Data Privacy at Aval

Date of creation: 26 February 2021

1 – Aval’s data protection principles


We are committed to protecting personal data of our customers and stakeholders in all of our operations to the best of our ability. Our data protection principles are the following:

    • Personal data is processed lawfully, fairly and transparently in relation to the data subject
    • Personal data is processed confidentially and securely
    • Personal data is collected and processed for a specific, defined and lawful purpose
    • Personal data is collected only to the amount necessary with regard to the purposes of the processing
    • Personal data is only used for the purposes which they were collected
    • Personal data is never used for direct marketing
    • Personal data is generally not disclosed to third parties, except for clearly specified purposes to certain service providers
    • Personal data is updated when required and inaccurate personal data is erased without delay
    • Personal data is stored in an identifiable form only for the time it is necessary for the purposes of processing the data

In this notice, we describe personal data protection at Aval in general. Separate register-specific policies are available on request from the contact person set forth in section 3.

2 – Controllers


Aval Ltd
Eteläranta 6 A 9
00130 Helsinki
(hereinafter ”we”)

3 – Contact person in register matters


CEO Simo Valtti
[email protected]
+358 10 7341102

4 – Which are the purposes of the processing of personal data and the legal basis for the processing?


The purpose of processing personal data in our customer register is:

    • performance and development of our services,
    • fulfilment of our contractual obligations and rights,
    • management of customer relations, and
    • fulfilment of our legal obligations.

The ground for processing of personal data in the customer register is our legitimate interest regarding the customer relationship and/or other factual connection, the performance of a contract, compliance with our legal obligations and consent. To the extent that we process personal data of persons under the age of 13, the processing is based on consent of their guardian. The ground for processing of personal data of stakeholders and cooperation partners is our legitimate interest, and/or customer relationship or fulfilment of a contract. The purpose of processing personal data of stakeholders and cooperation partners is:

    • communication
    • management, maintenance and development of customer- and cooperation relationships; and
    • production, providing and developing of services

Data is not processed for automated decision-making.

5 – What information do we process?


In connection with our customer register, we process the following personal data:

    • basic information of the data subject*, such as name, date of birth, social security number, profession or title, customer number and language of communication;
    • contact details of the data subject*, such as e-mail address, telephone number, address;
    • information related to an agreement, such as information on past and current agreements and correspondence with the customer/data subject, as well as other contacts;
    • information necessary for the management of the customer relationship and/or information collected directly from the data subject based on consent, such as bank contact information, tax information, information related to assets and property, salary information, information on guardianship or representation, information on health care as well as other corresponding information; and
    • information about the company and the company’s contact persons, such as business ID, names of the contact persons, titles and contact details

The personal information marked with an asterisk is a prerequisite for the establishment of our customer relationship. We cannot provide the service without the necessary personal information. Regarding the business customer and stakeholder register, we process the following personal data:

    • The company’s business ID or other identification or the organization, name, address;
    • Decision-maker and/or the contact person’s name and e-mail address;
    • Information related to the customer relationship or cooperation partnership, information with other factual connection or based on a contract relationship, such as services acquired, including information on start and termination dates, information related to the delivery of products, identification information related to the use of services as well as information on the usage of services and benefits provided;
    • Information regarding invoicing and collection
    • Position or profession;
    • Information on desired forms of communication and information on changes of information;
    • Allocation data based on information in the Trade Register and other registers

6 – From where do we collect the data?


For the customer register, we obtain data primarily from the following sources: from yourself, your potential representatives, your bank, the population register, authorities, credit information companies and other equivalent trustworthy sources. In addition, personal data may also be collected and updated for purposes described in this notice from publicly available sources and authorities or other third parties, within the limits of the applicable legal framework. Such updating of information will be performed manually. For the stakeholder and cooperation partner register, data is collected on a regular basis in connection with concluding agreements, use of the service or otherwise directly from you. Personal data may be collected and updated based on publicly available data sources, such as a company’s website, the trade register, the credit information register and other public and private registers.

7 – To whom do we disclose and transfer data and do we transfer data outside the EU or the EEA?


We disclose personal data regularly within Aval group of companies within the boundaries of the assignments trusted by the clients to Aval. We disclose personal data to third parties only to the extent necessary for achieving the purposes of processing. We disclose data to the following actors: to credit institutions, banks and insurance companies announced by the data subject itself, providers of auditing and accounting services, as well as to authorities (such as the Financial supervisory authority, the Digital and Population Data Services Agency and the Tax Administration). We use subcontractors who process personal information on our behalf. We have outsourced IT management to an external service provider, who manages and protects the servers storing the personal data. In principle, personal data is not transferred outside the EU or the EEA. In case data is transferred outside the EU or the EEA, the customer will be notified about the transfer in advance and the transfer will be duly protected both technically and with respect to confidentiality and data protection agreements.

8 – How do we protect and for how long do we store the data?


Only those of our employees who have the right to process customer data as a part of their work duties are entitled to use the system containing personal data. Each user has a personal username and password to access the system. The data is collected in databases protected by firewalls, passwords and other technical means. The databases and their backups are located in locked spaces and can only be accessed by certain, in advance designated individuals. When contractors performing specified tasks on behalf of Aval are processing personal data (eg. managing customer relationships, maintaining, managing and developing the data systems and monitoring security), they are bound by an obligation of confidentiality and a data protection agreement. These contractors process personal data on assignment of Aval and on behalf of Aval. Aval stores customer data in the customer data register in accordance with the Act on Investment Services as well as customer identification information according to the Act on Money Laundering during the customer relationship and for five (5) years after the termination of the customer relationship. Other information regarding the customer is stored for the time necessary given the nature of the information, generally for the duration of the customer relationship and for five (5) years from the termination of the customer relationship. We assess the need for storing personal data regularly, taking into account applicable legislation. Moreover, we will take reasonable measures to ensure that the personal data pertaining to the data subject and stored in the register is not incompatible, out of date or inaccurate. We will rectify or erase such data without delay.

9 – Which are your rights as a data subject?


You have the right to obtain information on the processing of personal data, to have access to the processed personal data and to have your data transferred from one system to another, and to demand the rectification or erasure of inaccurate, outdated, unnecessary or unlawful data. To the extent the processing activities are based on consent, you also have the right to withdraw your consent or alter it. The withdrawal of consent does not affect the lawfulness of processing activities performed before the withdrawal. As a data subject, you have the right to obtain information on personal data breaches which cause a high risk. You have the right to object to the processing of personal data or to request a restriction on the processing of your data, as well as to lodge a complaint with the supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman: For specific personal reasons, you also have the right to object to processing activities regarding yourself, when the ground for processing is a legitimate interest. In connection with your demand, you must identify the specific situation on the basis of which you object to the processing. We may refuse a request for objection only on grounds prescribed by law.

10 – Who can you contact?


All communications and requests concerning this notice shall be presented in writing or personally to the contact person assigned in section three (3).

11 – Changes to the Privacy Notice


In case we revise this notice, the changes will be visible and dated in the notice. In case the changes are substantial, we may inform about these by other means, such as by e-mail or by publishing a notification on our website. We recommend that you visit our webpage regularly and take note of any changes to this notice.