Privacy Notice

1. Data Controller

Applex Attorneys Ltd
Rautatienkatu 21 C, 33100 Tampere

tel. +358 10 2999 471


2. Purposes of processing personal data

Applex Attorneys Ltd (data controller) processes personal data in accordance with applicable data protection legislation, including EU General Data Protection Regulation (2016/679).

The purposes of processing are:

  • managing customer relationships and customer services
  • managing assignments related to legal services
  • fulfilling the rights and obligations of the customer and the data controller
  • identifying customers and conducting conflict-of-interest research
  • processing of personal data concerning stakeholders (suppliers, job applicants, other co-operation partners)
  • processing of personal data of website visitors for the purpose of ensuring and developing the functionality of our website
  • processing of personal data for the purposes related to the data controller’s products and services including developing, providing, fulfilling, and marketing of products and services

Furthermore, personal data in our registers are processed in accordance with requirements of data protection legislation for Applex Attorneys Ltd’s communication to stakeholders, such as newsletters, electronic communication, electronic direct marketing and invitations. Applex Attorneys Ltd provides inter alia business law services, other legal services and dispute resolution services, and provides related education events and newsletters.


3. Legal basis for processing of personal data

Legal basis for processing of personal data are legal obligations of the data controller, contract, consent and legitimate interests of the data controller. Processing is also based on guidelines and regulations issued by the Finnish Bar Association.

The legitimate interest of the data controller is the legal basis for processing of personal data when there is a material connection between a data subject and the data controller. Such material connection is formed, for example, when the data subject has on its own initiative contacted the data controller, or when the data controller, for example, processes the data subject’s personal data in connection with a business or co-operation matter between the data subject’s employer and the data controller.

On basis of its legitimate interest, the data controller may also save to its customer register personal data of potential clients and their contact persons and representatives which can be, on reasonable grounds, expected to be interested to acquire products and services provided by the data controller.

The data controller’s electronic direct marketing may be sent to data subjects who have given their voluntary consent to electronic direct marketing. When the data subject is requested to give his or her consent, he or she will be simultaneously informed that withdrawal of consent is possible easily and at any time. In addition, in accordance with applicable data protection legislation, electronic direct marketing can also be sent to recipients for whom the data controller can reasonably consider that the products or services marketed have essential connection with the potential customer’s area of responsibility or work.

Withdrawal of consent may be done by giving a notice to the data controller or by clicking the cancelling option, which can be found in every marketing message (“Unsubscribe” link), whereupon personal data of the data subject will be removed from the data controller’s list concerning subscribers of electronic direct marketing.


4. Categories of personal data processed

The register includes personal data of the following persons:

  • Customers of the data controller and their representatives and contact persons
  • Representatives and contact persons of the data controller’s subcontractors and suppliers
  • Potential customers
  • Other stakeholders (job applicants, co-operation partners)
  • Persons related to assignments

The following personal data of the data subjects, relevant on the basis of the above mentioned purposes of processing, are processed, such as:

  • Name
  • E-mail address
  • Phone number
  • Company and title
  • Name and business ID of the company and contact person
  • Additional information provided by the data subject himself/herself
  • Personal data processed on a case-by-case basis in connection with assignment (such as emails, documents, other communication)
  • Information based on customer relationship, such as contact history, feedback and follow-up information
  • Information needed for identifying a person as provided for in the Finnish Act on Preventing Money Laundering and Terrorist Financing (444/2017) (such as name, date of birth, personal identification number, citizenship, passport copy and information to determine financial situation and political influence of a person)


5. Regular information sources of the register

Personal data has been primarily obtained from the following information sources:

  • Directly from the data subject himself/herself for the purpose of managing customer relationship and assignments
  • Directly from the data subject himself/herself in connection with job application and recruitment process
  • Directly from the data subject himself/herself in connection with other co-operation partnership
  • Insurance companies, courts and authorities
  • public/commonly available sources (such as internet or Trade Register)
  • the data subject’s employer or other representative of the data controller’s customer, business or co-operation contact or contract party
  • Companies’ information is checked from Suomen Asiakastieto Oy’s registers in business contexts, hence reports may include data concerning companies’ representatives
  • In connection with attending events organized by the data controller or its co-operation partners


6. Recipients of personal data

In principle, the data controller will not disclose personal data of the data subjects to third parties, except when authorities in accordance with legislation require to do so or mandatory laws stipulate this.

Despite the above stated, in connection with implementing its technical services, the data controller uses reliable service providers which process personal data on behalf of the data controller on basis of data protection agreement required by data protection legislation. The service providers will process the personal data, for which the data controller is responsible for, in accordance with the data controller’s documented instructions.

The data controller may also disclose personal data to other data controller or a third party if agreed with the data subject on a case-by-case basis.

In addition and pursuant to requirements of the applicable data protection legislation, the data controller may disclose contact information of a data subject to data controller’s co-operation partners for example when the data controller organizes a customer or education event together with such co-operation partner. Such co-operation partner is responsible for processing of personal data for its own part.

In principle, personal data is not transferred outside of European Union or European Economic Area. However, Hubspot is used in connection with the data controller’s website. Use of these services may require transfers of personal data outside of European Union or European Economic Area. Possible transfers of personal data will always be carried out in accordance with applicable data protection legislation.


7. Retaining personal data

The data controller will process and retain personal data only as long it is necessary for the purposes of processing which have been determined in advance. Personal data which has become redundant, i.e. personal data which the data controller no longer has legal basis to retain or process, will be deleted on regular basis in accordance with the data controller’s own data protection policy. Personal data has become redundant, for example, when the customer, business, co-operation or contract relationship to the controller has ceased, notwithstanding cases where legislation requires retaining personal data.


8. Rights of the data subject

The data subject has the following rights, applicable on case-by-case basis.

Right to withdraw consent

On basis of Article 7 of the EU General Data Protection Regulation (679/2016, ”GDPR”) , the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Right of access by the data subject to his or her data

On basis of Article 15 of the GDPR, the data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and certain information concerning data processing stipulated in the Article.

Right to rectification

On basis of Article 16 of the GDPR, the data subject has the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking in to account the purposes of processing, the data subject has the right to have incomplete personal data completed, including means of providing a supplementary statement.

Right to erasure

On basis of Article 17 of the GDPR, the data subject has the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay, and the data controller will have the obligation to erase personal data without undue delay, provided that requirements stipulated in the Article are fulfilled.

Right to restriction of processing

On basis of Article 18 of the GDPR, the data subject has the right to obtain from the data controller restriction of processing, provided that requirements stipulated in the Article are fulfilled.

Right to data portability

On basis of Article 20 of the GDPR, the data subject has the right to receive data concerning him or her, which he or she has provided to the data controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, in cases where processing is based on consent or contract and the processing is carried out by automated means.

When exercising the above described right to data portability, the data subject has the right to have personal data transmitted directly from one data controller to another, where technically feasible.

Right to object

On basis of Article 21 of the GDPR, the data subject has the right to object, on grounds relating to his or her particular situation, at any time processing of personal data concerning him or her and having its legal ground on the legitimate interest of the data controller, including profiling. The data controller will no longer process personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time of processing data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

Right to lodge a complaint with a supervisory authority

If the data subject considers that the data controller is infringing applicable legislation concerning personal data processing and data protection, the data subject has the right to lodge a complaint with a supervisory authority. The supervisory authority in Finland is the Data Protection Ombudsman,

Responsibilities of the data controller arising from the rights of the data subject

The data controller will inform the data subject about all measures that have been taken on basis of a request made pursuant to Articles 15-22, without undue delay and in any case within one month having received such a request. The time limit may be prolonged for at most two months where needed, taking into consideration quantity and complexity of the requests made. The data controller will inform the data subject about such possible prolongment within one month having received the request, as well as about the reasons for delay. If the data subject has presented his or her request electronically, the information must be provided electronically when possible, unless the data subject requests otherwise.

If the data controller does not carry out the measures based on the data subject’s request, the data controller must immediately and at the latest within one month since having received the request, notify the data subject about the reasons for this, as well as about the possibility to lodge a complaint with a supervisory authority and to use other legal remedies.

Exercising rights

You may exercise your above stated rights by contacting the data controller via sending an e-mail to the e-mail address info(at) We aspire to provide a reply as soon as possible and, where needed, provide you with additional instructions or ask additional questions based on your request.

Please note that prior to fulfilling a request we have a right as well as an obligation to verify your identity, due to which we must be able to recognize you in an adequate manner.

Legislation applicable to our activities and rules of the Finnish Bar Association may prevent us from executing your request.

If your request is manifestly unfounded or excessive, we may charge a reasonable fee for administrative costs to carry out your request or refuse to act on the request.


9. Processing of personal data and profiling

The data controller does not use automated decision-making, such as automated profiling, as part of processing personal data.


10. Cookies

You can read more of as well as give and withdraw your consent for use of cookies in “Cookie settings” section of our website.


11. General description of appropriate technical and organizational security measures of the data controller

Access to registers have been granted solely to such designated employees of the data controller who have signed appropriate non-disclosure agreements.

The data controller has provided all its employees with binding written instructions and orders concerning processing of personal data and data protection, which instructions and orders the employees are bound to obey.

Data security of information systems has been arranged adequately, including encryptions and technical restrictions. The system is protected by security software. Access to the system requires each user to enter a username and password. The server environment is protected with passwords and an appropriate firewall. The systems require login with passwords. The communication between the server and the user’s device is encrypted. In addition, the data controller’s computer network and the hardware on which the registers are located are protected by a firewall and other technical measures. The destruction of personal data is carried out with secure measures.

The data controller will revise its processing operations and equipment on regular basis and, amongst other things, assess risks related to processing of personal data for example when introducing new technology.


12. Changes to this Privacy Notice

This Privacy Notice has been last updated on 1 October 2021.

The data controller may change this Privacy Notice.

If you have any questions regarding the processing of your personal data by the data controller, please contact us by email at info(at) or by phone: +358 10 2999 471.