Skip to content
Services for foreign companies
Guide
Customer service
search
public
Services keyboard_arrow_down
Price list
About us keyboard_arrow_down
Cooperation keyboard_arrow_down
Employee data management
Valtti+
Valtti card
Employee Management
Cardholder
Reporting and monitoring
Reliable Partner
Valvoja
Report
Building Site Register
Reliable Partner Sustainability Report
Digital signing
Signspace
Other services
Luotettava työntekijä
Zeckit
Reliable Partner Trust Badge

Streamline your daily operations with our services

Through the free customer portal, you can access our services and manage your company’s orders and information.

Read more about the customer portal
Get to know us
Vastuu Group
News
Customer releases
For Partners
Partner Program
Vastuu Group APIs
News
Partner releases
Choose language
Finnish
English
Swedish
Services keyboard_arrow_down
Employee data management
Valtti+
Valtti card
Employee Management
Cardholder
Reporting and monitoring
Reliable Partner
Valvoja
Report
Building Site Register
Reliable Partner Sustainability Report
Digital signing
Signspace
Other services
Luotettava työntekijä
Zeckit
Reliable Partner Trust Badge
Price list
About us keyboard_arrow_down
Get to know us
Vastuu Group
News
Customer releases
Cooperation keyboard_arrow_down
For Partners
Partner Program
Vastuu Group APIs
News
Partner releases
Choose language
Finnish
English
Swedish
Services for foreign companies
Guide
Customer service

Data protection

We process and protect your personal data in accordance with data protection legislation and best practices for the processing of personal data. Below you will find information on how Vastuu Group processes your personal data in our capacity as data controller and how you can exercise your rights as a data subject.

Trust Services  

Last updated: 15 May 2026

General information on the processing of your personal data in Trust Services

In this section, you will find information on how we process your personal data in our Trust Services. These include the following services:

  • Customer portal for the administration of Trust Services and customer service;
  • Valtti service, which processes employee data;
  • Valttikortti ID Card and related services;
  • Luotettava Kumppani (Reliable Partner) service and related business information services, such as Valvoja; and
  • The Work Site Register and other work site management services.

Please note that this notice explains the processing of your personal data carried out by Vastuu Services Oy as the data controller in the Trust Services. If you wish to know how a client company of Vastuu Services Oy using Trust Services processes your personal data when that client company acts as the data controller, please contact that company directly.

If you are a holder of Valttikortti ID Card, you can also check the details of your Valttikortti and employment relationship associated with it in the Cardholder Service.

Data controller and contact details

Vastuu Services Oy (business ID 3496594-3)
Hevosenkenkä 3
02600 ESPOO

Customer service contact details:
Telephone: 0600 301 339 (€0.99/min + local call charge)
Email: asiakaspalvelu@vastuugroup.fi

For matters relating to data protection, please contact us primarily by email at tietosuoja@vastuugroup.fi.

Vastuu Services Oy is part of the Vastuu Group.

 

Customer portal, service management, customer service and billing

When do we process your data as a data controller?

Vastuu Services Oy processes your personal data as a data controller when

  • you register, log in or otherwise use our customer portal;
  • you use Trust Services as a registered user;
  • you act as your organisation’s contact person or other representative in connection with entering into agreements or placing orders, managing services or invoicing; or
  • you contact our customer service or your details are included in a contact made to customer service.

Data subjects

Data subjects are registered users of Trust Services, persons who have contacted customer service or been named in a contact, as well as contact persons and representatives of client companies.

Purposes, legal bases and retention periods for the processing of personal data

We process your personal data for the purposes of customer relationship management, providing customer support, customer communications and invoicing, as well as for providing, maintaining, quality-assuring, tracking and monitoring the use of our products and services, and for developing them and our operations.

The table below provides details of the purposes for which we process your personal data, the categories of personal data we process, and the legal basis on which we process your personal data.

Purposes of processing

Legal basis

Categories of personal data

Creating and maintaining a customer account to provide and manage services

Legitimate interest: provision of services

Personal data that may be added to the customer account information in the customer portal, such as:

  • Personal email addresses and telephone numbers for contact and billing details
  • Customer representative’s user account details
  • Details of any service-specific contact persons

Identification of the customer representative and verification of their authority to act on behalf of the customer

Legitimate interest: preventing misuse of services

Details of the customer representative and the identification process:

  • Name of the customer representative and the person in charge
  • Email address
  • Personal identification number and date of birth
  • ID verification event details and verification method
  • Country
  • Position within the company and verification method

Creation and maintenance of user accounts for users added by the customer

Legitimate interest: provision of services

 

User account details:

  • User name
  • Email
  • Phone number
  • Username and password
  • Organisations associated with the user and their details
  • User type and access rights

Checking the customer’s designated representatives against sanctions lists

Legal obligation: compliance with sanctions regulations
  • Name and date of birth of the person responsible
  • Information on any matches on sanctions lists
  • Information on processing of the hit

Concluding contracts and service orders, providing purchase paths, managing service orders, targeting service recommendations and proposed actions to the customer’s users

Legitimate interest: provision of services, order management
  • Customer and user account details required to place a service order
  • Order status information and transaction times
  • Service-, customer- and user-specific order history data
  • Customer order levels and access rights
  • Information on the validity of customer employees’ training and qualifications

Billing and licence management

Legitimate interest: invoicing for services

Personal data included in the customer’s billing information, such as:

  • Billing contacts and their contact details
  • Other customer references containing personal data
  • The name of the Valttikortti cardholder for whom the Valttikortti was ordered (Valtti service invoices)
  • The pseudonymous identifier (UID) of the person placing the order

Accounting

Legal obligation: compliance with the Accounting Act
  • Billing contacts and their contact details
  • Other customer references containing personal data
  • Name of the Valttikortti cardholder for whom the Valttikortti was ordered (Valtti service invoices)

Technical maintenance and administration of services, user login to services and session management, logging of service usage to investigate errors and problems, to monitor and supervise service usage, and to prevent misuse

Legitimate interest: provision of services, investigation of errors, prevention of misuse
  • Customer account details (where necessary)
  • User account details (where necessary)
  • Valttikortti card details (where necessary)
  • Log data relating to the use of services, which may include information about users

Customer service (telephone, chat, email)

Legitimate interest: provision of services

Details of customers and potential customers’ contact persons, service users and persons who have contacted customer service:

  • Name
  • Email address
  • Telephone number
  • Job title and other organisational details relating to the individual
  • Customer account details
  • User account details
  • Communication content and identifiers (emails, messages, tickets, chat conversations, call recordings and feedback)

Customer and user communications

Legitimate interest: provision of services
  • Customer account contact details
  • User account details
  • Mailing list subscription details
  • Information on sent customer and user messages and whether they have been opened

Use of essential cookies in services to enable certain service functionalities

Legitimate interest: provision of services
  • Information required by essential cookies, which may include information about the user (see the website’s cookie policy for further details)

Monitoring and analysing the use of services using optional cookies and analytics to develop services

Consent: optional cookies
  • Information collected via optional cookies regarding the use of services, which may include information about the user (see the website’s cookie policy for more details)

Development of products, services and operations

Legitimate interest: development of services

The following data, with personal data minimised and/or in anonymised or pseudonymised form:

  • Log data relating to the use of services, which may contain information about users
  • Service-specific and service usage data relating to users, communication content and identifiers (emails, messages, tickets, chat conversations, call recordings and feedback)

 

Customer data is generally retained for two years following the termination of the contract.

The retention period for customer service chat messages is three months, for call recordings seven months, and for tickets three and a half years. Service log data is generally retained for six months from the date the log entry was created.

Accounting records are retained for six years or for any other statutory retention period. Data relating to sanctions monitoring is retained for ten years from the date of any sanctions check.

Sources of personal data

We verify the details of client companies’ persons in charge from public registers via official data resellers. We use third-party authentication services in certain situations to verify the identity of a client company’s representative.

Our client companies define the users authorised to use their client accounts and services within their accounts. This provides us with information about the users of the client company’s services. When registering, the user provides other personal data concerning themselves. The client’s users add the contact details of the client’s contact persons to the client account.

We collect information about the use of our services whilst they are being used, for example to resolve any issues that may arise. The usage data collected may also include some personal data relating to users.

When you contact our customer service, we collect the information necessary to handle and resolve the matter, primarily from you.

We obtain the information required to check for sanctions from a third party that provides a sanctions screening service.

Regular disclosures of personal data to data controllers

The regular disclosures of personal data to data controllers are described below

Valttikortti ID card and other Valtti services that process employee data

When do we process your data as a data controller?

Vastuu Services Oy processes your personal data as a data controller when

  • you have or are issued with a Valttikortti;
  • you undertake training provided by Vastuu Services Oy; or
  • Vastuu Services Oy receives information regarding your training or qualifications from its contractual partners, such as training service providers or qualification awarding bodies.

Data subjects

Data subjects are Valttikortti ID card holders and/or individuals who have completed training provided by Vastuu Services Oy, and/or for whom Vastuu Services Oy receives training or qualification information from training service providers or certification bodies acting as its contractual partners.

Purposes, legal bases and retention periods for the processing of personal data

We process your personal data to produce and deliver the Valttikortti ID card, to verify your identity, and to keep your Valttikortti details available for verification by Vastuu Services Oy’s customers who use Valttikortti for identification.

We process your personal data relating to your trainings and qualifications in order to compile this information for your current employers who use Vastuu Services Oy’s services, and to provide you with Vastuu Services Oy training courses ordered by your employers. Your employer manages the disclosure of your training and qualification data to its contractual partners within our services

The table below provides details of the purposes for which we process your personal data, the categories of personal data we process, and the legal basis on which we process your personal data.

Purposes of processing

Legal basis

Categories of personal data

Storage and processing of cardholder and Valttikortti ID card data within the Valtti service, as necessary for the production and use of the Valttikortti

Legitimate interest: provision of the service, assisting customers in fulfilling their statutory obligations
  • Cardholder’s name, nationality, personal identification number or equivalent foreign identifier, date of birth, photograph, email address, mobile phone number, sector of employment
  • Cardholder’s tax number, country of residence and type of employment (only for Valttikortti card types that use a tax number)
  • Employer’s name, business ID or equivalent foreign identifier, and country of registration
  • Valttikortti PIN code, expiry date and image
  • Valttikortti status (active/inactive)
  • Valttikortti’s unique identification details
  • Valttikortti change details

Delivery of Valttikortti ID card

Legitimate interest: provision of the service
  • Cardholder’s name
  • Delivery address

User identification in the Cardholder service

Legitimate interest: provision of the service, prevention of misuse
  • User name
  • ID verification details and method
  • Personal identification number
  • Nationality used for identification

Verification of employment and the Valttikortti ID card in the Cardholder service

Legitimate interest: provision of the service, prevention of misuse
  • Cardholder’s name
  • Valttikortti image
  • Date of confirmation of employment and Valttikortti
  • Nationality used for identification

Provision of Valttikortti ID card and cardholder details via interfaces and services that use the Valttikortti as an identifier

Legitimate interest: provision of the service, assisting customers in fulfilling their legal obligations, prevention of misuse
  • Valttikortti image
  • Valttikortt’s identifier
  • Cardholder’s first name, surname, tax number, date of birth, photograph
  • Employer’s name, business ID or equivalent foreign identifier, country of registration
  • Valttikortti status (active/inactive)
  • Date of change to Valttikortti status
  • Information on whether the Valttikortti has been verified

Importing data on training courses and qualifications provided by third parties and ordered via the Valtti service into the Valtti service, and compiling this data in the service for the employers for persons that completed the training

Legitimate interest: provision of the service, assisting customers in fulfilling their statutory obligations
  • Name
  • Tax number
  • Date of birth
  • Type of qualification, identification and validity details
  • Name as stated on the qualification card
  • Issuer of the qualification
  • Details of changes

Importing data on training courses and qualifications provided by third parties into the Valtti service and compiling this data in the service for employers for persons that completed the training

Consent
  • Name
  • Tax number
  • Date of birth
  • Type of qualification, identification number and validity details
  • Name as stated on the qualification card
  • Issuer of the qualification
  • Details of changes

Providing trainings produced by Vastuu Services Oy and importing completion data into the Valtti service, as well as compiling this data in the service for employers for persons that completed the training

Legitimate interest: providing the service, assisting customers in fulfilling their statutory obligations
  • Name, date of birth and contact details of the training participant
  • ID verification event details and verification method
  • Contact details
  • Training completed
  • Date of completion
  • Status of completion (completed/in progress)

 

Information regarding the issued Valttikortti ID card is retained for 20 years from the end of the calendar year in which the Valttikortti’s validity period expired.

Information regarding expired qualifications is stored for two years from the end of the year in which the qualification expired.

Sources of personal data

Your employer orders the Valttikortti ID card for you. We receive the information to be printed on the Valttikortti from your employer. We ask you to check your employment details and Valttikortti information in the Cardholder Service before confirming your Valttikortti.

We also use strong authentication services provided by third parties to verify the cardholder’s identity.

Your employer may order training courses provided by Vastuu Services Oy for you. In this case, we will receive your details for the training from your employer.

We receive your training and qualification data from our contractual partners who provide training services or award qualifications, and who have entered into an agreement with Vastuu Services Oy regarding the disclosure of this information for display to your employers and, in turn, to your employers’ contractual partners.

Regular disclosure of personal data to data controllers

In this section, we explain the disclosure of Valttikortti ID card data and training and qualification data to other data controllers. Regular disclosures and transfers of your personal data to data processors and public authorities are described later in this data protection notice.

Disclosures of Valttikortti data to data controllers. We disclose your Valttikortti data to your employer. Your Valttikortti data may also be disclosed to customers of Vastuu Services Oy who accept the Valttikortti for identification. Customers using Vastuu Services Oy’s services may retrieve and store the Valttikortti cardholder’s personal data in their own information systems, particularly when the cardholder works or is due to work at the customer’s construction site, shipyard or other work site. The cardholder’s personal data is disclosed for the following purposes:

  • to comply with the obligations under the Occupational Safety and Health Act or regulations, for example to verify the validity of photo ID, compile a work site person register, verify tax number registration and/or to carry out site induction training or check qualifications;
  • for purposes under the Tax Procedure Act, for example, to submit employee notifications to the tax authorities;
  • to fulfil other statutory or contractual obligations and to ensure that subcontractors operate in accordance with their contracts;
  • to carry out access control or supervision; and/or
  • to ensure compliance with quality, operational or similar systems.

The transfer of personal data to another controller’s personal data register takes place between services provided by Vastuu Services Oy or via APIs in such a way that the employee’s data is disclosed in exchange for the reading of Valttikortti identifiers or in another manner where the contractual relationship between the employer/data subject and the other data controller and the purpose of use of the data have been identified.

Disclosure of education and qualification data to data controllers. Your education and qualification data will be disclosed to your employer. Your employer manages any further disclosure of this data within our services.

Luotettava Kumppani (Reliable Partner)

When do we process your data as a data controller?

Vastuu Services Oy processes your personal data as a data controller when

  • you act as a responsible person for a company or are the beneficial owner of a company that uses Luotettava Kumppani (Reliable Partner) service; or
  • your personal data is otherwise included in the data or material that a company using Luotettava Kumppani (Reliable Partner) service submits to Vastuu Services Oy for the compilation and/or publication of Luotettava Kumppani (Reliable Partner) service’s content.

Data subjects

Data subjects are responsible persons, beneficial owners or other individuals of companies using Luotettava Kumppani (Reliable Partner) service whose personal data is included in the data or material processed for Luotettava Kumppani (Reliable Partner) service.

Purposes, legal bases and retention periods for the processing of personal data

We process your personal data to provide Luotettava Kumppani (Reliable Partner) service and to keep its data content available to customers using Vastuu Services Oy’s business information services, for example for their statutory purposes or for supplier background checks. The personal data required to provide the service is determined by which version of Luotettava Kumppani (Reliable Partner) service the company has taken into use.

The table below provides details of the purposes for which we process your personal data, the categories of personal data we process, and the legal basis on which we process your personal data.

Purposes of processing

Legal basis

Categories of personal data

To fulfil the obligation to provide information required by the Act on the Contractor’s Liability (1233/2006), obtaining an extract from the register of associations, foundations or the commercial register (including details of responsible persons) and a search for business prohibition information from a data source, storage and processing to produce and distribute a contractor’s liability report to parties obliged to verify the information

Legitimate interest: provision of the service, assisting customers in fulfilling their statutory obligations and managing supplier risk

  • Name, date of birth, nationality and place of residence of the person in charge
  • Position within the organisation
  • Business connections
  • Information on any business prohibitions
  • (Trade Register extracts prior to 2014: personal identification number)

Retrieval of information on beneficial owners from a data source and sharing of such information with parties obliged and/or entitled to verify it, so that the user of the information compiled by the service can fulfil their obligations under sanctions regulations and any applicable anti-money laundering legislation, and obtain information on the background of the supplier company for the purpose of managing supplier risks

Legitimate interest: provision of the service, assisting customers in fulfilling their statutory obligations and managing supplier risk
  • Name, date of birth, nationality and place of residence of the beneficial owner
  • Information on shareholding

Checking responsible persons and beneficial owners against EU, UN, UK and OFAC (US) sanctions lists, retrieving this information from data sources and sharing it with the party obliged to verify it, so that the user of the information compiled by the service is enabled to comply with sanctions regulations and other relevant sanctions

Legitimate interest: providing the service, assisting customers in fulfilling their legal obligations and managing supplier risk

  • Name, date of birth, nationality and place of residence of the responsible person and the beneficial owner
  • Information on whether the person is included on the aforementioned sanctions lists

Retrieving the customer’s responsible person data and information on business prohibitions from data sources and sharing it with parties obliged to verify such information to enable supplier due diligence and compliance with legislation

Legitimate interest: provision of the service, assisting customers in fulfilling their statutory obligations and managing supplier risk
  • Name of the responsible person
  • Position
  • Date of commencement of role
  • Business connections, including bankruptcy information: 1-year history
  • Information on business prohibitions

Storage and processing of certificate and qualification data added by the customer to the service for the purpose of sharing the data with parties requiring it (may contain personal data)

Legitimate interest: provision of the service, assisting customers in fulfilling their legal obligations and managing supplier risk
  • Name
  • Qualification information
  • Certificate identification number
  • Person’s photograph
  • Other personal data included in the information added by the customer

Storage and processing of ESG data added by the customer to the service for the purpose of producing a sustainability report and distributing it to parties requiring the information

Legitimate interest: provision of the service, assisting customers in fulfilling their legal obligations and managing supplier risk
  • Other personal data contained in the information added by the customer

Storage and processing of legal compliance data added by the customer to the service for the purpose of producing a compliance report for the customer and distributing it to parties requiring the information

Legitimate interest: provision of the service, assisting customers in fulfilling their legal obligations and managing supplier risk
  • Other personal data included in the information added by the customer

 

Powers of attorney and agreements relating to Luotettava Kumppani (Reliable Partner) service are retained for five years following the termination of the customer relationship.

The information compiled by Luotettava Kumppani (Reliable Partner) Contractor’s Liability Information service regarding the customer companies, including details of responsible persons, is retained indefinitely in accordance with the guidelines of authorities.

As a general rule, we do not store personal data contained within Luotettava Kumppani (Reliable Partner) Financial and Sanctions Information service. For example, we only display information on beneficial owners and personal data related to sanctions checks as up-to-date information directly from the data source. We store certificate, qualification and other sustainability-related information added by the customer to the service for the duration of the customer relationship.

Open responses stored in Luotettava Kumppani (Reliable Partner) Sustainability Report and Legal Compliance Report services, and any personal data they may contain, are stored for three years after the end of the customer relationship.

Sources of personal data

We verify the details of responsible persons and beneficial owners of customer companies, as well as business prohibitions, from public registers via resellers of official data.

We obtain the information required to check sanctions from a third party that provides a sanctions checking service.

We obtain personal data contained in other information or supplementary information within the Reliable Partner service either from the company itself or from data sources acting as contractual partners of Vastuu Services Oy, which may include, for example, industry associations and insurance companies.

Regular disclosures of personal data to data controllers

In this section, we explain the disclosures of data contained in Luotettava Kumppani (Reliable Partner) service to other data controllers.

The regular disclosures and transfers of your personal data to data processors and public authorities are described later in this data protection policy.

The business information contained in Luotettava Kumppani (Reliable Partner) service and the personal data included therein are available to Vastuu Services Oy’s client companies via Vastuu Services Oy’s business information services (e.g. Valvoja, Raportti PRO and Yrityshaku) and their APIs. Luotettava Kumppani (Reliable Partner) Contractor’s Liability Information service reports may also be provided via the business information services of Vastuu Services Oy’s partners.

We enable the verification of customer agreements (powers of attorney) relating to Luotettava Kumppani (Reliable Partner) service, the details of their signatories, and the customer’s extract from the Trade Register at the time of signing, for the data sources of the Luotettava Kumppani (Reliable Partner) service.

Automated Decision-Making

We do not use your personal data to make automated decisions, such as profiling, that have legal effects on you or otherwise significantly affect you.

Regular disclosures and transfers of personal data

Disclosures to data controllers

Disclosures to other data controllers are described separately above for each service.

Transfers of data to processors

We use certain services provided by third parties in our service provision. In such cases, these service providers may process personal data. We enter into an agreement with service providers regarding the processing of personal data. The service providers we use will only process your personal data in accordance with our instructions and solely for the purposes described in this privacy policy. We may transfer your personal data to processors, for example, to carry out the following tasks:

  • service providers carrying out software development and maintenance work;
  • providers of cloud service environments or other third-party web-based services (such as for example cloud services infrastructure, billing, chat functions);
  • service providers assisting with customer service; and
  • identification event intermediaries and other third-party cloud-based solutions utilised as part of the provision of Trust Services.

Disclosures to authorities

We may disclose personal data on the basis of a binding order issued by a competent authority, or where we consider a disclosure to an authority to be justified in order to investigate suspected misuse of our services.

Transfers outside the EEA

We use service centres located within the European Economic Area (EEA) to provide our services. As a general rule, personal data is not transferred outside the EEA, but limited transfers are necessary to carry out certain functions. In such cases, we endeavour, where possible, to limit the personal data transferred and ensure that the personal data is protected by appropriate safeguards required by law, which may include, for example, the European Commission’s standard contractual clauses for the transfer of personal data.

Protection of personal data

Vastuu Services Oy’s information security management system is ISO 27001 certified. The information security management system is regularly audited by an independent third party. Vastuu Services Oy implements appropriate technical and organisational security measures to protect the personal data it processes, in compliance with applicable personal data legislation and its certified information security management system.


Other services provided by Vastuu Group  

Last updated: 15 May 2026
You can find the data protection notices for the following Vastuu Group services on the services’ own pages:

SignSpace

You can find the SignSpace data protection notice here.

Linnunmaa Lex Legal Compliance

You can find the data protection notice for the Linnunmaa Lex Legal Compliance service here.

Zeckit

You can find the data protection notice for Zeckit service here.


Customer register, website visitors, sales and marketing communications

Last updated: 15 May 2026

Customer register, website visitors, sales and marketing communications

In this section, you will find information on how the Vastuu Group processes your personal data as part of the Vastuu Group’s customer register, when you visit the Vastuu Group’s website, as part of the sales and marketing communications for our services, and when we target advertising to you using platforms provided by third parties.

Data controllers and contact details

Vastuu Group Oy (business ID 3509280-6)
Vastuu Services Oy (business ID 3496594-3)
SignSpace Oy (business ID 3496593-5)
Linnunmaa Lex Oy (business ID 2734590-6)
Data Farm Oy (business ID 3198587-7)

Hevosenkenkä 3
02600 ESPOO

Customer service contact details:

Telephone: 0600 301 339 (€0.99/min + local call charge)
Email: asiakaspalvelu@vastuugroup.fi

For matters relating to data protection, please contact us primarily by email at tietosuoja@vastuugroup.fi.

All the companies listed above are part of Vastuu Group.

When do we process your data as a data controller?

We process your personal data as a data controller when

  • you are a contact person, representative or user of our services;
  • you contact our customer service;
  • you register for our events;
  • you respond to our surveys or provide feedback;
  • you provide us with your contact details for the purpose of marketing our services;
  • we obtain your contact details from professional contact data providers or third parties offering data compilation services for the purpose of marketing our services;
  • we receive your contact details from a customer of our business information services who requests your company to start using Vastuu Group’s services;
  • you visit the Vastuu Group website; or
  • we target advertising to you using platform services provided by third parties.

Data subjects

Data subjects include Vastuu Group customers’ contact persons, representatives and users, those who have contacted our customer service, visitors to our events, those who have provided feedback and responded to surveys, persons in decision-making positions at potential client companies, visitors to Vastuu Group’s websites, and visitors to third-party websites who have been targeted by Vastuu Group’s advertising.

Purposes and legal bases for the processing of personal data

We process data held in Vastuu Group’s customer register to maintain the customer relationship and to market our services related to the services ordered by the customer, unless the data subject has opted out of direct marketing.

We process contact details compiled for direct marketing purposes for the direct marketing of our services, unless the data subject has opted out of direct marketing.

If you have accepted the use of optional cookies on our website, we process your data using web analytics to optimise the functioning of our website and to develop the marketing of our services.

We target our adverts to you on third-party websites using advertising platforms provided by third parties, provided that you have consented to the use of optional cookies on these websites. We also use third-party platforms to process information about how you interact with our adverts on third-party websites.

In the table below, you will find information on the purposes for which we process your personal data, the categories of personal data we process, and the legal basis on which we process your personal data.

Purposes of processing

Legal basis

Categories of personal data

Maintaining, compiling, supplementing and managing customer contact details in order to maintain customer relationships and to target marketing communications and sales based on this information

Legitimate interest: managing and developing the customer relationship, and targeting marketing and sales
  • Name
  • Contact details (email, telephone)
  • Person’s role in the company
  • Company/organisation name and contact details
  • Mailing list subscription details
  • Opt-outs regarding direct marketing and customer communications
  • Pages viewed by the user on the website and brochures requested
  • Information about customer or direct marketing messages sent by email and whether the message has been opened
  • Information about the user profile
  • Information regarding communication with the data subject, such as the content and send times of messages
  • Other information relevant to the purpose of the register, such as notes from meetings and information collected regarding website usage in connection with the use of the service that can be linked to the data subject, such as the user’s IP address, time of visit, pages visited, browser type used, the web address from which the user accessed the website, and the server from which the user accessed the website

Collection, compilation, supplementation and management of contact details of potential customers’ contacts for the purpose of targeting marketing communications and sales based on the data

Legitimate interest: acquiring new customer relationships and targeting marketing and sales
  • Name
  • Contact details (email, telephone)
  • Person’s role within the company
  • Company/organisation name and contact details
  • Mailing list subscription details
  • Opt-outs regarding direct marketing and customer communications
  • Pages viewed by the user on the website and brochures requested
  • Information about customer or direct marketing messages sent by email and whether the message has been opened
  • Information about the user profile
  • Information regarding communication with the data subject, such as the content and send times of messages
  • Other information relevant to the purpose of the register, such as notes from meetings and information collected regarding website usage in connection with the use of the service that can be linked to the data subject, such as the user’s IP address, time of visit, pages visited, browser type used, the web address from which the user accessed the website, and the server from which the user accessed the website

Direct marketing (email, telephone)

Legitimate interest: direct marketing of services related to those ordered by the customer, as well as direct marketing of services related to the role of the company’s contact person, provided that the individual has not opted out of direct marketing

Consent: in other cases, consent
  • Name
  • Contact details (email, telephone)
  • Person’s role within the company
  • Company/organisation name and contact details

Use of website analytics via optional cookies to optimise the functioning of Vastuu Group’s websites and to develop the marketing of our services by monitoring and analysing website usage

Consent: cookies
  • Information collected in connection with website usage that can be linked to the data subject, such as the user’s IP address, time of visit, pages visited, browser type used, the web address from which the user accessed the website, and the server from which the user accessed the website

Targeting of advertising on third-party platforms and websites, and the development and optimisation of advertising (in particular LinkedIn, Google Ads, Meta Platforms)

Consent: cookies

Depending on the service provider and platform:

  • Identification data: IP addresses, device and browser identifiers, cookie identifiers, advertising identifiers
  • Behavioural data: visits to Vastuu Group’s pages, ad targeting based on website browsing history, conversion events, user data collected by the service provider for ad targeting purposes
  • Location data: approximate location data based on IP address or device settings
  • Technical information about the device and browser: device type, operating system, browser version
  • Data related to ad display and measurement: clicks, impressions, conversions, attribution data

 

Sources of personal data

We obtain information about our customers’ contact persons and users directly from the data subject and our customers. We may also supplement this information with data extracted from public sources, such as the Trade Register, or other contact information service providers. We do not use contact details from the Trade Register for direct marketing.

We obtain information about our potential customers’ contact persons either directly from the data subject, from professional marketing contact information providers or third parties offering compilation services of such data, or from a customer of our business information services who requests that your company starts using Vastuu Group’s services.

If you have consented to the use of optional cookies on our website, we collect information about your use of the Vastuu Group website during your visit using web analytics.

If you have consented to the use of optional cookies on third-party websites, we may target our advertising to you based on information compiled about you by a third-party advertising platform. In addition, we process information obtained through third-party platforms regarding how you interact with our adverts on third-party websites.

Automated decision-making

We do not use your personal data to make automated decisions that have legal effects on you or otherwise significantly affect you.

Regular disclosures and transfers of personal data

Disclosures to data controllers

We do not disclose personal data collected for the purposes described above to other data controllers.

Transfers of data to processors

We use certain services provided by third parties to maintain our customer contact details and to organise our sales and marketing activities. In such cases, these service providers may process personal data. We enter into an agreement with service providers regarding the processing of personal data. The service providers we use will only process your personal data in accordance with our instructions and solely for the purposes described in this data protection notice. We may transfer your personal data to processors, for example, to carry out the following tasks:

  • providers of cloud service environments or other third-party web-based service providers (such as CRM systems);
  • service providers carrying out software development and maintenance work;
  • service providers assisting with customer service; and
  • service providers assisting with direct sales and bookings.

Transfers outside the EEA

We use cloud services provided by third parties for processing, where the processing of personal data may take place partly outside the European Economic Area (EEA). We select a service centre located within the EEA for the processing of personal data whenever this option is available, and we endeavour, where possible, to limit the personal data transferred. We ensure that personal data is protected by appropriate safeguards required by law, which may include, for example, the European Commission’s standard contractual clauses for the transfer of personal data.

Protection of personal data

Vastuu Group’s information security management and governance system is ISO 27001 certified. The information security management system is regularly audited by an independent third party. Vastuu Group implements appropriate technical and organisational security measures to protect the personal data it processes, in compliance with applicable personal data legislation and its certified information security management system.

Data subject rights

You can read about your rights as a data subject here. You always have the right to opt out of direct marketing for our services by notifying us either as provided in the direct marketing message or by contacting our customer service.


Vastuu Group’s other corporate functions  

Last updated: 15 May 2026
You can find the data protection notices for the following Vastuu Group corporate functions below:

Recruitment

You can find the Vastuu Group recruitment data protection notice here.

Vastuu Group’s whistleblowing channel

Last updated: 15 May 2026

In this section, you will find information on how we process your personal data in connection with reports made via the Vastuu Group whistleblowing channel.

Data controller and contact details

Vastuu Group Oy (business ID 3509280-6)
Hevosenkenkä 3
02600 ESPOO

Customer service contact details:

Telephone: 0600 301 339 (€0.99/min + local call charge)

Email: asiakaspalvelu@vastuugroup.fi

For matters relating to data protection, please contact us primarily by email at tietosuoja@vastuugroup.fi.

Vastuu Group Oy is the operating parent company of Vastuu Group. Vastuu Group Oy handles all reports submitted to the Vastuu Group’s whistleblowing channel concerning companies belonging to the Vastuu Group.

When do we process your data as a data controller?

Vastuu Group Oy processes your personal data as a data controller when:

  • you submit a report to the Vastuu Group whistleblowing channel; or
  • personal data concerning you is included in a report submitted to the whistleblowing channel.

Data subjects

Data subjects are current or former employees of Vastuu Group, its group companies, subcontractors, customers or other stakeholder organisations, or other individuals who submit a report via Vastuu Group’s whistleblowing channel or whose data is included in a report submitted via the whistleblowing channel.

Purposes, legal bases and retention periods for the processing of personal data

Vastuu Group operates a whistleblowing channel through which you can report suspected misconduct relating to Vastuu Group’s operations. Through the whistleblowing channel, you can confidentially report suspicions concerning breaches of legislation falling within the scope of the Act on the Protection of Whistleblowers or of Vastuu Group’s ethical guidelines. The whistleblower has the option to make a report under their own name or anonymously.

The table below provides information on the purposes for which we process your personal data, the categories of personal data we process, the legal basis on which we process your personal data, and how long we retain your personal data in each situation.

Purposes of processing

Legal basis

Categories of personal data

Retention period

Organisation of the whistleblowing channel and processing of reports submitted via the channel.

Personal data is processed in order to implement the whistleblowing channel required by the Act on the Protection of Whistleblowers (1171/2022).

Legal obligation

Whistleblower

Reports may be made either by name or anonymously. The whistleblower may include personal data about themselves in the report (such as name, contact details, location, financial information, etc.), or the circumstances of the reported incident may be such that the whistleblower can be indirectly identified on the basis of this information.

The person who is the subject of the report

The report may contain information about the person who is the subject of the report, or their behaviour or circumstances, as well as other personal information (such as name, location, financial details, images, etc.). The information may also include data belonging to special categories of personal data (such as health data).

Witnesses and other third parties

A report or investigation file may contain the name, contact details and other information relating to bystanders.

Report handlers

Contact details (name, username) and log data.

Personal data deemed unnecessary for the investigation of the report will be deleted without undue delay.

Data designated for retention will be retained for the five years required by law, after which it will either be deleted or the retention of the report will be extended for as long as necessary, based on a case-by-case assessment.

Organisation of the whistleblowing channel and processing of reports submitted via the channel.

Personal data is processed to implement internal control within the Vastuu Group by receiving reports via the whistleblowing channel regarding issues other than breaches of legislation, such as breaches of the Vastuu Group’s ethical guidelines, so that corrective measures can be taken where necessary.

Legitimate interest (receiving reports of issues other than breaches of the law and rectifying such issues; implementing internal control)

As above.

As above.

 

Sources of personal data

Personal data is collected from the reporter when the whistleblowing channel is used. In addition, during the investigation of a case, the data controller collects necessary information relating to the report from the parties concerned and from persons and entities involved in the events.

Automated decision-making

No automated decision-making is used in the processing of reports.

Regular disclosure and transfer of personal data

The data controller shall not disclose personal data received via the whistleblowing channel to third parties for any reason other than a legal obligation to disclose binding on the data controller or for the purpose of investigating the suspected breach described in the report.

The data controller may use subcontractors for the processing of personal data. The Central Chamber of Commerce is responsible for the technical implementation and maintenance of the whistleblowing channel service on behalf of the data controller. The Central Chamber of Commerce does not process reports on behalf of the data controller.

Transfers outside the EEA

Personal data will not be transferred outside the European Economic Area.


Data subject rights 

Last updated: 15 May 2026

Data subject rights

You have a number of rights regarding the processing of your personal data, which we explain in more detail below.

The rights available to you depend on the personal data being processed and the legal basis for processing it. Not all of the rights described below are available in all situations. For example, you may not have the right to have your personal data erased if the data is being processed for a purpose required by law.

Exercising your rights is free of charge. However, we may refuse unfounded or unreasonable requests or charge you a reasonable processing fee, which will be notified to you in advance.

If you have any questions about your rights as a data subject or wish to exercise your rights, please contact Vastuu Group’s Data Protection Officer using the contact details provided below.

Right of access to personal data and right to rectify your data

You have the right to check what personal data we process about you or to obtain confirmation that we do not process your personal data. If you believe that the personal data we process is incorrect, inaccurate or incomplete, you may submit a request to us to have the data rectified.

As a data subject, you have the right to access your personal data. However, the data subject’s right to access data may be restricted in certain situations, such as in the case of personal data reported under the Act on the Protection of Whistleblowers, if this is necessary and proportionate to ensure the accuracy of the report or to protect the identity of the whistleblower.

Right to erasure 

You have the right to have your personal data erased in certain situations. This right depends, among other things, on the basis for processing the personal data.

If our processing is based on consent, we will delete your personal data when you withdraw your consent.

If you object to the processing of your personal data on the grounds of a legitimate interest, we will assess the grounds for your request in relation to the legitimate interest. Based on this assessment, we will decide whether to cease processing your data and delete it if there are no longer grounds for processing.

Right to restrict the processing of your data

In certain situations, you have the right to request a temporary restriction on the processing of your personal data. Temporary restriction means that we will retain your data but will not delete or otherwise process it without your consent, or for the purpose of establishing, exercising or defending legal claims.

The right to object to the processing of your personal data

In certain situations, you have the right to object to the processing of your personal data.

For example, you may object to the processing of your personal data for direct marketing purposes, in which case we will no longer process your data for this purpose.

You may also object, on grounds relating to your particular situation, to the processing of personal data based on legitimate interest. If you object to the processing of your personal data on the basis of a legitimate interest, we will assess the grounds for your request in relation to that legitimate interest. Based on this assessment, we will decide whether to cease processing your data and delete it if there are no longer grounds for processing.

Right to transfer personal data from one system to another

You may request the transfer of your personal data in situations where we process your personal data on the basis of consent or a contract, and you have provided the personal data to us yourself.

In such cases, we will provide you with your personal data in a machine-readable format so that you can store it yourself or transfer it to another data controller (such as another service provider). Where technically feasible, we may also, at your request, transfer your personal data directly to another data controller.

Right to withdraw consent

Where the processing of your personal data is based on consent, you may withdraw your consent at any time. Withdrawing your consent does not affect the lawfulness of the processing of your personal data carried out on the basis of consent prior to its withdrawal. If you withdraw your consent, we will cease processing your personal data to the extent that such processing was based on your consent.

In specific situations, however, the law may require us to continue storing certain personal data, even if it was originally collected on the basis of your consent.

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority regarding the processing of your personal data.

In Finland, the supervisory authority is the Office of the Data Protection Ombudsman: www.tietosuoja.fi.

 

Contact and exercising data subjects’ rights

You can contact Vastuu Group’s Data Protection Officer for example regarding data protection related questions or to exercise your rights:

Email: tietosuoja@vastuugroup.fi

Postal address:
Vastuu Group Oy
Data Protection Officer
Hevosenkenkä 3
02600 Espoo