Kotiranta & Co Attorneys | Asianajotoimisto

Privacy Policy

Description

Kotiranta & Co stores, uses and handles personal data under this Privacy Policy (the “Policy”) in accordance with applicable legislation, including the General Data Protection Regulation (2016/679; the “GDPR”) and other applicable national data protection laws and other legislation in Finland (“Data Protection Law”).

Summary Notes

  • As a general rule, we collect, store, use and process personal data for the purpose of providing legal services.
  • We do not, as a general rule, disclose personal data to third parties. Where disclosure is required under applicable law or by an official obligation, we assess each request individually to determine whether disclosure is lawful.
  • We act in accordance with the Finnish Attorneys Act (496/1958), the rules and guidelines of the Finnish Bar Association, and other applicable national and European regulations.
  • We use secure and confidential methods for storing personal data, including encryption where appropriate. We may engage certain service providers to process personal data on our behalf as part of their services. In such cases, we have entered into written agreements to ensure that all processing is carried out lawfully and in accordance with this Policy and applicable data protection legislation and guidance.
  • We do not use personal data for automated decision-making that produces legal effects or similarly significant consequences for individuals.

Data Controllers

Kotiranta & Co Asianajotoimisto Oy
Kotiranta & Co Attorneys Ltd
Kotiranta & Co Advokatbyrå Ab
Aleksanterinkatu 44
00100 Helsinki, Finland
t. +358 20 728 0830
helsinki(at)kotirantaco.fi
VAT: FI23177714

Kotiranta & Co Asianajotoimisto Pohjoinen Oy
Kotiranta & Co Attorneys North Ltd
Kotiranta & Co Advokatbyrå Nord Ab
Hallituskatu 20 A 3f
96100 Rovaniemi, Finland
t. +358 20 728 0835
rovaniemi(at)kotirantaco.fi
VAT: FI31385484

Kotiranta & Co Attorneys Ltd (the “Parent Company”) and its subsidiary Kotiranta & Co Attorneys North Ltd (the “Subsidiary”) act together as joint controllers in accordance with Article 26 of the General Data Protection Regulation (GDPR). Both entities operate under the joint name “Kotiranta & Co Attorneys | Asianajotoimisto”. For the purposes of this Policy, they are jointly referred to as “Kotiranta & Co”.

The Parent Company and the Subsidiary jointly determine the purposes and means of processing personal data within the operations of Kotiranta & Co. Personal data is shared between the Parent Company and the Subsidiary where this is necessary for the management and performance of client assignments, for administrative purposes, or to meet statutory obligations.

The Parent Company has the primary responsibility for ensuring compliance with the obligations set out in the GDPR and applicable data protection laws. This includes, among other duties, fulfilling the information requirements described in Articles 13 and 14 of the GDPR, maintaining appropriate safeguards, and implementing procedures to ensure lawful processing.

The Subsidiary processes personal data in accordance with this Policy and under the supervision and guidance of the Parent Company. Both entities may collect and store personal data independently where required for local operations, provided that such processing remains consistent with this Policy.

Requests to exercise data subject rights under Articles 15 to 22 of the GDPR should primarily be addressed to the Parent Company using the contact details provided in this Policy. The Parent Company will coordinate the handling of such requests with the Subsidiary where appropriate.

Contact Details in Privacy Matters

Kotiranta & Co Attorneys Ltd
helsinki(at)kotirantaco.fi
t. +358 20 728 0830

Scope of the Privacy Policy

This Policy describes how we process personal data in connection with:

  • Client work and other aspects of the client relationship
  • Inquiries from potential new clients
  • Recruitment
  • Any metadata such as cookies on the Kotiranta & Co website (www.kotirantaco.fi) or within correspondence
  • Kotiranta & Co’s statutory duties, such as those related to anti-money laundering and client due diligence
  • Marketing
  • Other matters related to the business of Kotiranta & Co

Kotiranta & Co strives to ensure that the personal data processed is accurate and kept up to date in accordance with legal obligations. We kindly ask you to assist us in fulfilling this obligation by notifying us promptly of any changes to your personal information or preferences. You may do so by contacting us at helsinki(at)kotirantaco.fi.

Your Rights

Subject to the limitations set out in the GDPR and applicable Data Protection Law, you may at any time exercise your rights in relation to the personal data that Kotiranta & Co processes about you.

  • Right to access and rectification: You have the right to request access to personal data concerning you. This includes the right to obtain confirmation as to whether or not your personal data is being processed, information on the categories of data processed, and the purposes of such processing. You also have the right to request that any inaccurate or incomplete personal data be corrected or completed without undue delay.
  • Right to object: You have the right to object to certain types of processing of your personal data. This applies, for example, where Kotiranta & Co processes your data for marketing purposes or where the processing is based on legitimate interests.
  • Right to erasure: You have the right to request the erasure of your personal data if, for example, the data is no longer necessary for the purposes for which it was collected, if the processing is unlawful, or if deletion is required to comply with a legal obligation. Personal data provided by you will be erased without undue delay unless Kotiranta & Co has a lawful reason or obligation to retain it.
  • Right to data portability: If the processing of your personal data is carried out automatically and based on your consent or on a contract between you and Kotiranta & Co, you may request that such data be provided to you in a structured, commonly used and machine-readable format. You may also request that the data be transmitted directly to another controller where this is technically feasible.
  • Right to withdraw consent: Where the processing of your personal data is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of any processing carried out before the withdrawal.
  • Opt-out from marketing: You have the right to opt out of receiving marketing communications from Kotiranta & Co at any time. Each marketing message includes an option to decline future communications, and you may also contact Kotiranta & Co directly to opt out.

Please note that in some circumstances professional confidentiality obligations and other legal requirements under Finnish law and the rules of the Finnish Bar Association may limit Kotiranta & Co’s ability to disclose, erase or otherwise process personal data connected to client work. These obligations take precedence over certain rights of access or deletion.

If you have questions or concerns regarding how we process your personal data, or if you wish to exercise any of your rights, you may contact us at helsinki(at)kotirantaco.fi.

If you are not satisfied with our response, you also have the right to lodge a complaint with a national supervisory authority. In Finland, the competent authority is the Office of the Data Protection Ombudsman, whose website can be found at www.tietosuoja.fi.

Personal Data

Categories of personal data collected by Kotiranta & Co:

  • Name, date of birth, company, title, position, address, language, language preferences, email address, phone number and other related information.
  • Special categories of personal data, for example copies or originals of passports, health information, or biometric data, where such data is required for the performance of legal services or for compliance with legal obligations.
  • Documents and correspondence, including their contents, that you have provided to Kotiranta & Co, which may include sensitive or confidential legal materials.
  • Documents and correspondence, including their contents, received from other parties or public authorities in connection with a legal matter, which may also include sensitive or confidential information.
  • Recruitment-related data such as job applications, curricula vitae, references, and other information provided in connection with a recruitment process.
  • Metadata and other technical information included in correspondence or communications exchanged with Kotiranta & Co.
  • Metadata and cookie data automatically generated when visiting Kotiranta & Co’s website (www.kotirantaco.fi), such as IP address, operating system, internet browser type and version, and other similar technical identifiers. However, Kotiranta & Co purposefully avoids the collection of all such data when possible.

Processing, Using and Collecting Data

Kotiranta & Co complies with the rules and guidance of the Finnish Bar Association, including the obligation of professional confidentiality. The principal purpose of collecting, storing, using and handling personal data is to support the operations of Kotiranta & Co as a law firm and to ensure the proper performance of our legal services.

  • Client work: Kotiranta & Co collects, stores, handles and uses personal data connected with client relationships of both the Parent Company and the Subsidiary. Data may be obtained through email, mail, other forms of telecommunication, discussions, phone calls, public records, as well as from opposing or third parties. Personal data may also be created by Kotiranta & Co during the provision of legal services. In certain cases, data may be supplemented with publicly available information, for example through search engines, professional websites, industry publications, or social media. Personal data is shared and used between the Parent Company and the Subsidiary for the management, performance and conclusion of client assignments, as well as to meet the legal obligations of Kotiranta & Co. The processing of such data is based on the provision of confidential legal services. Depending on the situation and type of legal service provided, the legal basis for processing may include documented consent, contractual necessity, compliance with a legal obligation, legitimate interest, or the performance of a public task related to legal services.
  • Sensitive data: Kotiranta & Co collects, stores, handles and uses sensitive personal data when necessary for the provision of legal services. Such data is primarily collected directly from clients but may also be obtained from other sources such as opposing parties or public authorities. The processing of sensitive personal data is based on documented consent, contractual necessity, a legal obligation, legitimate interest, a public task related to legal services, and/or the exception provided under Articles 9(2)(f) and 9(3) of the GDPR concerning the establishment, exercise or defence of legal claims and the obligations of professional secrecy.
  • Personal Data Relating to Criminal Convictions and Offences: Kotiranta & Co may collect, store, use and handle personal data relating to criminal convictions and offences when necessary to provide legal services. The processing of such data is carried out under Article 10 of the GDPR and on the same legal grounds described in the section “Client Work” above.
  • Acquiring clients: Kotiranta & Co may collect, store, handle and use personal data from potential or prospective clients through email, mail, other communications, discussions, internet, search engines, public records, public authorities and third parties. Data may be shared and used between the Parent Company and the Subsidiary for the purpose of evaluating or initiating potential client relationships or fulfilling legal obligations. The processing of such data is based on documented consent, contractual necessity, a legal obligation or legitimate interest.
  • Recruitment: Kotiranta & Co collects, stores, handles and uses personal data of applicants and candidates during recruitment processes. Data may be obtained through email, mail, phone calls and other communications. The data is used and shared between the Parent Company and the Subsidiary for recruitment purposes and to comply with applicable legal obligations. Processing is based on documented consent or legitimate interest, depending on the situation.
  • Metadata: Kotiranta & Co may collect, store and use metadata and cookies derived from the use of Kotiranta & Co’s website (www.kotirantaco.fi), emails and other digital communications. Such processing supports the functioning of our services, fraud prevention, network security and other legitimate interests. The website is designed to minimise unnecessary data collection. However, certain metadata, such as IP addresses and functional cookies, are required for technical functionality and may be temporarily stored on our server. Emails sent to Kotiranta & Co may also contain metadata that is automatically stored. The processing of such information is based on documented consent, contractual necessity, compliance with a legal obligation or legitimate interest.
  • Statutory duties: Kotiranta & Co is subject to statutory obligations relating to anti-money laundering and client due diligence. We collect, store and use such personal data to meet our legal obligations under Finnish law and the rules and guidance of the Finnish Bar Association. This includes duties set out in, among others, the Finnish Attorneys Act (496/1958) and the Act on Preventing Money Laundering and Terrorist Financing (444/2017). The legal basis for such processing includes documented consent, contractual necessity, compliance with a legal obligation, legitimate interest and/or the performance of a public task.
  • Events or marketing: In connection with events or marketing activities, such as events for clients or students, Kotiranta & Co may collect, store and use photographs or video recordings of attendees. Such material may be used internally for documentation purposes or externally for marketing, including on Kotiranta & Co’s website, social media platforms, or printed publications. External use of identifiable images or recordings will only take place with the explicit consent of the individuals concerned. Consent may be withdrawn at any time.
  • Other matters: Kotiranta & Co may collect, store, handle and use personal data for other purposes related to its business operations when necessary to perform legal services or comply with legal obligations. Such processing is based on documented consent, contractual necessity, compliance with a legal obligation, legitimate interest and/or the performance of a public task.

Data Storing

Personal data is used, shared and stored within both the Parent Company and the Subsidiary. Kotiranta & Co stores, uses and handles personal data only for the purposes for which it was originally collected and as described in this Policy. Access to personal data is limited to authorized employees whose duties require them to process such data in the course of their work.

Personal data is not stored, used or handled longer than is necessary for the specific purpose or as required by law, by professional obligations, or under the rules and guidelines of the Finnish Bar Association. Kotiranta & Co complies with all applicable statutory retention periods as well as its own internal retention policies.

Kotiranta & Co does not disclose personal data to any third parties without a legitimate reason connected to client work, unless required by applicable law, for the preparation or defense of legal claims, or for the performance of legal services on behalf of clients.

In certain cases, personal data may be transferred to or processed by third-party service providers acting on behalf of Kotiranta & Co as data processors. Such transfers are limited to the personal data necessary for the service to be properly provided. All third-party service providers are required to comply with Kotiranta & Co’s instructions, applicable data processing agreements, and other binding contracts. These providers must also apply appropriate technical and organizational measures to ensure the security and lawful processing of personal data.

Kotiranta & Co has implemented suitable technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure or loss. Access is restricted to authorized personnel only. Internal policies and procedures are in place to ensure secure processing of personal data, and Kotiranta & Co follows the data security guidance issued by the Finnish Bar Association.

Where applicable, Kotiranta & Co may also agree with clients on specific procedures for data handling, storage or transfer to ensure compliance with contractual and statutory confidentiality obligations.

Data Retention

Kotiranta & Co retains personal data only for as long as necessary for the purposes described in this Policy. To fulfil our obligations under the rules of the Finnish Bar Association, personal data is retained for at least ten (10) years from the date of completion of the assignment, or for such longer period as is required by the nature of the client relationship or the engagement.

Typically, client data in legal work is retained for at least ten (10) years, recruitment data for three (3) years after the recruitment process ends, and cookie data only temporarily but up to one (1) year.

Location of Data

Kotiranta & Co primarily hosts and processes personal data on servers located within the European Union (EU) and the European Economic Area (EEA). In certain circumstances, it may be necessary to transfer personal data to countries outside the EU or EEA. When such transfers occur, Kotiranta & Co ensures that they are performed in full compliance with the GDPR and other applicable data protection laws. Appropriate technical, contractual and organisational safeguards are implemented to ensure that your rights and personal data remain adequately protected.

Where a transfer of personal data to a non-EEA country is required, Kotiranta & Co relies on legally recognised transfer mechanisms under the GDPR. These mechanisms require the recipient to process personal data in accordance with a level of protection that is essentially equivalent to that provided within the EU.

You may request additional information regarding the safeguards applied to international data transfers by contacting Kotiranta & Co through the contact details provided in this Policy.

Changing the Policy

Kotiranta & Co may update this Policy from time to time to reflect changes in our practices or legal requirements. The latest version will be available at www.kotirantaco.fi. If the website is not functional, the latest version will be provided upon request from helsinki(at)kotirantaco.fi.

This Policy was last updated on 7 October 2025.