Privacy Notice
At Stewicon we value and respect the privacy and the security of your personal data. This notice (“Privacy Notice”) describes how we collect and process your personal data, how we share the data we collect, and what your rights are regarding processing. All personal data is processed in accordance with the General Data Protection Regulation (EU 2016/679, “GDPR”) and other applicable Finnish data protection laws.
This Privacy Notice applies to personal data that we collect about our clients, webpage visitors or other persons that contact us, as well as external third parties.
What personal data do we collect?
We may collect and process the following personal data relating to you:
- Basic data (name, date of birth, contact details, organization and title, personal identification number, email address)
- Know Your Customer data and information required for checking potential conflicts of interest (e.g. ID or passport information, political exposure and beneficial ownership)
- Data relating to correspondence with Stewicon (visits to Stewicon’s premises, event participation and related data, appointment bookings, responses to client surveys, feedback, and marketing prohibitions)
- Invoicing and billing information
- Information relevant for the handling of our client assignments (personal data relating to the client, the client’s family members or other beneficiaries, employees, business partners and/or counterparties, and special categories of data to the extent necessary for the handling of an assignment)
Please note that when we provide legal services, we generally need to process personal data relating to you. Any failure by you to provide personal data may result in us not being able to carry out our services.
How do we collect the data?
The personal data we process is primarily collected from you directly, through emails, via our website and other communication and documentation you provide to us. We may also collect and process personal data from counterparties or their counsels, government agencies, credit information service providers and publicly available sources such as websites and official registers.
Why do we process the data?
We will process personal data to be able to provide services to our clients. In that context, we process personal data to identify our clients, complete anti-money laundering procedures and conflict checks. We also process personal data to manage and administer our client assignment and business relationships, internal reporting, processing of payments, billing, collection, accounting, auditing and relevant services, business development, recruiting, marketing and sales. Furthermore, we process personal data if necessary for defending or enforcing our rights such as responding to legal claims. If you consent to our analytics cookies, we also process analytics data to help us run our website more efficiently.
Your personal data will not be subject to automated decision making.
Legal grounds for processing personal data
We process personal data on the following legal grounds:
- Legal services: When providing legal services, personal data is used based on legitimate interest for corporate clients and agreement execution for private individuals.
- Statutory duties: Data is used to fulfil anti-money laundering and client identification requirements.
- Third parties: Data from external parties (e.g., suppliers) is processed based on legitimate interest to execute agreements.
- Communication and marketing: Personal data may be processed to correspond with you via email and other communication channels. We may also process your personal data for the purpose of marketing our services to you e.g. by sending newsletters and event invites.
- Consent: Your consent, which you can withdraw at any time. If the consent is withdrawn, we may not be able to continue our business relationship or continue providing services to you. Kindly note that the withdrawal of consent will not affect the lawfulness of processing before the withdrawal.
How do we protect your data?
Our business relies on confidentiality, and we have implemented and maintain appropriate technical and organizational security measures to protect your personal data to ensure data security and compliance with normal industry standards. We restrict access to your data to such personnel who have a need to access it for the purpose for which it was collected.
Will we disclose and transfer your personal data?
Our main rule is to not disclose your personal data to any third parties unless we are permitted or required to do so either by law or if an obligation is placed on us by the authorities, if we are involved in a merger or acquisition, in order to assert or defend against legal claims, or for the handling of our client’s assignment, which may involve disclosure of personal data to counsels, advisors and other third parties involved in the assignment, including parties based outside the EEA. We may also disclose your personal data to third parties, if there is a legitimate interest for the disclosure of your personal data (e.g. a joint event with a third party).
We have also entered into agreements with certain service providers who may process your personal data on our behalf as part of their service. We have entered into the appropriate agreements with these service providers to ensure the appropriate processing of personal data.
Transfers of personal data
We primarily process your personal data within the EU/EEA. In some cases the parties who we use to process personal data on our behalf are based outside the EEA. Whenever we, or our third-party service providers, transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring that your personal data is only transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission or the transfer takes place under standard contractual clauses approved by the European Commission. Where applicable, appropriate risk assessments will be carried out by us.
For how long do we retain your personal data?
We retain your personal data only for as long as necessary for our operations and as required by the law. The data retention period can vary by data category and Stewicon may have a statutory obligation to retain certain data for a specific period. Due to this, the exact periods and procedures for data destruction vary by data category.
Cookies and analytics
We use cookies and similar technologies, which are small files or pieces of text that download to a device when a visitor accesses our website. As our website is powered by an external cooperation partner (E Nyman Design), you can find more information about viewing the cookies dropped on your device here.
Your rights as a data subject
The applicable data protection legislation provides you with the following rights regarding the processing of your personal data:
Right to access: You have the right to review data that we hold about you. Please note that we may deny such access on grounds provided by law.
Right to lodge a complaint: You have the right to submit a complaint regarding the violation of your rights under the applicable data protection laws to the Finnish supervisory authority i.e. the Office of the Data Protection Ombudsman (tietosuoja@om.fi).
Right to rectification and erasure: You may ask us to correct or remove personal data relating to you that you think is inaccurate. You may also request that your personal data is erased if e.g. the personal data is no longer necessary for the purposes for which it was collected, the processing is unlawful, or the personal data must be erased to enable us to comply with a legal requirement.
Right to restrict processing: You have the right to request the processing of your personal data to be restricted, for example, during the period we verify the accuracy of your personal data and where you have contested the accuracy of your personal data or when we no longer need your personal data but they are required by you for the establishment, exercise or defence of legal claims.
Right to object: You are entitled to object to certain processing of personal data, including for example processing of your personal data for marketing purposes or when we otherwise base our processing of your personal data on our legitimate interest.
Right to data portability: To the extent that you have provided data to us that is processed based on your consent or a contract, and the processing is carried out by automated means, you are entitled to obtain such data primarily in a machine readable format and are entitled to transfer such data to another data controller, where technically feasible.
Right to withdraw consent: In cases where we are processing your personal data based on your consent, you have the right to withdraw your consent to such processing at any time.
Controller and Contact Person
Stewicon Ltd (Business ID: 3018378-4) operates as the controller of the personal data described in this Privacy Notice.
If you have any questions or comments concerning the processing of your personal data, or if you would like to exercise any of your rights as a data subject, please contact:
Stefan Wikman
Hovrättsesplanaden 11 A 21
65100 Vasa
+358 40 769 8223
Updates to this Privacy Notice
We may occasionally make changes to this Privacy Notice. All such changes will be posted on this page.