The Company applies and is committed to comply with the national personal data legislation, the EU General Data Protection Regulation (2016/679) and other applicable legislation related to data privacy and processing of personal data. The data protection objectives, responsibilities and policies of the Company have been defined in accordance with the applicable legislation.
The data protection management of the Company is created by defining data protection principles and policies, implementing practices and preparing documentation, and communicating such principles, practices and policies to the employees of the Company. The Company is committed to the obligation of accountability by applying the required privacy governance, practices and processes and data privacy documents.
2. General principles of processing personal data
The Company defines, as set out in the applicable legislation, all required details related to the processing of personal data before the collection of the personal data, and Company follows the principles relating to the processing of personal data. The Company is committed to being in compliance with the principles and to being able to demonstrate compliance with them in accordance with the obligation of accountability by applying the required privacy governance, practices and processes and data privacy documents.
Considering the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Company implements appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the applicable legislation on data processing and privacy. Furthermore, the appropriate technical and organizational measures are implemented for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures of the Company ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
These technical and organizational measures are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards in to the processing to meet the requirements of the applicable legislation. The measures implemented by the Company are reviewed and updated from time to time.
At all times, the Company collects and processes personal data only in accordance with and for the purposes of the respective privacy statement, including data subject’s consent, and within the limits of applicable legislation. Any personal data, whether sensitive or not, shall be deleted from the registers immediately after the processing is no longer required under the applicable legislation. The Company will ensure that all processed personal data is correct, up-to-date and shall be disclosed to third parties based on an explicit consent or other legal right in accordance with the applicable legislation.
3 Privacy Governance
The Company has implemented a data protection and privacy governance model to comply with the obligations related to data processing and protection of personal data. The procedure is reviewed and updated time to time and as required by the applicable legislation or the changes in the Company. The Company carries out actively general risk assessments concerning data protection matters as part of the annual data protection review program.
The Company has appointed a Data Protection Officer in accordance with the applicable legislation. The Data Protection Officer shall inform and advise the data controller , the data processor  and the employees who carry out processing of their obligations pursuant to the applicable legislation, to monitor compliance with the applicable legislation and to cooperate with the governmental supervisory authority  and to act as a contact point for the Data Subjects.
The Company instructs, trains and informs its employees on data protection issues. The persons (DPO, management of the Company) in charge of data protection define and plan guidelines, instructions, training and informing as part of their tasks in the annual data protection review program
The Company provides information to data subjects in accordance with the requirements of the applicable legislation. The Company is committed to guarantee the enforcement of the rights of the data subjects in accordance with the applicable legislation.
4 Organizational arrangements in data security
The Company implements data security arrangements that are in accordance with the good practices generally applied in the industry for processing and storing data. The data security arrangements and solutions are reviewed and updated as a part of the Company’s Annual Data Protection Review Program.
The Company guarantees that its employees and other persons involved in the processing of personal data are bound by appropriate confidentiality obligations.
If the data protection is suspected or found to be compromised, the matter will be investigated without any delay. The Company will also inform the data subject about such breach or alleged breach, provided that it is appropriate in order to take remedial measures or to limit the damage.
The implementation and effectiveness of the data protection practices and processes are evaluated in accordance with the measurements defined by the Company. The data protection practices and processes, the resourcing of the Company and data protection documents are continuously developed and improved as part of the Privacy Governance Model and the annual data protection review program.
 Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
 Data controller or controller (“rekisterinpitäjä”) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.
 Data processor or processor (”henkilötietojen käsittelijä”) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of and in accordance with the guidance provided by the controller.
 Governmental supervisory authority means an independent public authority which is established by a Member State pursuant to the EU’s General Data Protection Regulation (Art 51).