European Union general data protection regulation ((EU) 2016/679) compliant version

Effective date: 25 May 2018


Data Controller:

Siili Solutions Oyj, Finnish Business ID 1979903-5 (below also "Siili")  

Address: Ruoholahdenkatu 21, 00180 Helsinki, Finland


Contact in Data File Related Matters:

Mailing address as above.


Data File:

Customer Contact Data File


Data Subjects:

Employees and other representatives of actual and prospect customer companies (together "Customer Companies" included partners) of Siili and other companies belonging to the same group of companies with Siili ("Siili Group")


Legal Basis for the Processing and Purpose of Use of Customer Contact Data:

Processing of personal data ("Customer Contact Data") is based on:

  1. Siili legitimate interests as processing of Customer Contact Data is an obligatory enabler for conducting Siili Group business activities in compliance with any applicable laws;
  2. Contractual relationships either directly with the data subjects or indirectly with the Customer Companies that the data subjects represent; and/or
  3. Consent received from the data subject for processing of Customer Contact Data belonging to special categories (cf. section "Customer Contact Data Content (Data Attributes and Information)" below).

The data subject may at any time withdraw the consent to which the processing of Customer Contact Data is based on.

The purposes for processing and use of the Customer Contact Data include the following items:

  1. Marketing, sales, production and provisioning of Siili Group services and products;
  2. Managing relationships with Customer Companies and customer contact persons;
  3. Business development and reporting within Siili Group;
  4. Development of Siili Group services and products;
  5. Development of Siili Group IT environment and applications;
  6. Invoicing, taxation and other necessary financial transactions;
  7. Collecting and processing feedback from the Customer Companies and customer contact persons; and
  8. Securing compliance with all applicable laws as well as establishing and exercising Siili Group legal rights (including claims) and defending Siili Group against legal claims.



Customer Contact Data Content (Data Attributes and Information):

Identification and general contact data attributes such as:

  • Name;
  • Mailing address;
  • Email address;
  • Telephone numbers;

Information concerning allergies or dietary requirements and expectations for organizing refreshments and catering e.g. in customer meetings, receptions and trainings including those of Siili Academy (this information may contain health information and is therefore special category personal data and can be collected and processed with the consent of the data subject only);

Information related to Customer Companies such as:

  • Customer Company name;
  • Position and/or title within Customer Company

Information necessary for invoicing and execution of other financial transactions related to Customer Companies and customer contact persons;

Information related to business transactions and activities between Siili Group and Customer Companies into which customer contact person has participated to or is otherwise related to (i.a. information concerning participated Siili Academy trainings as well as direct marketing permissions and opt-outs);

Information concerning business feedback and expectations of Customer Companies and customer contact persons towards Siili Group;

Digital behavioral data related to visits to and use of Siili Group digital services;


Sources of Customer Contact Data:

Customer contact persons themselves (including their digital behavior in Siili Group digital services), Customer Companies and other representatives of them, Siili Group employees and external resources supporting Siili Group business processes (e.g. service providers).


Disclosures and Transfers of Customer Contact Data and Transfer of Customer Contact Data to countries outside European Union or the European Economic Area:

Customer Contact Data are not generally disclosed (to another controller for independent use) unless required by the mandatory law such as to authorities. As an exception, personal data related to Siili Academy training (i.a. participation and course information) can be disclosed to our trusted business partners for provisioning training certifications and maintaining information on them.

If Customer Contact Data is transferred to/from external data processors (subcontractors or vendors including other companies belonging to Siili Group) to be processed on behalf of Siili, appropriate data processing agreements, as required by the applicable laws, are executed to secure lawful and appropriate processing of Customer Contact Data.

Exceptionally, Customer Contact Data may need to be transferred to purchaser or potential purchaser of Siili Group business or part of it. Such sharing does not occur regularly, but should it be necessary, only smallest possible amount of Customer Contact Data will be transferred and always in the limits of applicable legislation.

Customer Contact Data may due to necessary technical and practical processing requirements be transferred outside EU and/or EEA (incl. Switzerland). Should such international transfer occur, it would only be executed as allowed by and in accordance with applicable laws. Due to small coverage of EU Commission adequacy decisions, EU Commission standard contractual clauses (e.g. of type controller to processor, EU Commission decision 2010/87/EU) would be typically used as appropriate safeguards for these international personal data transfers. In some cases, also US/EU Privacy Shield arrangement would be relied on. Copies of the standard contractual clauses would be available through the contact details mentioned above.

Customer Contact Data can be transferred from Finland to the following countries for processing:

o        All European Union member states;

o        United States of America;


Security Principles of the Data File:

Customer Contact Data is protected by organisational and technical measures against accidental and/or unlawful access, alteration, and destruction or other processing including unauthorized disclosure and transfer of Customer Contact Data.

Such measures include (without limitation) proper firewall arrangements, malware detection, appropriate encryption of telecommunication and messages as well as use of secure and monitored equipment and server rooms. Data security is of special concern when third parties (e.g. data processing subcontractors) providing and implementing IT systems and services are retained.

Data security requirements are duly observed in IT system access management and monitoring of access to IT systems. Siili Group personnel processing Customer Contact Data as part of their tasks is trained and properly instructed in data protection and data security matters.


Right to Object Processing of Customer Contact Data

In accordance with the law the data subject has at any time the right to object the processing of Customer Contact Data:

  1. On the grounds of the lawfulness of Siili data processing being based on Siili legitimate interests; and
  2. For direct marketing purposes (unsubscribe from the direct marketing).

In order to use these rights, the data subject shall contact the above-mentioned contact persons in writing (incl. e-mail). However, the request may be declined or restricted where allowed or required under the law.


Other Rights of Data Subject:

In accordance with the law the data subject has at any time the right to:

  1. Access the Customer Contact Data and based on request, receive a copy of it and related other supplementary information concerning Customer Contact Data processing as specified in the law;
  2. Request, purposes of Customer Contact Data processing allowing:
    1. Inaccurate Customer Contact Data to be corrected;
    2. Incomplete Customer Contact Data to be amended; and
    3. Obsolete or outdated Customer Contact Data to be deleted;
  3. Be forgotten by Siili, if:
    1. Customer Contact Data are not any more necessary in relation to the purposes of Siili data processing;
    2. The Customer Contact Data have been unlawfully processed by Siili;
    3. The data subject withdraws consent on which the processing of Customer Contact Data is based and where there is no other legal ground for the processing;
    4. The processing has been based solely on legitimate interests of Siili which the data subject has objected and no overriding legitimate grounds for the processing have been established; or
    5. The data subject has objected processing for direct marketing (concerns only such Customer Contact Data that is solely used for direct marketing and for no other purpose).
  4. Restrict the processing of the Customer Contact Data if:
    1. The data subject contests the accuracy of the Customer Contact Data;
    2. The processing is unlawful, and the data subject opposes the deletion of such Customer Contact Data;
    3. The data subject has objected to processing of Customer Contact Data on the sole lawful basis of Siili legitimate interests and pending the investigation if the legitimate interests of Siili override those of the data subject; or
    4. Siili no longer needs the Customer Contact Data for its purposes of uses, but Customer Contact Data are required by the data subject for the establishment, exercise or defense of legal claims;
  5. Receive the Customer Contact Data, which the data subject has provided to Siili (but not other Customer Contact Data including those that are generated by Siili or provided by any third parties), in a structured, commonly used and machine-readable format and have the right to transmit those data to other data controller; or
  6. Lodge a complaint with a supervisory authority (in Finland Data Protection Ombudsman);

The data subject may at any time withdraw the consent to which the processing of Customer Contact Data is based on.

In order to use these rights, the data subject shall contact the above-mentioned contact persons in writing (incl. e-mail). However, the request may be declined or restricted where allowed or required under the law.


Retention period of Customer Contact Data:

Generally, Siili retains the Customer Contact Data for ten years from the last business activity completed between Siili Group and customer contact person.

This general retention rule is based on i.a. laws regulating expiration of debts, possible long warranty periods related to Siili Group services and products as well as traditionally long-lasting business relationships between Siili Group and Customer Companies. Also, possible needs related to litigation purposes justify such retention of the Customer Contact Data.

However, the above retention rule is always subject to differing requirements included in any mandatory laws applicable to Customer Contact Data. Therefore, in some cases, retention period may be shorter or longer than the above-mentioned.

Notwithstanding the above, the retention of Customer Contact Data may always be extended due to existing or imminent need of any company belonging to Siili Group to establish or exercise legal claims or defend itself against legal claims related to Customer Contact Data.


Provision of Customer Contact Data:

Provision of Customer Contact Data is voluntary but necessary to commit to and proceed with any business activity between Siili Group and customer contact person and/or Customer Company.

Failing to provide Customer Contact Data prevents or may prevent Siili from committing to an/or proceeding the mentioned business activity.