MBOpartners

Privacy statement

This is MBO Partners Oy’s data protection statement in accordance with the EU General Data Protection Regulation (GDPR), which describes how MBO Partners Oy collects and processes the personal data of its customers and potential customers or their contact persons, as well as user data collected by the www.mbopartners.fi website.

Updated: 12/09/2023

Data controller and contact information

MBO Partners Oy (“Controller”)

Business ID: 3168165-4

Salomonkatu 17 A, 00100, Helsinki

[email protected]

Purpose and legal basis of personal data processing

The purpose of personal data processing is:

  • Managing customer relations and assignments;
  • Sales, marketing and business development;
  • Maintenance of the Controller’s website and development of the website’s service offering;
  • Customer identification (KYC) and data security.


According to the EU General Data Protection Regulation, the legal basis for processing personal data is:

  • In terms of handling customer relations and assignments, sales, marketing and business development, the legitimate interest of the Controller (conducting and promoting business).
  • In the case of private customers, the legal basis for handling the customer relationship and assignment is the contract between the customer and the Controller.
  • With regard to essential cookies used on the Controller’s website, the Controller’s legitimate interest (forwarding a message on a communication network). For other cookies used on the website, the legal basis for processing personal data is the data subject’s consent.
  • With regard to customer identification (KYC), a statutory obligation (Act on Prevention of Money Laundering and Terrorist Financing (444/2017)).


Personal data is not used for automated decision-making or profiling.

Processed personal data groups

MBO Partners Oy processes the personal data listed below:

  • Information collected by cookies used on the website, such as IP address and other information collected by cookies.
  • Information provided by the (potential) customer or its contact person, such as name, address, telephone number, e-mail address, company ID of the represented organization and other contact information that is needed, for example, for customer communication, customer identification and handling the order.
  • Information related to the customer and the contractual relationship, such as information on completed assignments and assignment agreements.


Providing personal information for customer identification is based on a legal obligation. In other respects, providing personal data is not a statutory or contractual requirement. Providing certain information is, however, a prerequisite for entering into a contract between the Controller and the customer and providing services.

Personal data retention periods

The Controller keeps personal data only for as long as, and to the extent that, it is necessary and the Controller uses it for the purposes described above.

In principle, personal data is stored for the duration of the customer relationship. However:

  • Personal data processed for customer identification (KYC) is stored in accordance with the Law on the Prevention of Money Laundering and the Financing of Terrorism for five (5) years from the end of the regular customer relationship.
  • To fulfill the Controller’s obligations under the Accounting Act (1336/1997), the personal data contained in the accounting material is stored for ten (10) years from the end of the accounting period to which the accounting material applies.
  • Information collected by cookies is stored as indicated in the cookie banner.

Regular sources of information

The personal data to be processed is obtained from the data subject, e.g. from messages sent via web forms, by e-mail, by telephone, via social media services, contracts, customer meetings and other situations where the data subject discloses personal data.

Contact information for companies and other organizations can also be collected from public sources, such as websites, directory services and other companies.

In addition, information is collected through the cookies used by MBO Partners Oy’s website.

Regular transfers of data and transfer of data outside the EU or EEA

As a general rule, personal data is not disclosed to other parties. However, the Controller may hand over personal data to the external service providers it uses, i.e. personal data processors, who process personal data on behalf of the Controller in accordance with the instructions given by the Controller. Such personal data processors are, for example, providers of technical services used by the Controller and service providers of cookies used on the Controller’s website. The Controller requires that personal data processors comply with data protection legislation and apply appropriate measures to protect personal data. Personal data processors do not have the right to use the personal data provided by the Controller for their own purposes.

As a general rule, the Controller does not transfer personal data outside the European Union or the European Economic Area. Some personal data processors used by the Controller are located outside the EU or EEA. In this case, the Controller ensures the level of protection of your personal data, for example by requiring the personal data processor to accept the standard clauses approved by the European Commission as part of the contract between the Controller and the personal data processor.

Rights of the data subject

The data subject can exercise the rights described in this section by contacting the Controller either by mail or e-mail. The Controller informs the data subject of the measures taken on the basis of the request within one month of receiving the request. The data subject will also be notified if, for some reason, the Controller will not implement the data subject’s request.

Exercising these rights is, as a rule, free of charge. Before the data subject’s rights can be exercised, the Controller may have to request additional information from the data subject in order to identify the data subject sufficiently.

The right to access personal data

The data subject can ask the Controller for information on whether personal data concerning him or her is being processed. The data subject can ask the Controller for information about the personal data collected about him or her and for access to it.

The right to correct and delete data

The data subject can ask the Controller to correct or supplement the data subject’s personal data if it is inaccurate, incorrect or incomplete. The data subject can ask the Controller to delete the data subject’s personal data, for example, if the personal data is no longer necessary for the processing purposes for which it was collected. However, the Controller cannot delete personal data if the Controller has a statutory obligation to store it or there is another legal basis for its storage.

The right to restrict processing

The data subject can request the restriction of the processing of his or her personal data in certain situations defined in data protection legislation, such as when the data subject has contested the accuracy of his or her personal data, in which case the processing is restricted for the period during which the Controller verifies the accuracy. Restricting the processing of personal data means that personal data can only be processed on very limited grounds defined in data protection legislation.

The right to object

The data subject can object to the processing of his or her personal data if the processing is based on the legitimate interest of the Controller. In this case, the Controller may no longer process the personal data in question, unless the Controller can demonstrate that there is a significantly important and justified reason for the processing that overrides the data subject’s rights.

The right to withdraw consent

If the processing of personal data is based on consent, the data subject can withdraw the consent they have given at any time.

The right to transfer data from one system to another

Under certain conditions defined in the data protection legislation, the data subject can request the Controller to provide the data subject with the personal data that the data subject has provided to the Controller, and to transfer it to another controller.

The right to file a complaint with the supervisory authority

The data subject can file a complaint with the national supervisory authority if, in the data subject’s opinion, the Controller does not process personal data appropriately or implement the data subject’s rights in an adequate manner. A notification to the Finnish national data protection authority can be made at www.tietosuoja.fi/ilmoitus-tietosuojavalututetulle.

Other terms and conditions

The Controller’s website may contain links or embedded content from other websites. The Controller is not responsible for the content or security of other websites.

Changing the privacy statement

The Controller reserves the right to update the data protection statement if the processing of personal data by the Controller and/or the applicable legislation changes.

We recommend that you familiarize yourself with the content of the privacy statement regularly. Data subjects will be notified of significant changes to the processing of personal data by e-mail.