Oras Invest Oy (business ID 1908260-8, “Oras Invest” or “we”) is committed to protecting the privacy of your personal data. This privacy notice demonstrates how we collect and use personal data and what rights data subjects have in accordance applicable data protection laws, including the EU General Data Protection Regulation (GDPR, 2016/679). With this privacy notice, Oras Invest wants to promote transparency and demonstrate how personal data is processed as part of our business operations. Kindly note that this privacy notice may be amended from time to time.

1. Controller and contact information

Name: Oras Invest Oy

Business ID: 1908260-8

Address: Erottajankatu 2A, 4th floor, 00120 Helsinki, Finland

Should you have any questions regarding the processing of personal data or if you wish to use your rights under applicable data protection laws, please contact Anniina Myllyperkiö, anniina.myllyperkio@orasinvest.fi, tel. +358 (0)10 2868 100.

2. Personal data collected and processed as well as purpose and legal basis for processing personal data

Oras Invest processes personal data for the following purposes:

Job applicants and employees:

We process personal data of job applicants in order to carry out and to fulfil requirements concerning our recruitment procedures, including receiving and processing job applications, evaluating the job applicants and managing employee relationships. The processing of job applicants’ personal data is based on Oras Invest’s legal obligations and legitimate interest to carry out the recruitment process or to carry out other measures related to entering into an employment agreement between Oras Invest and the job applicant.

We process personal data of employees for purposes connected to your employment, such as workflow management, payroll processing, performance management, benefits, pension, personnel administration, including health and medical benefits, leave entitlements, bonuses, talent management, career development, engagement, teambuilding, or operations management. The processing of employees’ personal data is based on Oras Invest’s legal obligations as an employer and the performance of the employment contract to which the employee is a party. In relation to job applications and employment, we process the following personal data:

Board members:

We process personal data when we have a legal obligation (namely under the Companies Act and the Securities Markets Act) to process your personal data, when it is necessary to perform the contract we may have with you, when it is in our legitimate business interests, and when it is necessary to protect our legal position. The purposes of the processing include providing IT services for board members, organising of board meetings and administration around board membership and decisions, responding to requests of regulators and public authorities, performing legal disclosures, and social events. The purpose of the processing is also to sufficiently carry out our business as well as to conduct standard organizational procedures. In relation to identifying and maintaining information on board members, we process the following personal data:

Managing business relationships:

We process personal data in order to maintain and manage our business relationships with our business partners, service providers and other similar entities as well as their representatives and contacts persons. Personal data is also processed for the purpose of entering into agreements as well as to fulfil contractual obligations. The legal basis for processing personal data is the performance of an agreement and for compliance with legal obligations. The processing is also based on our legitimate interest to sufficiently carry out our business as well as to conduct standard organizational procedures. In relation to managing business relationships, we process the following personal data:

Maintaining information on shareholders of Oras Invest:

We process personal data for the purposes of identifying and maintaining information on shareholders of Oras Invest as well as for communication purposes and to perform standard organizational procedures. The legal basis for the processing is for the compliance with legal obligations, namely the Companies Act and the Securities Markets Act. The processing is also based on our legitimate interest to sufficiently carry out our business as well as to conduct standard organizational procedures. In relation to identifying and maintaining information on shareholders, we process the following personal data:

Developing our website and ensuring its functionality:

We also use Google Analytics in order to compile analytics data and reports on website visitor usage and to help us improve our website. For more information on Google Analytics, please visit Google Analytics.

The personal data is processed in order to analyse our operations and website visitor behaviour so that we can develop and improve the quality of the content of the website and other related services. Analytical data is also processed to develop our business and to perform standard administrative and organizational functions. The legal basis for the processing is our legitimate interest to develop our website and to ensure the proper functionality of the website. Analytical data is collected about the technical devices used to access the website as well as about the use of the website, such as the sections which have been visited and the times of the visits. Analytical data are not used to identify individuals.

We use Google Analytics’ cookies on our website www.orasinvest.fi. Cookies are small text files that are saved on your computer or device to help our website perform a number of functions and to make the user experience more efficient. Cookies can help us monitor the number of people visiting our website and help us better understand the way in which people interact with our website. We will request your consent for processing personal data when it is necessary under applicable privacy laws. You can read further about our cookie practices from our Cookie Policy.

3. Regular sources of data

In terms of job applications, personal data is collected from the job applicants themselves in connection with submitting the job application. For managing our business relationships, we collect personal data mainly from the representatives or contact persons themselves, or alternatively from the organizations they represent. Shareholders’ information are obtained from the shareholders themselves or from the organizations they represent or from additional sources such as public registries.

When visiting the www.orasinvest.fi website, personal data is collected e.g., via cookies as you interact on the website.

4. Data disclosures and transfers outside the EU/EEA

Personal data is processed within Oras Invest, for the purposes mentioned above and only by specific personnel who have the right to do so due to their position in the company or in order to perform their duties. Such personnel are HR professionals as well as administrative and IT personnel.

Oras Invest may use third party service providers to process personal data. Such service providers are processors of personal data who process personal data on behalf of Oras Invest and in accordance with the instructions of Oras Invest. Oras Invest ensures that personal data processed by the service providers are processed in accordance with appropriate confidentiality and data processing agreements and applicable data protection legislation.

Personal data is located in the EU/EEA, but processors outside the EU/EEA who process personal data on behalf of Oras Invest may have access to personal data when providing their services to Oras Invest. In cases where said disclosure takes place, Oras Invest ensures that the European Commission has decided on an adequate level of protection of personal data in the country of destination, uses standard contractual clauses or other equivalent arrangements approved by the European Commission and complies with all other appropriate safeguards for disclosure or transfer of personal data outside the EU/EEA.

5. Retention and deletion of personal data

Personal data will be retained for as long as it is necessary to fulfil the purpose of processing. When we no longer need to process your personal data for its original purpose, the data will be either anonymized or deleted. However, data retention may be extended if necessary, to fulfil legal obligations and requirements, such as securing the rights of Oras Invest or handling potential claims.

In terms of job applications, the retention time is three months from the end of the recruitment process.

In the light of applicable data protection legislation, Oras Invest evaluates continuously its need to process personal data, and undertakes all reasonable measures to ensure that the personal data processed is accurate and up to date.

6. Principles of how the personal data is secured

Your personal data will be processed lawfully, fairly and in a transparent manner, collected for specified, explicit and legitimate purposes, and will not be further processed in a manner that is incompatible with said purposes mentioned in this privacy notice. Oras Invest will only process adequate and relevant personal data, limited to what is necessary in relation to the purposes for which it is processed.

Oras Invest uses appropriate technical and organizational measures designed to protect the personal data that are collected and processed. The measures used provide an adequate level of security for the processing of the personal data of the data subjects. All specific personnel at Oras Invest as well as third-party service providers are required to treat your personal data strictly confidentially.

7. Data subjects’ rights

You, as a data subject, have a right to receive information on whether your personal data are being processed and if data are processed, you have a right to access your data. You also have the right to ask for the data to be rectified or deleted or for the processing to be restricted within the limitations set out in and in accordance with applicable data protection legislation.

Where the processing is based on consent, as a data subject you have the right to withdraw your consent at any time. Please notice that a withdrawal of your consent will not affect the lawfulness of the consent based processing taking place before your withdrawal of consent.

Any request shall be made to the point of contact provided above, by a personally signed or otherwise comparably verified document.

We will do our best to implement your request. However, sometimes we must refuse your request, in which case we shall inform you of the basis of such refusal.

If Oras Invest will process personal data for a purpose other than that for which the personal data were collected, Oras Invest shall provide the data subjects with such information for that purpose and any other relevant additional information prior to the processing.

In case you consider that our processing of personal data does not meet the requirements of the General Data Protection Regulation or other applicable legislation, you may contact the Finnish Data Protection Authority (www.tietosuoja.fi) to confirm the appropriateness of the processing of your personal data.