Julius Tallberg Corporation (Business ID: 0114668-5) and its group companies
Suomalaistentie 7, 02270 Espoo
(from hereafter ”Tallberg Group” or ”Controller”)
By letter or email to email@example.com. Use “Data privacy matters” as the message’s headline. When you contact the controller, your matter will be handled by the contact person appointed by us.
3) The grounds and purpose for the processing of personal data
At the Tallberg Group, the processing of personal data is primarily based on a stakeholder, customer or cooperation relationship – in particular, a contract between the parties, a statutory obligation or a legitimate interest.
The controller engages in the ownership, sales, leasing, development and maintenance operations of properties (and adjacent targets, incl. parking spaces and warehouses), among other things. The controller collects and thus processes personal data to implement contracts related to its business operations or to carry out actions preceding the contract – such as taking care of obligations and rights related to the ownership, sales and leasing of properties, as well as property management and maintenance. Personal data is also processed for communications related to customer and cooperation relationships.
In addition, personal data is processed for communications between persons of stakeholder groups, as well as the processing of personal data of shareholders, to enable shareholders’ registration at annual general meetings, for example. The controller may also have a statutory obligation to process personal data. The statutory obligation may be based on accounting legislation, company legislation, liability, procurement, land use and construction, occupational safety obligations or taxation legislation, for example. We can store the personal identity codes of our partners who have signed leases or other contract or other people required in the leasing operations based on the Data Protection Act (1050/2018).
Within legal boundaries, the controller, any possible joint controllers or contractual parties or a group belonging to the same group may have the right to use personal data for polls or customer satisfaction surveys, or other similar addressed items, such as direct marketing, based on legitimate interest, for example. The data subject has the right to prevent direct marketing. Regardless of the restriction, information related to their customership may be sent to the data subject if it is necessary to carry out a service or legal obligation.
4) Personal data to be processed
We collect and process the following personal data:
- First and last name
- Company, organisation, agency, title
- Contact details: address, email address and telephone number
- Personal identity code
- Number of shares and votes, voting information, information about participating in meetings
- Age and language
- Information about bans on business operations, debt arrangements and being a target of international sanctions and information required in the Act on Preventing Money Laundering and Terrorist Financing
- Information related to the lease or another contract between the parties (incl. lease period, information about the rent amount and deposit, possible additional fees, for example, for electricity, information about reviewing the rent rate and information about the property/spaces leased)
- Payment method and invoicing information
- Communications between the parties, feedback and complaints
- Data collected in development projects and investment projects (incl. information specified in the Act on the Contractor’s Obligations and Liability when Work is Contracted Out and names, companies, statutory professional/qualification information and contact details of those participating in a project)
- Information required for identifying assets (such as the registration document of a vehicle)
- Other possible information related to the management of the customer relationship, cooperation or subject matter
- Possible marketing permissions and restrictions
In accordance with the Act on the Contractor’s Obligations and Liability when Work is Contracted Out, the Occupational Safety and Health Act and the Tax Procedure Act, a list maintained on those on a construction and renovation site and a joint construction site may include the following information: name of the construction site or project; name of main contractor; names of subcontractors; name of the orderer/developer; first and last names, as well as business IDs/personal identity codes (or a similar foreign proof of identification); facial photograph; the nature of the employment or service relationship; home state; address; telephone number; email address; date of birth; tax number; A1 or E101 certificate or other grounds for a foreign employee’s right to work (incl. residence and work permits); employer; the employer’s business ID; the representative’s name and contact details in Finland in case of sent employees; the employee’s signature on completed orientation and other training; the start and end date of the work on-site; completed working hours and days, as well as the return date of an expired access permit and any possible bans on business operations of the supervisor; responsible building contractor; occupational safety coordinator; those undertaking the construction project; contact persons; employees; and independent contractors.
5) Source of personal data
Personal data is usually collected from the data subject (for example, in connection with cooperation, legislative actions incl. actions related to corporate legislation, meetings and other communications). In addition, personal data necessary for the execution of services determined in cooperation agreements may be received from partners, officials, and public data sources and registers, from a person’s employer, colleagues and the person themselves, as well as from information services within the boundaries of the law.
For example, in development projects and investment initiatives, data regarding construction sites is collected from service providers, the main contractor, employers, colleagues or the person themselves, public sources of data and data services.
6) Disclosure, transfer and recipients of data and related processing procedures
Personal data may be transferred or disclosed to third parties, for example, the authorities, within the boundaries allowed and obligated by valid legislation.
Companies of Tallberg Group may process personal data in accordance with valid data protection legislation. With selected partners, we have signed deals that include the processing of personal data on behalf of Tallberg Group or its companies. Thus, personal data may be transferred to subcontractors, such as accounting firms, payment service providers and other service providers (e.g. service providers of rent management systems or other IT systems), technical managers or facility services companies that process personal data on behalf of the controller in accordance with confidentiality obligation and binding data protection legislation and contract.
For example, the controller uses the EcoReal Oy service for the technical management of the properties. EcoReal Oy processes related personal data as determined above. Euroclear Finland Oy’s electronic service is used for the communications of stakeholders and executing actions in accordance with corporate legislation. For further information, please contact: https://www.euroclear.com/legal/en/privacy.html. The data connection from the user’s browser to Euroclear Finland Oy’s service is SSL encrypted. Share and shareholders’ register information is public. The controller uses the services of the Intrum Group for debt collection. Intrum Group processes related personal data. For further information, please contact: https://www.intrum.fi/fi/ratkaisut-yrityksille/tietoja-meista/privacy-terms/. In the above-mentioned situations, the data subject usually does business directly with the appointed partners.
In its email communications and for its website platform, the controller uses cloud-based systems provided by third parties where the personal data is stored. In addition, personal data is stored in electronic cloud-based services of other third-party service providers. In these cases, personal data may also be stored on servers outside Europe. The service providers are included in the USA Privacy Shield system, which has been seen to fulfil the minimum requirements demanded by the GDPR.
If the controller is a party to a merger, acquisition or another corporate transaction, we may disclose personal data to a third party involved in the corporate transaction. In this event, we will ensure the confidentiality of all personal data.
No automatic decision making will be made based on the personal data.
7) Retention period of personal data
Personal data is processed primarily for the duration of the customer relationship or cooperation, and for a reasonable period afterwards. Accounting information related to contractual relationships specified in the legislation will be stored for the period specified in the accounting legislation. Information collected based on a contract may usually be stored for ten years from the end of the contractual relationship and the fulfilment of the obligations resulting from them.
Legislation specifies certain periods for storing information related to leasing. They are: i) information related to leases and property management invoicing: a minimum of 6 years from the end of the year during which the financial period came to an end and ii) information related to real estate transactions, leases and property management invoicing and taxation: a minimum of 10 years from the end of the financial period.
Share and shareholders’ registers will be stored for the period specified in legislation, and at least for a minimum period of 10 years from the termination of the ownership. Information collected based on the Land Use and Building Act, the Act on the Contractor’s Obligations and Liability when Work is Contracted Out, the Occupational Safety and Health Act and the Tax Procedure Act will be stored for a period of 6 years after the end of the year in which the construction site or work was completed or ended, or for another period specified in the legislation.
8. Data security
We use administrative, organisational, technical and physical protective measures to protect the personal data we collect and process. The measures we use include data encryption, firewalls, safe premises and systems that are protected with limited access rights for appointed people in the scope required by their work duties. Our security measures have been planned to maintain an appropriate level of data confidentiality, integrity, usability, fault resilience and resettability.
However, if there is a data security breach that will probably negatively affect a person’s privacy regardless of the protective measures, we will report the breach as required in the applicable legislation to all possibly affected parties, as well as the authorities, if so required by the application of data protection legislation as soon as possible.
9. Rights of the data subject
The rights of the data subject are based on the General Data Protection Regulation. The rights include in certain cases the right to access personal data and the right to rectify or erase data. The data subject may exercise their rights in the situation defined in legislation. There may be restrictions to exercising the rights in full.
Any claims regarding the data subject’s rights must be made in writing to the controller’s contact person. Situations related to the use of the rights are reviewed on a case-by-case basis, and a separate solution will always be provided. Any request by a data subject to exercise their rights will primarily be responded to within one month (1) of receiving the request. The request is free-of-charge. If the request is obviously unreasonable or unfounded, especially if such requests are repeated, a reasonable fee may be collected from the data subject, or the controller can refuse to perform the request. The data subject only has the right to request actions of data concerning themselves.
Additional information about the rights:
Right of access by the data subject
The data subject has the right to obtain from the controller confirmation of whether or not personal data concerning him or her are being processed, and where this is the case, access to the personal data. The data subject’s right to access data may be limited or refused as stated in the legislation if the disclosure of the information would have a negative effect on the rights and freedom of others. Such rights that must be protected include any trade secrets of the controller or the personal data of another person.
Right to rectification and erasure
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate or erroneous personal data concerning them. If requested by the data subject, the controller must erase personal data regarding the data subject unless it must not be erased if the processing is necessary for the controller to execute a statutory obligation specified in applicable legislation or to create, present or defend a legal claim.
Right to object and the right to restriction of processing
The data subject shall have the right to obtain from the controller the restriction of processing based on special grounds related to their situation when data is processed based on legitimate interest. The data subject does not have the right to object to the processing of personal data when the processing is based on a contract between the controller and the data subject. If the data subject has objected to the processing of their personal data on grounds related to their special personal situation, the data subject must identify a special situation based on which they will object to processing based on a legitimate interest. The controller may continue the processing of personal data despite the objection if there is a significant and well-grounded reason for the processing that supersedes the interests, rights and freedom of the data subject, or if it is necessary in order to create, present or defend a legal claim. At any time, the data subject has to right to object to the use of their personal data in direct marketing. If the data subject objects to the use of their personal data in direct marketing, the data may no longer be processed for this purpose.
At the request of the data subject, the controller must restrict the active processing of the personal data if the data subject denies the validity of the personal data. In this case, the processing must be restricted until the controller can verify the validity of the data. During the restricted processing, the data can only primarily be stored. The data can also be processed to create, present or defend a legal claim, or to protect the rights of another natural person or juridical person, or for reasons concerning important general interest. Before the restriction is lifted, the data subject must be notified.
Right to data portability
For the personal data delivered by the data subject that are processed with automatic data processing and based on the contract between the controller and the data subject, the data subject has the right to receive this information primarily in a machine-readable format and to transfer the personal data from one controller to another if technically possible.
10) Requests related to exercising the rights of the data subject
In questions related to the processing of personal data and exercising the rights of the data subject, the data subject may contact the controller.
A request concerning the right to rectify or any other requests concerning exercising the rights of the data subject to the controller must be made in writing either by email or mail using the contact details provided in section 2. The controller may ask the data subject to sufficiently specify the data or processing to which the data subject’s request relates.
To ensure that the personal data is not related to any other person than the person to whom the data relates, the controller may request the data subject to deliver the inspection request signed if necessary. The controller may also request the data subject to verify their identity with an official proof of identification or some other reliable method.
11) The right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with the authorised supervisory authority if the data subject thinks that their matter has not been resolved by communicating with the controller. However, the aim is to primarily resolve the matter through a dialogue involving both parties.
In Finland, the local supervisory authority is the Data Protection Ombudsman. More information on the website: www.tietosuoja.fi
12) Documents completing the general privacy statement
The policy has been updated on 15 April 2019.