NORDIC LAW OY’S PRIVACY NOTICE

(updated on 27.4.2019)

This Privacy Notice describes Nordic Law’s practices when it processes personal data of its external data subjects. Thus, with this this Privacy Notice we provide you with the information Articles 13 and 14 of the GDPR require of us. We provide our personnel similar notices separately.

We have a unilateral right to modify this Privacy Notice. The modifications take effect immediately when we post the up to date version of our Privacy Notice to our website. 

Controller:

Nordic Law Oy
0947087-7
Erottajankatu 5 A 6, 00130 Helsinki

 

Contact person:

Max Atallah
Senior Associate Lawyer, CIPP/E
+358 40 527 46 76
max.atallah@nordiclaw.fi

Purpose for processing
Legal basis for processing
Data subjects and personal data processed
(a)    Client relationships Contract  to perform the contracts to which we are a party Clients: (i) contact details, (ii) data related to our relationship, (iii) other data disclosed to us
(b)    Business partner relationships Contract  to perform the contracts to which we are a party Business partners and potential business partners: (i) contact details, (ii) data related to our relationship, (iii) other data disclosed to us
(c)    Direct marketing Our legitimate interest  to manage and develop our client relationships and further develop our business operations
NB! You have a right to opt-out of direct marketing each time we provide marketing to you.
Clients and potential corporate clients: (i) contact details, (ii) data related to our relationship, (iii) other data disclosed to us
(d)    Recruiting Our legitimate interest  to manage our jobseekers and possibly employ them NB! You have a right forbid us from processing your personal data. Jobseekers: (i) contact details, (ii) data related to our relationship, (iii) other data disclosed to us, (iv) videos and pictures, (v) CV data
(e)    Managing of contacts and social media Our legitimate interest  to manage contacts made to us NB! You have a right forbid us from processing your personal data. Contacts: (i) contact details, (ii) data related to our relationship, (iii) other data disclosed to us
(f)    Managing our newsletter Our legitimate interest  to manage newsletter subscriptions
NB! You have a right forbid us from processing your personal data.
Subscribers: (i) contact details
(g)    Compliance with legal obligations  Legal obligations  to comply with several legal obligations, e.g. KYC and AML/CTF Clients and potential clients, business partners and potential business partners: (i) data related to our legal obligations
(h)    Cookies and other such technologies Consent  Consent based on Act on Electronic Communications Services (917/2014) Visitors of our websites: (i) IP addresses
Purpose for processing
Sources of information
See purposes (a), (c) and (g) above (i) Data subjects themselves, (ii) Business partners, (iii) Courts and other authorities, (iv) Public sources, such as the internet, postal services, Trade Register and population register
See purpose (b) above (i) Data subjects themselves, (ii) Business partners, (iii) Public sources, such as the internet, postal services, Trade Register and population register
See purpose (d), (e) and (f) above (i) Data subjects themselves
See purpose (h) above (i) Cookies and other such technologies

We may transfer your personal data to third parties (e.g. to data storage service providers), as it is a part of normal business operations. When personal data is transferred to third parties, we ensure that we conclude adequate personal data processing agreements and safeguards in relation to the data transfers.

Your personal data may be transferred to our business partners, data storage service providers and communications services providers, accounting and auditing services providers and relevant authorities.

We may transfer personal data outside the EU and the EEA. When doing so, we ensure adequate safeguards for the data transfer, such as the Commission’s standard contractual clauses and adequacy decisions as well as other similar arrangements.

Purpose for processing
Retention period
See purpose (a) aboveNecessary data shall be retained for as long as it necessary for us to handle our client relationships.
See purpose (b) aboveNecessary data shall be retained for as long as it necessary for us to handle our business partner relationships.
See purpose (c) aboveNecessary data shall be retained until you opt out of direct marketing or we have an impression that you no longer want to receive our direct marketing.
See purpose (d) aboveNecessary data shall be retained for a period of twelve (12) months once we receive the relevant job application.
See purpose (e) aboveNecessary data shall be retained for a period three (3) years following the last time you were in contact with us. And for social media contacts the data shall be retained for as long as you delete your personal data from our social media pages
See purpose (f) aboveNecessary data shall be retained for as long as the data subject wants to receive our newsletter.
See purpose (g) aboveNecessary data shall be retained for as long as we have a legal obligation to hold on to that data.
See purpose (h) aboveData retention period depends on each cookie and other technologies.

We inspect the necessity of the personal data stored regularly and keep records of the inspections.

The data subject has a right to use all of the below mentioned rights. The contacts concerning the rights shall be submitted to the contact details stated in Section 2. The rights of the data subject can be put into action only when the data subject has been satisfactorily identified.
Right
Description
Right to inspect The data subject has the right to inspect what, if any, data the controller has stored of her/him.
Right to rectify and erasure The data subject has a right to request the controller to rectify or erase the personal data concerning the data subject on the grounds provided by law.
Right to restriction of processing The data subject can request the controller to restrict the processing of the personal data concerning the data subject on the grounds provided by law.
Right to data portability The data subject shall have the right to receive the personal data concerning her/him, which he/she has provided to the controller, in a structured, commonly used and machine-readable format where the processing is based on consent or a contract.
Right to object Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning her/him for such marketing. Where personal data are processed on the basis of the legitimate interests of the controller, the data subject shall have the right to object the processing of personal data concerning her/him for such purposes in accordance with the law.
Automated individual decision-making, including profiling The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Right to withdraw consent Where the legal basis for the processing of personal data is the consent of the data subject, the data subject shall have the right to withdraw her/his consent.
Data subject shall also have the right to lodge a complaint with a competent supervisory authority, if the data subject considers that the processing of personal data relating to her/him infringes data protection laws.

We use e.g. the following data security measures: (i) personal data access is limited; (ii) we protect data with anti-malware, antivirus and other such software; (iii) each category of data has been assigned with a responsible party; (iv) we use up-to-date and reliable systems and services to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (v) we use up-to-date and reliable systems and services to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (vi) we regularly assess and evaluate our personal data processing activities.