Privacy notice of Lukander Ruohola HTO Attorneys at Law Ltd.
This privacy notice explains how we collect and process your personal data, especially when providing legal services to you.
Lukander Ruohola HTO Attorneys at Law Ltd. is the controller of the personal data for the purposes described in this notice.
Contact information: Business ID 0983872-3, Yliopistonkatu 15 B, 20100 Turku, Finland; tel. +358 10 320 8400, toimisto@lrhto.fi.
Legal grounds for processing your personal data
We process your personal data on the following grounds set out by the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, “GDPR”):
- your explicit consent;
- performance of an agreement to which you are a party (e.g. an assignment or an employment agreement);
- compliance with the statutory obligations (e.g. fulfilling the employer obligations of Lukander Ruohola HTO Attorneys at Law Ltd. and our duties in relation to anti-money laundering and client identification); and
- our legitimate interest in offering legal services to our clients.
In case we process special categories of personal data (e.g. data that reveals your racial or ethnic origin) in connection to our legal services, the processing of such data is done based on the grounds listed above or in order to protect the essential interests of the data subject, to prepare for legal proceedings or to defend a legal claim.
The purpose of processing personal data of the data subject is to enable us to serve our current and potential clients, to market and improve our services, to collect statistics on and monitor the use of our services and to fulfil our statutory obligations.
Registers and types of personal data collected
We collect and store your personal data in separate registers listed below. The description of each register includes a statement of purpose and examples of collected data.
- Client Register consists of personal data that we need in order to identify our clients and to manage and develop the client relationship. Such data may include the name, address, telephone number, profession and other contact details and information related to the identification of the client.
- Personal Data Register concerning Assignments consists of the personal data of our personnel and the clients in connection with specific assignments. This information is collected and processed for the purpose of completing the assignments in accordance with the legislation in force. Such data may include contact details of the persons taking care of the assignments, clients’ contact details or other data related to the assignment, including data on special categories of personal data.
- Marketing Register consists of personal data that we collect from our current or potential clients, former employees, students, student associations and participants of our webinars and other events as we market or give out information on our services. Such collected information may include name, address, telephone number, profession and the like.
- Personal Data Register concerning our Website consists of personal data that we collect from the visitors to our website. This information is collected and processed in order to develop our website and ensure its functionality. Such data may include cookies, the information about the browser used, the time spent on the website and the route the visitor took to get to the website.
- Recruitment Register consists of personal data that we collect from potential employees or recruited employees and that we process in relation to recruitment decisions. Such data may include contact details of the job applicants and the data they have provided to us in their applications.
- Employee Register consists of personal data of our current employees, which we collect and process in order to fulfil our obligations as an employer. Such information may include the contact details of our employees.
- Premises Security Register consists of personal data of the persons visiting our premises, which we collect to ensure the safety of our premises. Such data may include, for example, recordings from the video surveillance system.
Recipients of personal data
We may, and in some cases we will, transfer your personal data to our contracting partners who will process your personal data on our behalf in accordance with a personal data processing agreement between us and the processor.
We may transfer or disclose your personal data if we are required to do so by competent authorities or other third parties under applicable laws. However, we will not disclose your personal data to third parties unless we have to do so for the reasons stated above or in order to comply with statutory obligations.
Transfer of personal data abroad
We try to avoid transferring your personal data to countries outside the EU/EEA. If, however, we need to transfer your personal data to countries outside the EU/EEA, we ensure that your personal data remains protected by measures of data protection required by data protection legislation, such as EU Commission’s standard contractual clauses.
We use third party tools on our website, and while some service providers, for example Google Analytics, may be situated in countries outside the EU/EEA, we ensure the required level of data protection at all times.
Retention of personal data
We keep your personal data for as long as it is necessary in order for us to fulfil the purposes described in this privacy policy, to ensure the provision of our services and to comply with the requirements of applicable legislation or the rules of the Finnish Bar Association.
The period for which the personal data is stored is determined by the purpose for which the data is processed. Personal data related to client relationship and assignments is kept for as long as required by applicable laws or the Code of Conduct for Attorneys-at-Law of the Finnish Bar Association. Retention periods for personal information vary greatly. We erase your personal data when we no longer have a need or legal grounds for processing it.
Protection of personal data
We protect your personal data against unauthorised access and illegal processing by implementing organizational and technical measures, such as passwords, access restrictions and internal operational instructions. We also have required firewalls in place to protect personal data.
Your rights as a data subject
| Right to access personal data | In accordance with personal data legislation, you have the right to review the data we have collected on you or the fact that we have not collected any data on you. |
| Right to request rectification of personal data | You have the right to request that we rectify erroneous data on you. |
| Right to request erasure of personal data | You have the right to request that we erase your personal data if there exist no legal grounds for processing that data. |
| Right to request restriction of personal data processing | You may request that the processing of your data be restricted on the grounds provided by law. |
| Right to object | You have the right to object to us processing your personal data for direct marketing, distance selling or for other marketing purposes or for market research and opinion polls. |
| Right to data portability | If you have provided us with your personal data and the data is processed with your consent, you have the right to acquire such information in a machine-readable format and the right to request that the data be transmitted to another controller. |
| Right to withdraw the consent | If the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. However, the processing of your personal data prior to the withdrawal of the consent will not become illegal, even if the consent is withdrawn. |
| Right to lodge a complaint with the supervisory authority | You have the right to lodge a complaint with the competent supervisory authority if you are of the opinion that we have not complied with the data protection regulations applicable to our operations. The relevant national authority is the Data Protection Ombudsman (www.tietosuoja.fi). |
Miscellaneous
The processing of personal data may in some cases be based on a statutory obligation of the controller and in some cases on a contractual requirement. The processing of personal data is based on a statutory obligation, for example, when we have the legal requirement to identify our client and the party to the assignment or when the processing is related to our employer obligations.
If, based on a statutory obligation and a contractual requirement, we request you to provide us with your personal data and you do not provide us with such data, it may be impossible for us to render services to you or our services may not meet your expectations. In such cases, we are not responsible for any direct or indirect consequences that you may suffer due to your refusal to provide us with such data.
Our activities do not include automated decision-making and profiling.
Where personal data is obtained
We obtain personal data from you when you use our services and when you disclose such data to us on the basis of your consent. We may also collect and update personal data from the register of our contracting partners and from authorities and companies providing services related to personal data, such as our sub-contractors who provide services to us.
Further information
Should you have any questions related to our data protection policies or if you wish to exercise your rights, please contact us at toimisto@lrhto.fi.
We reserve the right to update this privacy notice by publishing it on our website or by reporting it through other electronic means.
This privacy notice was last updated on 10 February 2021.
