Privacy Policy and Description of the Register:
Combined privacy policy and register description document in accordance with the Finnish Data Protection Act (1050/2018) and the General Data Protection Regulation of the European Union (2016/679/EU).
Veho Oy Ab
Address: Tietosuoja, PL 1006, 01511 Vantaa
Contact details: [email protected]
At Veho Oy Ab, we are committed to complying with the EU General Data Protection Regulation and other privacy legislation, and to processing your personal data in accordance with good data protection practices. This privacy notice applies to all Veho Group companies in Finland, Sweden, Estonia, Lithuania, and Latvia that act as data controllers when processing personal data.
General information regarding processing of personal data
To the extent that we collect personal data in our operations, the processing complies with the Data Protection Act and other laws, regulations and official guidelines concerning the processing of personal data. Personal data refers to any information that can be linked to a specific person. This document describes in detail the procedures for the collection, processing and disclosure of personal data, as well as the rights of the customer, i.e. the data subject.
Purpose of personal data collection.
We collect personal data through the following channels and for the following purposes:
1. Managing customer relationships
We collect personal data provided by our customers to handle customer relationships. The legal basis for the processing of personal data is the customer relationship, contractual relationship, or legitimate interest as a provider of services.
We must collect personal data in order to identify the client and to fulfill our other legal obligations (such as combating money laundering).
The personal information collected relates to the identification of our customer, contact information and related background information. The personal data we use includes, for example, names, social security numbers, email addresses, phone numbers and addresses, as well as the usual information needed for invoicing.
We may process biometric data referred to in Article 9 of the GDPR for the purpose of unambiguous identification of a person (such as processing the face image and passport or ID card of the person to be identified). The legal basis for processing is the important public interest reason under Point 9(2)(g) of the GDPR which is defined in the union law or the law of a Member State, i.e. processing below as described in this statement for purposes consistent with the Act on Preventing Money Laundering and Terrorist Financing (444/2017).
We collect the personal data necessary mainly directly from data subjects and from public registers, such as the Trade Register and the Real Estate Register. In some cases, we collect personal data from a third party. The basis for the collection of personal data is the controller's contractual or customer relationship.
The above persons are referred as `customer` in this statement.
2. Statutory supervision
In accordance with Section 3, Clause 3 of the Act on the Prevention of Money Laundering and Terrorist Financing (444/2017, hereinafter referred to as the Money Laundering Act), customer information and other personal data under the Act are saved, stored and may be used to prevent, disclose or investigate money laundering and terrorist financing and the offence of obtaining property or criminal proceeds from money laundering or terrorist financing. Customer knowledge or other personal data obtained solely to prevent and disclose money laundering and terrorist financing is not used for purposes incompatible with these purposes.
In addition, we as every company based and operating in the EU, every EU resident, and every EU citizen is legally obligated to comply with applicable national and supranational sanctions and export control regulations. This particularly applies to the EU embargo Regulation (EU) No. 833/2014 (Russia) and Regulation (EU) No. 765/2006 (Belarus) and the embedded requirements and due diligence obligations.
3. Consent-based storage of data
In so far as the right to register based on the above laws or circumstances is exceeded, or there is no other legal basis, the Customer is specifically requested to consent to the storage, processing and storage of personal data.
3.1 The following information related to the Customer is processed or may be processed in the register data concerning the supervision of the Money Laundering Act:
3.2 If the controller does not receive the information referred to in section
3.1, the customer relationship cannot be initiated or continued, or the controller may not enter into an agreement or participate in legal activities with the Customer.
Data under the Money Laundering Act is stored for five (5) years, unless the further retention of such data is necessary to safeguard criminal investigation, pending litigation or the rights of the controller or its employed party. The necessity of further storage of data and documents will then be examined no later than three (3) years after the previous verification of the necessity of storage (Money Laundering Act, Section 4).
Other personal data will be deleted after there is no longer any need to store personal data. If the collection and storage of personal data has been based solely on the Customer's consent, personal data will be deleted at the request of the Customer.
Personal data is collected from the Customer himself or herself in connection with the entering into agreement and other events related to the contractual relationship, the fulfillment of the reporting obligation and the preparation of documents, otherwise when using the controller's services or otherwise directly from the Customer. Personal data may also be collected and updated, e.g. from population register and other official registers, as well as the land register, credit information registers, etc.
As a rule, personal data is not disclosed to any third party. Information related to customer relationship, including personal data, is, in principle, processed with full confidentiality and in compliance with applicable laws.
The controller may disclose personal data only within the limits of the legislation in force and within the limits of permitting, and for the purpose of implementing an agreement between the parties.
Data are not regularly transferred outside the European Union or the European Economic Area. However, data may be transferred or disclosed outside the European Union or the European Economic Area as permitted by law if the data are transferred to a country where the European Commission has established an adequate level of data protection or an adequate level of data protection can be guaranteed through contractual arrangements. Transfers outside the EU may also take place temporarily in connection with the use of various cloud services.
In connection with the outsourcing of the controller's information management, the processing of personal data may also be carried out by the controller's subcontractors, but only on behalf of the controller.
Only the controller's employees have access to the data for which it is necessary for the performance of work-related tasks. The data is collected in databases on servers that are protected by firewalls, passwords and other technical means.
To the extent that personal data is processed on behalf of the controller by his subcontractor, agreements between the controller and the subcontractor have ensured the organisation of appropriate safeguards and confidentiality and ensured that the processing of personal data complies with the requirements of data protection legislation.
Verification, access and transfer of data
The Customer has the right to check what information concerning him or her is stored in the Customer Register. The customer must submit a request for verification to the controller. Notwithstanding the foregoing, the Customer does not have the right to inspect information acquired in order to fulfill the reporting obligation laid down in the Money Laundering Act (Chapter 4, Section 3 of the Money Laundering Act). However, the Data Protection Ombudsman may, at the customer's request, verify the legality of the processing of this data.
The Customer has the right to have the customer data that he or she provides himself transferred to a third party in a structured and commonly used machine-readable format. However, the controller retains the transferred data in accordance with this Privacy Policy.
Correcting incorrect data
The Customer has the right to rectify personal data relating to him or her in the personal data file to the extent that it is incorrect.
Objection to or restriction of data processing and deletion of data
The Customer has the right to object to the processing of data concerning him or her for the purposes of direct advertising, distance selling and other direct marketing, market and opinion polls and the development of the controller's business, and to restrict the processing of data concerning him or her, as well as the right to have personal data already registered for that purpose deleted, even if the grounds for processing the data otherwise exist.
Withdrawal of consent
If the information in the register is based on the consent given by the Customer, consent can be withdrawn at any time by notifying the controller's representative mentioned in this statement. The request shall be based on the erasing of any information that is not retained or may be retained on the basis of the law or any other criterion mentioned in this Privacy Policy.
Procedure for the exercise of rights
An inspection, rectification or other request can be made by contacting the controller with the contact information mentioned in this statement.
Disagreements
The Customer has the right to refer the matter to the Data Protection Ombudsman if the controller does not comply with the Customer's rectification or other request.
The controller does not perform profiling on the Customer on the basis of personal data or use automated decision-making.
Version 1.0 9/2025