1. General information
This privacy statement describes how Lexia Attorneys Ltd (Business ID: 2159920-0), hereinafter referred to as “Lexia”, processes the personal data of its clients: what personal data Lexia collects, for which purposes the data is used, to which parties the data can be disclosed, and how data subjects can influence the processing. The privacy statement also provides information on the obligations to be met by Lexia in the processing of personal data.
Lexia protects the privacy of data subjects and complies with the General Data Protection Regulation (EU) 2016/679 (GDPR), as well as other applicable data protection legislation and the best practices for data processing in all its processing of personal data. Ensuring data protection is an integral part of all Lexia business operations.
This privacy statement applies to the processing of personal data collected through the www.lexia.fi website, other Lexia online services, marketing, contacts, and events. (There is a separate privacy statement for the processing of the personal data of Lexia customers.)
“Personal data” means any information relating to a natural person (data subject) who can be identified, directly or indirectly, as defined in the GDPR. Data from which a data subject cannot be identified, directly or indirectly, is not considered personal data.
Our website may include links to third-party web pages/websites and services operated by other organisations. As they are not controlled by us, this privacy statement is not applicable to their use. Therefore, we encourage you to consult their privacy policies. We cannot be responsible for the privacy policies and practices of other sites (even if you access them using links from our website). We offer these links only as additional information to serve you better.
2. Data controller and data protection officer
Data controller: Lexia Attorneys Ltd (Business ID: 2159920-0)
Address: Lönnrotinkatu 11, 6th floor, FI-00120 Helsinki
Contact information: email@example.com, tel. +358 10 4244 200
3. Purposes and legal basis for processing personal data
We only collect personal data that is relevant and necessary for the intended purpose. We collect personal data for the following purposes: newsletter subscriptions, event registrations, opinion polls, tracking and optimisation of website use, and to respond to contact requests. In addition, we process personal data to manage the events organised by Lexia alone or in collaboration with other possible partners.
The purpose of the processing may also be to design and develop business operations or perform marketing, maintenance and development of services, quality assurance, direct marketing, and opinion and market research for the group’s other companies.
The above-mentioned personal data processing is based on the legitimate interest of Lexia in informing of and developing its business activities, and thereby providing better service to the users of its services.
By processing personal data, we also strive to improve and ensure the security of our services, risk management and prevention and detection of malpractices. These are based on our statutory obligation.
Furthermore, digital direct marketing directed on the basis of private personal data (and not for instance to a person’s business e-mail) is based on consent.
For event and opinion poll purposes, we may inquire about your preferences or wishes, but we do not require this information to be provided. In that case, the processing of the data provided by you is based on your consent.
4. Categories of personal data, information content and sources of personal data
Lexia collects only such personal data that is relevant and necessary for the purposes described in this privacy statement.
The following data concerning the data subjects will be processed:
|Category of personal data|Examples of information content|
|---|---|
|Identification and contact information|Name, phone number, e-mail address, company representative name, title, business ID|
|Electronic identification information|IP address, electronic communication identification information, our website search and browsing information, browser and operating system information, network behaviour, log information (e.g. time and date), and statistics and other user analyses generated on the basis of such data. Please see the Cookies section below.|
|Consents and prohibitions given by the data subject|Data relating to the data subject’s consent to digital direct marketing (e.g. newsletter) or to other consent to the processing of personal data, as well as to the withdrawal of the above-mentioned consents and the prohibitions of the data subject.|
|Marketing events and opinion polls|Wishes and preferences, participation information|
|Other voluntary data provided by the data subject|Information that the data subject has provided, for instance, in connection with contact requests, feedback or other communications|
As a general rule, personal data is collected from data subjects themselves in connection with marketing or contact requests or through the website.
Personal data may also be collected from the community on behalf of which the data subject is acting or through the community website.
5. Retention of personal data
Lexia only retains personal data for as long as necessary to fulfil the purposes defined in the privacy statement, unless there is a requirement to store it longer under the legislation (for instance due to responsibilities and obligations concerning specific legislation, accounting obligations or reporting obligations) or in case Lexia needs the data for the establishment, exercise or defence of legal claims or to handle a similar disagreement.
The retention period and retention criteria vary depending on the categories of personal data and on the purpose of each special category of personal data.
Consents and prohibitions shall be retained for their period of validity.
Personal data relating mainly to marketing and opinion polls shall be retained for a maximum of twelve (12) months from the marketing purpose for which it was collected. The data can be used later for other marketing purposes.
Google Analytics cookies expire in 26 months from the first time the user visited our website. With regard to ClickDimensions cookies, the cuvid cookie expires in 2 years from the first time the user visited our website. Cusid and Cuvon cookies expire in 30 minutes from the start of a visit (session). Users are also able to delete these cookies manually from their browser settings.
With regard to communities, the retention of data subjects’ personal data is linked to the time that the data subject is acting as a representative of Lexia’s stakeholder community. Personal data will be erased within a reasonable time after leaving such role.
When personal data is no longer needed for the purposes specified above, the data will be erased within a reasonable period of time unless the legislation binding Lexia obliges it to retain the data for a longer period of time.
6. Recipients of personal data
Lexia may transfer personal data internally between its group companies.
In accordance with this privacy statement, Lexia may outsource the processing of personal data to service providers or subcontractors, such as IT suppliers and accountancy offices. Lexia provides adequate contractual obligations to ensure that personal data is processed in a proper and lawful manner.
The following parties are involved in the processing of personal data:
- Microsoft Oy (as well as other companies belonging to the group)
- Google Inc.
We may disclose contact information to our collaboration partners within the limits of the applicable legislation and the rules of proper professional conduct for advocates. As a general rule, no data is regularly disclosed to third parties.
In special cases, personal data may be disclosed to authorities when obliged or authorised by legislation.
In addition, in emergency situations or other unforeseen circumstances, Lexia may be required to disclose data subjects’ personal data in order to protect the lives and health of persons as well as property. Furthermore, in case Lexia is involved in legal proceedings or other dispute resolution procedures, it may have to disclose personal data concerning data subjects.
In case of a merger, acquisition or other business arrangement in which Lexia is involved, it may have to disclose data subjects’ personal data to third parties. In such cases, the privacy of the data subject will be safeguarded. Furthermore, where necessary, the data subject will be duly notified of these arrangements.
7. Transfer of personal data outside the European Union or the European Economic Area
If personal data is transferred outside the European Union or the European Economic Area (for instance when it is necessary for the management of customer relationships), Lexia will ensure the adequate level of protection for personal data, for instance, by agreeing on matters related to the confidentiality of personal data and its processing required by data protection legislation, for example, by using the standard contractual clauses by the European Commission.
8. Data protection principles and security of processing
Lexia processes personal data in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Lexia uses appropriate technical and organisational measures in order to keep the data secured, including the use of firewalls, encryption techniques, secure IT equipment facilities and appropriate management of access control, guidance for the personnel participating in the processing of personal data and guidance for subcontractors.
Contracts and other documents to be stored in original form are kept in a locked space with limited access granted only to those parties which are entitled to access the data.
Based on the Finnish Employment Contracts Act (55/2001) and contractual terms of confidentiality, all parties processing personal data are bound by professional secrecy regarding personal data processing matters. Furthermore, legal professional privilege covers confidential communications with Lexia’s clients.
In accordance with this privacy statement, the company may outsource the processing of personal data to service providers or subcontractors, in which case the company will ensure, with adequate contractual obligations, that personal data is processed properly and lawfully.
Our website uses a TLS-encrypted connection, which means that all personal data is encrypted in electronic form. In the browser, this can be seen from the green padlock icon on the left side of the address bar. Any manual material will be kept in a locked space that is only accessible to individuals who are entitled to access them and will be destroyed in a secure manner.
Data obtained via website traffic trackers is protected by a TLS-encrypted connection. Data obtained through Google Analytics and the ClickDimensions service is stored and processed by the service providers on their own servers. Signing into Google Analytics and ClickDimensions linked to the Lexia website requires logins and, at Lexia, these logins are only granted to a limited number of authorised staff.
Any manual material in Lexia’s possession will be kept in a locked space that is only accessible to individuals who are entitled to access them and will be destroyed in a secure manner.
9. Rights of data subjects
Data subjects have rights under data protection legislation.
Right of access to personal data and right of inspection
The data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her is being processed.
The data subject shall have the right to inspect and view data concerning him or her and, upon request, the right to obtain the data in a written or electronic form.
Right to rectification and right to erasure
The data subject shall have the right to request the rectification of incorrect or inaccurate data concerning him or her. Furthermore, the data subject shall have the right to request the erasure of his or her data.
Moreover, the data controller shall on its own initiative delete, correct and complement any personal data which is discovered to be incorrect, unnecessary, incomplete or outdated for the intended purposes.
Right to data portability, right to restriction of processing and right to object to processing
The data subject shall have the right to request the transfer of his or her data to another controller.
In addition, the data subject shall have the right, under conditions defined by data protection legislation, to request the restriction of processing of his or her personal data. Moreover, in situations where personal data suspected to be incorrect cannot be corrected or removed, or if the removal request is unclear, the company will limit the access to such data.
The data subject shall have the right to object to the use of his or her data for a certain type of processing. The data subject shall have the right to prohibit the disclosure and processing of his or her data for direct marketing purposes.
Right to withdraw consent
Where personal data processing is based on separate consent given by the data subject, the data subject shall have the right to withdraw his or her consent to processing of his or her personal data. The withdrawal shall not affect the lawfulness of processing based on consent performed before the withdrawal.
You have the right to unsubscribe from newsletters. You can submit your request via the unsubscribe link at the bottom of the newsletter or by sending a cancellation notice to firstname.lastname@example.org.
All requests to exercise any of these rights should be made in writing and submitted using the above-mentioned contact details. The request must be accompanied by sufficient identification information. The request will be responded to within a reasonable time and, where possible, within one month of the request and the verification of identity. In order to be able to fulfil the above-mentioned requests, the company may request additional information. If the data subject’s request cannot be met, the refusal shall be communicated to the data subject in writing.
10. Right to lodge a complaint with a supervisory authority
The data subject shall have the right to lodge a complaint with a data protection authority if the data subject considers that the processing of personal data relating to him or her infringes current legislation.
11. Cookies and other similar tracking technologies
Through Google Analytics, Lexia does not receive information on the user’s IP address. Instead, it receives anonymous data, and thus is unable to directly identify the user. Google Analytics generates anonymous reports from data obtained through cookies, such as the number of visitors, the website from which the visitor arrives at the Lexia website, the duration of the website visit, whether or not the user has visited the website before, and which pages of the website the visitor visits.
With the help of website traffic monitoring, we develop our website in order to make it better than before and to deliver a better user experience. If you wish, you can prevent Google Analytics from gathering information about you. For further information on this, please consult the Google website.
Furthermore, we use other third-party services and cookies on our website to enable the content of our website to be shared on social media. These service providers include Facebook, Twitter and LinkedIn.
At all times, you are able to disable, manage, and delete cookies through your browser or mobile device settings.
12. Amendments to the privacy statement
Lexia is constantly developing its services and, due to this, may be required to modify and update this privacy statement accordingly. Amendments may also be carried out due to changes in data protection legislation. We encourage you to review the content of this privacy statement regularly.
The privacy statement was published on 24 May 2018; version 1.1
|1.1|Chapter 4: examples of data to be collected added|28 May|