DIGITAL SOLUTIONS WITH A CREATIVE MINDSET

privacy policy for customer and prospect register

This privacy policy has been modified latest on: 11.9.2018

1. data controller

   Make Helsinki Oy (Business ID 2369795-5) (“Make Helsinki”) Address: Köydenpunojankatu 13, 00180 Helsinki Telephone:
   +358 50 3278276

2. person responsible for personal data matters

   name: Joonas Turunen email: joonas@makehelsinki.com

3. NAME AND PURPOSE OF REGISTER

   1. Name of the Register is Make Helsinki Oy’s Customer and Prospect Register. This policy applies to persons
      who are representatives or employees of Make Helsinki’s customers or customer prospects. Each such person
      is defined in this policy as a “person”.
   2. Provision of the Personal Data for the purposes of provision of Make Helsinki’s products and services and
      performance of a contract is obligatory. If Make Helsinki does not have the data it requests, it may not
      be able to provide the customer with Make Helsinki’s products and services.
   3. In order for Make Helsinki to comply with legislation, Make Helsinki and its customer might have entered
      into a data processing agreement regarding Make Helsinki’s processing of customer’s Personal Data (“DPA”)
      when Make Helsinki is the processor of such Personal Data. In such case, the terms of the DPA prevail over
      the provisions in this policy and the person shall contact his/her employer or other organization regarding
      the matters related to his/her Personal Data.

4. Purposes for Processing and Legal Basis for Processing

   1. The purposes for processing of Personal Data are as follows:

      1. Provision of Make Helsinki’s products and services and performance of a contract, or in order to
         take steps prior to entering into a contract. Use of Make Helsinki’s contractual rights. “The
         legitimate interests pursued by Make Helsinki” is the legal basis for processing of the Personal
         Data for these purposes.
      2. Development of Make Helsinki’s products and services and Make Helsinki’s business. “The legitimate
         interests pursued by Make Helsinki” is the legal basis for processing of the Personal Data for
         this purpose.
      3. Taking care of data security. “Legal obligations” is the legal basis for processing of
         the Personal Data for this purpose.
      4. Preventing fraud. “The legitimate interests pursued by Make Helsinki” is the legal basis
         for processing of the Personal Data for this purpose.
      5. Marketing of Make Helsinki’s products and services, within the boundaries set by law. When consent
         is required according to legislation for marketing, “consent” is the legal basis for processing
         of the Personal Data for this purpose. When legislation does not require consent for marketing, “the
         legitimate interests pursued by Make Helsinki” is the legal basis for processing of the Personal
         Data for this purpose.

   2. The legal basis for the processing of Personal Data:

      1. “Consent”. Consent to the processing is the legal basis for the processing of Personal
         Data to the extent mentioned above in Section 4.1. If a person withdraws a consent given to the processing
         of Personal Data when the legal basis of processing is “consent”, the withdrawal of consent
         does not affect the lawfulness of the processing based on consent before its withdrawal.
      2. “Legal obligations” is the basis for processing of the Personal Data to the extent mentioned
         above in Section 4.1.
      3. “The legitimate interests pursued by Make Helsinki” is the basis for processing of the
         Personal Data to the extent mentioned above in Section 4.1. Make Helsinki has considered that Make
         Helsinki’s legitimate interests are not overridden by the interests or fundamental rights and freedoms
         of the persons.

         Such legitimate interests exist as there is a relevant and appropriate relationship
         with the person and/or its organization, such as a customer relationship with Make Helsinki. The
         interests and fundamental rights and freedoms of the persons are respected, as no special categories
         of Personal Data are processed and the persons can expect Make Helsinki’s processing activities.
         Provision of Make Helsinki’s products and services and performance of a contract would not be possible
         without using the Personal Data. Make Helsinki’s security methods described in Section 10 are maintained
         by Make Helsinki in order to protect the data from unauthorized access.

5. CONTENT OF REGISTER and categories of Personal Data

   1. “Personal Data” means any information relating to an identified or identifiable natural
      person. An identifiable natural person is one who can be identified, directly or indirectly, in particular
      by reference to an identifier such as a name, an identification number, location data, an online identifier
      or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or
      social identity of that natural person.
   2. The register includes the following data. Whether or not the data actually constitutes Personal Data depends
      on whether the data can be considered Personal Data according to the definition above. For example, if the
      data identifies only an organization such as a company, the data is not Personal Data.

   1. Customer and Prospect History

      1. The number of deals associated with the person;
      2. Became a customer date – the date that a contact’s lifecycle stage changed to customer;
      3. Became a lead date – the date that a contact’s lifecycle stage changed to lead;
      4. Organization name – the name of the person’s organization;
      5. Create date – the date that the contact was created; and
      6. Days to close – the days that elapsed from when a contact was created until they closed as a customer.

   2. Contact Information

      1. Email address;
      2. First and last name(s);
      3. Job title;
      4. Phone number;
      5. Website URL – the person’s organization website; and
      6. IP address.

   3. Analytics History

      1. Dates and times of visiting Make Helsinki’s website page(s);
      2. Website page(s) visited, referring site(s) (the known source through which the person found Make
         Helsinki’s website);
      3. The campaign responsible for the first or last touch creation of the contact;
      4. Number of page views;
      5. Number of visits; and
      6. Time first seen – the time and date when the person first interacted with Make Helsinki (website
         visit, form submission, manual contact creation or import.

6. SOURCES OF PERSONAL DATA

   Sources of the Personal Data are:

   1. Person or the person’s organization;
   2. Marketing data sources;
   3. Personal Data collected when visiting Make Helsinki’s webpages; and
   4. Usage of Make Helsinki’s products and services.

7. Recipients or Categories of Recipients of Personal Data

   Personal Data may be transferred to the following different parties:

   1. Make Helsinki’s subcontractors e.g. in ICT, customer and prospect management, payment and financial services
      field, who process the Personal Data on Make Helsinki’s behalf for the purpose of providing services to Make
      Helsinki and with whom Make Helsinki has entered into data processing agreements.
   2. One of the subcontractors is HubSpot Ireland Limited who provides Make Helsinki with e.g. CRM and related
      services.
   3. The subcontractors may use also their affiliates and/or subcontractors in the processing of the Personal
      Data.
   4. HubSpot Ireland Limited’s current subcontractors are listed at: https://legal.hubspot.com/sub-processors-page

8. Transfers of Personal Data to Third Country

   1. Make Helsinki and its subcontractors might transfer the Personal Data to countries outside the European Economic
      Area (EEA) and European Union (EU) (“Third Country”) for the purposes set out in this policy.
   2. The legal basis for the transfer of Personal Data to Third Countries is Make Helsinki’s or the subcontractors’
      Binding Corporate Rules, European Commission’s Standard Contractual Clauses for the transfer of Personal
      Data to processors established in third countries (“Standard Contractual Clauses”), the EU-U.S. Privacy Shield
      Framework, alternative data export mechanisms for the lawful transfer of Personal Data (as recognized under
      EU data protection laws) or other legal basis.

9. Period for Which Personal Data will be Stored

   1. Information regarding the contractual relationship is processed for the time until claims related to the
      contractual relationship expire. Main rule according to Finnish law for claims related to the contractual
      relationship to expire is three years.
   2. Information regarding the contractual relationship can be processed for longer than the above-mentioned time
      period, if the Personal Data in question is necessary for the establishment, exercise or defence of legal
      claims.

10. METHODS HOW REGISTER IS SECURED

    The Personal Data processed by Make Helsinki is secured by using the following methods and principles:

    1. locks at Make Helsinki’s premises;
    2. electrical surveillance systems of Make Helsinki’s premises and equipment;
    3. firewall, anti-malware and spam filtering systems;
    4. personal user rights;
    5. limited number of superusers;
    6. professional knowledge of Make Helsinki’s personnel; and
    7. Make Helsinki’s policies and guidelines relating to Personal Data matters.

11. Right of access

    1. The person has the right to get information on which Personal Data on the person is being processed by Make
       Helsinki or information that no such Personal Data is being processed.
    2. Where such Personal Data is being processed by Make Helsinki, Make Helsinki shall provide the person with
       a copy of the Personal Data and the following information:
       1. the purposes of the processing;
       2. the categories of Personal Data concerned;
       3. the recipients or categories of recipients to whom the Personal Data will be or has been disclosed;
       4. where possible, the period for which the Personal Data will be stored;
       5. the existence of the right to request from Make Helsinki rectification or erasure of Personal Data
          concerning the person or to object or restrict the processing of the Personal Data;
       6. the right to lodge a complaint with a supervisory authority;
       7. where the Personal Data is not collected from the person, any available information as to the source
          of the Personal Data;
       8. the existence of automated decision-making, including profiling, and meaningful information about
          the logic involved, as well as the significance and the envisaged consequences of such processing
          for the person; and
       9. where the Personal Data is transferred to a Third Country as defined in Section 8 or to an international
          organization, information of the appropriate safeguards relating to the transfer.
       10. For any further copies requested by the person, Make Helsinki may charge a reasonable fee based on
           administrative costs.
    3. For any further copies requested by the person, Make Helsinki may charge a reasonable fee based on administrative costs.

12. Right to Data Portability

    At the person’s request, if Make Helsinki processes the Personal Data based on the person’s consent or based on
    a contract with the person and if the processing is carried out by automated means:

    1. Make Helsinki will provide the person with his/her the Personal Data which he or she has provided to Make
       Helsinki, in a structured, commonly used and machine-readable format; or
    2. On the person’s request and if technically feasible, Make Helsinki will transmit such Personal Data in the
       same format directly to another controller.

13. Rectification AND right to lodge complaint with supervisory authority

    1. Make Helsinki shall, at the person’s request, without undue delay rectify inaccurate Personal Data contained
       in Make Helsinki’s Personal Data register. Taking into account the purposes of the processing, the person
       may have incomplete Personal Data completed, including by means of providing a supplementary statement.
    2. If Make Helsinki does not take a legally required action regarding the person’s Personal Data on the person’s
       request, Make Helsinki shall inform the person without delay and at the latest within one month of receipt
       of the request of the reasons for not taking action and on the possibility of lodging a complaint with a
       supervisory authority and seeking a judicial remedy. Please note that the person may bring the matter to
       be handled by the Data Protection Ombudsman.
    3. The person has the right to lodge a complaint to the supervisory authority. The contact details of the Finnish
       supervisory authority are:Office of the Data Protection Ombudsman
       Visiting address:
       Ratapihantie 9, 6th floor, 00520 Helsinki
       Postal address: P.O. Box 800, 00521 Helsinki, Finland
       E-mail:
       tietosuoja@om.fi

14. Right to object processing

    The person has the right to object, on grounds relating to his/her particular situation, to the processing of
    Personal Data which is based on either of the following legal basis for processing when the processing has been
    found necessary for the purposes of the legitimate interests of Make Helsinki. The person however does not have
    the right to object if Make Helsinki demonstrates compelling legitimate grounds for the processing which override
    the interests, rights and freedoms of the person or for the establishment, exercise or defence of legal claims.

15. Right to Restriction of Processing

    1. ‘Restriction of processing’ means the marking of stored Personal Data with the aim of limiting its use in
       the future.
    2. If the person requests, Make Helsinki must restrict processing in the following situations:
       1. the accuracy of the Personal Data is contested by the person, for a period enabling Make Helsinki
          to verify the accuracy of the Personal Data;
       2. the processing is unlawful and the person opposes the erasure of the Personal Data and requests the
          restriction of its use instead;
       3. Make Helsinki no longer needs the Personal Data for the purposes of the processing, but the Personal
          Data is required by the person for the establishment, exercise or defence of legal claims; or
       4. the person has objected to processing, but verification whether the legitimate grounds of Make Helsinki
          override those of the person is still ongoing.
    3. In the situations listed above, Make Helsinki can only process the Personal Data:
    4. 1. with the person’s consent or for the establishment, exercise or defence of legal claims;
       2. for the protection of the rights of another natural or legal person;
       3. for reasons of important public interest of European Union or of a European Union member State; and
       4. to store the Personal Data.

16. Right to be forgotten

    1. The person has the right to have his/her Personal Data erased at his/her request if one of the following grounds applies:
       1. the Personal Data is no longer necessary for the purposes for which it was collected or otherwise
          processed; the person
       2. withdraws consent on which the processing is based and where there is no other legal ground for the
          processing; the person
       3. objects to the processing in accordance with Section 14; the Personal Data has been processed unlawfully;
          the Personal Data
       4. has to be erased for compliance with a legal obligation in Union or Member State law to which Make
          Helsinki is subject; or
       5. the Personal Data has been collected in relation to the offer of information society services.
    2. However, Make Helsinki does not have to erase the Personal Data to the extent Make Helsinki still needs to process the Personal Data:
       1. for exercising the right of freedom of expression and information;
       2. for compliance with a legal obligation which requires processing by law to which Make Helsinki is
          subject or for the performance of a task carried out in the public interest or in the exercise of
          official authority vested in the controller;
       3. for reasons of public interest in the area of public health in accordance with legal requirements;
       4. for archiving purposes in the public interest, scientific or historical research purposes or statistical
          purposes in accordance with legal requirements; or
       5. for the establishment, exercise or defence of legal claims.

17. Automated decision-making and profiling

    1. The person shall have the right not to be subject to a decision based solely on automated processing, including
       profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
    2. Such automated decision-making is not used by Make Helsinki at the moment.