Last updated: 29 April 2022

PRIVACY NOTICE

Your privacy and keeping you informed on processing your personal data is important to us. This Privacy Notice provides you information on how we collect and process personal data of our clients, potential future clients and our business contacts.

Data controller: Berggren Oy
Address: Eteläinen Rautatiekatu 10 A, PL 16, 00100 Helsinki
Phone: +358 10 227 2000
Email: tietosuoja@berggren.fi


1. Data controller and processors

Berggren Oy is the data controller for the data collected and processed as described in this privacy notice.

Berggren Oy uses the following processors, subject to appropriate safeguards in agreement with said processors, in processing the personal data collected hereunder:

  • Server infrastructure provider (currently Equinix)
  • Email, office application provider (currently Microsoft)
  • CRM provider (currently Hubspot Inc)
  • Foreign attorneys for the purpose of carrying out assignments outside Finland (various)
  • Financial application provider (currently Visma)
  • Document management system provider (currently M-Files)
  • HR software provider (currently Sympa Oy)
  • Recruitment software provider (currently Talentadore Oy)
  • For offering and maintaining a whistleblowing channel 
    • Keskuskauppakamari (service provider)
    • Haltu Oy (maintenance, subprocessor for Keskuskauppakamari)
    • Silverskin Information Security Oy (security partner, subprocessor for Keskuskauppakamari)
    • Upcloud Oy (platform provider, subprocessor for Keskuskauppakamari)

Personal data is only transferred outside the EU/EEC to countries without an adequate level of data protection subject to standard contractual clauses (SCC) or other appropriate safeguards as foreseen under Article 46 of the General Data Protection Regulation (”GDPR”). Data subjects have the right to request a copy from Berggren Oy of the annexes to the aforementioned standard contractual clauses.

2. Categories of personal data and legal basis for processing

Category of personal data and primary data sources

Purpose of use

Legal basis for processing

Removal of personal data

Client contact person information, such as name, email, address, phone number(s), employer, title or position as provided by you as registered person or the company represented by you

Providing services for the client, managing client relationship, providing information to client relating to client relationship

Processing is necessary for performance of contract between Berggren and client (GDPR Article 6(1)(b))

Upon ending of client relationship unless a legal obligation or the need to defend Berggren’s interests requires that the personal data is stored for a longer period

Carrying out conflict checks, anti-fraud/money laundering checks or other obligatory clearances required under applicable ethical standards or legislation

Processing is necessary for the purposes of the legitimate interests pursued by the controller, (GDPR Article 6(1)(f))

Potential new client contact person information, such as name, email, address, phone number(s), employer, title or position as provided by you or as available public sources such as company website

Marketing and sales efforts with regards to potential new clients, i.e. soliciting a business relationship with the client

Processing is necessary for the purposes of the legitimate interests pursued by the controller, (GDPR Article 6(1)(f))

At the latest one year after the data has been collected, if the new potential client does not become a new client

Participants (contact information) of our webinars and events as provided in the webinar or event registration

Marketing and sales efforts with regards to potential new clients, i.e. soliciting a business relationship with the client

Processing is necessary for the purposes of the legitimate interests pursued by the controller, (GDPR Article 6(1)(f))

At the latest one year after the data has been collected, if the new potential client does not become a new client

IP address of persons visiting the website in accordance with the cookie policy

Preventing malicious misuse of website

Processing is necessary for the purposes of the legitimate interests pursued by the controller, (GDPR Article 6(1)(f))

At the latest one year after visit to website unless a legal obligation or the need to defend Berggren’s interests requires that the personal data is stored for a longer period

Information concerning inventors and creators of designs, e.g. name, address

Prosecuting and managing patent and design applications and patents and designs

Processing is necessary for performance of contract between Berggren and inventor/inventor’s employer (GDPR Article 6(1)(b))

Upon ending of client relationship unless a legal obligation or the need to defend Berggren’s interests requires that the personal data is stored for a longer period

Information for recruitment purposes of potential employees: name, contact information, individual identifying number in HR system

Launching and handling the recruitment process for the applicant

Processing is necessary for performance of contract between potential employee and Berggren Oy (GDPR Article 6(1)(b))

All this personal data will be removed within 12 months of the applicant submitting the application to Berggren Oy

Information for recruitment purposes of potential employees: any personal information submitted by applicant in open fields of recruitment form and in annexes provided by the applicant

Launching and handling the recruitment process for the applicant

Processing is necessary for performance of contract between potential employee and Berggren Oy (GDPR Article 6(1)(b))

All this personal data will be removed within 12 months of the applicant submitting the application to Berggren Oy

Information for the purposes of maintaining a mandatory whistleblowing channel including name and position of the person handling a notification and, if provided by a person filing a notification, name of  the person filing and contact details (not mandatory).

Maintaining mandatory whistleblowing channel and processing notifications.

Processing is necessary for fulfilling a legal obligation of Berggren Oy (GDPR Article 6(1)(c)) 

The data shall be removed once legal obligations of Berggren Oy have been fulfilled and if no need to store the data exists



3. Data security

Berggren Oy protects the personal data described in this privacy notice with appropriate technical and organisational measures, and obligates its processors to do the same. The company maintains a high level of data security to protect the confidentiality of the personal data (and other client data) collected and processed in its operations, including safeguards against data breaches, unlawful processing of personal data, accidental or unlawful alteration, destruction, or disclosure of said data. The measures undertaken by the company, such as encryption of data and limiting access to personal data have been implemented based on a risk analysis regarding the likelihood of and potential impact of data breaches, the sensitivity of the personal data processed hereunder, the way that the personal data is stored/kept, and advancements in data security technology. Processing of your personal data is limited to personnel who needs to access data for the purposes above while we provide our services. We provide training to our personnel regarding privacy, data protection and security.


4. Rights of data subjects

Under the GDPR, data subjects have the following rights (as more closely provided under Article 15-21 of the GDPR:

  1. Right of access: data subjects have the right to request whether their personal data is being processed, as well as access to said personal data
  2. Right to rectify: data subjects have the right to request the data controller to rectify any errors or omissions in their personal data
  3. Right of removal: data subjects have the right to request the data controller to remove any of their personal data that is no longer needed for the purpose for which it was collected or processed, regarding which the data subject objects to processing and there is no legitimate basis for the processing, which is being processed unlawfully or must be removed to satisfy a legal obligation
  4. Right to restrict processing: the data subject has the right to restrict the processing of his or her personal data in the event the accuracy or veracity of the personal data is disputed, if the personal data is being unlawfully processed, if the data controller no longer needs the personal data but the data subject legitimately objects to the removal of the personal data, or if the data subject objects to the processing but it has not yet been determined whether there is a legitimate basis for said processing
  5. Right to object: the data subject has the right to object to the processing of his or her personal data to the extent said personal data is being processed subject to Article 6(1)(f) of the GDPR, in which case the data controller must in order to continue processing show that there is a legitimate basis for the processing of said personal data
  6. Right to data portability: data subjects have the right to receive a copy of the personal data relating to them and to have said personal data transferred to another data controller in so far the legal basis for the processing of said personal data is Article 6(1)(b) of the GDPR
  7. Right to notify data protection authority: data subjects have the right to complain about the processing of their personal data to the appropriate data protection authority, which with regards to Finland is the Data Protection Ombudsman (https://tietosuoja.fi/en/office-of-the-data-protection-ombudsman)

 

5. Contact details

The person responsible for data protection at Berggren Oy is LLM Suvi Julin (suvi.julin@berggren.fi).

In general, the contact information for data protection at Berggren Oy is tietosuoja@berggren.fi. Data subjects can contact this adddress if they wish to exercise their rights as data subjects or require more information about the personal data practices and policies of Berggren Oy.

 

6. Amendments to this privacy notice

Berggren Oy updates its privacy practices and policies from time to time. Berggren Oy may amend this privacy notice by posting a new, updated version of the notice on its website. In the event substantial changes are made, Berggren Oy endeavours to notify data subjects either with a notice on its website or by sending a separate notification via, e.g., email.