Privacy Notice

This Privacy Notice contains information required by the EU General Data Protection
Regulation (hereinafter the General Data Protection Regulation) and the national legislation
for a data subjects mentioned below and for the supervisory authority. The registers
described below are shared by Loihde Group companies described below.

Loihde Oyj (0747682-9), Silmukkatie 6, 65100 Vaasa

Loihde Trust Oy (0863729-2), Atomitie 5, 00370 Helsinki

Loihde Cloudon Oy (2487158-0), Atomitie 5, 00370 Helsinki

Loihde Advance Oy (1645592-3), Hevosenkenkä 3, 02600 Espoo

Loihde Factor Oy (2586213-3), Kirkkokatu 21, 90100 Oulu

Data Protection Officer, Antti Hemmilä, Atomitie 5, 00370 Helsinki

+358 40 515 3993

privacy@loihde.com

Marketing and Communications, Customer- and Partner Relations

• Tracking, targeting and personalisation of website, social media and other communications
  
  
• Delivery of newsletters and investor communications, marketing
  
  
• Organising marketing, training and investor events
  
  
• Opinion polls and market surveys
  
  
• Responding to contact requests in various communications channels
  
  
• Customer service and customer relationship management
  
  
• Enabling and administering services and subcontracting
  
  
• Planning, development and targeting services and subcontracting
• Complying with statutory obligations

Consent

Processing of personal data may be based on the data subject's consent, for example, on a
consent to direct electronic marketing given by the data subject. Data subjects may also
subscribe to newsletters with their consent.

Legitimate interests

The processing of personal data can sometimes be justified due to the legitimate interests of
the controller or a third party. The use of legitimate interests as a basis for processing
requires particularly careful consideration of the data subject's rights and interests.

Preparing for and carrying out contract

Personal data may be processed in the course of negotiating a contract, for the purpose of
fulfilling contractual obligations and for the purpose of administrating contract or contractual relationship (including invoicing).

• Person´s name and contact details
  
  
• Person´s company or other organisation, position, and the contact details of the company or other organisation
  
  
• Data concerning the person’s hardware, such as the brand of the computer or mobile device
  
  
• Data concerning the person’s software, such as the maker of the internet browser or operating system
  
  
• Person’s current IP address, the IMEI code or other comparable identifying code of the device
  
  
• Data concerning the use and sessions of use of Loihde’s website and social media channels
  
  
• Data concerning the contracts signed by the person’s company or other organisation
  
  
• Data concerning mailing list subscriptions
  
  
• The customer feedback or customer survey responses given by the person as well as the competition results related to the user

Personal data is stored for the purpose of marketing and communications as long as the data subject indicates that they want to receive the content offered by Loihde. If the data subject cancels their content subscription, their personal data is will be erased unless Loihde has a legal basis for continuing to store the data.

Personal data will be stored as long as the data subject or the company represented by the data subject has a customer relationship with Loihde Group company. After the customer relationship has ended, data will be erased or anonymised latest after ten years, unless longer retention period is required by applicable legislation.

Personal data is collected from the data subject themselves through Loihde´s website and social media channels, by phone or through another communication channel as well as through the chat function on Loihde’s website.

The data subject also provides data in connection with the delivery of Loihde’s services and by using Loihde’s services. Personal data can be collected from Loihde’s customers, supplier and other partners. Personal data is also collected when the user logs in or verifies their identity using third-party services—such as Twitter, LinkedIn or Facebook—in accordance with the terms of those services.

Data is transferred between Loihde Group company (joint controllers).

Loihde has suppliers which process personal data for its account. Loihde makes appropriate
agreements on personal data processing with all such suppliers. The suppliers provide IT and
other support services and tools for the management of communication and marketing,
among other things.

Data may be transferred outside the EU or EEA. When data is transferred outside the EU or
EEA, the transfer is done using the European Commission’s standard contractual clauses or
some other transfer mechanism in accordance with legislation

If we are processing your personal data based on your consent, you have the right to withdraw you consent partially or completely at any time. Withdrawing your consent will not affect the processing of your personal data that took place prior to the withdrawal.

You have a right to receive confirmation from us on whether or not we process your personal data as well as to be informed about how we process your data, such as the purpose of processing and the categories of personal data that are being processed. You also have the right to receive a copy of the personal data concerning you that we are processing. If you request more than one copy, we may charge you a reasonable sum based on administrative expenses.

Loihde will erase your personal data at your request provided that Loihde has no obligation to retain the data based on obligations between the parties or based on applicable laws or regulations. In certain situations specified by the data protection legislation you also have the right to request restriction of the processing of their personal data, the right to object to the processing of their personal data as well as the right to have your data transmitted from one
system to another.

You have a right to have your inaccurate personal data rectified without delay as well as to have your incomplete personal data completed by providing additional data.

If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

Whenever possible, personal data is encrypted in the systems we use and in data communications by using the encryption methods we have found to be effective.

Personal data is made physically secure by using secure facilities for devices as well as access control. Personal data can only be accessed by employees who require access to the data in order to carry out their duties. The employees processing personal data are bound by an obligation of secrecy.

The access management service makes it easy to restrict the access of outsiders to certain areas and to coordinate staff movements. The access management service is primarily used with the Loihde ID application that brings access rights to the user's phone. The distribution of access IDs is quick and easy.

Personal data processed

Company name, user name and e-mail address. The Loihde ID uses location information momentarily to ensure that the user is in the vicinity of the door at the time of the opening request. Location data is not collected. Control over all data is limited and access to the data is restricted and controlled.

Specific security measures

Restricted management, restricted and controlled access to data. Loihde Trust Ltd does not collect user location information.

Data retention period

Duration of the service.