Last updated: April 2021
The protection of your personal data is important to 3 Step IT Group Oy and its affiliated companies, hereinafter referred to as “3stepIT” or “we”. We are responsible, as a controller, for your personal data that we collect and process in connection with our activities. We may also act as a data processor and in that role process personal data on behalf of our contractual parties. Please note that this privacy notice does not cover personal data subject to processing activities we conduct as a processor. We kindly advise you to contact the data controller (e.g. our customer entity) for further information on the collection and processing of that specific data.
The purpose of this privacy notice is to inform you about:
- What personal data we collect about you.
- How we use your personal data and on which basis.
- Who we share your personal data with.
- International transfers of your personal data.
- For how long we retain your personal data.
- What actions we have taken to keep your data secure.
- What are your rights as a data subject and how you may exercise them.
- How you can contact us in case of questions related to this privacy notice.
Due to changes in our operations or the technology used, we may need to update our privacy notice from time to time. When this happens, we will revise this notice text and refresh it on our website.
1. What personal data do we collect?
In connection with our operations and during the lifecycle of business relationship with our customers, we collect various types of personal data, meaning any information that identifies or allows to identify you, including:
- data from your interactions with us, including visits to our internet websites or social media pages (connection and tracking data such as cookies, IP address), meetings, emails and other communication or correspondence with us.
- information about your device (IP address, technical specifications and uniquely identifying data).
- contact information, such as e-mail address, phone number, data relating to your role in your organization, and data relating to your habits and preferences, such as participation in our marketing events and areas of interest.
- login credentials used to connect to our products and data created from use of our products.
- identification information related to your role as authorized representative or beneficial owner of our customer entity (e.g. full name, identity (e.g. ID card, passport information, etc.), nationality, place and date of birth, gender, photograph).
- video surveillance data (CCTV data recorded when visiting our sites).
2. Whose personal data do we collect and from which sources?
We collect data of the following data subjects in connection with our operations:
- Contact persons or other representatives of our customers or customer prospects.
- Ultimate beneficial owners of our customers and their next of kins.
- Users of our products and services.
- Our website and social media page visitors and followers and participants to our webinars and events.
- Visitors to our sites.
We collect data either directly from you or indirectly, e.g. when the data collection is related to your role at our customer or customer prospect. If you provide us with third party personal data, please remember to inform the data subjects whose personal data you are sharing that we process their personal data and direct them to this privacy notice.
We obtain personal data indirectly from the following sources:
- Our customers.
- Our business partners.
- Public sources (e.g. company registers, LinkedIn, company websites, press).
- Third parties such as data brokers or databases (e.g. databases used in KYC or sanction screening).
3. On which basis and to which purposes do we use your personal data?
We collect and use your personal data to the extent necessary to carry out our operations and provide our services as well as to comply with any regulatory obligations in our activities. These purposes are defined in more detail below.
To comply with legal and regulatory obligations
We collect and use your personal data to comply various legal and regulatory obligations, such as:
- Anti-money laundering regulations and counter-financing of terrorism regulations, including Know Your Customer (KYC) obligations.
- Regulations relating to international financial sanctions and embargoes.
To fulfil our legitimate interest
We also use your personal data to fulfil our legitimate interests, which include the following:
- Provision and delivery of our products and services.
- Marketing and customer communication and development of our customer relationships.
- Development of our products and services.
- Security and safety of our IT and facilities.
Based on your consent
If processing of certain personal data requires your consent (e.g. cookies), we will inform you of this including details of the specific processing activity and request your consent to such processing. You may request to revoke your consent at any time.
4. Who do we share your personal data with?
Sharing of information within 3stepIT
We share personal data within 3stepIT for the purposes set out above, so e.g. for the purposes of complying with legal obligations or the purposes of marketing or providing our services to our customers.
Disclosing information outside 3stepIT
In order to fulfil some of the purposes described in this notice, we may disclose from time to time your personal data outside 3stepIT to:
- Service providers which perform services on our behalf (e.g. IT services, logistics, marketing, telecommunication, advisory and consulting).
- Our commercial partners, including our financing partners.
- Authorities or other public bodies, if we are required by law to disclose such data.
- Certain regulated professionals such as lawyers or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to actual or proposed purchaser of the companies or businesses of the 3stepIT.
5. International transfers of personal data?
As some of our affiliates, service providers, and partners are located outside the European Economic Area, we may need to transfer personal data outside the European Economic Area in order to carry out our operations. Transfers of this kind are done according to the requirements of the applicable laws, and by following the applicable safeguards for the transfers, e.g. based on adequacy decisions on the level of data protection adopted by European Commission, or using standard contractual clauses approved by European Commission.
6. For how long do we retain your personal data?
Personal data is deleted or returned once it is no longer needed for its purpose. The retention periods are defined based on e.g. the following factors:
- Requirements set forth in applicable laws and regulations; and
- Other requirements related to the purpose of the processing in question, e.g. operational requirements, such as proper account maintenance and management, security reasons, or responding to legal claims or regulatory requests.
7. How do we secure your data?
We apply appropriate technical and organizational measures to keep your personal data secure. We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data. Your data can only be accessed by persons for whom it is necessary in relation to their work.
We may outsource our processing of personal data to external service providers. In such events we enter into appropriate agreements with the providers in order to ensure that your personal data is processed in accordance with this privacy notice and any applicable laws.
8. Your rights as a data subject
In accordance with applicable regulations and where applicable, you have the following rights:
- To access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
- To rectify: where you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified accordingly.
- To erase: you can require the deletion of your personal data, to the extent permitted by law.
- To restrict: you can request the restriction of the processing of your personal data.
- To object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
- To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
- To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.
If you wish to exercise the rights listed above, please send your request to our Data Protection Office, the contact information of which is provided at the end of this notice.
Please include a scan/copy of your proof of identity for identification purpose when required.
In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.
9. How to contact us?
Company responsible for this privacy notice:
3Step IT Group Oy Limited Liability Company registered in Finland
Registration number: 2087590-4
Office address is: Mechelininkatu 1A Helsinki 00180, Finland
The general phone number is +358 10 525 3200
Data Protection Office: dpo(at)3stepit.com
If you have any questions relating to our use of your personal data under this privacy notice, please contact our Data Protection Office at the contact details provided above, or use the contact form provided on our website: tell us a bit about your enquiry and we will pass it to the right expert.
By allowing all cookies, we can enhance your experience. This means helping you find the right information quickly and tailoring content to your needs. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click ‘Manage preferences’ on the main cookies notice provided to you when landing to our website for more information on the data collected by our cookies and to adjust your preferences regarding the cookies used. You can use your browser settings to delete cookies that have already been set at any time.
Data register descriptions documents
Here are the detailed descriptions of our data registers that are covered in this Privacy Notice: