Privacy Notice

Customer Relations, Sales, Marketing and Vendor Management

Updated 12 October 2022

The purpose of this privacy notice is to give you information regarding how we at WasaGroup process the personal data of our customers, prospects, subcontractors, and other business partners and their representatives with whom we have a business relationship or aim to develop one.

1. Data controllers

WasaGroup Oy (2253159-0)
WasaCon Oy (1772160-5)
WasaPlan Oy (2321167-9)

Each WasaGroup company is responsible for the processing of its personal data in its own activities for the purposes and on legal bases set out in this privacy notice and may use the necessary personal data collected by other WasaGroup companies for the same purposes.

2. Contact details in privacy matters

As a data subject you may contact WasaGroup in all privacy matters using the following contact information:

WasaGroup Oy / Privacy Matters
PL 171
65101 VAASA
Tel. 010 425 7700

The contact information of WasaGroup Data Protection Officer: firstname.lastname@example.org

3. For what purpose and on what basis do we process your personal information?

The processing of personal data is based on a customer or co-operation agreement (in situations where you, as a data subject, are a party to the agreement and data processing is related to the execution of the agreement) or legitimate interest of WasaGroup (e.g. customer and partner relationship management, direct marketing, debt collection) based on a customer relationship, other appropriate connection or an agreement between WasaGroup and customer.

The purposes of processing personal data are:

- To manage, develop, analyze and create statistics of the relationship between WasaGroup and customers and partners
- Communication with customers (incl. feedback and customer satisfaction surveys)
- Implementation of sales and marketing events
- To implement opinion and marketing surveys and to organize prize competitions and draws
- Direct marketing, targeting online advertising
- To plan and develop business operations and services
- Vendor management and supervision
- Receivables management and debt collection
- To identify users and manage access rights
- Detecting, preventing and investigating misuse, fraud or other crimes
- Analysis, segmentation and statistics for the above-mentioned purposes.

4. What type of information do we collect and where do we collect data?

We process the following information on decision makers and contact persons of our customers and partners (incl. newsletter subscribers, individuals who have requested a quote or submitted a contact request, participants of events, and website visitors):

- Name, title, company, postal address, e-mail address, phone number
- Information regarding the individual’s right of representation and signature
- Customer history (e.g. contacts, participation in the events, customer satisfaction surveys, feedback)
- Direct marketing permissions and prohibitions
- Marketing measures (incl. segmentation), their use and the information provided in connection with them, e.g. newsletter subscription
- Information regarding the use of the website and electronic services (such as usernames and passwords), such as browsing and search data, cookies, IP addresses
- Possible other information relevant for the purposes of the register.

We collect the following data on potential customer companies’ or organizations’ decision makers and contact persons:

- Name, title, company, postal address, e-mail address, phone number
- Information about the individual’s duties and position in business life or a public office
- Direct marketing permissions and prohibitions.

Personal data is collected from the data subject by phone, in meetings, or by other equivalent means.
Data is also collected in connection with the conclusion of the customer or collaboration agreement, during the contractual relationship from the customer and/or partner, and otherwise through business interactions. Personal data can also be collected and updated from public and private registers.

5. With whom do we share your personal data, and may information be transferred outside the EEA?

Personal data is not regularly transferred outside WasaGroup and is not transferred outside the EEA area. However, we use the HubSpot service and Google Analytics’ data. In connection with these services, information is transferred e.g. to the United States. The data of the HubSpot service is stored on servers located in the EU, but some of the data processing functions of the service are performed outside the EEA area, e.g. from Canada. The transfer of data to Canada is carried out based on the adequacy decision issued by the EU Commission.

The level of data protection may be lower outside the EEA than in the EEA. Unless the country to which the data is transferred, such as the United States, has received the EU Commission’s adequacy decision, WasaGroup Group applies other appropriate protective measures to ensure the protection of personal data, for example by applying standard contract clauses in accordance with the European Commission’s decision on the transfer of personal data to third countries.

WasaGroup uses the services of external service providers, e.g. to maintain newsletter mailing lists, customer and partner information, and to process event participant information. According to the data protection agreement, each service provider processes personal data only to the extent that it is necessary to provide the service.

6. How do we protect information and how long do we retain it?

The information may be processed only by those employees who, on behalf of their work, have the right to process it. Each user has their own username and password for the system. The information is collected in databases that are protected by firewalls, passwords and other technical means. The databases and their backups are located in locked rooms and only certain pre-designated persons can access the data. WasaGroup ensures the implementation of data protection through the data processing agreements concluded with its subcontractors that process personal data.

Personal data is stored for as long as is necessary for the purpose of the personal data. As a general rule, customer data is stored for ten years after the end of the customer and/or contractual relationship in order to fulfil possible responsibilities and obligations (except when legislation requires data to be stored longer). Personal information collected from decision-makers and contact persons of potential customer companies and organizations is permanently stored within the limits of legislation.

WasaGroup assesses the necessity of data storage regularly, and in addition WasaGroup takes reasonable measures to ensure that incompatible, out-of-date or incorrect personal data is not stored in the register.

7. Your rights as a data subject related to data processing

Requests related to the data subject's rights should be sent to the address mentioned in section 2. As a data subject, you have the following rights:

Right of access, rectification and erasure

You are entitled to obtain information about the processing of your personal data, a right to inspect the personal data concerning yourself which is stored in the register, and a right to require rectification and erasure of your data.

Right to prohibit direct marketing

You have the right to prohibit the processing of your data for market and opinion research or related profiling. In addition, you can prohibit direct marketing at any time by reporting the prohibition to the e-mail address mentioned in section 2, or cancel the newsletter you subscribed to by using the link in the e-mail message.

Right to object and right to restrict processing

You have the right to object or demand restriction of the processing or transmission of your data.

Right to lodge a complaint with a supervisory authority

If you consider that the processing of personal data relating to you infringes the data protection regulation, you have the right to lodge a complaint with a supervisory authority. You may lodge your complaint in the EU Member State of your habitual residence, place of work or place of the alleged infringement.