Your privacy is very important to Borenius Attorneys Ltd, no matter if you are our current or prospective client or any other kind of business contact. With this Privacy Notice, we want to make you aware of how we collect and process your personal data as a data controller.
We process personal data in accordance with all laws that apply to the protection of personal data, including the GDPR, i.e. the European Union’s General Data Protection Regulation 2016/679 GDPR (“Data Protection Laws”). We process personal data for the purposes of identifying our client, checking for conflicts of interest, handling assignments, managing client relationships and marketing, amongst others. In accordance with the Data Protection Laws, those persons whose personal data we process are entitled to obtain information on the personal data we process and to use their rights based on the GDPR as further described in this Privacy Notice.
We do our best to ensure that your personal data is processed lawfully and in a transparent manner, and to ensure that your personal data is safe, accurate and up to date.
You may help us in keeping your personal data up to date by reviewing and updating your contact details as well as your marketing preferences. You can do this by clicking the link we include in every newsletter you receive from us. If you have any additional updates, please contact our GDPR team at firstname.lastname@example.org.
We apply the appropriate technical and organisational measures to ensure that your personal data is safe with us. These measures include, for example, data processing agreements and non-disclosure agreements that we have concluded with our vendors and business partners. In addition, besides having a dedicated GDPR team to help in solving GDPR-related issues in our operations, we train our employees and advise our clients on GDPR issues.
Legal basis and purposes for processing your personal data
Our main duty as a law firm is to provide legal services to our clients, and this is the main purpose for which we process personal data. We also use personal data to develop our services and to manage our business relationship with our clients. When we provide legal services and manage client assignments and the business relationships we have with our clients, we act as the data controller, and the processing of personal data is necessary for the purposes of our legitimate interests or for the fulfilment of a contract.
Sometimes processing is necessary to ensure that we as a law firm can comply with our legal obligations (for example identifying our clients or screening data against sanction lists). This partially applies in situations where our duties are based on applicable laws or guidelines issued by the Finnish Bar Association, such as when we e.g. process data that we need in the know-your-client process and to conduct conflict of interest research.
You may also give your consent for the processing of your personal data for one or more specific purposes (for example in relation to invitations to events and seminars).
How do we collect personal data and how do we use it?
We primarily collect personal data from the data subject him/herself when we manage our client assignments and provide legal services. We obtain personal data e.g. through the know-your-client process and by conducting conflict of interest researches or when we communicate with or meet the data subjects. We collect personal data that relates to e.g. identification, which includes personal data such as basic identifying information, contact details and matter-related background information provided to us directly by our clients (either natural persons or companies), their representatives or their counterparties.
We also collect personal data when we manage our marketing activities and communicate with the data subjects for the purposes of marketing. We collect personal data e.g. in order to send invitations to our seminars and events, or to send out our newsletters or other news relating to our services and firm.
We also collect personal data via our website as follows:
Job applications / recruitment data (https://www.borenius.com/careers/). Any personal data that you submit in connection with a job application is saved separately to our recruitment system. Please see our separate notice on job applications (https://www.borenius.com/privacy-notice-for-job-applicants/).
Newsletter (https://www.borenius.com/contacts/). You can subscribe to our newsletter to receive event invitations and news regarding our services and the firm. You can unsubscribe at any time to stop receiving this information.
Alumni (https://www.borenius.com/careers/alumni/). As a former Borenius employee, you are part of our alumni network. We appreciate the opportunity to stay in touch and keep exchanging ideas with our former colleagues. You may join our alumni network and update your contact details in Borenius’ alumni register.
As mentioned above, we primarily process personal data we have obtained directly from you. When necessary, we may also collect or update personal data from publicly available sources or from commercial databases.
What types of personal data do we process?
We may process personal data of the following categories:
- Basic identifying data, including name and contact details (such as email address, telephone number and address); title and association with the client entity, such as work tasks and title; personal identification number, where appropriate
- Identifying information about our private clients, company representatives and beneficial owners; identifying information as provided for in the Finnish Act on Preventing Money Laundering and Terrorist Financing (444/2017) (for example name, date of birth, personal identification number, citizenship, passport copy, and information to determine the client’s financial status and level of political influence)
- Client information, including information regarding the contractual relation between the client and us; personal data that is received while we provide our services or that we need for invoicing (for example email messages and other communications, documents, name, email address, title, position, employer’s name)
- Information provided to us for the purposes of attending meetings and events (for example name, email address, dietary requirements)
- Information about whether you have consented to or opted out of receiving direct marketing
- Automatically collected data, i.e. data collected by our website cookies as specified above and e.g. information about whether you have opened and read an email message we have sent you.
Where do we store personal data?
We primarily process personal data on servers located within the EU/EEA.
However, we may need to transfer your personal data from a location within the EU/EEA to a third country. With regard to transfers of personal data to countries where the local data protection legislation does not provide an adequate level of data protection, we will implement appropriate safeguards under the GDPR to ensure that your personal data remains protected and secure. Such international transfers of personal data will be based on the standard contractual clauses approved by the European Commission. To learn more about the appropriate safeguards we use, please contact our GDPR team at email@example.com.
Will data be transferred or disclosed to third parties?
We will not disclose personal data to any third parties unless we are required to do so under applicable laws, to prepare for legal proceedings or to defend a claim, or in order to provide services to our clients.
We use partners and service providers in connection with business activities that require the processing of personal data, and as such, personal data will be transferred to and processed by third-party providers (data processors) that provide services to Borenius Attorneys Ltd. All of these partners and third-party service providers must comply with our written data processing agreements, and they must implement appropriate technical and organisational measures to ensure the protection of your personal data. Furthermore, they may not process any personal data transferred to them for any other purposes than for providing services to us. The only employees with access to your personal data will be those employees who need to process your personal data.
How long we retain specific personal data depends on the personal data concerned and the purposes for its processing. We will retain personal data at least for as long as needed in order to carry out the purposes of processing mentioned above, such as in order to perform our contractual or statutory obligations or in order to manage the business relationship between us and the data subject or the entity represented by the data subject.
The retention periods are determined in accordance with the following criteria:
- Related personal data will be retained for as long as our legitimate interest can reasonably be considered valid. The validity of this legitimate interest is determined by, for example, communications between us and the data subject.
- Ultimately, we will retain the personal data of our clients’ representatives for the entire duration of the contract we have concluded with the data subject or with an organisation represented by the data subject.
- Statutory retention periods and the retention periods defined in the Finnish Bar Association’s rules may also apply. For instance, the Finnish Act on Preventing Money Laundering and Terrorist Financing requires for identifying information regarding our clients to be retained for a period of five years following the end of our regular client relationship.
- Related personal data will be deleted if the data subject withdraws their consent or objects to the processing of their personal data for direct marketing purposes.
When your personal data is no longer needed, your personal data will be destroyed in a secure way or irrevocably anonymised.
What are your rights regarding your personal data?
The GDPR ensures that the data subject has a number of rights and that the data subject can exercise these rights in many cases to govern the processing of their personal data. The extent of the data subject’s rights is subject to the legal basis provided for processing the relevant personal data, and the data subject must provide identification in order to exercise the said rights. Where we have reasonable doubts concerning the identity of the natural person making the request referred to below, we may request you to provide additional information that we require to confirm your identity.
You can use your rights by contracting our GDPR team at firstname.lastname@example.org.
- Right of access: You have the right to request access to the personal data relating to you. This includes e.g. the right to be informed of whether or not personal data about you is being processed, what personal data is being processed, and the purpose of the processing.
- Right to rectification: You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. You may also request the completion of any incomplete personal data relating to you.
- Right to object: You are entitled to object to certain processing of your personal data, and we may be obliged to comply with your request unless we can demonstrate compelling legitimate grounds for further processing of such personal data.
- Right to opt out of marketing communications: Each of our marketing emails includes instructions on how you can opt out (unsubscribe) of future marketing, but you can also opt out at any time by contacting us as specified above.
- Right to erasure: You may request the erasure of your personal data, and we are obliged to comply with your request e.g. in the event that the relevant personal data is no longer required for the purposes for which it was collected, or where we have unlawfully processed the relevant personal data.
- Right to restrict processing: Under certain statutory situations, we may be obliged to restrict the processing of your personal data.
- Right to withdraw your consent: In cases where we have been processing your personal data based on your consent, you have the right to withdraw your consent to such processing at any time.
- Right to data portability: In certain cases, you have the right to receive any personal data we process in a structured, commonly used and machine-readable format, where this is technically feasible.
If your personal data relates to our client work, there may be situations where our confidentiality and other obligations under the applicable legislation and the respective rules established by the Finnish Bar Association may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights.
We do not engage in any kind of automated individual decision-making.
We do not process any personal data that is included in the special categories of personal data (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, health data, etc.).
In the event that you consider the way in which we process your personal data to be in breach of the applicable legislation, you may lodge a complaint with the national supervisory authority regarding our processing of your personal data. If you are located in Finland, your local data protection authority is the Data Protection Ombudsman (Tietosuojavaltuutettu) (www.tietosuoja.fi).
If you have any questions regarding the processing of your personal data, please feel free to contact our GDPR team at email@example.com.
This Privacy Notice was updated in May 2018. We reserve the right to update and amend this Privacy Notice. Unless otherwise provided in mandatory applicable legislation, we may not personally notify the data subjects of any changes we make to this Privacy Notice. We kindly ask that you review this Privacy Notice from time to time for possible changes.