Your privacy is important to Avance. This policy describes how Avance Attorneys Ltd (“Avance” or “we”) as controller process personal data in the context of our provision of legal services to our clients, recruitment processes and in relation to our newsletters, seminars and other similar activities.
Types of personal data, purposes of processing and the grounds for processing such data
Below is a short summary of the types of personal data that we process and the purposes of such processing, as well as the legal grounds that we have for doing this.
|Type of personal data||Purposes of processing||Grounds for processing|
|Personal data of our clients’ representatives. This information comprises the name and position of individual persons with our client, contact information, language preferences, dietary restrictions, and specific areas of interest.||Providing legal services to our clients.
Marketing activities, such as sending newsletters on legal topics of interest or inviting to seminars and other events organized by us.
|Legitimate interest in providing legal services to our clients.
Legitimate interest in developing our client relations.
|Personal data required by applicable Know Your Client regulations and conflicts of interest verifications concerning our clients and their representatives and owners. This information comprises the name and position of individual persons, contact information, passport copies, information on political connections, ownership interests and other information required by KYC regulations.||Fulfilling our regulatory duties, such as KYC duties and our duty to avoid conflicts of interests under applicable laws and regulations. The purposes of KYC duties include, primarily, the prevention of money laundering and financing of terrorist activities.||Processing is necessary for compliance with a legal obligation binding on us.|
|Client matter related personal data, such as data relating to customers of our clients, counterparties to our clients and other third parties. The personal data can comprise various types of personal data from contact information to sensitive personal data, depending on the client matter at hand.||Providing legal services to our clients.||Legitimate interest in providing legal services to our client.|
|Personal data of job applicants and prospective job applicants received in job applications and in the course of the interview process, as well as in the context of networking prior to a formal job application process. This data includes the applicant’s name, contact information, information on their education and past work experience and any other information that they decide to give us as part of their job application, CV, cover letter and any accompanying documentation, or in the context of networking.||Internal recruitment purposes.||Consent, where consent has been requested and obtained.
Legitimate interest in considering the data subject for recruitment.
|Personal data of our potential clients’ representatives or owners, of individuals who have attended an event organized by us and representatives of other interest groups. This data includes the name, position and contact information of the person.||Marketing purposes, such as sending newsletters and other legal updates, inviting to seminars or other events organized by us.||Legitimate interest in building relationships with persons who have attended an event organized by us and other interest groups.
Consent, where consent has been requested and obtained.
How do we obtain your personal data?
Personal data of clients’ representatives. We obtain personal data of our clients’ representatives from our clients. Personal data required for Know Your Client purposes we obtain partly from our clients and partly from public sources and databases such as the Companies Register. We obtain personal data relating to conflicts of interest searches from our prospective clients and from public sources, such as the websites of the relevant companies.
Personal data relating to client matters. We obtain personal data relating to client matters primarily from our clients, but also from various other sources in the ordinary course of handling the legal matter in question. The sources where we may obtain personal data relevant for a client matter include, for example, third party witnesses, documentation and information obtained from public sources such as various public databases (free or payable) or our client’s counterparty’s representatives.
Personal data relating to job applicants. We obtain personal data relating to job applicants and prospective job applicants primarily from the applicants themselves, for example, as part of their cover letter, CV and any accompanying documentation, or in the course of interviews or in the context of networking prior to a formal job application process. We may also obtain personal data of job applicants and prospective job applicants from other sources, such as from references identified by the applicant.
Personal data relating to marketing. We obtain personal data for marketing purposes from the individuals themselves, e.g., when signing up for an event organized by us, as well as from public sources, such as the website of the company or other entity that they represent.
For how long do we retain your personal data?
As a general rule, we only retain your personal data for as long as it is relevant for the purpose(s) for which such data was collected. When personal data is no longer relevant for such purpose(s), we erase the data unless we have a legal obligation under applicable laws or regulations to retain such data for a specific period of time.
As a general rule, we retain personal data of our clients’ representatives for the duration of the client matter and for a period of one year from the date of last contact. The data retention periods can vary by data category and we may have a statutory obligation to retain certain data for a specific time period. For example, under applicable regulatory rules and guidelines, we should retain client matter related documentation even after the termination of the matter in question. Therefore, in line with Finnish Bar Association guidelines, we retain such materials for the duration of the client matter and for at least 10 years thereafter. As a further example, we also retain personal data required by Know Your Client regulations and conflict of interest rules for the duration of the client matter at hand and the statutory retention period thereafter. The exact time periods and procedures for data destruction vary by data category and the purpose of the processing.
We retain personal data related to job applications for the duration of the recruitment process in question and for two years thereafter, unless you withdraw your consent or object to our processing of your personal data at any time prior to that.
We retain personal data that is processed for marketing purposes for as long as the data remains relevant for the purpose for which it was collected and as long as our legitimate interest remains valid, unless you object to our processing of your personal data at any time. We retain personal data processed on the basis of consent until the consent given has been withdrawn or until the personal data no longer is relevant for the purpose for which it was collected.
Who receives your personal data?
We use third party service providers to process certain personal data on our behalf. This includes primarily IT systems and service providers.
Apart from the use of such service providers, we transfer personal data relating to our clients and to the client matters that we handle to third parties solely as required by applicable laws or regulations and as necessary to provide legal services to our clients. Recipients of personal data in this context include, primarily, our clients, their counterparties and their counsel, courts and public authorities, witnesses and any other counsel, service providers and experts assisting our client on the same matter.
As part of our Know Your Client obligations, we may be obliged to transfer personal data to the Finnish Bar Association or relevant public authorities, as required by applicable laws and regulations.
Apart from the use of processors of personal data described above, we do not transfer personal data of job applicants or personal data processed for marketing purposes to third parties.
Transfer of personal data outside the EU or the EEA
We primarily process your personal data within the EU and the European Economic Area (“EEA”).
However, we may in the future engage service providers that process personal data on our behalf on servers located outside the EU or the EEA. The level of data protection may be lower outside of the EU and the EEA than within those geographical areas. Therefore, any transfer of personal data processed by us outside of said geographical area will only take place under the safeguards applicable under the GDPR, including the EU model contracts for the transfer of personal data to third countries. The model contracts can be found here.
Your rights with regards to your personal data
You have various rights with regard to your personal data that we process as described in this policy. These rights include, in particular, the rights described below. However, these various rights may be subject to certain qualifications, such as arising from applicable laws or regulations by public authorities, which qualifications are not fully described below. Certain exceptions to the rights may also arise from the confidentiality and other obligations that we have as a law firm subject to the Rules of the Finnish Bar Association. Therefore, we encourage you to contact us at info(at)avance.com if you have any questions concerning your rights.
- Right to access your personal data: You have the right to obtain confirmation from us whether your personal data is being processed. You also have the right to access your personal data and to obtain certain information, such as the purposes of processing your personal data and the types of personal data involved.
- Right to rectification: You have the right to request us to rectify inaccurate personal data concerning you.
- Right to erasure: You have the right to request us to erase personal data concerning you in certain situations, such as if the data is no longer necessary for the purposes for which it was collected, if processing such data is unlawful or if the data was processed based on consent and you withdraw your consent.
- Right to restriction of processing your personal data: You have the right to restrict processing of your personal data, for example, for the period that is required for us to verify the accuracy of your personal data if you contest the accuracy of the personal data.
- Right to object to processing your personal data: You have the right to object to processing your personal data for direct marketing purposes. You are also entitled to, on the grounds of your particular situation, object to processing of your personal data that we do based on our legitimate interest.
- Right to data portability: You may have the right to obtain your personal data in a structured, commonly used and machine-readable format and to transfer the data to another controller, if we process your personal data based on your consent or because it is necessary for performance of a contract that we have entered with you or in order to enter a contract with you. For this right to be available to you, our processing of your personal data must take place by automated means.
- Right to withdraw your consent: To the extent we process your personal data based on your consent, you have the right to withdraw your consent at any time. You can do so by sending an email to info(at)avance.com or by mail addressed to Privacy / Avance Attorneys, Mannerheimintie 20 A, 00100 Helsinki. Withdrawing your consent does not affect the lawfulness of processing of your personal data based on consent before its withdrawal.
- Right to make a complaint with the data protection authorities: You have the right to make a complaint with the data protection authorities concerning our processing of your personal data. You can make the complaint with the data protection authority of the EU member state where you have your permanent residence or where you work, or where you find that a potential breach with regard to your personal data has occurred. In Finland, the relevant data protection authority is the Data Protection Ombudsman: https://tietosuoja.fi/en/home
We have implemented technical and organizational safeguards to ensure that appropriate data security and confidentiality of your personal data as understood under the applicable legislation and good data security practices is ensured. This means, for example, measures to prevent unauthorized access to or processing of your personal data.
How to exercise your rights and to contact us
If you have any questions concerning this policy or processing of personal data by Avance, or if you wish to exercise your rights explained above, please contact Avance:
- via email at info(at)avance.com; or
- by regular mail addressed to Privacy / Avance Attorneys Ltd, Mannerheimintie 20 A, 00100 Helsinki.
Date: 25 May 2018