Privacy policy for rental and investment activities

Updated 19 May 2022

This privacy policy applies to the processing of personal data of DEAS Asset Management Finland Oy’s customers and corporate customers’ representatives in its rental and investment operations.

1. DATA CONTROLLER

DEAS Asset Management Finland Oy (hereinafter “the Company”)
Mikonkatu 7, 5B
00100 HELSINKI
Business ID: 1604474-5

2. CONTACT PERSON

The data controller’s contact person for data protection matters is:
Iiris Parkkinen
DEAS Asset Management Finland Oy
Mikonkatu 7, 5B, 00100 Helsinki
Email: iipa@deas-asset.com

3. PERSONAL DATA PROCESSED

Rental operations

The data controller processes the following personal data and any changes thereto concerning customers, tenants and their representatives (hereinafter also referred to as “data subject”):

Basic data of the data subject

• Customer’s name, personal identity number or business ID and contact information
• Corporate customer’s representative’s name, personal identity number and contact information

Other data related to the customer relationship, such as

• Customer data and other data related to rental applications and rental agreements
• Data about the rented property
• Data about the payment of rent and security deposit
• Data about termination of the rental agreement
• Data related to customer communications and contacts, as well as data about complaints and customer feedback

Investment operations

Basic data of the data subject

• Name, personal identity number or business ID and contact information of an investor or potential investor
• Name, personal identity number and contact information of an investing company’s or potential investing company’s representative

Other data related to the customer relationship, such as

• Data related to investments, including data on the objects of investment
• Data on termination of agreements
• Data related to customer communications and contacts, as well as data on complaints and customer feedback

4. PURPOSES OF PROCESSING PERSONAL DATA

The data controller processes personal data for the purpose of managing, maintaining and developing customer relationships, such as rental agreements and investor relations. For these purposes, the data controller may conduct actions such as customer satisfaction surveys. The data controller maintains the data of its customers, meaning tenants, investors and/or their representatives, rental ledgers and investment data, and is responsible for the maintenance and servicing of the rented premises and the implementation of investment activities.

Personal data may also be processed for the purposes of customer communication and marketing by the data controller and the companies belonging to the same group as the data controller, as well as for the fulfilment of statutory obligations.

5. LEGAL BASIS FOR PROCESSING

The processing of personal data is primarily based on the contractual relationship between the Company and the data subject or on the implementation of measures prior to the conclusion of a contract at the request of the data subject. This basis for processing may apply to situations related to the preparation and execution of an investment or rental agreement.

In addition, the processing of personal data is based on statutory obligations, such as accounting obligations, statutory reporting obligations, obligation to ensure data protection and information security, risk management and customer due diligence obligations, such as preventing misuse.

The processing of personal data for the management of customer relationships and the administration, maintenance, development and marketing of business operations is based on the Company’s legitimate interest.

Electronic direct marketing to the data subject’s personal communication channels is based on the data subject’s consent.

6. TRANSFERS AND DISCLOSURES OF PERSONAL DATA

Personal data may be disclosed to the extent permitted and required by applicable legislation. For example, personal data may be disclosed to contractual partners carrying out recovery of receivables, as well as to parties who are legally entitled to access the data, such as competent authorities.

We use subcontractors that operate on our behalf in the processing of personal data. We have outsourced the following activities involving the processing of personal data to an external service provider:

• IT management (including the implementation of certain service packages, such as customer satisfaction surveys)
• Property management services, technical property services, rental services, financial management services of property and housing companies, recovery of rent and other receivables, financial and legal consultation

7. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY

We transfer personal data outside the EU or EEA. Where personal data is processed outside the EU or EEA, we will ensure that the subcontractor is committed to the EU Commission’s standard clauses for the processing of personal data and/or is covered by the Privacy Shield protection system.

8. RETENTION PERIOD OF PERSONAL DATA

The personal data will be retained for as long as it is necessary for the purposes of the processing of personal data or to comply with the legal obligations of the data controller.

9. RIGHTS OF THE DATA SUBJECT

Right of access

The data subject has the right to obtain confirmation from the data controller as to whether personal data concerning them is being processed. In addition, the data subject has the right to access personal data concerning themselves as well as information on the processing of personal data in accordance with the EU General Data Protection Regulation.

Right to rectification

The data subject has the right to request the data controller to rectify inaccurate and erroneous data concerning the data subject without undue delay. In addition, the data subject has the right to have incomplete personal data supplemented.

Right to erasure

The data subject has the right to have the data controller erase personal data concerning the data subject without undue delay if:

• the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
• the data subject objects to the processing of their personal data on grounds relating to their particular situation and there are no legitimate grounds for the processing or the data subject objects to the processing of their personal data for direct marketing purposes;
• the personal data has been unlawfully processed by the data controller; or
• the personal data must be erased in order to comply with a legal obligation to which the data controller is subject.

Right to restriction of processing

The data subject has the right to restrict the data controller’s processing of the personal data in such a way that the personal data may be stored and only processed with the data subject’s consent, or to establish, exercise or defend a legal claim, or for the protection of the rights of another person if:

• the data subject contests the accuracy of the personal data, in which case the processing is restricted for the time necessary to ensure the accuracy of the data;
• the data controller is processing the personal data unlawfully and the data subject objects to the erasure of the personal data and instead requests the restriction of the use of the personal data;
• the data controller no longer needs the personal data for the purposes of the processing, but the data subject needs them to establish, exercise or defend a legal claim; or
• the data subject has objected to the processing of their personal data on grounds relating to their particular situation and is awaiting the determination of whether the legitimate grounds of the data controller override the grounds of the data subject’s objection.

Right to data portability

Where the data subject has provided their personal data to the data controller themselves, the data subject shall have the right to receive the personal data in a structured, commonly used and machine-readable format and to transfer the data to another data controller if:

• the processing is carried out automatically; and
• the processing is based either on the consent of the data subject or the processing of the data subject’s personal data is necessary for the performance of a contract, such as a rental agreement, or for the implementation of pre-contractual measures at the request of the data subject;

The right to data portability is limited to procedures that do not adversely affect the rights or freedoms of others.

10. RIGHT TO OBJECT TO THE PROCESSING OF PERSONAL DATA

The data subject has the right to object to the processing of their personal data on grounds relating to their particular situation, if there is no justified reason for the processing.

In addition, the data subject has the right to object to the processing of their personal data for direct marketing purposes. Direct marketing or the processing of personal data for direct marketing purposes must be terminated after the right to object has been exercised.

11. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

The data subject has the right to lodge a complaint with the competent supervisory authority if the data subject considers that the rights of the data subject based on the General Data Protection Regulation have been violated in the processing of personal data.

12. SOURCES OF PERSONAL DATA (IF NOT FROM THE DATA SUBJECT)

Data is collected from the data subject, such as in connection with the search for a rental property, as well as from electronic services, rental agreements and customer service calls and messages.

Personal data may also be collected and updated from the data controller’s other registers, resigning customers, the data controller’s partners, as well as from authorities and companies providing services related to personal data, such as the Digital and Population Data Services Agency and credit information from Suomen Asiakastieto Oy’s credit information register.

13. SECURITY OF PROCESSING OF PERSONAL DATA

Personal data is stored in systems that are protected by firewalls, passwords and other generally acceptable technical and organisational means in the field of information security.

Manually maintained materials are located in premises that are not accessible to unauthorised persons.

Only those employees of the data controller who need to process personal data for the performance of their duties have access to the personal data processed by the data controller.

14. WHO CAN YOU CONTACT?

All communications and requests regarding this privacy policy must be made in writing or in person to the contact person named in section two (2).