Disclosures in accordance with the Data Act

This web page contains information that each 3 Step IT entity providing services to its customers’ (“3stepIT”) is required to disclose as a data processing service provider in accordance with regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules on fair access to and use of data (Data Act).

Jurisdiction

Data processing services that 3stepIT provides to its customers are subject to the jurisdiction of the country where the 3stepIT entity that has entered into the service agreement with the customer has its head office. Below a list of all such 3stepIT entities providing services to customers.

Please note that this information is provided only for the purposes laid out in Article 28 of Data Act and does not in any way affect the interpretation or the terms concerning governing law in the service agreement between 3stepIT and customer.

3 Step IT entities providing asset register and related additional services

3Step IT Oy – Finland
3 Step IT Sweden AB – Sweden
3 Step IT AS – Norway
3Step IT A/S – Denmark
3 Step IT Inc. – USA
3 Step IT Corp. – Canada

Technical, organizational and contractual measures to prevent international governmental access or access conflicting with Union law or national law of member states

3stepIT has implemented comprehensive technical and organizational measures and holds ISO 27001 certification. These include robust access controls, regular security audits, continuous monitoring, incident response protocols, employee training programs, and strict data protection policies to ensure the highest standards of information security and compliance. 3stepIT chooses reliable vendors when using external service providers. 3stepIT ensures that external service providers use appropriate encryption methods and do not have access to encryption keys if a risk of international governmental access is present.

Switching to another service provider or transferring customer’s data

This section includes information about switching to another service provider and transfer of data in practice. Please note that customer must always comply with the terms applicable to switching to another service provider or transferring the data as set out in the service agreement.

After receiving customer’s request to switch to another service provider or to have the exportable data transferred to customer, 3stepIT compiles the customer’s exportable data (excluding data categories listed in the last section).

The compiled data package will be sent to customer’s representative by email. If the data package cannot be sent by email, 3stepIT will enable the customer to download the data package by granting access to a file sharing system of 3stepIT’s choosing.

The data package will be provided in a standard workbook format.

Information categories that are included in the exportable data and digital assets

Exportable data

Information about customer’s leased assets (e.g., device model, serial number) which have been uploaded to asset register.
Information about the services and service agreement (e.g., lease period, device supplier).
Information about customer’s usage of the asset register (e.g., change log).
Information specific to customer and its organization (e.g., cost center, device user, pick up location).

Digital Assets

3stepIT does not currently provide its customers with digital assets that would be exportable under the Data Act.

Information categories that are excluded from the exportable data

The below information categories are 3stepIT’s or its group companies’ trade secrets, intellectual property or they are related to the integrity and security of the service and are excluded from the exportable data.

Technical logs and other technical information about the asset register, its use or functioning.
Information about 3stepIT’s or its group companies’ business model, financing operations or data concerning decision making relating to such.