instructions or ask additional questions based on your request.

Please note that prior to fulfilling a request we have a right as well as an obligation to verify your identity, due to which we must be able to recognize you in an adequate manner.

Legislation applicable to our activities and rules of the Finnish Bar Association may prevent us from executing your request.

If your request is manifestly unfounded or excessive, we may charge a reasonable fee for administrative costs to carry out your request or refuse to act on the request.

9. Processing of personal data and profiling

The data controller does not use automated decision-making, such as automated profiling, as part of processing personal data.

10. Cookies

Cookies are used on the data controller’s website to enhance the user experience. Some cookies are essential for the website to function. According to legislation, the data controller may store cookies on the data subject’s device if it is necessary for the operation of the website. The use of all other cookies requires the consent of the data subject.

The data subject can make choices on the website regarding the purposes for which cookies are collected. In accordance with the data subject’s choices, the data controller may use cookies for customizing the website, analyzing visitor numbers, marketing purposes, and supporting social media features. Some cookies are set by third parties.

11. General description of appropriate technical and organizational security measures of the data controller

The data controller complies with the data security guidelines published by the Finnish Bar Association.

The data controller has implemented, among others, the following technical and organizational security measures:

  • Training on data security, data protection, and the processing of personal data is provided to the data controller’s employees.
  • The data controller has a data security policy approved by senior management.
  • The data controller has given its employees binding written instructions and orders concerning the processing of personal data and data protection, which the employees are committed to following.
  • External data security audits, the results of which are documented, are organized at regular intervals.
  • The physical premises in use are locked and otherwise protected. All materials covered by attorney-client privilege are secured.
  • Software and services used in legal practice are intended for business use.
  • Devices are under device management, and an access management solution is in use.
  • Information on devices and tools is encrypted.
  • Devices that are no longer supported with updates are decommissioned and replaced with new ones.
  • Wireless networks are protected.
  • Used passwords are sufficiently long and complex, changed as needed, and care is taken to prevent others from accessing them.
  • The granting of user IDs is restricted according to the job description. Access to documents is limited to those individuals who need or may need access to confidential information or files for their work tasks.
  • Agreements required by applicable data protection legislation regarding the processing of personal data and data security requirements have been made with external service providers. Access rights of service providers’ personnel to personal data are limited to an appropriate level.
  • Security software and firewalls are in order. Updates are installed without delay.
  • Backups are made regularly. Devices and media containing backups are encrypted and carefully stored.
  • The security of the electronic communication channels used corresponds to the level required by the communicated information. Encryption of messages and material is used when necessary, especially if the content is particularly sensitive or the client requires encrypted communication. If necessary, clients are advised to submit material using a protected method.
  • Documents and other materials are stored, preserved, archived, and destroyed in a data-secure manner.
  • All devices containing information are decommissioned and emptied in a data-secure manner. This also applies to storage and network services in use.

The data controller will revise its technical and organizational security measures, processing operations, information systems and equipment on a regular basis and, amongst other things, assess risks related to processing of personal data, for example when introducing new technology.

12. Changes to this Privacy Notice

This Privacy Notice was last updated on 10 April 2024.

The data controller may change this Privacy Notice.

If you have any questions regarding the processing of your personal data by the data controller, please contact us by email at info(at)applex.fi or by phone: +358 10 2999 471.