PRIVACY POLICY

This is the register and privacy policy of Noren Ltd in accordance with the Finnish Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR). Last updated on June 4, 2019.

1. Introduction

This privacy policy describes how we collect, process, and protect personal data in our operations. It is important to us that you can trust us to handle your personal data carefully, transparently, and with respect for your privacy. We comply with the General Data Protection Regulation (GDPR) and other data protection legislation in all our activities and always strive to follow the best privacy practices.

2. Processed personal data and purposes of processing

We collect and use your personal data only for the following specifically defined purposes. Below you can also see a list of the types of personal data processed for each purpose. Some of the processed personal data may be sensitive. If a registered person does not want to provide some personal data, the services provided by the data controller may not be fully available.

Maintenance of customer relationships

  • Contact person’s name and contact information
  • Information related to the customer relationship, such as orders placed

Conducting surveys

  • Participant’s name and contact information
  • Information about participation in the survey
  • Information about participation in the survey’s lottery and rewards
  • Participant’s responses, photographs, and other materials provided in the survey

Development of services

  • Name and contact information
  • Information about participation in service development
  • Information about participation in service development’s lottery and rewards
  • Participant’s responses, photographs, and other materials provided in the survey

Recruitment

  • Name and contact information
  • Information contained in the job application and curriculum vitae
  • Language skills, education, and other information related to skills and qualifications
  • Information collected during the recruitment process, such as interview notes and comments from references
  • LinkedIn address and profile information

3. Legal basis for processing personal data

Data protection legislation requires that all processing of personal data is based on one of the legal bases provided by the General Data Protection Regulation. We process your personal data based on the following legal bases:

Legitimate interest
Legitimate interest is the legal basis for processing personal data related to contact forms and recruitment. When legitimate interest is used as the legal basis, we assess the legitimate interest in relation to the rights of the data subjects in accordance with the requirements of data protection legislation and ensure that the processing does not cause undue harm or risk.

Consent
In certain situations, we process your personal data only if we have obtained explicit consent from you. For example, the processing of personal data in the context of a survey is based on consent. You can withdraw your consent at any time by contacting us using the contact information provided at the end of this privacy policy.

4. Sources of personal data

Personal data is primarily collected directly from the data subject themselves. Personal data relating to the data subject can also be collected from companies managing research panels, registers maintained by the research client, and public registers maintained by authorities or organizations. Personal data can also be obtained from other group companies, as described in the section “Disclosures of personal data”.

 

5. Disclosures and transfers of personal data

We handle your information confidentially and do not, for example, sell, rent, or unnecessarily disclose your personal data to third parties.

5.1 Disclosures of personal data

A disclosure refers to an event where the data controller (in this case, Noren) provides personal data to a third party, and this third party uses them for their own purposes. Consent for the transfer of data to third parties is obtained from the data subject. Personal data may be disclosed to the following entities:

  • To Noren’s client company in connection with an assignment.
  • Contact information of customer organization’s contacts may be disclosed to other companies within the Bravedo group.

5.2 Transfers of personal data
A transfer of personal data refers to a situation where the data controller provides personal data to a third party for processing on behalf of the data controller. For example, the use of cloud services requires the transfer of personal data to a service provider who acts as a data processor.

The data we collect may be stored and processed outside the European Economic Area, for example, when the service provider we use is located or stores data outside the European Economic Area. The service provider we use is contractually committed to ensuring that sufficient data protection level is guaranteed in all processing of personal data.

6. Protection of personal data

We protect your personal data against loss, unauthorized access, and misuse by using appropriate technical and organizational security measures. Examples of such measures include the use of firewalls, encryption techniques, backups, and secure facilities.

Access to your personal data is internally restricted through electronic and physical access control, as well as through practices related to granting and monitoring system access rights. Your personal data can only be processed by employees who have the right to do so within the scope of their duties. In research studies, we anonymize the collected data after collection so that individuals cannot be identified from the research results.

 

7. Retention periods for personal data

We retain your personal data only for as long as necessary to fulfill the purposes defined for their processing, unless the law requires us to retain them for a longer period. The storage period for personal data collected in research studies is indicated to the registered individuals in connection with the research consent form.

After the retention period has expired, the data is either deleted by overwriting it from backups and system background information after a certain period or made unidentifiable by permanently transforming the data into a form where an individual is no longer identifiable.

8. Rights of Registered Individuals

8.1 Right to Information about the Processing of Your Personal Data
You have the right to receive information from us about the processing of your personal data in a concise, transparent, easily understandable, and available format, in clear and simple language. The purpose of this statement is to fulfill your right to information and describe how and why we process personal data. We provide additional information on the processing of personal data by email if necessary.

8.2 Right of Access to Information
You have the right to receive confirmation from us of the personal data concerning you that we process. This allows you to assess and verify the lawfulness of the processing. Additionally, you have the right to request and obtain a copy of the personal data we process.

8.3 Right to Data Portability
In certain situations, you have the right to have the personal data you provided to us transferred directly to another data controller in a commonly used and machine-readable format. This right exists when we process such data based on your consent or a contract and the processing is automated (digital) in nature.

8.4 Right to Rectification
Our goal is to keep your personal data up to date and promptly correct or complete any inaccurate, incomplete, or erroneous personal data. You have the right to request that we rectify inaccurate or incorrect personal data concerning you or complete any incomplete data.

8.5 Right to Restrict Processing
Restricting processing means that, in addition to retaining personal data, the restricted personal data may only be processed

  • With your consent
  • To establish, exercise, or defend a legal claim
  • To protect the rights of another natural or legal person
  • For important reasons of public interest of the European Union or a member state.
    This right exists in the following situations:
  • You contest the accuracy of your personal data, in which case the processing will be restricted for a period during which the accuracy of the data is verified
  • The processing is unlawful, but you oppose the erasure of the data
  • We no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defense of legal claims
  • You have objected to the processing based on the legitimate interests of the data controller, and verification is pending whether the legitimate grounds of the data controller override your interests.

8.6 Right to Object to the Processing of Personal Data
In certain situations, you have the right to object to the processing of your personal data, that is, to request that your data not be processed at all. In situations where we process your personal data for the performance of a task carried out in the public interest, the exercise of official authority, or for the purposes of legitimate interests pursued by the data controller, you can object to the processing on grounds relating to your particular situation.
In such cases, the processing of the data must be ceased unless

  • We demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or
  • The processing is necessary for the establishment, exercise, or defense of legal claims.
    However, if your data is processed for direct marketing purposes, you can always object to the processing without providing any specific reasons. After the objection, your data must no longer be processed for the purposes of direct marketing.

8.7 Right to Erasure of Data and Right to be Forgotten
In certain cases, you have the right to be forgotten, which means you have the right to have some of the personal data we process about you completely erased. This right applies, for example, in situations where the processing of personal data is based on your consent, and you withdraw your consent.
8.8 Right to Withdraw Consent
When we process your data based on your explicit consent, you have the right to withdraw your consent at any time. If you withdraw your consent, the processing or retention of your personal data will no longer continue unless there is another legal basis (such as a statutory obligation) requiring the continuation of the processing.

8.9 Right to Lodge a Complaint with a Supervisory Authority
In addition to the aforementioned rights, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data does not comply with the requirements of data protection legislation. A complaint can be made, for example, in a situation where your rights as a data subject described in this statement are not properly fulfilled. The supervisory authority responsible for data protection in Finland is the Office of the Data Protection Ombudsman.

8.10 Exercising Your Rights
If you have any questions regarding the above-mentioned rights or if you wish to exercise your rights, please contact us using the contact information provided at the end of this statement.
We will respond to all requests without undue delay, at the latest within one month of receiving the request. If, for any reason, we are unable to fulfill your request, we will also inform you of the reasons for the refusal within one month of receiving the request.

9. Data Controller and Contact Information

Data Controller’s Contact Information
Noren Oy
Business ID 2740559-3
Mikonkatu 13 A, 4th floor, 00100 HELSINKI

Contact Person for Data Protection Matters

annakerttu.aranko@noren.fi
+358(0)50 437 0186

10. Updates to the Statement

We continuously develop our privacy practices, which is why we may occasionally change this privacy statement. If necessary, we can also notify you directly of any changes.

The statement was last updated on May 15, 2023.