Personal data means any information relating to a natural person (“data subject”) and enabling direct or indirect identification of said person. Personal data, data subject, data controller, data processor and other key terminology are specified in the General Data Protection Regulation (2016/679) of the EU (“GDPR”) which the Company complies with in any processing of personal data, alongside other applicable data protection legislation (hereinafter collectively referred to as “data protection legislation”). Ensuring data protection is integrated into all of the business operations of Innovestor.
Innovestor Oy is an investment service firm monitored by the Finnish Financial Supervisory Authority, providing licensed issuance services, reception and transmission of orders and supplementary services. Innovestor Ventures Oy and Innovestor Life Science Oy are registered alternative investment funds managers monitored by the Finnish Financial Supervisory Authority, managing alternative investment funds under registration. Innovestor Ignite Oy builds and produces corporate venturing services. Innovestor Finance Oy provides financing and business management consulting and investment activities.
|Innovestor Oy (business ID 2616018-4)
|Annankatu 12, FI-00120 Helsinki, Finland
3. Purposes of processing personal data and legal basis for the processing
The grounds and purposes of processing personal data include, but are not limited to, the following:
|Purpose of the processing
|Purpose of the processing
Implementation of contracts concerning the services and products provided by Innovestor (e.g. mandatory customer information, fees, notifications, feedback, communications, appointments and customer service)
|Contract or preparation thereof
|Fulfilment of statutory obligations, such as obligations arising from the Finnish Act on Detecting and Preventing Money Laundering and Terrorist Financing, the Finnish Act on Investment Services, Act on Whistleblower Protection, and contracts concerning the exchange of taxation-related information
|Statutory obligation (especially concerning Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
|Implementation of Innovestor’s projects and related obligations and duties
|Contract, statutory obligation, legitimate interest of the Company to engage in business operations in order to fulfil the needs of present and future customers and consent for participating in a specific project
|Risk management, ensuring safety and security and prevention of malpractice
|Statutory obligation to ensure the security of data, prevent malpractice, etc. and legitimate interest to protect the Company’s property and the safety of the personnel
|Maintenance, development, quality assurance and communication related to products and services
Planning and development of business operations
Targeted customer service regarding the Company’s services, customer communications, customer surveys and monitoring the use of services
Marketing and targeting of marketing to customers and potential customers as well as organisation and administration of campaigns
|The Company’s legitimate interest to inform present and potential future customers of products and services, develop the quality of products and services and market them
|Management of voluntary events and services
Electronic, personal direct marketing
|Consent for participating in a certain event or certain type of marketing (e.g. electronic direct marketing)
The data subject has the right to withdraw their consent (see Section 10 Rights of data subjects below)
|The Company’s legitimate interest to recruit employees, offer work to the data subject and manage recruitment-related matters
Insofar as the processing of personal data is based on the legitimate interest of Innovestor or a third party, we have assessed that the rights and interests of the data subjects do not supersede said legitimate interest.
4. Categories of personal data to be processed, data contents and sources of data
4.1 Categories of personal data to be processed
The following data of the data subjects shall be processed:
|Category of personal data
|Examples of data content
|4.1 Contact information
|Name, address, telephone number, e-mail address
|4.2 Identifying information
|Personal identification number, other similar national identifier, date of birth, copy of birth certificate (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
|4.3 Customer identification information required by the Act on Detecting and Preventing Money Laundering and Terrorist Financing
|Personal data, information concerning financial status, information concerning the origin of assets, actual beneficiaries (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
|4.4 Obligations concerning international exchange of taxation-related information
|Country of taxation, taxation identification numbers (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
|4.5 Identification information collected based on the Act on Whistleblower Protection
|Name, e-mail address, telephone number
|4.6 Customer transaction information and contractual information
|Personal data in the contract and other documentation between the Company and the data subject, communications between the data subject and the Company, reclamations and other information on the use of services
|4.7 Information related to the use of services
|Information concerning financial status, classification of the customer, appropriateness assessment, investment objects, subscription orders (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy), information concerning education and occupation, information on payment transactions
|4.8 Technical behaviour information and identification information
The collected data may include the user’s IP address, visited sites, browser type, Internet address, time and duration of session, etc. (see Section 8 Cookies below)
|4.9 Managing the rights of the data subject, such as contents and prohibitions
|Marketing bans and consents
Communications and measures related to the data subject’s rights (see Section 10 Rights of data subjects below)
|4.10 Recruitment-related information
|Curriculum vitae and job application as well as other information on education, competence and job history
Results of potential aptitude tests, status inquiries and safety analysis reports
Information of references and other individuals participating in recruitment
|4.11 Other voluntarily disclosed (additional) information
|Wishes and preferences related to the contract or marketing/marketing event
Other information disclosed during communication or meetings
Information in the curriculum vitae related to expert roles in various business programmes (only Innovestor Ignite Oy)
Disclosing the information mentioned in Sections 4.1–4.7 is essential for the management of the obligations based on legislation and the contract between the Company and the data subject as well as for the provision of the Company’s services. Should the data subject fail or refuse to disclose the necessary personal data, concluding or implementing the contract or managing the statutory obligations may be hindered.
The disclosure of information mentioned in Sections 4.8–4.11 is voluntary but necessary if the data subject wishes to use its rights or for us to serve the customer to the best of our ability. Failing or refusing to disclose recruitment-related information hinders the employee’s evaluation and may terminate their recruitment process.
4.2 Primary sources of data
The personal data is primarily collected from the data subject via telephone or e-mail or when meeting the data subject face to face. In addition, data subjects disclose personal data either electronically or on paper through received subscription undertakings as well as investment service and subscription contracts. A representative authorised by the data subject may also disclose data on behalf of the data subject. In addition, the data subject may have disclosed data to the Company when visiting the Company, its website or social media or when participating in events. Data can also be collected in connection with marketing upon the individual’s permission.
4.3 Data collected from other sources
In its marketing activities, the Company may use external service providers that process data subjects’ contact information for marketing purposes.
Personal data can also be collected from a corporation on behalf of which the data subject is acting. In addition, data can be collected and updated in context allowed by legislation from data files maintained by third parties, such as the Finnish Patent and Registration Office or from other public sources and databases such as LinkedIn.
Subcontractors, cooperating partners and other stakeholders disclose personal data of data subjects when required by legislation and contractual obligations.
The Company can collect recruitment-related personal data in accordance with the prerequisites of legislation concerning data protection in working life from recruiting service providers and potential background surveys, such as status inquiries, and by contacting references.
5 Retention of personal data
The retention period and criteria of personal data vary between categories of personal data according to the purpose and processing grounds of each category. When the processing of personal data is based on special legislation that is binding to Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy, the legislation also usually specifies the retention period of the data. The usual requirement is to retain personal data for the duration of the customer relationship and contractual relationship and for five years after the termination of said relationships (especially Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy).
In terms of representatives of corporations, the retention of their personal data is also connected to the duration of their status as a representative with the Company.
Personal data required for marketing shall be retained for as long as the data subject is targeted by a specific marketing activity, in other words participates in an event or is contacted about certain services or products, if the data subject has not reported their objection to the use of personal data in direct marketing or, when the marketing is based on consent, has not withdrawn their consent.
The consents, prohibitions and restrictions for processing personal data shall also be retained for the duration of their validity.
Once the personal data is no longer needed as specified above, the data shall be erased within a reasonable amount of time. The Company shall provide more detailed information on retention periods of personal data or the criteria concerning retention periods upon request.
6 Processors and other recipients of personal data
Personal data is transferred between the companies in the Innovestor Group for purposes related to marketing, customer service, other management of customer relationships and the risk management of the Group. The Companies shall process the personal data according to data protection legislation.
The Company may disclose personal data to third parties and utilise external processors, such as service providers, for processing personal data. Service providers supplying IT systems, financial administration services, legal services and other services as well as subcontractors, for example, may participate in the processing of personal data. The Company shall use sufficient contractual obligations to ensure that the processors of personal data process the data appropriately and according to legal requirements.
In addition, the Company may need to disclose personal data to contractual partners of the Company as well as other third parties due to the Company’s contractual obligations as well as statutory reporting and notification obligations.
The Company shall provide more detailed information on the processors and other recipients of personal data upon request.
The Company shall disclose personal data to the authorities in order to fulfil the legal information rights of said authorities. In addition, the Company may have to disclose personal data if the Company is involved in legal action or other arbitration proceedings. Should the Company become involved in a merger, business transaction or other corporate transaction, it may have to disclose personal data to third parties.
7 Transfer of personal data outside the European Union or the European Economic Area
The Company shall not transfer personal data outside the European Union (EU) or the European Economic Area (EEA). We use Google Analytics as a cookie-based tool to analyze the use of our website and services, as described in section 8 below. Personal data contained in Google Analytics may be transferred outside the EU or EEA and we cannot guarantee the adequacy of the transfer arrangements as required by the GDPR. We are following the guidance of the Finnish Data Protection Authority on this matter.
A cookie is a small text file stored on your device (persistent cookie) or in the cache (session cookie). The network server of the website creates the cookie. The network server specifies the data contained by the cookie which can then be used when the user visits a website. This enables the storing of data such as the user’s settings and remembering their login information. Cookies provide us with information on the language selections of those visiting our website, the time zone of the used browser and the use of the pop-up form. The user can freely manage and remove cookies installed in their browser. However, prohibiting cookies may restrict the use of the website or services.
9 Principles of protecting personal data and security of processing
The Company processes personal data in a manner that ensures appropriate security and data protection of the personal data in all situations, including protection against unauthorised processing and against accidental loss, destruction or damage.
The Company uses appropriate technical and organisational protective measures to ensure the aforementioned, including the use of firewalls, encryption technology, secure facilities, appropriate access control and instructions for the employees and subcontractors participating in the processing of personal data.
Paper materials are stored in locked facilities only accessible for authorised individuals. The data is only printed out when necessary, and any paper printouts are destroyed in a secure manner.
Access rights are limited according to job descriptions. All the individuals processing personal data are bound by professional secrecy concerning matters related to the processing of personal data.
The Company may outsource the processing of personal data to service providers, whereupon the Company shall use sufficient contractual obligations to ensure that the personal data is processed appropriately and legally.
10 Rights of data subjects
The data subjects have rights guaranteed by data protection legislation.
10.1 Right to access and verify data
The data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her is being processed.
The data subject shall have the right to verify and access the personal data concerning him or her and, upon request, receive the data in writing or in electronic format.
10.2 Right to rectification and erasure of data
The data subject shall have the right to obtain the rectification of inaccurate personal data. In addition, the data subject shall have the right to obtain the erasure of personal data concerning him or her in accordance with valid data protection legislation.
The Company shall also take initiative to erase, rectify and supplement personal data it has observed to be inaccurate, unnecessary, incomplete or outdated for the purposes of the processing.
10.3 Right to data portability, restriction of processing and the right to object to the processing
The data subject shall have the right to transmit the personal data concerning him or her to another controller in accordance with valid data protection legislation.
In addition, the data subject shall have the right to restrict the processing of personal data concerning him or her in accordance with the prerequisites specified by data protection legislation. In addition, in a situation where personal data suspected to be inaccurate cannot be rectified or erased or there is uncertainty concerning the request for erasure, the Company shall restrict access to the data.
The data subject shall have the right to object to the processing and to prohibit the use of the data for certain types of processing, such as direct marketing.
10.4 Right to withdraw consent
If the processing of personal data is based on consent provided by the data subject, the data subject shall have the right to withdraw their consent. In addition, the data subject shall have the right to withdraw their consent for electronic direct marketing. The withdrawal shall not affect processing preceding the withdrawal.
10.5 Implementation of the rights
Due to the obligation to verify identity before disclosing information, we may need to ask for more detailed information. The request shall be answered within a reasonable amount of time and, whenever possible, within one month of presenting the request and verifying the identity.
Should the Company be unable to agree to the data subject’s request, the data subject shall be informed of the refusal in writing. The Company may refuse a request (such as the erasure of data) due to a statutory obligation or a statutory right of the Company (such as obligation or claim related to our services).
10.6 Right to lodge a complaint with a supervisory authority
The data protection shall have the right to lodge a complaint with an authorised data protection authority if they find that their personal data has been processed in violation of valid legislation. However, we request that the issue be primarily discussed with the Company.
The contact information of the Finnish data protection authorities can be found here.
11.1 Version history
|24 May 2018
|Specification document created
|29 March 2019
|Specification document updated
|25 June 2019
|Specification document updated in terms of processors of personal data and cookies.
|19 September 2019
|Amended to cover the mentioned companies in the Innovestor Group.
|14 January 2020
|19 October 2021
|Added new group companies, corporate venturing services and legislation on protection for whistleblowers
|1 March 2023
|Change of controller’s address, completion of data sources and transfer of personal data outside the EU