PRIVACY POLICY AND DATA PROTECTION STATEMENT

This statement on the processing of personal data complies with the EU General Data Protection Regulation (GDPR) (679/2016).

Ensimetri Ltd.’s PRIVACY POLICY AND DATA PROTECTION STATEMENT

Data Controller:  Ensimetri Ltd. (Business ID: 2943900-9)

Contact information: Kalevantie 2, 33200 Tampere, Finland, Tel. +358 50 565 8000, Email: toimisto(at)ensimetri.fi

Contact for Data Protection Matters: Marko Lehtimäki, puh. 050 555 2055, sähköposti: marko.lehtimaki@ensimetri.fi

Name of the Personal Data Register: Customer and Stakeholder Group Register

Legal Basis and Purpose of Processing Personal Data

The legal basis for processing personal data includes:

• The data subject’s consent to the processing of personal data
• A contract in which the data subject is a party
• The data controller’s legitimate interest in managing customer relationships and providing and delivering services related to the organization’s activities, including organizing events. Personal data is processed only to the extent necessary to fulfill these purposes and in a manner that the data subjects can reasonably expect when providing their data.
• Personal data is collected for:
• Maintaining customer and stakeholder group relationships
• Developing services
• Analysis (grouping and reporting)
• Assessing customer experience and satisfaction The data is also used for communication about services and events

Regular Sources of Information

The personal data processed is regularly obtained from the following sources:

• The data subject themselves
• The Finnish Trade Register
• Publicly available sources

Information is collected when a customer or stakeholder group relationship begins, during registration, when using our services, or in connection with events we organize. Personal data is primarily collected directly from the data subject. Personal data may also be obtained from other registers and public sources within the limits permitted by law. Data is not used for automated decision-making or profiling.

Personal Data Processed

The data controller collects only such personal data from data subjects that is relevant and necessary for the purposes described in this privacy policy.

The following information may be processed:

• General contact information: name, organization, address, email, and phone number, and for business advisory clients also date of birth
• Additional information provided by the client (e.g., gender, nationality, employment and education history)
• Service interaction data
• Data related to customer feedback and surveys
• Information related to direct marketing and customer communications
• Service usage data across different service channels

Collection of Website Visitor Data (ensimetri.fi and learn2earn.ensimetri.fi)

• Our website collects visitor data to improve the functionality and user experience of the site. The collected data may include IP address, browser type, device information, time of visit, and pages visited.
• IP addresses may only be processed for technical maintenance and security of the website. IP addresses are not used to identify users or for marketing purposes and are not permanently stored in the website database.
• Data is collected through cookies and similar technologies. Analytics data is processed in statistical form, and individual users are not identified.
• The legal basis for processing visitor data is our legitimate interest in developing and securing our website operations. Marketing-related cookies are used only with the user’s consent.
• We use third-party services (e.g., Google Analytics 4, YouTube) that act as data processors on behalf of the controller. Data is not stored longer than necessary.
• Users have the right to access their personal data, request correction or deletion, and object to the processing of their data. Cookie settings can be managed at any time through the website’s cookie settings.

Use of an AI Chatbot and Visitor Data

• Our website (ensimetri.fi) uses an AI-based chatbot. When using the chatbot, technical data may be processed, such as IP address, user’s geographic location (country and region), device operating system, browser, and session time.
• The data is used to enable the chatbot’s functionality, prevent misuse, improve service quality, and for statistical purposes.
• Messages entered into the chat are processed to generate responses. Users are advised not to enter personal or sensitive information into the chatbot.
• Chat content is not used to train AI models.
• The legal basis for processing is the legitimate interest of the website operator.
• Data is stored only for as long as necessary to ensure the operation and security of the chatbot.
• Data may be processed in third-party services acting on behalf of the controller.

Disclosure of Personal Data

Personal data is not regularly disclosed to other parties.

However, contact information may be shared to the extent necessary with:

• Co-organizers of events
• Funders of publicly funded projects
• Other similar representatives of public administration

Data may also be disclosed to authorities, experts, financial institutions, or similar parties based on the client’s consent in order to carry out actions related to the client’s service needs. Personal data may also be transferred between systems essential for managing customer relationships (e.g., newsletters, event management systems).

Personal data is not disclosed to third parties for marketing purposes.

Transfers of Personal Data to Third Countries

Personal data is not transferred outside the European Union (EU) or the European Economic Area (EEA). Any possible transfers will take place only in accordance with the safeguards required by EU data protection legislation.

Protection of Personal Data

The data controller processes personal data in a manner designed to ensure appropriate security of personal data, including protection against unauthorized processing and accidental loss, destruction, or damage.

The data controller uses appropriate technical and organizational safeguards to ensure this, including:

Kaikilla henkilötietoja käsittelevillä työntekijöillä on työsopimuslain (55/2001) ja niitä täydentävien salassapitosopimusten perusteella vaitiolovelvollisuus rekisteröityjen henkilötietojen käsittelyyn liittyvistä asioista.

• Firewalls
• Encryption technologies
• Secure facilities for equipment
• Appropriate access control
• Careful management of system user accounts
• Guidance for personnel involved in processing personal data

All employees who process personal data are bound by confidentiality obligations under the Employment Contracts Act (55/2001) and supplementary confidentiality agreements.

Data Retention Period

Personal data is stored only for as long as necessary to fulfill the purposes described above and in accordance with applicable legislation. After this period, the data will be deleted.

Retention periods follow statutory obligations, taking into account, among others, financing and accounting legislation. When a contractual relationship ends, the retention period is determined by the purpose of use and applicable legislation.

Rights of the Data Subject

Every individual in the register has the right to:

• Access the data stored about them
• Request correction of incorrect data
• Request completion of incomplete data

If a person wishes to review the data stored about them or request corrections, the request must be submitted in writing to the data controller. The data controller may ask the requester to verify their identity.

The data controller will respond within the time period defined in the GDPR (generally within one month).

Providing and allowing the processing of certain data may in some cases be a prerequisite for using services. The data controller reserves the right to suspend services or deny access to services if the data subject does not provide information essential for the service or requests its deletion.

Changes to the Privacy Policy

The data controller continuously develops its operations and may therefore need to modify and update its data protection practices. Changes may also be based on amendments to data protection legislation.

If the changes include new purposes for processing personal data or otherwise significantly change the policy, the data controller will notify users in advance and request consent where necessary.