Data Protection Statement – Clients and Other Cooperation Partners

Last updated: 2 December 2024


Introduction

Siili Solutions Plc and its group companies ("Siili") place the highest value on protecting the privacy of its cooperation partners and is committed to processing personal data carefully and responsibly. This Data Protection Statement (“Statement”) informs data subjects about how Siili processes the personal data of responsible persons and contact persons of clients, suppliers, and other cooperation partners. Personal data refers to any information related to an identified or identifiable person, a data subject. Data subjects under this Statement include the responsible persons and contact persons of Siili’s cooperation partners. A separate subcontractor data protection statement applies to processing of personal data of the subcontractors belonging to Siili’s subcontractor partner network.

Siili is the data controller of its cooperation partners’ personal data. As the data controller, Siili is responsible for personal data processing and defines the purposes and means of processing.

Siili processes personal data in accordance with all applicable laws, as well as Siili’s Data Protection Policy, Information Security Policy and guidelines derived from them.


Personal Data Collection Methods and Sources

Siili primarily receives personal data directly from the cooperation partner or the data subjects themselves.

Online behavior is monitored through activities on Siili's websites and communication behavior from responses to Siili's messages.

Personal data may also be obtained from other reliable external sources such as authorities and trade register.

 

Personal Data Collected and Processed

Siili may process the following personal data:

  • Basic Data – First and last names, business contact information (telephone, email, mailing address), location, language.
  • Work-related Data – Represented partner/organization, information related to work tasks such as position, role, and the unit the person works in.
  • Communication-related Data – Newsletter and other subscription memberships, event registrations and participation (including special dietary needs), meetings, and any relevant correspondence necessary for managing the partnership.
  • Direct Marketing Permissions and Prohibitions – Individual’s direct marketing permissions or prohibitions.
  • Cooperation Partner Feedback to Siili: Responses to surveys directed to partners and open feedback.
  • Online Behavior Monitoring Data: Data collected via cookies such as the pages visited, the operating system of the person's computer, and browser type.
  • Communications Behavior Monitoring Data – Actions such as opening, clicking, or transitioning to Siili's website from an email sent by Siili.


Siili may also process information concerning the modification or update of the above categories.

 

Legal Bases and Purposes of Data Processing

Siili processes personal data for predefined purposes based on contract, legal obligation, consent or Siili’s legitimate interests. Siili ensures that its interests can be considered legitimate and conducts an evaluation of the lawfulness of its interests.

Personal data is processed to enable marketing, sales, and the provision and production of services, manage cooperation relationship, and develop business.

If a data subject voluntarily provides dietary or allergen information for specific meetings or event registrations, Siili processes this data only for arranging the catering for the meeting or event and deletes the data when it is no longer necessary.

The table below provides more information on the legal bases and purposes of processing.

 

 

Personal Data Category

Legal Bases

Purposes

Basic Data

Contract (e.g., client relationship),
consent (e.g., subscribing to newsletters or other communications),
Siili’s legitimate interests: personal data is necessary for marketing, sales, and providing and producing services, managing cooperation relationships, and developing business.

 

Enabling marketing, sales, and the provision and production of services, managing partnership relationships, maintaining personal data, developing business, arrangements and communications related to events and meetings, other communications such as surveys, informational and news purposes, distribution of white papers, contests, direct marketing, identification and engagement of potential employees or subcontractors.

 

Work-related Data

Contract (e.g., client relationship),
consent (e.g., registering for an event),
Siili’s legitimate interests: personal data is necessary for marketing, sales, and providing and producing services, managing cooperation relationships, and developing business.

 

Enabling marketing, sales, and the provision and production of services, managing cooperation relationships, maintaining personal data, developing business, arrangements and communications related to events and meetings, other communications such as surveys, informational and news purposes, distribution of white papers, contests, direct marketing, identification and engagement of potential employees or subcontractors.

 

Communication-related Data

Contract (e.g., client relationship),
consent (e.g., subscribing to newsletters or other communications),
Siili’s legitimate interests: personal data is necessary for marketing, sales, and providing and producing services, managing cooperation relationships, and developing business.

 

Enabling marketing, sales, and the provision and production of services, managing cooperation relationships, developing business, arrangements and communications related to events and meetings, other communications such as surveys, informational and news purposes.

Direct Marketing Permissions and Prohibitions

Legal obligation,
Siili’s legitimate interests: personal data is necessary to identify individuals to whom direct marketing is or is not allowed.

Carrying out direct marketing in compliance with the law and respecting the choices of the data subjects.

Cooperation Partner Feedback to Siili

Siili’s legitimate interests: processing feedback is necessary for developing Siili's business operations and services, and planning, implementing, and developing communication and marketing.

Developing internal business operations and services, and planning, implementing, and developing communication and marketing.

Online Behavior Monitoring Data

Consent,
Siili’s legitimate interests: using essential cookies is necessary for the proper functioning of Siili’s website and services.

 

Cookies are employed to personalize website content and advertisements according to your preferences, facilitate social media functionalities, analyze website visits and usage patterns, and overall improve the website's performance. For further details on how Siili uses cookies, please refer to Siili’s Cookie Statement.

Communications Behavior Monitoring Data

Siili’s legitimate interests: personal data is necessary for managing, targeting, developing, and monitoring marketing, sales, and communication.

Managing, targeting, developing, and monitoring marketing, sales, and communication.

 

Personal data may also be processed based on Siili's legitimate interest to prevent and investigate misuse and issues, as well as to comply with legal requirements. Siili may process personal data also for defending its legal rights, carrying out a trial or authority process and the execution of an authority order.

In addition, personal data can be processed for reporting and analytics based on Siili’s legal obligation or legitimate interest. If identification of an individual person is not necessary considering the purpose, Siili ensures that personal data is processed in such a form that data subjects are not identifiable from the report or other result.

 

Disclosures of Personal Data

Siili may disclose personal data to the following recipients

  • Siili Group Companies: Personal data may be shared with companies within the Siili Group, based on Siili’s legitimate interest. These companies process personal data in accordance with this Statement or their own statement, substantially similar to this one.
  • Service Providers and Subcontractors: Personal data may be disclosed to Siili’s service providers and subcontractors who process personal data on behalf of Siili. Through appropriate contractual arrangements, Siili ensures that personal data is processed in accordance with this Statement and applicable laws.
  • Business Partners: Personal data may be disclosed to trusted third parties, such as training providers, external advisors, and auditors, based on Siili’s legitimate interest.
  • Authorities, Legal Processes, and Legislation: Siili discloses personal data to competent authorities as required by mandatory legislation. Personal data may also be disclosed in connection with legal processes or as a response to the requests by authorities based on law, court order, court proceedings, or authority process, in compliance with applicable laws.
  • Mergers and Acquisitions: In the event that Siili decides to sell, merge, or rearrange its business, such actions may include disclosing personal data to potential or actual purchasers and their advisors. If the disclosure of personal data is necessary in such a situation, Siili will share only the necessary personal data and only as permitted by applicable legislation.

 

Data Transfers Outside of the European Economic Area

Siili may transfer personal data to Siili Group companies located outside of the European Economic Area (EEA) for arranging Siili Group’s operations. Siili may transfer personal data also to its clients, cooperation partners, service providers and subcontractors located outside of the EEA for the purposes described in this Statement.

When personal data is transferred outside of the EEA, Siili uses appropriate transfer basis (such as standard contractual clauses approved by the European Commission and possible supplementary measures) to ensure an adequate level of data protection.

 

Data Retention

Siili retains personal data for as long as it’s necessary for the initial or compatible purposes for which the personal data have been collected. Retention periods are determined based on mandatory legislation and common industry practices.

Typically, personal data is retained for 10 years from the last transaction or related communication in cases where there has been a cooperation agreement between Siili and the company represented by the data subject. In other cases, personal data is typically retained for three years from data collection.

Siili may also delete personal data that is no longer needed for its intended purpose during the course of the cooperation relationship. Information that becomes unnecessary, outdated, or for which there is no longer a valid reason for processing, will be anonymized or securely destroyed.

More information about personal data retention periods and deletion practices can be found in Siili’s Data Retention Policy. Detailed information on the retention of personal data collected with cookies is available in Siili's Cookie Statement.

 

Data Security

Siili employs appropriate organizational and technical measures to guard against accidental and/or unlawful access, alteration, and destruction, or other processing, including unauthorized disclosure and transfer of personal data.

These measures encompass (without limitation) proper firewall arrangements, malware detection, appropriate encryption of telecommunication and messages, as well as the use of secure and monitored equipment and server rooms. Data security is of special concern when third parties provide and implement IT systems.

Data security requirements are diligently observed in IT system access management and monitoring of access to IT systems. Siili personnel, processing personal data as part of their tasks, are trained and properly instructed in matters of data protection and data security.

For more information on Siili’s data security practices, please refer to Siili’s Information Security Policy.


Automated Decision-Making

Siili does not make decisions about data subjects through automated decision-making.

 

Data Subject Rights

Data subjects have the following rights according to data protection legislation:

  • Right to obtain information on the processing of personal data: The data subjects have the right to be informed of the collection and processing of their personal data.
  • Right of access to their data: The data subjects have the right to receive confirmation from the controller on whether or not the controller is processing personal data that concerns them. If data concerning the data subject is being processed, the controller must provide the data subject with a copy of the personal data being processed.
  • Right to rectification of their data: The data subjects have the right to demand the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.
  • Right to the erasure of data: In certain cases, the data subjects have the right to have the controller erase data concerning them without undue delay.
  • Right to restriction of processing: The data subjects can request the controller to restrict the processing of personal data concerning them.
  • Right to object to the processing of data: The data subjects have the right to object to the processing of their personal data on grounds relating to their particular situation when a processing is based on legitimate interests pursued by the controller or a third party.
  • Right to data portability: The data subjects have the right to receive the personal data that they have provided to the controller in a structured, commonly used, and machine-readable format and, if desired, transmit that data to another controller.
  • Right not to be subject to a decision based solely on automated processing: The data subjects have the right to demand human involvement in decisions that concern them.
  • Right to file a complaint to the data protection authority: The data subjects have the right to file a complaint with the national data protection authority (in Finland, the Data Protection Ombudsman) or other data protection authority within the EU or EEA if they have experienced that personal data have not been processed lawfully.

 

If Siili processes certain personal data based on the data subject’s consent, they have a right to withdraw their consent at any time.

Data subjects have the right to opt out of targeted direct marketing. Each electronic direct marketing message offers the data subject the opportunity to opt out of receiving further direct marketing communications.

Data subjects can exercise their rights by contacting dataprotection@siili.com.

Data subjects may not be able to exercise their rights in all situations. For instance, the basis for data processing has an impact on the data subjects’ possibility to exercise their rights (e.g., if the processing is based on legal obligation, it is not possible to erase the data upon the request of the data subject).

 

Changes

Siili may change or amend this Statement as necessary, and therefore it is recommended that you revisit this Statement regularly. Substantial changes will be announced on Siili's website and/or communicated to data subjects directly.


Contact Information

For questions related to data protection, you can email Siili's data protection team at dataprotection@siili.com.