Privacy Policy

This Privacy Policy explains how we process the personal data of individuals who are members of our stakeholder groups or visitors to our website. Our group subsidiaries process personal data in their own registers, and the processing practices are described in each subsidiary’s own privacy policy.

1. Controller

The controller (hereinafter “Controller”) is

Harjavalta Oy
Business ID: 0132526-1

Please address any questions regarding the processing of personal data to: contacts@harjavaltagroup.fi.

2. What do we mean by the different terms?

“Data Subject” means the person whose personal data is processed by the Controller in its personal data file.

“Personal Data” means any information relating to an identified or identifiable natural person, i.e. the data subject, such as name, address, email, telephone number, title and transaction history.

“Stakeholders” means contacts of companies and other entities (hereinafter “company”) with whom the Data Controller has a relationship (for example, contacts of investment targets, representatives of companies providing services to the Controller and co-investors) or other contact (for example, social decision-makers and journalists in the context of public relations activities).

By “Website Visitor” we mean persons other than those defined above who visit our website if, as a result, they are technically identifiable by the Controller, for example through the use of cookies or other tracking technologies.

3. For what purposes do we process your personal data?

The Controller processes the personal data of data subjects for the following purposes (one or more at the same time):

  • stakeholder relationship management, analysis and development
    • The Controller may process your personal data for the management, analysis and development of the stakeholder relationship with the company you represent.
  • stakeholder communication
    • The Controller may process your personal data in its stakeholder communications, for example, to send you information, news or invitations to Controller events related to the Controller’s business.
  • developing services
    • The Controller may process your personal data to develop its services, for example by using your feedback or analytics data collected from the use of the website.

The legal basis for the processing of personal data is the following subparagraphs of Article 6 of the EU General Data Protection Regulation:

  • processing is necessary for the performance of a contract to which you or the company you represent is a party or for the performance, at your request, of pre-contractual measures;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where your interests requiring the protection of your personal data or your fundamental rights and freedoms override such interests;
  • you have given your consent to the processing of your personal data for one or more specific purposes; and/or
  • processing is necessary for compliance with a legal obligation of the Controller.

The Controller processes your data to perform a contract with you or with a company you represent (e.g. services that the Controller orders from a company).

The Controller has legitimate interests in the conduct of its business, such as the right to promote the success of its business and to make a societal influence, and the Controller may use your contact information to communicate with you on the basis of legitimate interests. Other legitimate interests of the Controller that may justify processing your personal data include the further development of the business and the investigation of possible misconduct.

If the processing is not based on a contractual need or a legitimate interest, the Controller may ask for your consent for other types of processing of personal data, such as processing of data classified as sensitive (for example, accessibility or dietary data in relation to the Controller’s events).

The Controller may also process your personal data where required to do so by law, for example on the basis of the retention obligation under the Accounting Act.

4. What types of data can we process?

The personal data collected by the Controller may include, but are not limited to, the following types of information and any changes made to them:

4.1. Basic information on all Data Subjects

  • first name and surname
  • contact details (postal address, email address and/or telephone number)
  • communications to the Data Subject and activities related to those communications (such as clicking on personalised links that may appear in an email and responding to invitations)
  • information about cookies and similar activities sent to the Website Visitor’s terminal equipment (such as computers and mobile devices) and the data collected through them, insofar as the person can be identified on the basis of this information
  • any recordings of customer service calls, as well as recorded emails and other messages related to customer service
  • choices and actions relating to the rights of the Data Subject

4.2. Further information on business representatives

  • the name and other necessary identification data of the company which the Data Subject represents in relation to the Controller
  • title and/or job description
  • language

4.3. Sensitive personal data

  • where the Data Subject voluntarily and with their own consent provides the Controller with sensitive personal data (such as health information relating to accessibility or dietary requirements for participation in the event).

5. What sources do we use to collect your personal data?

The Controller receives a large part of your personal data from you at the beginning and during the stakeholder relationship and from your activities on our website.

The Controller also receives personal data and updates thereof from public authorities and organisations that provide services for obtaining and updating personal and credit data, as well as from public directories and other public information sources, such as company websites.

The Controller receives personal data about the representatives of companies from their colleagues, i.e. the main contact person of the company may also disclose personal data about other persons related to the stakeholder relationship of the Controller to the Controller.

6. Who can we share your personal data with?

The Controller will not give, sell or otherwise disclose your personal data to third parties, unless otherwise stated below.

The Controller may share your personal data with third parties providing services to the Controller. These services may include, for example, investment and financial management services, software services, communication services and event production.

The protection of your personal data is important to the Controller, and we do not permit such parties to use the data for any purpose other than to provide the agreed services to the Controller, and we require the parties to protect the personal data of data subjects in accordance with this Privacy Policy and applicable law.

The Controller may share your personal data with other carefully considered partners with whom the Controller jointly manages and implements projects, such as joint events (for example, companies belonging to the same group as the Controller).

The Controller may share your personal data with carefully considered third parties, for legitimate reasons, for their joint or independent purposes. Data may be shared for such purposes only where the intended use by the third party is not incompatible with the purposes of use set out in this Privacy Policy. In principle, a very limited amount of data will be shared, mainly the name and contact details of the individual for the purposes of contacting him/her, for the purposes of the contact methods permitted by law.

The Controller may share your personal data in the context of a business acquisition or other business reorganisation, or on the order of a court or similar competent authority, or at the request or direction of a tax or other authority.

7. Do we transfer your personal data outside the EU?

The Controller may use resources and servers located around the world, including software located in the United States, in the course of its business. The Controller may therefore transfer your personal data outside Finland and possibly also to countries outside the EU with different data protection laws.

In these cases, the Controller will ensure that there is a legal basis for the transfer and that the personal data are protected, for example by using standard contractual clauses and processing agreements approved by the relevant authorities (where applicable), and by requiring compliance with appropriate technical and other data protection measures.

8. How long do we process your personal data?

The Controller will process your personal data for as long as the Controller has any of the grounds for processing described in Section 3 of this Privacy Policy in force, and for a reasonable period thereafter.

9. How can you exercise your rights in relation to your personal data?

As a Data Subject, you have various possibilities to influence the processing of your personal data. As a general rule, we will comply with your request within one month. Please contact us at the contact details provided in section 1 of this Privacy Policy to exercise your rights. Your rights include (the extent of these rights depends on the basis on which your personal data are processed):

a) The right of access to personal data collected about you. In practice, this is done by providing you with a report on the personal data we have collected about you in a personal data file, based on your valid and identified request.

b) The right to request the rectification or erasure of personal data collected about you. If you notice any errors or omissions in your data, you can submit a request for rectification.

c) The right to request the deletion of personal data collected about you. We are obliged to delete the personal data you have requested from our personal records if one of the following criteria is met and no other law or regulation imposes an obligation to retain the data:

  1. the personal data are no longer needed for the purposes for which they were processed;
  2. you withdraw your consent and there is no other lawful basis for the processing;
  3. you object to processing on grounds relating to your particular personal situation and there is no legitimate ground for the processing or you object to the processing of your personal data for direct marketing purposes;
  4. your personal data has been unlawfully processed;
  5. your personal data must be erased in order to comply with a legal obligation under European Union law or Finnish law to which the controller is subject; or
  6. your personal data has been collected in connection with the provision of information society services, such as subscriptions to the Controller’s digital information services.

d) The right to request restriction of the processing of personal data collected about you. You may request the Controller to restrict the processing of your personal data if:

  • you contest the accuracy of your personal data held by the Controller;
  • the processing is unlawful and you request a restriction of use instead of deletion;
  • the Controller no longer needs that personal data for the purposes of processing, but you need it to establish, exercise or defend a legal claim;
  • you have objected to the processing of personal data pending verification of whether the legitimate grounds of the Controller override your grounds.

e) The right to object to the processing of personal data concerning you. Where the Controller processes your data on the basis of a legitimate interest, you have the right to object to the processing of personal data concerning you on grounds relating to your particular personal situation. All Data Subjects on the personal data files covered by this Privacy Policy have the right to object to the processing of their personal data for direct marketing purposes.

f) The right to transfer the information you provide from one system to another. If the automated processing of your personal data is based on consent or on a contract, you have the right to receive the personal data you have provided to the Controller in a structured, commonly used and machine-readable format, and the right to transfer those data to another controller.

g) The right to withdraw consent. If all or part of your personal data is processed in this register on the basis of your consent, you have the right to withdraw your consent.

h) The right to lodge a complaint with a supervisory authority. If a potential disagreement between you and the Controller regarding the processing of your personal data cannot be settled amicably, you have the right to refer the matter to the Data Protection Authority for a decision by the Office of the Data Protection Ombudsman.

10. Which country’s laws apply to the processing of your data?

Finnish legislation and EU legislation directly applicable in Finland, such as the EU General Data Protection Regulation, apply to the personal data files of the Controller and the processing of personal data contained therein.

11. How can we update this Privacy Policy?

The Controller is constantly developing its business and this may also mean development measures related to the processing of personal data. We will update the Privacy Policy as necessary to reflect changing practices. Changes may also be based on changes in legislation. We recommend that you read the contents of the Privacy Policy regularly.

If the Controller starts processing your personal data for a purpose other than that for which your personal data was originally collected, we will notify you of this and the updated Privacy Policy before such further processing. For any other changes, we will inform you on our website when the Privacy Policy is updated.