Here is the full English translation of the privacy policy ("Tietosuojaseloste") you provided:

Privacy Policy

This is the Privacy and Data Protection Statement of Noren Oy in accordance with the Finnish Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR). This statement was last updated on May 15, 2023.

1. Introduction

This privacy policy describes how we collect, process, and protect personal data in our operations. It is important to us that you can trust us to handle your personal data carefully, transparently, and with respect for your privacy. We comply with the General Data Protection Regulation (GDPR) and other data protection legislation in all our operations and strive to follow the best data protection practices.

2. Personal Data Processed and Purposes of Processing

We collect and use your personal data only for the specific purposes defined below. You can also see the types of personal data processed for each purpose. Some of the personal data may be sensitive. If a data subject chooses not to provide certain personal data, the services offered by the controller may not be fully available.

Customer Relationship Management

  • Contact person’s name and contact information

  • Information related to the customer relationship, such as orders placed

Conducting Research

  • Participant’s name and contact information

  • Information about participation in the research

  • Information about participation in prize draws and incentives related to the research

  • Responses, photos, and other materials provided by the participant

Service Development

  • Name and contact information

  • Information about participation in service development

  • Information about participation in prize draws and incentives related to development

  • Responses, photos, and other materials provided by the participant

Recruitment

  • Name and contact information

  • Information contained in job applications and resumes

  • Language skills, education, and other qualifications or competencies

  • Information collected during the recruitment process, such as interview notes and references

  • LinkedIn profile URL and information from the profile

3. Legal Basis for Processing Personal Data

Data protection legislation requires that all personal data processing be based on a legal basis defined in the GDPR. We process your personal data based on the following legal grounds:

Legitimate Interest
Legitimate interest is the legal basis for processing personal data related to contact forms and recruitment. When legitimate interest is used as a basis, we assess it against the rights of the data subjects as required by law and ensure that the processing does not cause undue harm or risk.

Consent
In certain situations, we process your personal data only if we have received your explicit prior consent. For example, processing personal data in the context of research is based on consent. You can withdraw your consent at any time by contacting us using the contact details provided at the end of this policy.

4. Sources of Personal Data

Personal data is primarily collected directly from the data subject. Data may also be collected from companies managing research panels, from the registers of the client commissioning the research, or from public registers maintained by authorities or businesses. Data may also be received from other group companies, as described in the section “Disclosures of Personal Data.”

5. Disclosures and Transfers of Personal Data

We handle your data confidentially and do not sell, rent, or otherwise unnecessarily disclose your personal data to third parties.

5.1 Disclosures of Personal Data

Disclosure means that the controller (in this case, Noren) provides personal data to a third party who uses the data for their own purposes. We collect consent from the data subject before disclosing data to third parties. Personal data may be disclosed to:

  • Noren’s client companies in connection with assignments.

  • Other companies within the Bravedo Group, for example, contact information of customer organization representatives.

5.2 Transfers of Personal Data

A transfer means that the controller provides personal data to a third party who processes it on behalf of the controller. For example, using cloud services requires transferring data to the service provider, who acts as the processor.

Some of the data we collect is stored and processed outside the European Economic Area (EEA), for example, if our service provider is located or stores data outside the EEA. These service providers are contractually obligated to ensure an adequate level of data protection in all processing activities.

6. Protection of Personal Data

We protect your personal data from loss, unauthorized access, and misuse through appropriate technical and organizational security measures. These include firewalls, encryption, backups, and secure facilities.

Access to your personal data is internally restricted through electronic and physical access control and governed by access right policies. Only employees who need the data for their job duties are allowed to process it. In research, data is anonymized after collection so that individuals cannot be identified from the results.

7. Retention of Personal Data

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected unless a longer retention period is required by law. The retention period for personal data collected in research is communicated to the data subjects in the consent form for the research.

Once the retention period ends, the data is either permanently deleted from backups and systems after a delay period or anonymized so that individuals can no longer be identified.

8. Rights of Data Subjects

8.1 Right to Information

You have the right to receive information about the processing of your personal data in a concise, transparent, and easily understandable format. This privacy policy aims to fulfill that right. We can provide additional information by email upon request.

8.2 Right of Access

You have the right to request confirmation of whether we are processing your personal data. You can also request and receive a copy of the personal data we are processing.

8.3 Right to Data Portability

In certain situations, you have the right to receive your personal data in a commonly used, machine-readable format and transfer it to another controller. This applies when processing is based on consent or a contract and is carried out by automated means.

8.4 Right to Rectification

We aim to keep your data up-to-date and correct any inaccuracies without delay. You have the right to request corrections or additions to your personal data if it is inaccurate or incomplete.

8.5 Right to Restrict Processing

You may request that we restrict the processing of your personal data. During restriction:

  • Your data can be stored but not otherwise processed, unless:

    • With your consent

    • For legal claims

    • To protect another individual’s rights

    • For important public interest reasons

You can request restriction in the following cases:

  • You contest the accuracy of the data

  • The processing is unlawful, but you do not want the data deleted

  • We no longer need the data, but you require it for legal claims

  • You have objected to processing based on legitimate interest, and we are evaluating the balance of interests

8.6 Right to Object

In some cases, you have the right to object to the processing of your personal data entirely, particularly when the processing is based on public interest or legitimate interest. If you object, we must stop processing unless we demonstrate compelling legitimate grounds that override your rights, or we need the data for legal claims.

If your data is used for direct marketing, you can always object, and we must stop processing it for that purpose.

8.7 Right to Erasure (“Right to Be Forgotten”)

In certain cases, you have the right to request the complete deletion of your personal data. This applies, for example, if processing was based on consent and you withdraw that consent.

8.8 Right to Withdraw Consent

When we process your data based on your explicit consent, you have the right to withdraw your consent at any time. After withdrawal, processing and storage will stop unless another legal basis (such as a legal obligation) applies.

8.9 Right to Lodge a Complaint

You also have the right to file a complaint with a supervisory authority if you believe your personal data has been processed unlawfully or your rights have not been properly fulfilled. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.

8.10 Exercising Your Rights

If you have questions about your rights or wish to exercise them, please contact us using the details provided at the end of this policy. We will respond to all requests without undue delay, and no later than one month after receiving your request. If we are unable to fulfill your request, we will inform you of the reasons within the same timeframe.

9. Data Controller and Contact Information

Data Controller:
Noren Oy
Business ID: 2740559-3
Annankatu 15 B 51, 00120 HELSINKI, Finland

Contact for Privacy Matters:
annakerttu.aranko@noren.fi
+358 (0)50 437 0186

10. Updates to This Policy

We continuously develop our privacy practices and may update this privacy policy from time to time. If necessary, we may also inform you directly of significant changes.

Let me know if you'd like this in PDF or Word format, or if you want help adapting it for another company or country.