Conficap Oy, Privacy Notice for Business Customers and
Partners
Last updated: 7.3.2024
This Privacy Notice describes how Conficap Oy (hereinafter also “we”) processes the personal data of contractual parties in connection with its investment activities, and the personal data of its tenants of its commercial properties, business partners, and other stakeholders in its real estate and investment businesses. Conficap complies with the EU General Data Protection Regulation (2016/679) and applicable national data protection legislation when processing personal data.
Personal data means any information that makes it possible to identify a person. It may be information that directly identifies a person, such as a name, personal identification number, telephone number, e-mail address or photograph, or information that, when combined with other information, makes it possible to identify a person.
1. Controller and contact details
Conficap Oy (2862035-9)
Address: Salomonkatu 17 A, 00100 HELSINKI (Finland)
Contact for privacy matters: dataprotection@conficap.com
2. Personal data processed and the purpose and the legal basis for processing
2.1 Tenants of commercial properties and business partners
| PERSONAL DATA | PURPOSE OF PROCESSING | LEGAL BASIS |
| Information concerning the company and the company’s contact persons, such as name, email, phone number, position in the company, client number or other similar identifier Private customer’s name, email, phone number, social security number, client number or other similar identifier (indivicuals leasing storage spaces) | Establishing and maintaining the client relationship or other partnership, developing the business | Legitimate interest |
| Identifying the customer or company representative, handling and monitoring payments and fulfilling other contractual obligations | Fulfillment of lease agreement or other partnership agreement | |
| Legal obligation (Knowing your customer, “KYC”, in accordance with antimoney laundering legislation) | ||
| Information concerning the client relationship or partnership, such as existing and previous agreements with tenants and suppliers, other orders and | Fulfilling contractual obligations | Fulfillment of lease agreement or other partnership agreement |
| Accounting | Legal obligation | |
| assignments, signees to agreements, invoicing information | ||
| Information concerning communications and direct marketing opt-ins and opt-outs | Establishing and maintaining the client relationship or other partnership, carrying out communications and electronic direct marketing, developing the business | Legitimate interest |
| Electronic direct marketing to private persons | Consent | |
| Information collected in connection with events, such as registration information, special diets, invoicing information | Hosting events | Legitimate interest |
| Consent regarding health data (e.g. allergies) | ||
| Data collected from onpremises recording camera surveillance and access control, such as footage of persons on the premises, time and place, personal access identifier, time stamp of access events Camera surveillance is carried out at the entrance and corridoors of the buildings. Entrances and doors (incl. entrances to common areas) are subject to access contro | Ensuring the security of property, premises and persons on the premises, preventing and detecting vandalism and crime | Legitimate interest |
2.2 Representatives of target companies and other stakeholders in our investment business
| PERSONAL DATA | PURPOSE OF PROCESSING | LEGAL BASIS |
| Information concerning the company and the company’s contact persons, such as name, email, phone number, position, social security number, nationality, domicile Information concerning the company’s key personnel, such as sanctions data, ownership of shares, ultimate beneficial ownership, | Identifying the responsible parties, representatives and ultimate beneficial owners of a company | Legal obligation |
| Making an investment or agreeing on financing and fulfilling related contractual obligations | Fulfilling a contract | |
| Legitimate interest | ||
| information on possible political influence, passport copies | ||
| Information concerning fund managers, analysts and other stakeholders, such as name, position, email, phone number, communication details | Managing investor relations and carrying out the investment business | Legitimate interest |
2.3 Website visitors
| PERSONAL DATA | PURPOSE OF PROCESSING | LEGAL BASIS |
| Basic and contact details, such as name, email, phone number, information on the company you represent, background for contacting us | Establishing the client relationship, responding to inquiries from clients and potential clients | Legitimate interest |
| Information regarding use of the website, such as IP address, device ID or other identifier as well as cookies | Website development and analytics | Consent |
We use Piwik PRO Analytics Suite as our website analytics software and consent management tool. We collect data about website visitors based on cookies. The collected information may include a visitor’s IP address, operating system, browser ID, browsing activity and other information. See the scope of data collected by Piwik PRO.
We calculate metrics like bounce rate, page views, sessions and the like to understand how our website/app is used. We may also create visitors’ profiles based on browsing history to analyze visitor behavior, show personalized content and run online campaigns.
We host our solution on Microsoft Azure in Germany, Netherlands, United States and Hong Kong, Orange in France and ElastX in Sweden, and the data is stored for 25 months.
The purpose of data processing: analytics and conversion tracking based on consent. Legal basis: Art. 6 (1)(a) GDPR.
Piwik PRO does not send the data about you to any other sub-processors or third parties and does not use it for its own purposes. For more, read Piwik PRO’s privacy policy.
3. Sources of personal data
Personal data is collected in connection with meetings and when concluding agreements, at client events, or by other means directly from the individual, for example through a web form. Personal data can also be collected from generally available sources, such as from real estate agents, Trade Register, credit information registers, and other public and private registers in accordance with applicable laws.
4. Disclosures of personal data and transfers outside the EU/EEA area
We can disclose personal data in accordance with applicable laws to authorities, legal and financial consultants, real estate agencies and to investment service providers and fund managers. Data can be disclosed to group companies for administrative purposes, for example based on use of shared IT systems. Information about the company’s own key personnel is disclosed to contractual partners to the extent required by KYC obligations. Information may be published to the extent agreed with the customer or partner.
In business transaction situations or in order to acquire funding we may disclose some personal personal data described above to the extent required by each case to such companies who we have agreed to share the information with, in order to evaluate our company value, and to prepare and execute any actions necessary for the circumstances. Nondisclosure agreements will be obtained accordingly in these cases.
We have outsourced some activities involving the processing of personal data to subcontractors who provide e.g., IT systems and maintain servers where data is stored. We conclude personal data processing agreements with our subcontractors as required by data protection legislation. We use subcontractors for the following operations:
- IT administration and support
- Lobby services, access control and access key management
- Accounting
- Marketing
- Contract management
The IT systems we use may allow the service provider to access data from outside the EU/EEA. Where personal data is processed outside the EU/EEA, we will ensure that the transfer is justified under the General Data Protection Regulation, e.g. by an EU Commission adequacy decision or the application of standard contractual clauses.
5. Security of personal data
Personal data are processed with due care and the data systems storing personal data are adequately protected by firewalls, passwords, and other technical means. Where data are stored on Internet servers, the physical and digital security of their hardware shall be adequately ensured. Databases and their backups shall be located in locked and secured premises. We ensure that stored data, server access rights and other information critical to the security of personal data are treated confidentially and only by those employees whose job description includes this.
6. Retention of personal data
We retain personal data for the duration of the lease agreement of partner agreement and for the necessary period of time after the termination of such agreement, taking into account possible statutory periods of action and accounting rules. As a rule, business-to-business contracts are stored for 10 years from the end of the contract. Data relating to KYC checks are stored for 5 years after the end of the established customer relationship or the performance of the business operation, in accordance with the Anti-Money Laundering Act.
We assess the need to store data regularly considering the applicable legislation. Additionally, we take all the reasonable measures to ensure that no data, which is incompatible for the purposes of the processing, obsolete or incorrect, is stored in the register. We correct or erase such data without delay.
7. Data subject rights
As a data subject, you have the right to inspect the personal data stored in the register concerning yourself and the right to demand rectification or erasure of the data.
Insofar as processing is based on your consent, you also have the right to withdraw or change your consent regarding personal data processing.
As a data subject, you have the right to object or to demand restriction of the processing of your data and to lodge a complaint with the supervisory authority.
On grounds relating to your particular situation, you also have the right to object other processing activities when the legal basis of processing is the legitimate interest. In connection with your request, you shall identify the specific situation, based on which you object to the processing. We can refuse the request of objection only on legal grounds
As a data subject, you also have the right to object to processing at any time and free of charge insofar as it relates to direct marketing, including profiling.
8. Updates to this Privacy Notice and inquiries regarding personal data
We may update this Privacy Notice from time to time if there are changes in the processing of personal data. Any communication or request regarding this Privacy Notice should be made in writing or in person to the contact point designated in section one.