Last updated: April 2023


The protection of your personal data is important to 3 Step IT Group Oy and its affiliated companies, hereinafter referred to as “3stepIT” or “we”. This Privacy policy applies to personal data that you give us when visiting our website, using our Asset management services, using our other services and/or portals, interacting with us in meetings, social media, emails, physical visits to our premises and other means of communication. We are responsible, as a controller, for your personal data that we collect and process in connection with our activities.


We may also act as a data processor and in that role process personal data on behalf of our contractual parties. Please note that this privacy policy does not cover personal data subject to processing activities we conduct as a processor, such as data customer processed when using our Asset Management systems. In cases where 3stepIT acts as a processor, we kindly advise you to contact the data controller (e.g., your organization) for further information on the collection and processing of that specific data, who will manage your request from there.


Please note that if you interact with 3 Step IT Group Oy either through, or on behalf of your organization, then certain personal data may be subject to your organization’s privacy policy.


The purpose of this privacy policy is to inform you about:


  • What personal data we collect about you;
  • How we use your personal data and on which basis;
  • Who we share your personal data with;
  • International transfers of your personal data;
  • For how long we retain your personal data;
  • What actions we have taken to keep your data secure;
  • What are your rights as a data subject and how you may exercise them;
  • How you can contact us in case of questions related to this privacy policy.


Due to changes in our operations or the technology used, we may need to update our privacy policy from time to time. When this happens, we will revise this Privacy Policy and refresh it on our website.



In connection with our operations and during the lifecycle of business relationship with our customers, we collect various types of personal data, meaning any information that identifies or allows to identify you, including:

  • data from your interactions with us, including visits to our internet websites or social media pages (connection and tracking data such as cookies, IP address), meetings, emails and other communication or correspondence with us;
  • information about your device (IP address, technical specifications and uniquely identifying data);
  • contact information, such as name, e-mail address, phone number, data relating to your role in your organization, and data relating to your habits and preferences, such as participation in our marketing events, potential co-development projects and areas of interest;
  • usage data including information used to connect to our products and data created from use of our products;
  • identification information related to your role as authorized representative or beneficial owner of our customer entity (e.g., full name, identity (e.g., ID card or other personal ID, passport information, etc.), nationality, place and date of birth, gender, photograph);
  • login information (e.g., account credentials provided to customers, data relating to logins);
  • video surveillance data (CCTV data recorded when visiting our sites).




We collect data of the following data subjects in connection with our operations:

  • Contact persons or other representatives of our customers or customer prospects;
  • Ultimate beneficial owners of our customers and their next of kins, significant owners;
  • Users of our products and services;
  • Our website and social media page visitors and followers and participants to our webinars and events.
  • Visitors to our sites.
  • For recruitment related data, please refer to Privacy policy for Recruitment

We collect data either directly from you or indirectly, e.g., when the data collection is related to your role at our customer or customer prospect. If you provide us with third party personal data, please remember to inform the data subjects whose personal data you are sharing that we process their personal data and direct them to this privacy policy. You further warrant and represent that you have the necessary rights to provide such personal data to us.

We obtain personal data indirectly from the following sources:

  • Our customers;
  • Our business partners;
  • Public sources (e.g., company registers, LinkedIn, company websites, press);
  • Third parties such as data brokers or databases (e.g., databases used in marketing, KYC or sanction screening).




We collect and use your personal data to the extent necessary to carry out our operations and provide our services as well as to comply with any regulatory obligations in our activities. These purposes are defined in more detail below.

To comply with legal and regulatory obligations


We collect and use your personal data to comply various legal and regulatory obligations, such as:

  • Anti-money laundering regulations and counter-financing of terrorism regulations, including Know Your Customer (KYC) obligations;
  • Regulations relating to international financial sanctions and embargoes.
  • Export control obligations set forth in relevant international and national export control regulations.

To fulfil our legitimate interest


We also use your personal data to fulfil our legitimate interests, which include the following:

  • Provision and delivery of our products and services;
  • Marketing and customer communication and development of our customer relationships;
  • Development of our products and services;
  • Security and safety of our IT and facilities.

Based on your consent


If processing of certain personal data requires your consent (e.g. cookies), we will inform you of this including details of the specific processing activity and request your consent to such processing. You may request to revoke your consent at any time.


Performance of Contract

We can collect and use your personal data to document and complete tasks in order to fulfil our contractual obligations towards you, i.a. providing and delivering our products and services to you.



Sharing of information within 3stepIT


We share personal data within 3stepIT for the purposes set out above, so e.g., for the purposes of complying with legal obligations or the purposes of marketing or providing our services to our customers.

Disclosing information outside 3stepIT


To fulfil some of the purposes described in this policy, we may disclose from time to time your personal data outside 3stepIT to:

  • Service providers which perform services on our behalf (e.g., IT services, logistics, marketing, telecommunication, advisory and consulting);
  • Our commercial partners, including our financing partners;
  • Authorities or other public bodies if we are required by law to disclose such data;
  • Certain regulated professionals such as lawyers or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to actual or proposed purchaser of the companies or businesses of the 3stepIT.



As some of our affiliates, service providers, and partners are located outside the European Economic Area, we may need to transfer personal data outside the European Economic Area to carry out our operations. Transfers of this kind are done according to the requirements of the applicable laws, and by following the applicable safeguards for the transfers, e.g., based on adequacy decisions adopted by European Commission, or using standard contractual clauses approved by European Commission.


Personal data is deleted or returned once it is no longer needed for its purpose. The retention periods are defined based on e.g., the following factors:

  • Requirements set forth in applicable laws and regulations; and
  • Other requirements related to the purpose of the processing in question, e.g., operational requirements, such as proper account maintenance and management, security reasons, or responding to legal claims or regulatory requests.




We apply appropriate technical and organizational measures to keep your personal data secure. We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data. Your data can only be accessed by persons for whom it is necessary in relation to their work.

We may outsource our processing of personal data to external service providers. In such events we enter into appropriate agreements with the providers to ensure that your personal data is processed in accordance with this privacy policy and any applicable laws.



In accordance with applicable regulations and where applicable, you have the following rights:

  • To access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
  • To rectify: where you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified accordingly.
  • To erase: you can require the deletion of your personal data, to the extent permitted by law.
  • To restrict: you can request the restriction of the processing of your personal data.
  • To object: you can object to the processing of your personal data, on grounds relating to your situation. You have the right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
  • To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
  • To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.

If you wish to exercise the rights listed above, please send your request to our Data Protection Officer, the contact information of which is provided at the end of this policy.

We may need to request specific information (such as copy of identification) from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to anyone who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.




Company responsible for this privacy policy:


3Step IT Group Oy, Limited Liability Company registered in Finland (Group acts as a contact point for all 3step IT Group companies in Privacy related requests)

Registration number: 2087590-4

Office address is: Mechelininkatu 1A Helsinki 00180, Finland

The general phone number is +358 10 525 3200

Data Protection Officer: dpo(at)

If you have any questions relating to our use of your personal data under this privacy policy, please contact our Data Protection Officer at the contact details provided above, or use the contact form provided on our website: tell us a bit about your enquiry and we will pass it to the right expert.



Cookies are pieces of data that websites store on your browser when you visit them. Cookies are used because they can give you a more personalised web experience. We use cookies on our website to target content and adverts, and to understand how people use our site. Cookies may contain personal data. Where we use cookies which collect your personal data, such collection is covered by this Privacy Policy.

By allowing all cookies, we can enhance your experience. This means helping you find the right information quickly and tailoring content to your needs. By Default, we enable only strictly necessary cookies required for the website to function and cannot be switched off. They are set in response to actions made by you such as setting your privacy preferences and to also help keep the website secure. These cookies do not store any personally identifiable information.

Because we respect your right to privacy, you can choose to allow performance, advertisement and functional types of cookies. Click ‘Manage preferences’ on the main cookies policy provided to you when landing to our website for more information on the data collected by our cookies and to adjust your preferences regarding the cookies used. You can use your browser settings to delete cookies that have already been set at any time.




Here are the detailed descriptions of our data registers that are referred in this Privacy Policy: