Register and privacy statement

This is Athensmed Oy’s data file description and data protection statement in accordance with the EU’s General Data Protection Regulation (GDPR). This statement was written on May 6, 2021. The most recent amendments were made on May 6, 2021.

1. Controller

Athensmed Oy

Töölönkatu 7 A 4,

00100 Helsinki

Business ID 2602802-8

[email protected]

2. Contact information for matters pertaining to the data file

Contact us by e-mail at [email protected] or by phone on +358 50 359 6835 if you have any questions or feedback regarding the data file.

3. Name of the data file

Athensmed customer and marketing register

4. Purpose of processing personal data

The purpose of the data file is to maintain Athensmed’s customer and marketing register as well as manage and process correspondence and funding applications. The data can be used for operational development, statistical purposes and marketing purposes. The data will not be used for automated decision-making or profiling.

5. Data file content

The data file may include the following data on customers: name, job title, company/organization, contact details (telephone number, e-mail address, address), website addresses, IP address, account names/profiles in social media services. Data on companies and their contact persons, such as Business ID, names of contact persons, contact details and job titles. Other data related to the customer relationship and services ordered, such as data on information necessary for making investment decisions, past and existing agreements and other data related to investment activities.

The IP addresses of the website’s visitors and the cookies necessary for service functionality are processed based on legitimate interests, including information security and the collection of statistical information on website visitors, inasmuch as such data can be considered to constitute personal data. Separate consent is requested for third-party cookies where necessary.

6. The regular information sources of the data file

The data stored in the data file is obtained from the customer in the form of completed funding applications and information entered in contact forms, by e-mail, by telephone, through websites and social media services used by the customer, agreements, customer meetings and other situations in which customers disclose their information. Information on companies and other organizations can also be collected from public sources, such as websites, directory services and other companies.

7. Regular disclosures of data and transmission of data outside the EU or EEA

Data is not regularly disclosed to third parties. Data may be published subject to the customer’s separate consent. As a rule, Athensmed does not transmit or disclose customers’ personal data outside the European Union or the European Economic Area. If necessary, the data can be transmitted by the controller outside the EU or EEA in the manner stipulated by the Personal Data Act.

8. Storage period for personal data

Personal data shall be stored for as long as they are necessary for maintaining the customer relationship, managing the website and social media and carrying out accounting activities. Data shall be deleted within five (5) years of the end of the customer relationship or the data no longer being necessary.

9. Access to, amendment of and removal of data

Data subjects shall have the right, as stipulated by the Personal Data Act, to access the data on them in the personal data file. When requested by a data subject, we shall make the necessary amendments to the personal data or remove incorrect or outdated data. To request access to and updating of personal data, data subjects shall contact the controller in writing.

Data subjects have the right to request the removal of data on them from the data file (“the right to be forgotten”). Data subjects also have the other rights stipulated by the EU’s General Data Protection Regulation, including the restriction of the processing of personal data in certain circumstances. Such requests shall be submitted to the controller in writing.

The controller may request the party submitting such a request to verify their identity if necessary. The controller shall respond to customers within the time period stipulated by the GDPR (as a rule, within one month).

10. Security of the data file

The processing of the data file shall be carried out with due care, and data processed with the help of information systems shall be appropriately secured using solutions such as firewalls and technical means generally accepted in the field of information security. Data that is maintained manually is located in premises that cannot be accessed by unauthorized parties. The controller shall ensure that the stored data, access rights to servers and other information that is critical to the security of personal data are handled in strict confidence and only by those employees and parties whose job description includes it.

11. Amendments to the data protection statement

In the event that the controller amends the data file description and data protection statement, such amendments shall be published in the data file description and data protection statement with the date of the amendment shown. In the event of significant amendments, we may also inform data subjects in other ways, such as by e-mail or by posting a notice about the matter on our website.