Privacy statement

Updated 16.9.2024

We only process your personal data within the framework of the General Data Protection Regulation and other applicable legislation and respect your right to privacy.

The purpose of this privacy policy is to tell you what personal data Susiluoto Oy (“Susiluoto” or “We”) processes and for what purpose and in what way it is processed, as well as to tell you about your rights regarding the personal data we process about you.

This privacy policy applies to you if you are in a client or assignment relationship with us.

Who is the data controller?

Susiluoto Attorneys Ltd (2033897-3)
Uudenmaankatu 16 A, 00120 Helsinki

Contact person for data protection matters
Mari Lampenius
09-6869110, info@susiluoto.com

Whose personal data do we process?

This Privacy Notice applies to you if you are our client or a representative, board member, owner or employee of our corporate customer (“Client”),

How is your personal data processed?

What information we may collect about you?

Name of the Client and/or name, date of birth, contact information, personal identity code of the representative and other information necessary to identify the customer.
Information related to the Know-your-client procedure as required by anti-money laundering legislation, such as a copy of an identity document
Quality of the assignment
Personal data of the customer’s counterparties or other parties or people related to the case.
Payment and invoicing information, including insurance information
Other personal data received in connection with the performance of the assignment concerning, for example; the client’s marital status, family relationships, job, assets and debts.

Depending on the assignment, we may also process personal data belonging to special categories of personal data, such as data on health and trade union membership. In addition, we may process your personal data related to criminal convictions and misdemeanours and related precautionary measures.

We will only process this information about you only:

where necessary for the establishment, exercise or defence of a legal claim;
if the customer has given their explicit consent to the processing of this data
The processing concerns personal data that the customer has expressly made public
the processing is necessary to protect the vital interests of the data subject or of another person in a situation where the data subject is physically or legally prevented from giving his or her consent;
other legal obligation.

How do we collect your information?

As a rule, your personal data is collected from you.

We may also collect your information from credit information registers, associations or trade registers or other public registers, other public sources or authorities, or we may receive it from other parties involved in the assignment.

Why do we process your data and what is the legal basis for the processing?

We process your personal data in order to initiate and manage the assignment (e.g. conflict of interest checks, KYC process under the Anti-Money Laundering Act, e-mail and other correspondence with the Client and the counterparty or authority, invoicing) and to fulfil our legal obligations as a limited liability company engaged in licensed legal activities.

We may also process your personal data to develop and maintain our own business and customer relationships, for example by contacting you via a newsletter.

The processing of personal data required for the performance of assignments is primarily based on compliance with the legal obligations of attorneys (Advocates Act, Code of Conduct for Attorneys-at-Law, Anti-Money Laundering Act).

When we process the personal data of our private clients, our processing is also based on the performance of an agreement between the private client and Susiluoto.

To the extent that the processing of personal data is not based on a legal obligation or the performance of an agreement, the processing is based on Susiluoto’s legitimate interest in carrying out assignment work and the client’s legitimate interest in using an attorney in civil and criminal proceedings, contract negotiations, and in the supervision of its rights.

The processing of your personal data is also based on Susiluoto’s legitimate interest when we process your personal data in order to develop and maintain our business and Client relationships, for example, by contacting you via a newsletter.

You have the right to object to processing operations concerning you on the basis of your particular personal situation, where we are processing your personal data on the basis of legitimate interest. You can contact us at info@susiluoto.com if you wish to object to the processing of your data. You must specify the specific situation on the basis of which you object to the processing.

To whom is your data disclosed?

We will only disclose your data to third parties if it is necessary in connection with the performance of the assignment or to fulfil our legal obligations, for example when we disclose data to the Finnish Bar Association or authorities.

If it is necessary to disclose your data outside the EU/EEA in order to carry out the assignment, we will ensure that the disclosure of your data takes place in accordance with the General Data Protection Regulation by ensuring that we comply with the European Commission’s equivalence decisions or, where applicable, appropriate safeguards, such as standard contractual clauses drawn up by the European Commission, codes of conduct approved by the supervisory authority or certification mechanisms. In exceptional cases, the disclosure of data outside the EU/EEA may also be possible in special situations in accordance with Article 49 of the GDPR, for example if the transfer is necessary for the establishment, exercise or defence of a legal claim or if you have given your explicit consent to it.

We use external service providers who may process personal data on our behalf as part of their service (e.g. ICT service provider, assignment management system, electronic signature service) only for the purposes mentioned in this privacy policy. In these situations, we have contractually ensured that the service providers only process your data in accordance with applicable data protection regulations and this privacy policy.

With regard to these service providers, personal data may also be transferred on servers outside the EU/EEA. If personal data is transferred outside the EU/EEA, it will be ensured that the processing of personal data is adequately protected and processed in accordance with this agreement. Protection may include, for example, an adequacy decision by the European Commission or appropriate contractual clauses, such as model clauses approved by the European Commission and other appropriate safeguards.

How long do we keep the data?

Your personal data will be stored for as long as it is necessary for the management of the assignment and Client relationship, also taking into account the legislation binding on us and the instructions issued by the Finnish Bar Association. Data collected under Anti-Money Laundering Act is stored for 5 years. Necessary material concerning assignments is stored for at least 10 years after the end of the assignment in accordance with the Finnish Bar Association’s archiving guidelines. After that, we store the data to the extent necessary for conflicts checks or if necessary because of the nature the document (e.g. a will) and for the legal protection of our employees.

How have we protected your personal data?

Personal data in electronic form is protected by generally acceptable and reasonable technical means, such as firewalls and passwords. Materials containing personal data in the register, which are not in electronic form, are located in locked premises to which unauthorised access has been prevented.

Only the Data Controller or a service provider acting on its behalf and a member of the staff of Susiluoto or acting on behalf of the Data Controller has access to the personal data processed in the register in accordance with the access rights granted by Susiluoto. We also require our service providers to take appropriate measures to protect the confidentiality and security of personal data.

Susiluoto takes into account the legislation and regulations of the authorities applicable to it, as well as the guidelines of industry associations on ensuring the confidential processing of personal data.

What are your rights in relation to the processing of personal data?

You have the right to check what information about you has been stored. This request may be refused on legitimate grounds. As a rule, the exercise of the right is free of charge.

You have the right to request that incorrect information about you be rectified. In addition, in certain situations, you have the right to request the erasure of data concerning you or to request the restriction of processing on legitimate grounds.

To the extent that you have provided us with data yourself and it is processed on the basis of your consent or contract, you generally have the right to receive such data in a machine-readable format and the right to transfer this data to another controller.

If you have any questions regarding the processing of your personal data, please contact us at info@susiluoto.com.

If you consider that we have not complied with the applicable data protection regulations in our operations, you have the right to lodge a complaint with the competent supervisory authority.

The competent supervisory authority in matters related to the processing of the customer’s personal data is the Office of the Data Protection Ombudsman, Lintulahdenkuja 4, 00530 Helsinki, tel. 029 566 6700, tietosuoja@om.fi.

Changes to the Privacy Statement

We may change or update this Privacy Notice, for example, in the event of changes in regulations, case law or our own practices. The up-to-date privacy policy can be found on our website or you can read it at our office.

Who can you contact about data protection?

For all questions related to data protection, please contact us by email at info@susiluoto.com.