fbpx

Privacy Statement

This is a statement on the processing of your personal data pursuant to the EU’s General Data Protection Regulation (679/2016).

Controller

Strand Family Group Oy
Business ID: 3265773-6
address: Rantakatu 20, 21100 Naantali
email address: info@strand.fi

Communication regarding privacy matters

For all questions related to the processing of personal data and situations related to the exercise of your rights, data subjects should contact the controller in writing by sending an email to our customer service address: info@strand.fi

Basis and purpose of processing personal data

The legal basis for the processing of personal data is:

  • The consent to the processing of personal data provided by the data subject
  • The contractual relationship between the data subject and controller
  • Fulfilment of the controller’s statutory obligations
  • The controller’s legitimate interest based on, inter alia, the client relationship, marketing, service development, business planning, risk management, or the legitimate interest of a third party.

The purposes of processing personal data include, inter alia:

  • Managing client relationships and assignments
  • Providing, offering, developing, and ensuring the quality of services
  • Actions related to the execution of assignments involving the counterparty of the client or other relevant parties, including but not limited to negotiations, documentation, and communication necessary for fulfilling contractual obligations.
  • Marketing, including direct marketing, targeted marketing to clients and potential clients, and marketing planning
  • Business planning, as well as service reporting and analytics
  • Compliance with statutory obligations, including but not limited to tax legislation, legislation governing real estate agencies, and the Act on Preventing Money Laundering and Terrorist Financing

Regular data sources

The personal data processed is regularly obtained from the following sources:

  • The data subject themselves
  • The Trade Register
  • The Digital and Population Data Services Agency
  • Credit information registers
  • Other public, private, or commercial registers
  • Property management companies or other parties related to the assignment
  • The controller’s cooperation partners

Personal data being processed

The controller only collects personal data concerning the data subjects that is essential and relevant for the purposes explained in this privacy statement.

The following categories of personal data are primarily processed regarding the data subjects:

  • Identification and contact details (name of the individual, entity, and its representative, address, phone number, email address, business ID, date of birth/personal identification number, language, etc.)
  • Identification and identity verification information (passport, identity card, etc.)
  • Information and communication related to the client relationship and assignment management
  • Billing-related information (billing and payment details, collection information, credit check data, etc.)
  • Information related to client communication and marketing
  • Other voluntary information provided by the data subject (information provided by the data subject, e.g., in connection with contact requests, meetings, presentations, or feedback)

Disclosure of personal data

Personal data is disclosed and processed in accordance with the controller’s instructions by Strand Properties Oy, Strand Properties S.L., and their Brand Partners engaged in real estate brokerage, as well as by the member companies of the Leading Real Estate Companies of the World ® brokerage network, acting as personal data processors. These personal data processors may also disclose information to cooperating real estate brokers for the execution of assignments, in such cases only to the extent required for the brokerage process and in compliance with data protection legislation.

Under all circumstances, data is only disclosed when necessary for the intended purpose and the proper execution of services, such as to banks, the National Land Survey of Finland, or property management companies.

Personal data is also disclosed, as necessary, to the accounting firm for bookkeeping and financial administration purposes. Additionally, various service providers and third parties may be used in the processing of personal data, for example, for servers and other technical tools. Data may also be disclosed to business partners and clients in cases permitted by law.

The purchase price and other details related to the subject of the sale may also be disclosed to the Central Federation of Real Estate Agencies (Kiinteistönvälitysalan Keskusliitto ry), where the data is stored in the Price Monitoring Service (Hintaseurantapalvelu) used by real estate agents to the extent required by the service, and from which the information may be further disclosed to its clients. Otherwise, data is not primarily disclosed to external parties.

Furthermore, data may be disclosed to authorities as required by law.

Transfers of personal data to third countries

Personal data is not, as a rule, transferred outside the European Union (EU) or the European Economic Area (EEA). If such transfers are exceptionally carried out (for example, to execute an international real estate transaction or for data-related technical reasons), the controller ensures an adequate level of personal data protection in accordance with the requirements set out in data protection legislation. The default approach is that the controller enters into an agreement on the processing of personal data with the data processor located outside the EU/EEA, based on the European Commission’s Standard Contractual Clauses (SCCs). This agreement establishes a framework for high-level data protection also outside the EU/EEA.

The members of the Leading Real Estate Companies of the World ® network are subject to binding contractual obligations to safeguard their clients’ data protection. The network’s members must comply with the requirements of the EU General Data Protection Regulation (GDPR), and the network is committed to ensuring that data transfers outside the EU are carried out in compliance with EU data protection legislation.

Protection of personal data

The controller processes personal data in a manner that aims to ensure the appropriate security of the personal data, including their protection against unauthorised processing and accidental loss, destruction or damage.

The controller uses appropriate technical and organisational safeguards in order to achieve this goal; these include the use of firewalls, encryption techniques and safe equipment rooms, careful management of data system user IDs, and providing instructions to the personnel participating in the processing of personal data.

All employees processing personal data have a non-disclosure obligation for matters related to the processing of personal data of the data subjects based on the Employment Contracts Act (55/2001) and non-disclosure agreements that supplement it.

Retention period for personal data

The controller processes personal data only for as long and to the extent necessary and legally permitted in relation to the original or compatible purposes for which the data was collected. The purposes of personal data processing are described in the section «Basis and purpose of personal data processing.»

Client identification data required under anti-money laundering and counter-terrorist financing legislation is generally retained for five (5) years after the termination of the client relationship. Materials related to assignments are primarily retained for ten (10) years following the conclusion of the assignment, in accordance with the Guidelines for Good Brokerage Practices (Hyvän välitystavan ohje) issued by the Central Federation of Real Estate Agencies (Kiinteistönvälitysalan Keskusliitto ry). Personal data necessary for direct marketing is retained as long as direct marketing activities are intended to continue, unless the recipient has withdrawn their consent or objected to direct marketing.

The controller deletes personal data from the register after the retention period described above has expired or if the data subject has withdrawn their consent.

Profiling

Personal data will not be used for profiling or other automated decision-making.

Rights of the data subject

Right to request access to personal data

The data subject has the right to receive confirmation regarding whether personal data concerning them is being processed and, if it is, the right to receive a copy of their personal data.

Right to rectification

The data subject has the right to request that inaccurate and erroneous personal data concerning them be rectified. The data subject also has the right to supplement incomplete personal data by submitting the required additional information.

Right to erasure

The data subject has the right to request erasure of personal data concerning them if

  1. the personal data is no longer required for the purposes for which they were collected;
  2. the data subject withdraws their consent which the processing of personal data was based on, and no other legal basis exists for the processing; or
  3. the personal data has been unlawfully processed.

Right to restriction of processing

The data subject has the right to restrict the processing of personal data concerning them if

  1. the data subject contests the accuracy of their personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; or
  3. the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.

Right to object

The data subject has the right to object, on grounds relating to their particular situation, at any time, to processing of personal data concerning them.

The controller shall no longer process the data subject’s personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to withdraw consent

The data subject has the right to withdraw the consent they have provided for the processing, without affecting the lawfulness of processing based on consent before its withdrawal.

Right to data portability

The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller.

Right to lodge a complaint with a supervisory authority

The office of the Data Protection Ombudsman, operating under the Ministry of Justice, is the national supervisory authority for personal data matters. You have the right to bring your case to the supervisory authority if you consider that the processing of personal data concerning you is in violation of applicable law.

Amending the privacy policies

The controller is continuously developing its activities and may therefore be required to amend and update its privacy policies when necessary. The amendments may also be based on changes in the legislation concerning data protection.

If the amendments include new purposes for the processing of personal data or otherwise introduce substantial changes, the controller will provide an advance notification of them and, if necessary, request consent.