Data Protection Statement – Clients and Business Contacts 

Last updated: 1 June 2026

 

Introduction

Siili Solutions Plc and its group companies ("Siili") are committed to protecting personal data and processing it in a transparent, responsible and secure manner.

This Data Protection Statement (“Statement”) explains how Siili processes personal data of individuals acting as contact persons or representatives of clients, suppliers, other cooperation partners, and potential business partners. Personal data refers to any information related to an identified or identifiable natural person (data subject). Data subjects under this Statement typically include individuals acting in a professional capacity in connection with Siili’s business activities.

Siili is the data controller of personal data covered by this Statement and determines the purposes and means of processing.

Siili processes personal data in accordance with applicable data protection legislation, as well as its internal data protection and information security policies.

A separate subcontractor data protection statement applies to processing of personal data of subcontractors belonging to Siili’s subcontractor partner network.

 

Personal Data Collection Methods and Sources

Siili collects personal data from multiple sources.

Personal data is often obtained directly from the data subject or the organization they represent (e.g. through contact forms, event registrations, content downloads or other interactions).

Personal data may also be obtained from publicly available professional sources, professional networking platforms, third-party data providers and prospecting tools, cooperation partners, and referrals provided by Siili employees or business contacts. In addition, personal data may be obtained from other reliable or official sources such as authorities and the trade register.

Siili may also collect information about online behaviour and interactions, such as activities on Siili’s websites and engagement with Siili communications (e.g. responses to messages or interaction with content).


Personal Data Collected and Processed

Siili may process the following personal data:

  • Contact and Professional Information – First and last names, business contact information (phone number, email, mailing address), organization and company information, job title, role and business unit, location, language, publicly available professional profile information, identifiers used in Siili’s systems (e.g. CRM contact identifiers).
  • Relationship and Interaction Data – Records of meetings, communications and correspondence, event registrations, participation and related information, content downloads and interactions with materials, notes and records related to business interactions, information about engagement with Siili (e.g. responses, participation), limited information derived from interactions (e.g. inferred professional interest in Siili’s services or content), records of professional communications and interactions, including communication metadata and, where applicable, limited content of business-related communications.
  • Direct Marketing Permissions and Prohibitions – Records of marketing consent and preferences, opt-in and opt-out information, records of unsubscribe actions, communication preferences (where available).
  • Cooperation Partner Feedback to Siili – Responses to surveys, feedback collected through events, surveys, meetings or other interactions, open feedback and comments, aggregated or analysed feedback results (where applicable).
  • Online Behavior Monitoring Data – Data collected via cookies (e.g. pages visited, browsing activity), device and technical information (e.g. operating system, browser type), IP address and approximate location, website usage patterns and interactions.
  • Communication Engagement Data – Information about interactions with emails and communications (e.g. opens, clicks, responses), information about responses or replies to communications, participation in campaigns and communications, transitions from communications to websites and content, engagement-related metadata.

Siili may also update and maintain personal data included in the above categories, including combining or supplementing information from different sources, to ensure that the information remains accurate and up to date.

 

Legal Bases and Purposes of Data Processing

Siili processes personal data for predefined purposes based on contract or pre-contractual steps, legal obligation, consent or Siili’s legitimate interests.

Where processing is based on legitimate interests, Siili has assessed that the processing is proportionate and that the rights and freedoms of individuals are not overridden. This includes, for example, B2B prospecting, relationship management and certain marketing activities.

Personal data is processed to enable marketing, sales, and service delivery, to identify and contact potential business clients, to manage relationships, and to support business development.

Personal data may also be used to maintain accurate and up-to-date contact information, including updating and combining data from different sources where appropriate.

Siili may use automated processing and analytical tools to support its business operations, for example by improving communication, understanding engagement and developing services, in a proportionate manner.

If dietary or allergen information is voluntarily provided for events, it is used only for organising catering and deleted when no longer needed.

The table below provides more detailed information on legal bases and purposes of processing.

 

Personal Data Category: Contact and Professional Information

Legal Bases:
- contract or pre-contractual steps (e.g. client relationship, responding to inquiries)
- consent (e.g. subscribing to communications or event participation)
- legitimate interests (e.g. marketing, sales, service delivery, relationship management and business development)

Purposes:
- enabling communication and contact with clients and potential clients
- supporting sales, marketing and service delivery activities
- managing and maintaining business relationships
- organising events, meetings and related communications
- maintaining and updating contact information
- supporting general business development and operations

Personal Data Category: Relationship and Interaction Data

Legal Bases:
- contract or pre-contractual steps (e.g. managing client relationships and interactions)
- consent (e.g. participation in events or communications where applicable)
- legitimate interests (e.g. managing relationships, maintaining interaction history, supporting sales and marketing activities and developing business)

Purposes:
- managing and maintaining business relationships and interactions with clients and potential clients
- recording and maintaining interaction history (e.g. meetings, communications and engagement)
- supporting sales activities and relationship development
- improving the relevance and effectiveness of communication and marketing
- maintaining accurate and up-to-date contact information
- analysing engagement in a proportionate and business-relevant manner to support business development

Personal Data Category: Direct Marketing Permissions and Prohibitions

Legal Bases:
- legal obligation (e.g. compliance with direct marketing rules)
- legitimate interests (e.g. maintaining records of permissions and prohibitions and ensuring compliant marketing practices)

Purposes:
- managing and respecting individuals’ marketing preferences
- ensuring that direct marketing is carried out in compliance with applicable laws
- maintaining records of permissions and prohibitions

Personal Data Category: Cooperation Partner Feedback to Siili

Legal Bases:
- legitimate interests (e.g. improving services, developing business operations and planning communication and marketing)

Purposes:
- collecting and analysing feedback to improve services and operations
- developing business processes, communication and marketing
- supporting planning and decision-making

Personal Data Category: Online Behavior Monitoring Data

Legal Bases:
- consent (e.g. cookies and similar technologies)
- legitimate interests (e.g. use of essential cookies and ensuring functionality of services)

Purposes:
- analysing website usage and performance
- improving website functionality and user experience
- personalising content and communications where applicable
- supporting marketing and analytics activities
- where applicable, supporting relationship management for identified contacts in a limited and proportionate manner

Personal Data Category: Communication Engagement Data

Legal Bases:
- legitimate interests (e.g. managing and improving communication and supporting sales and relationship management activities)

Purposes:
- monitoring and analysing engagement with communications
- improving the relevance and effectiveness of communication and marketing
- supporting sales and relationship management activities

 

Personal data may also be processed based on Siili's legitimate interest for purposes such as preventing and investigating misuse, ensuring the security and proper functioning of systems and services and managing risks related to business operations.

In addition, personal data may be processed where necessary for the establishment, exercise or defense of legal claims, as well as for compliance with applicable legal obligations and authority requests.

Personal data may also be used for reporting, analytics and business development purposes. Where possible, such data is aggregated or otherwise processed in a way that does not allow the identification of individual persons. Where identification is necessary, processing is limited and proportionate to the purpose.

 

Disclosures of Personal Data

Siili may disclose personal data to the following recipients:

  • Siili Group Companies: Personal data may be shared with companies within the Siili Group, based on Siili’s legitimate interest in organising and managing its business operations. These companies process personal data in accordance with this Statement or their own substantially similar data protection statements.
  • Service Providers, Subcontractors and Technology Providers: Personal data may be disclosed to Siili’s service providers, subcontractors and technology providers who process personal data on behalf of Siili (e.g. IT systems, communication tools and other business support services). Through appropriate contractual arrangements, Siili ensures that personal data is processed in accordance with applicable laws and this Statement. Professional networking platforms and other technology providers may also process personal data in accordance with their own privacy practices where applicable.
  • Business Partners: Personal data may be disclosed to trusted business partners (e.g. training providers, external advisors and auditors) where necessary for providing services, organising events or supporting business operations, based on Siili’s legitimate interest.
  • Authorities and Legal Processes: Personal data may be disclosed to competent authorities where required by law. Personal data may also be disclosed where necessary for the establishment, exercise or defense of legal claims or in connection with legal proceedings or authority processes.
  • Mergers and Acquisitions: In the event of a merger, acquisition or other business arrangement, personal data may be disclosed to potential or actual purchasers and their advisors, to the extent permitted by applicable law and limited to what is necessary.

 

Data Transfers Outside of the European Economic Area

Siili may transfer personal data outside of the European Economic Area (EEA) to Siili Group companies, service providers, subcontractors, technology providers, business partners and clients for the purposes described in this Statement. Such transfers may take place, for example, when using IT systems, communication tools, professional networking platforms or other services that involve processing of personal data outside the EEA.

When personal data is transferred outside of the EEA, Siili ensures that appropriate safeguards are in place to protect the data. These safeguards may include, for example, standard contractual clauses approved by the European Commission and, where necessary, supplementary measures to ensure an adequate level of data protection.

 

Data Retention

Siili retains personal data for as long as it’s necessary for the purposes for which it was collected or for compatible purposes. Retention periods are determined based on applicable legislation, contractual requirements and common industry practices.

The retention period depends on the nature of the relationship with the data subject. For example:

- personal data related to active client and cooperation relationships may be retained for a longer period and as long as such relationship remains active
- personal data related to potential clients and other contacts may be retained for a limited period (e.g. up to 5 years), subject to periodic review

In general, personal data may be retained for up to 10 years from the last transaction or related communication where there has been a contractual relationship, unless a shorter retention period is justified.

Personal data is regularly reviewed to ensure that it remains relevant and is not retained without a valid purpose. Data that is no longer necessary, outdated or no longer relevant will be deleted, anonymised or otherwise securely processed.

Further information on the use of cookies and related retention practices is available in Siili's Cookie Statement.

 

Data Security

Siili implements appropriate technical and organizational measures to protect personal data against accidental or unlawful access, alteration, loss, destruction, or disclosure.

These measures include, for example, access controls, encryption, monitoring of systems and communications, and other security measures appropriate to the nature of the processing and risks involved.

Siili uses trusted service providers and technology solutions and ensures through contractual and organisational measures that personal data is protected in accordance with applicable data protection and security requirements.

Access to personal data is restricted to authorised personnel who need the data for their work tasks, and personnel are trained and instructed on data protection and information security practices.

 

Automated Decision-Making

Siili does not use automated decision-making that produces legal effects or similarly significant effects on individuals.

However, Siili may use limited automated processing and profiling to support its business operations, such as managing communications, analysing engagement and improving services.

 

Data Subject Rights

Data subjects have the following rights under applicable data protection legislation:

  • Right to be informed: to receive information about how their personal data is collected and processed.
  • Right of access: to obtain confirmation as to whether personal data concerning them is processed and, where that is the case, to receive a copy of the data.
  • Right to rectification: to request correction of inaccurate personal data and completion of incomplete data.
  • Right to erasure: to request deletion of personal data in certain circumstances.
  • Right to restriction of processing: to request that processing of personal data is restricted in certain situations.
  • Right to object: to object to processing based on legitimate interests on grounds relating to their particular situation.
  • Right to data portability: to receive personal data provided to Siili in a structured, commonly used and machine-readable format and to transmit that data to another controller, where applicable.
  • Right not to be subject to automated decision-making: to request human involvement in decisions that have legal or similarly significant effects.
  • Right to lodge a complaint: to file a complaint with a competent data protection authority (in Finland, the Data Protection Ombudsman) or another authority within the EU or EEA.

If personal data is processed based on consent, the data subject has a right to withdraw their consent at any time.

Data subjects also have the right to object to direct marketing at any time. Each electronic direct marketing message provides an opportunity to opt out of further marketing communications.

Data subjects can exercise their rights by contacting dataprotection@siili.com.

Please note that the availability of certain rights depends on the legal basis for processing. For example, where processing is based on a legal obligation, it may not be possible to erase the data upon request.

 

Changes

Siili may update this Statement from time to time to reflect changes in its data processing practices or applicable laws. The latest version will always be available on Siili’s website.

 

Contact Information

If you have any questions regarding data protection or this Statement, please contact Siili's data protection team at dataprotection@siili.com.