Privacy Statement

1. General

This privacy statement describes how Kvarn Capital Oy (”Kvarn”, ”we” or the ”controller”) processes personal data. This privacy statement applies to the processing of personal data related to the products and services Kvarn provides through its digital customer portal, as well as Kvarn’s risk management, customer relationship management, communications and contact with its customers and potential customers, registration for events, website and marketing, including electronic direct marketing, as well as personal data processed in recruitment. Where applicable, this privacy statement applies to the processing of personal data with companies belonging to the same group as Kvarn Capital Oy.

The companies belonging to the same group as Kvarn Capital Oy may act as joint controllers referred to in the data protection legislation when processing personal data for common purposes. As joint controllers, they together decide how and for what purposes personal data are processed. The group companies have agreed that Kvarn Capital Oy is responsible for carrying out all the duties of a joint controller imposed by the data protection legislation, and the data subjects may contact Kvarn Capital Oy in questions related to joint controllership.

We adhere to applicable data protection legislation in all processing of personal data. Data protection legislation refers to valid data protection legislation such as the EU General Data Protection Regulation (2016/679) and the Data Protection Act of Finland (1050/2018). Any data protection concepts that are not defined in this privacy statement are interpreted according to the data protection legislation.

“Personal data” refers to information concerning any natural persons (“data subjects”) that directly or indirectly enables a person to be identified as defined in more detail by the GDPR.

Our customer portal and web pages may also contain links to external websites and services operated by other organisations and not managed by us. This privacy statement does not apply to their use and we therefore recommend that you read their own privacy statements separately. We are not responsible for the data protection practices of other websites or external services.

2. Controller and contact details

Controller: Kvarn Capital Oy, Business ID: 3288803-2, Address: Eteläesplanadi 24, FI-00130 HELSINKI, Finland, Email: team@kvarncapital.com

3. Purpose and legal basis for processing personal data

We only process personal data necessary for each of our specific purposes. The purposes and legal bases for processing personal data are:

provision of products and services, signing and managing customer contracts (a contractual relationship or its preparation, a legitimate interest)
managing customer relationships and execution and verification of transactions (a contractual relationship, a legitimate interest)
identification and verification of customers (compliance with a statutory obligation)
customer service and communications (a legitimate interest, a contractual relationship)
invoicing, credit decisions and debt collection (a legitimate interest)
marketing, including market research, other marketing promotion and analyses, as well as the production of statistics (a legitimate interest)
direct marketing, including electronic direct marketing and telemarketing, as well as the planning of advertising and marketing and measuring their impact, as well as combining and updating personal data for direct marketing purposes, and sending newsletters (a legitimate interest, consent)
management and protection of our website (a legitimate interest)
improving the user experience of our website and other services and tracking our website traffic (consent)
internal and group-level reporting and other administrative measures (compliance with a statutory obligation)
taking care of liability for defects, as well as processing complaints and taking care of legal proceedings and administrative procedures (compliance with a statutory obligation)
prevention of irregularities and their investigation, as well as ensuring information security and the security of people and goods (compliance with a statutory obligation)
taking care of other statutory obligations (e.g. measures related to accounting and taxation) and reporting obligations
filling vacancies, the recruitment process, including the processing of applications and interviews (a legitimate interest)
the arrangement of events and communications (consent, a legitimate interest)

When we process personal data based on a legitimate interest, we have evaluated the benefits and possible disadvantages of the processing for the data subject and estimated that the rights and benefits of the data subjects do not override our legitimate interest. On request, we can provide more information about the processing of personal data based on a legitimate interest.

In accordance with the legal requirements, the processing of personal data required for sending newsletters and other electronic direct marketing is based on the data subject’s consent.

4. Processed personal data and information sources

Data group	Examples of data content
Basic information about an individual	The identification information and contact details of a customer or a representative (first name and surname, social security number or date of birth, email address, phone number, nationality, language, address information)
Information about legal person customers	The full names, dates of birth and nationalities of the members of the legal person’s board of directors or a similar body
Information required based on regulatory requirements	Investor information (investing experience and expertise, as well as the nature of the investment activities) Financial position (education, profession, family relations, information about the investment position) PEP status Tax domicile Information related to customer classification and risk assessment Normal monetary transactions, the origin of assets to be transferred The beneficial owners of assets, the customer’s representatives and their identification information Information about the beneficial owner (first name and surname, social security number, email address, phone number, nationality, address information)
Information required for interacting with us	IDs, identification methods Funds, portfolio information, account information
Information about products and services, as well as about customer communications and contacts	Information about processed purchases and information related to contracts, customer/user accounts and customer communications Information related to customer profiles (customer number, products and services used by the customer and any other information related to the customer profile) Any piece of personal data provided to us as part of communication, e.g. by email or through our web pages
Information related to marketing (including direct marketing), as well as the consents and refusals of the data subject	The contact details of customers and potential customers for marketing purposes and information collected in connection with possible meetings, events and functions Consents and refusals concerning direct marketing Information about using electronic services and content, such as subscribing to newsletters
Online identifiers	IP address, language selection, device and browser information, cookie information (more information available in our cookie banner)
Information required when registering for events	Name and contact details of the participant and the name of the company they represent Name and contact details of the participant and the name of the company they represent
Recruitment information	Surname, first name, contact details Information concerning the job applied for provided by the applicant in the application form and its attachments Degree and education information Information about work experience and expertise Information about current and previous job titles, including the employer Possible references

We collect personal data directly from the data subject – for example, when the data subject interacts with us or purchases our products or services themselves or on behalf of their organisation, registers in the customer portal, visits our website or other electronic services, subscribes to our newsletter, submits us a contact request, orders or downloads material they have requested, registers for an event or otherwise contacts us. In recruitment, we mainly receive personal data from the applicant themselves.

We also receive personal data from other external sources such as private register services, public registers maintained by the authorities and credit registers.

We may also receive personal data from other companies belonging to the same group.

5. Retention of personal data

We retain the personal data as long as is necessary for the purposes defined in the privacy statement and always as long as required by law (e.g. responsibilities and obligations related to accounting and reporting), or if it is necessary for legal proceedings or settling a dispute. When the purpose has expired, the personal data are deleted or anonymised within a reasonable period.

As a rule, we retain the data for the period necessary for providing the agreed service or product. We retain the personal data for the duration of the customer relationship, and when this relationship has ended, we will delete the unnecessary data. However, we may retain some of the personal data for a longer period if this is necessary for us to pursue our legitimate interest related to managing or defending legal claims or to fulfil our statutory obligations.

As a rule, we retain the personal data of potential customers for two years from obtaining the data or from the previous contact. If the potential customer has given their consent to the processing of personal data, we will retain the data for five years from the previous contact unless the potential customer has withdrawn their consent.

In recruitment, we retain the personal data for at most two years from making the recruitment decision. When this time has elapsed, we will delete the data from our information systems.

We retain the personal data related to newsletter subscriptions until the individual cancels their subscription. The individual with the newsletter subscription has the opportunity to cancel their subscription in connection with each received newsletter.

In the case of statutory obligations, we retain the personal data as long as is necessary to fulfil the statutory obligation in question. For example, the Accounting Act obliges us to retain the data related to the accompanying files of accounting records for six years after the end of the financial year. According to the Law on the Prevention and Fight against Money Laundering and Terrorist Financing, we must retain each customer’s identifying information for five years from the end of the transaction in the case of both regular and casual customers.

Statistics that do not contain information that could be associated with a natural person are retained indefinitely.

On request, we can provide additional information about the retention practices for personal data.

6. Processors and recipients of personal data

Personal data may be disclosed or otherwise processed with companies belonging to the same group as the controller as required by the data protection legislation for the purposes described in this privacy statement.

We may also use various service providers and other third parties to process personal data, such as providers of technical or server hosting solutions or accounting and financial administration services. Group companies may also process personal data on behalf of another group company.

When processing personal data with other parties, we use contracts required by the data protection legislation.

Personal data may be disclosed to third parties in situations required by law or the authorities or to address misuse and ensure security. In addition, we may have to disclose personal data in connection with legal proceedings.

If the controller or a company belonging to the same group is a party to a merger, asset deal or another M&A transaction, personal data may be disclosed to the parties of the transaction or parties assisting in it.

On request, we can provide additional information about the parties that process and receive personal data.

7. Transferring personal data outside the European Economic Area

When transferring personal data outside the European Union or the European Economic Area, we ensure a sufficient level of security for the personal data by, for example, agreeing on any matters related to processing the personal data as required by the data protection legislation, such as by using the standard contractual clauses adopted by the European Commission, including any relevant additional protective measures if they are deemed necessary.

On request, we can provide additional information about the transfers of personal data and the protective measures applied.

8. Protection of personal data

Information security and the protection of personal data are a key priority for us. We use appropriate technical and organisational protective measures to safeguard personal data. Access to personal data is restricted to authorised parties. Parties processing personal data have an obligation of confidentiality concerning matters related to the processing of personal data.

9. Cookies and tracking

We collect, process and analyse data about the use of our web pages. We use cookies to provide our customers with services and products, offer them a secure web environment, prevent misuse, conduct marketing measures, enable a better customer experience, follow website analytics and offer the most useful content possible. Our visitor can use the settings in our website’s cookie banner to select whether they accept the use of cookies. If the visitor does not allow the use of cookies, some features of the website and services may be unavailable.

10. Automated decision making and profiling

The processing of personal data may contain automated decision making. Decision making is automated when a decision is made solely automatically without any individuals engaging in it, and when this decision has legal effect or significantly affects the data subject in a similar manner.

If the product or service purchased by the data subject contains such decision making, it is explained in connection with the purchase. If the decision-making process is completely automated, the controller ensures that the data subject may submit the matter for manual review and decision making.

The processing of personal data may also contain profiling. Profiling refers to automated processing of personal data in which the data are used to predict certain personal characteristics. For example, we conduct profiling when we calculate necessary customer and risk classifications or need it for sales, marketing or communications.

In certain situations, the data subject has the right to object to using their personal data for automated decision making and profiling based on a specific personal situation at any time.

11. Rights of data subjects

Data subjects have certain rights to their own personal data, which are defined by the data protection legislation. The application of these rights in each situation depends on the purpose and situation of using the personal data.

Right of access. The data subject has the right to receive confirmation on whether their personal data are being processed, as well as other information on the processing of their personal data as defined by the data protection legislation. The data subject has the right to receive a copy of their personal data.
Right to rectification. With certain limitations, the data subject has the right to request the rectification or erasure of incorrect or inaccurate data.
Right to erasure. The data subject has the right to request the erasure of their personal data as defined by the data protection legislation. If requested, we will erase the personal data unless the legislation or another applicable ground for exception in accordance with the data protection legislation requires us to retain it.
Right to restriction of processing. In accordance with the data protection legislation, the data subject has the right to request the restriction of the processing of their personal data in certain situations.
Right to data portability. The data subject has the right to request the transfer of their personal data to another controller. As a rule, the right to data portability applies to personal data that the data subject has provided to the controller in a structured and machine-readable format, and when the processing of the personal data is based on the data subject’s consent or a contract, and/or when the processing is automated.
Right to object. In accordance with the data protection legislation, the data subject has the right to object to the processing of their personal data, including profiling, based on a legitimate interest. We may refuse the request if the processing is necessary for the purposes of compelling legitimate interests pursued by the controller or a third party. However, the data subject always has the right to object to the processing of their personal data if they are processed for direct marketing purposes or for profiling related to direct marketing.
Right to withdraw consent. If the processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw their consent for the processing of their personal data. Withdrawing consent does not affect the processing based on this consent before its withdrawal.

Exercise of rights

Please contact us if you have any questions about the processing of your personal data.

You may send us a request concerning the rights of the data subject by letter or email using the contact details provided in this privacy statement.

We may confirm the identity of the party making the request before processing it. We will reply to your request within a reasonable period, usually within a month of receiving the request and confirming the identity. If we must refuse the request, we will notify you of this separately.

12. Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that their personal data have been processed in violation of the data protection legislation.

The contact details of the Finnish Data Protection Ombudsman are availablehere

13. Changes to the privacy statement

We may have to change this privacy statement from time to time. The changes may also be due to amendments to the data protection legislation. We therefore recommend that the privacy statement be reviewed regularly to be aware of any changes. The most recent version is available on our website. This privacy statement was published on 10.12.2022.