Privacy notice

1. Introduction

This privacy policy describes the principles according to which DataJaala Oy (hereinafter also "we"), as the data controller, collects and processes personal data that are particularly related to:
  1. customers and business partners (section 4.1 below),
  2. employees and recruitment (section 4.2 below), and
  3. shareholders (paragraph 4.3 below).

Personal data is any information related to an identified or identifiable person, such as a name, email address or photograph. Any reference to a gender in this privacy policy means all genders.

2. Controller and contact information

DataJaala Oy
Business ID: 3221994-7
Domicile: Helsinki, Finland
Strömbergintie 8 B 42

Use the above contact information also if you have questions about data protection issues. Our contact person responsible for data protection matters is Ilpo Suominen.

3. DataJaala as a data processor

We may also act as a data processor for an organization, person or legal entity that uses our services. In these situations, the purposes and principles of personal data processing are defined in the contract we conclude with the customer. In this case, we may not process the data for any purpose other than for the benefit of the customer in question and in accordance with the customer's instructions.

4. What personal data do we process, for what purpose, what is the legal basis for the processing and the applicable data retention period

We collect, store and process personal data only for predefined purposes and only on legal grounds. We process personal data mainly for the following purposes and on the following grounds:

4.1 Customers and business partners


Creating and maintaining customer and businessrelationships

Description of the processing

We process personal data for the conclusion and execution of contracts, such as sales contracts, subcontracting contracts and other partnership contracts.

During the customer or business relationship, we process personal data for usual purposes, for example providing services, usual correspondence and communication, invoicing, payments and collection.

Processed personal data
  • Name
  • Company/employer name
  • Job title/position in the organization
  • E-mail
  • Address
  • Telephone number
  • Offer and contract information
  • Billing information
  • Usual business correspondence
  • Information about marketing, event and invitation
Legal basis

Contract. The processing of personal data is necessary for the conclusion of a contract and for the implementation of a contract.

Legitimate interest. The purpose mentioned above is in accordance with our legitimate interests to manage the business relationship and we consider that, based on the relationship or your position between you and our company, it is processing that you can reasonably expect in a normal customer and business relationship and that does not conflict with your fundamental rights and freedoms.

Retention period

We do not store personal data longer than is necessary for the purpose of their use or as required by the contract or the law. Personal data can also be deleted in a situation where the data subject withdraws consent or requests the deletion of data (and there is no other legal basis for the processing).

4.2 Employees and recruitment


Employment matters and recruitment

Description of the processing

We collect, store and process personal data related to employees in order to fulfill the rights and obligations related to employment contracts and for usual personnel management purposes.

We process personal data related to recruitment so that we can process job applications and make decisions about open positions and ultimately offer work and enter into employment contracts.

Processed personal data
  • Name, address, telephone number, social security number, bank account, next of kin, employment contract, position and mandatory documents related to the employment relationship, information related to salary calculation and payment, sickness absence information
  • Name, e-mail, address, telephone number, information contained in the job application and resume, LinkedIn profile (with consent)
Legal basis

Employees. As an employer, we must meet the requirements set by employment contracts, legislation and authorities. Such processing of personal data is based on a legal obligation or the fulfillment of a contract. The processing of personal data is also necessary to realize our legitimate interests, so that we can fulfill our obligations as an employer. We believe that as an employee you can reasonably expect that we, as an employer, process your data as described in this statement. Taking into account the purposes mentioned above, your reasonable expectations and the nature of the data, we consider that this processing does not conflict with your fundamental rights or freedoms.

Recruitment. The processing of personal data of job seekers is necessary for the realization of our legitimate interests. When you apply for a position, we need to process your necessary personal data so that we can take you into account when making a decision to offer a job. When you send a job application, you can reasonably expect that we will process your personal data as described in this statement in connection with recruitment. Taking into account the purposes mentioned above, your reasonable expectations, the nature of the data and the fact that you can object to the processing of personal data based on a legitimate interest, we consider that the processing does not conflict with your fundamental rights or freedoms. When we offer a person a job, we have to process personal data also for the preparation of the contract.

Retention period

Employees. We do not store your data for longer than is necessary for its purpose or to fulfill the contract. Retention periods can also be based on applicable laws, such as the Employment Contracts Act and accounting and tax laws. We can also update the information if necessary. The following storage periods are also valid:

  • the information needed to write the employment certificate can be kept for 10 years after the end of the employment relationship;
  • payroll records can be kept for 10 years after the end of the accounting period;
  • travel, expense reimbursement and other payment receipts can be kept, e.g. for at least the current year and the following 6 years; and
  • general employment relationship information can be kept for the entire duration of the employment relationship and approximately 24 months after the end of the employment relationship due to the general time limit for filing a lawsuit.

Recruitment. We usually keep job applications for a maximum of about 24 months after the end of the recruitment process. Otherwise, we delete the information when we no longer need it for the original purpose. With the consent of the job seeker, we can also keep job applications and resumes for a longer period of time, if the applicant wants to save his application for future open positions.

4.3 Shareholders


Obligations according to the Companies Act

Description of the processing

Maintaining lists required by the law

Processed personal data
  • name and contact information
  • shareholdings
Legal basis

Legal obligation.

5. From which sources has the personal information been obtained

We receive personal data mainly from the person himself, for example when contacting us. In addition, we may collect personal data from other reliable sources. Examples of information obtained from these sources can be the websites of potential client companies and their contact information.

6. To whom personal data is shared

Your personal data is processed primarily by our staff when performing their duties. We may also use subcontractors in the processing of personal data. The subcontractors we use may not use your personal data for any of their own purposes. What information our subcontractor processes at any given time depends on the task and purpose for which we use that subcontractor. We may share personal data with others, especially in the following situations:
  1. Service providers and subcontractors. We use external service providers for e.g. cloud storage, financial management, payroll and other purposes (e.g. Google Workbench, Azure, AWS, Trello, Procountor Solo, Linkedin and Decklinks);
  2. Official and other legal reasons. We may also disclose information when required to do so by law, court or competent authority, or to respond to or prepare for a legal action;
  3. Business arrangements. We may also disclose information if we were involved in a merger or acquisition involving our company or business; and
  4. Consent of the data subject. We may also disclose information if the person has given their consent to the disclosure of information.

7. International transfers of personal data

Personal data is mainly located in Finland and the EU region. Personal data can be transferred outside the EU/EEA mainly in the situation if one of the service providers we use is located outside the EU/EEA. If personal data is transferred outside the EU/EEA area to a country that is not included in the EU Commission's decision on the adequate level of data protection, we ensure that the processing, transfer and storage of your data takes place on the grounds required by law and with sufficient protection mechanisms, such as standard contract clauses confirmed by the EU Commission. The standard contract clauses can be found here (part of the text is in English): The standard contract clauses have different modules for different situations, most likely we use module 2 (data controller-processor).

8. Retention periods

The retention periods for different types of processing operations are also described above in sections 4.1–4.3.

We do not store personal data longer than is necessary for the purpose of their use or as required by the contract or the law. Personal data can also be deleted in a situation where the data subject withdraws his consent or requests the deletion of his data (and there is no other legal basis for the processing). Data retention periods are also governed by legislation (e.g. accounting law, tax laws) and the expiration dates of deadlines related to presenting legal claims (e.g. the statute of limitations for filing a lawsuit).

The required storage time can vary, but typically it means a few years. The information needed to defend against legal claims may have to be stored for up to 10 years. Accounting documents are typically kept for 6-10 years.

9. Your rights

You have the following rights in relation to your personal data:

The right to access personal data

You have the right to receive confirmation from us as to whether we are processing personal data concerning you and to know what personal data concerning you we are processing (e.g. a copy of the data). In addition, you have the right to receive additional information about the basis of the processing of your personal data. However, the right to access personal data can be restricted based on legislation, the protection of privacy of other persons and the protection of trade secrets.

The right to correct data

You have the right to have your incomplete, incorrect or outdated personal data supplemented or corrected.

The right to request deletion of data

You have the right to request the deletion of your personal data. Your data will be deleted if there is no longer a legal basis for processing personal data.

The right to restrict processing

You may have the right to restrict the processing of your personal data. In this case, the controller generally does not process personal data other than by storing the data. You may have this right, for example, when you dispute the accuracy of your personal data, if the processing is against the law, or if you have objected to the processing of your personal data and are waiting for a response to the request for action in question.

Right to object

If we process your personal data based on our legitimate interest, you have the right to object to such processing based on your personal reasons.

The right to transfer data from one system to another

If we have processed your data on the basis of your consent or to fulfill a contract and the processing has taken place automatically, you have the right to receive the data you have provided us electronically in a commonly used machine-readable format so that the data can be transferred to another data controller.

Withdrawal of consent

If the processing of personal data is based on consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the legality of the processing of personal data that took place before the withdrawal. The processing of your personal data is based on consent, for example when you have given permission for electronic direct marketing by subscribing to our newsletter. The processing of non-necessary cookies on our website is also based on your consent. You can manage the cookie consents you have given yourself using the cookie tool on our website.

The right to prohibit direct marketing

You always have the right to object to the processing of your personal data for direct marketing purposes and the right to withdraw any consent you may have given for marketing purposes.

10. How you can exercise your rights

You can exercise your rights described above by contacting us, for example, using the contact information mentioned above. The use of your rights is basically free of charge for you. If you make a request electronically, we will deliver the information electronically as far as possible, unless you request otherwise. If necessary, we may ask you to verify your identity or specify your request.

You can easily ban e-mail marketing, for example, by clicking on the link in the header or footer of any email marketing message.

11. Complaint to the supervisory authority

If you believe that we do not process your personal data in accordance with this privacy statement or the applicable national and European Union data protection legislation, you can lodge a complaint with the supervisory authority if you wish. In Finland, the authority in question is the office of the Data Protection Commissioner (homepage:

12. Security

Personal data in electronic form is properly and carefully stored on servers that are protected by firewalls, passwords and other technical means in accordance with the general practices of the industry. Access to personal data in electronic form is limited by means of personal usernames and passwords. The personal information we collect and process is confidential, and we do not disclose it to anyone other than those who need the information in their work, or in accordance with this privacy policy to our partners or other recipients.

13. Cookies

We use cookies on our website so that we can offer the best possible user experience to the website visitor. Cookies are short text files that the web server stores on the user's terminal device. Cookies give us information about how users use our website. We may use cookies to develop our services and website, to analyze website usage, and to target and optimize marketing. Non-necessary cookies are processed only with the consent of the website visitor. Consent is given, it is revocable and it is managed using the cookie tool on our website, which opens to the visitor from the cookie banner on the side of the site. The cookie banner and the information it contains provide more detailed information about the cookies on our site.

14. Obligation to provide personal data and the consequences of not providing it

With regards to corporate and organizational customers, the processing of certain personal data is necessary, for example, for making offers and concluding and executing contracts, as well as for invoicing purposes.

When you are an employee, we need to process certain personal data to fulfill contracts and legal rights and obligations related to the employment relationship.

Providing information is not mandatory in recruitment situations. However, if you do not provide the necessary information, we may not be able to process your application.

15. Automated decision making and profiling

We do not make such automated decision-making and profiling that would have legal effects or other similar effects on the person.

16. Changes

We may make updates to this privacy statement as our operations, privacy principles or applicable legislation change. Unless otherwise stated, changes will take effect when we have posted an updated privacy statement on our website.

17. Privacy policy language versions

If there is a discrepancy in privacy policies written in different languages, then the privacy policy written in Finnish is the authoritative one.

Updated 2024-07-12