Registry description

Registry description Section 10 of the Personal Data Act (523/99)

The legal bases for the processing of personal data are the following in accordance with the EU General Data Protection Regulation (hereinafter also referred to as the “GDPR”):

Completion date 25.5.2018

FINMANI / Fin Kauppahuone OY'S CUSTOMER REGISTER PRIVACY STATEMENT

1 Registrar The registrar of the register is FINMANI / Fin Kauppahuone OY: (business ID FI24764355)

The contact person for registration matters is: ECommerce Manager Armi Hakkarainen FINMANI / Fin Kauppahuone OY: N

Address: Lylykoskentie 9 H 1, 80130 Joensuu

Phone: +358 (0) 444 331 300 Email: palvelu@finmani.fi

2 Name of the registry The name of the register is FINMANI / Fin Kauppahuone OY's customer register.

3 Purpose of the processing of personal data Personal data is processed for purposes related to the management, administration and development of the customer relationship, the provision and delivery of services, and the development and invoicing of services. Personal data is also processed for the purposes required to clarify possible complaints and other claims. In addition, personal data is processed in communications to customers, such as for information and news purposes and in marketing, as part of which personal data are also processed for purposes related to direct marketing and electronic direct marketing. The customer has the right to prohibit direct marketing directed at him. The controller processes the data itself and utilizes subcontractors acting on behalf and for the account of the controller in the processing of personal data.

4 Legal bases of the proceedings The legal bases for the processing of personal data are the following in accordance with the EU General Data Protection Regulation (hereinafter also referred to as the “GDPR”): the data subject has consented to the processing of his or her personal data for one or more specific purposes (Article 6 1.a of the GDPR); processing is necessary for the performance of a contract to which the data subject is a party or in order to take pre-contractual measures at the request of the data subject (Article 6 (1b) GDPR); processing is necessary for the legitimate interests of the controller or of a third party (Article 6 (1f) GDPR). The data subject's legitimate interest referred to above is based on a relevant and appropriate relationship between the data subject and the data controller as a result of the data subject's processing and the processing for purposes which the data subject could reasonably have expected at the time of collection.

5 Data content of the register (categories of personal data to be processed) The register contains, in principle, the following personal data on all registered persons: basic information and contact details of the person: [first name, surname, address, telephone number, e-mail address, order details]; information related to the person's company or other organization and the person's position or job title in question. in a company or organization; personal marketing authorizations and prohibitions.

6 Regular sources of information Personal data is collected from the registered person himself. Personal data shall also be collected and updated, within the limits of the applicable law, from publicly available sources related to the performance of the customer relationship between the controller and the data subject and through which the controller fulfills its responsibilities for the maintenance of the customer relationship.

7 Retention period of personal data The data collected in the register shall be kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data were collected. The need for the retention of personal data shall be assessed every five years and in any case the data relating to the data subject shall be deleted from the register six years after the end of that data subject's relationship with the controller and the end of the customer relationship obligations and measures. For example, accounting documents are kept for six years from the end of the financial year. The controller shall regularly assess the need for data retention in accordance with its internal code of conduct. In addition, the controller shall take all reasonable steps to ensure that personal data which are inaccurate, erroneous or out of date for the purposes of processing are deleted or rectified without delay.

8 Recipients of personal data (groups of recipients) and regular disclosures Personal data will not be disclosed to third parties.

9 Data transfer outside the EU or the EEA Personal data contained in the register will not be transferred outside the EU or the EEA.

10 Registry security principles Materials containing personal data shall be kept in locked premises accessible only to designated and authorized persons.