Controller

Asianajotoimisto Salonen Oy LSL legal

Business ID 2591357-8

Temppelikatu 4 A

00100 Helsinki, Finland

+358 9454 2880

(register-related requests for information)

Contact person in register-related matters

Petra Lehtinen

Temppelikatu 4 A

00100 Helsinki

+358 9454 2880

Name of register

Advocacy customer register

_____________________________________________________________________________

Intended purpose for the register

The intended purpose for the register is to manage, plan, and execute commissions, to allocate activities for each commission, and to determine possible lack of impartiality when receiving commissions.

Only relevant customer data is collected in the register in accordance with the exclusivity of purpose principle. No identifying data is collected.

Only data for the declared purpose required in the handling of the customer’s commission is collected in the register. The register also manages the customer-specific marketing authorisations. This data, required by default, is used for the operations related to managing the customership.

Register lawfulness, fairness and transparency

In maintaining the customer register, controller shall adhere to the legitimate purposes of processing personal data. Controller shall emphasise the obligation to inform regarding the content of the register in their operations.

The register’s maintainer and processor shall undertake to comply with the obligations stated in the GDPR regulation of the European Union.

Data content of the register

• The law office’s current and past customers
• Customer name and contact information
• SSN or DOB if required
• Corporate customer’s contact person
• Actions taken
• Invoicing information
• Factual content of the commission according to legal classification
• Customers’ counterparties

Regular sources of information

The source of information for the register includes the natural person who provided the data and the data provided by this person. Controller is not responsible for any false information purposefully submitted to the register.

Grounds for data processing

Processing personal data is based on the customer relationship, commission provided to the controller by customer, or carrying out the rights and obligations related to agreements between controller and customer and to legislation.

In rare cases, processing may be based on a controller’s justified benefit, such as debt collection.

Customer’s personal data is transferred to the customer identification register maintained by controller in compliance with the Act on Detecting and Preventing Money Laundering and Terrorist Financing.

Regular destinations of disclosed register data

Register data is not regularly nor occasionally disclosed to anyone or for any purpose unless explicitly required by law.

Data transfer to outside the EU or ETA areas

Data warehousing and processing shall take place in the EU area. No data is transferred to outside the EU or ETA areas.

Data protection principles for the register data

Customer register data is classified as confidential. It will not be disclosed to outside parties without customer’s consent or explicit legal requirement. Customer data is only used by those who participate in commission execution. Controller’s executive-level persons make organisational decisions and allocate access rights to employees regarding customer register data to the extent that performing their work duties requires.

Customer register data is processed by using automatic data processing. Data residing on a computer is accessed by using user names or passwords.

Data security for the controller’s customer register, as well as the confidentiality, integrity, and usability of the personal data, are ensured by using appropriate technical and administrative measures. The data and the service are protected by, among others, a firewall, protected physical environment for the equipment, access control monitoring, access rights, encryption methods, and active monitoring. Personal data is protected from unauthorised access and from illegal or accidental access to or processing of data.

Customer folders are organised in line with the register and they are under constant supervision by the staff. The folders are stored in an appropriately locked space outside office hours.

Storing register data

Register data is only stored for as long as is required to carry out the purpose of processing, and for 10 years after the commission is closed. Exclusion register data remains in the register for a company’s operational period.

Data deletion and removal

Controller shall oversee that the register data for a natural person can be, if required, deleted, anonymised, and archived.

Data subject’s rights

1. Right to request access to data subject’s own data

Data subject has the right to verify what personal data has been stored in the register. Request for verification must be signed and sent in writing to the following address: Asianajotoimisto Salonen Oy LSL legal, Temppelikatu 4 A, 00100 Helsinki, Finland. The request must provide a name, SSN, postal address, and telephone number. The reply to this request is delivered to the customer’s address verified via the Population Register Centre. To the extent necessary, controller has the right to identify the customer prior to sending the information. The

request for verification can also be provided in person at the above-mentioned address.

2. Right to request data rectification or removal

Data subject has the right to request rectifying inaccurate personal data by notifying the controller in writing at the postal address mentioned in item 1.

3. Right to restrict processing of personal data

Data subject has the right to request rectifying inaccurate personal data by notifying the controller in writing at the postal address mentioned in item 1.

4. Right to object to processing of personal data

Data subject has the right to object to processing of personal data by notifying the controller in writing at the postal address mentioned in item 1.

5. Right to data portability

Data subject has the right to request that the controller transfer personal data concerning him or her to another system in a structured, commonly used and machine-readable format. This right only applies to data provided by the data subject personally. Requests for data transfers must be made by notifying the controller in writing at the postal address mentioned in item 1.

6. Right to withdraw consent

Data subject has the right to restrict the controller from processing personal data concerning him or her for the purposes of direct advertising, distance selling and other forms of direct marketing, market surveys and opinion polls, vital records, and genealogy.

Restriction requests must be submitted by notifying the controller in writing at the postal address mentioned in item 1.

7. Right to make a complaint to a supervisory authority

Data subject always has the right to make a complaint to a supervisory authority regarding the way in which personal data concerning him or her is processed. The complaint is filed according to official instructions directly to a competent authority, which is the Data Protection Ombudsman in Finland.