PRIVACY POLICY FOR HIPPOCRAITES LTD’S STAKEHOLDER REGISTER
This Privacy and Register Notice was last updated on: 11 May 2024
1 Data Controller
The controller of the register is HippocrAItes Oy (Business ID 3397861‑1)
Email: paavo.paukamainen@hippocraites.fi
2 Name of the Register
The name of the register is HippocrAItes’ stakeholder register.
3 Purpose of Processing Personal Data
Personal data is processed for purposes related to:
- managing, administering and developing cooperation or customer relationships,
- offering and delivering services or products,
- forwarding information provided by the stakeholder or customer to partners whose purpose is to provide their own services to customers,
- and developing services or products.
Personal data is also processed for handling possible complaints and other claims.
Additionally, personal data is processed for communication directed to stakeholders or customers, such as information and news updates, as well as for marketing purposes. Personal data may also be processed for direct marketing and electronic direct marketing.
The data subject has the right to prohibit direct marketing targeted at them.
The controller processes data itself and also uses subcontractors acting on behalf of and for the account of the controller.
The controller’s contractual partners who provide services may also process personal data. At the request of the data subject, personal data may also be used for other purposes.
4 Legal Basis for Processing
The main legal basis for processing personal data is the controller’s legitimate interest arising from a stakeholder or customer relationship. More detailed legal bases in accordance with the EU General Data Protection Regulation (“GDPR”) are:
1. the data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Art. 6(1)(a));
2. processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6(1)(b));
3. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Art. 6(1)(f)).
The legitimate interest mentioned above is based on a meaningful and appropriate relationship between the controller and the data subject, resulting from the controller developing or producing services or products in which the data subject is interested, either due to a customer relationship or another reason. Processing takes place for purposes the data subject can reasonably expect at the time of data collection and within the context of the relationship.
5 Data Content of the Register (Categories of Personal Data)
The register may contain the following personal data about data subjects:
1. Basic and contact information: first name, last name, postal address, phone number, email address
2. Direct marketing consents and prohibitions
3. Information collected from customer or other cooperation relationships
4. Information provided by the person via forms
6 Regular Sources of Data
Personal data is collected from the data subject. Additionally, personal data is collected from partners whose services the person uses through the controller.
Personal data is also collected and updated, within the limits of applicable legislation, from publicly available sources relevant to maintaining the relationship between the controller and the data subject and necessary for fulfilling the controller’s obligations in relation to such relationships.
7 Retention Period of Personal Data
Data collected in the register is retained only as long as necessary for the original or compatible purposes for which the personal data was collected.
The need for retaining personal data is assessed every three years; however, in all cases, data concerning a data subject is deleted five years after the customer relationship between the data subject and the controller has ended, and all related obligations and actions have been completed. For example, accounting documents are retained for five years after the end of the financial year.
The controller regularly evaluates the necessity of retaining data according to its internal guidelines. The controller also takes all reasonable measures to ensure that inaccurate, incorrect or outdated personal data is deleted or corrected without delay.
8 Recipients of Personal Data and Regular Disclosures
Personal data is not disclosed to external parties except for essential disclosures to cooperation partners. The partners are: Google, LinkedIn and HubSpot. Data is not disclosed unnecessarily, and the principle of data minimization is followed. At the request of the data subject, personal data may also be used for other purposes.
9 Transfer of Data Outside the EU or EEA
Personal data contained in the register may be transferred outside the EU or EEA under the conditions set by the EU General Data Protection Regulation.
10 Principles of Register Protection
Access to databases and systems is restricted with personal user IDs and passwords. The controller has restricted access rights and privileges to systems and storage platforms so that only persons whose legitimate processing tasks require it may access or process the data. Additionally, system usage events are logged in the controller’s IT system.
Employees and other persons acting for the controller are bound by confidentiality obligations and must keep confidential any information obtained in connection with the processing of personal data.
11 Rights of the Data Subject
The data subject has the following rights under the EU General Data Protection Regulation:
- the right to obtain confirmation from the controller as to whether or not personal data concerning them is being processed, and, where that is the case, access to the data and the following information:
(i) purposes of processing;
(ii) categories of personal data concerned;
(iii) recipients or categories of recipients to whom the data have been or will be disclosed;
(iv) where possible, the envisaged period for which the data will be stored or, if not possible, the criteria used to determine that period;
(v) the right to request rectification or erasure of personal data or restriction of processing or to object to such processing;
(vi) the right to lodge a complaint with a supervisory authority;
(vii) where the data is not collected from the data subject, any available information about its source (GDPR Art. 15).
These details (i–vii) are provided to the data subject in this privacy notice.
- the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Art. 7);
- the right to request the controller to rectify inaccurate or incorrect personal data without undue delay and to have incomplete personal data completed, including by providing a supplementary statement (GDPR Art. 16);
- the right to obtain erasure of personal data without undue delay if:
(i) the data is no longer necessary for the purposes for which it was collected;
(ii) the data subject withdraws consent and there is no other legal basis for processing;
(iii) the data subject objects to processing on grounds relating to their particular situation and there are no overriding legitimate grounds, or objects to processing for direct marketing;
(iv) the data has been processed unlawfully; or
(v) the data must be erased to comply with Union or national law (GDPR Art. 17);
- the right to restrict processing if:
(i) the accuracy of the personal data is contested;
(ii) processing is unlawful but the data subject opposes erasure;
(iii) the controller no longer needs the data but the data subject requires it for legal claims; or
(iv) the data subject has objected to processing pending verification whether the controller’s grounds override theirs (GDPR Art. 18);
- the right to receive personal data provided to the controller in a structured, commonly used and machine-readable format and the right to transmit that data to another controller where processing is based on consent and carried out automatically (GDPR Art. 20);
- the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning them infringes the GDPR (GDPR Art. 77).
Requests concerning the exercise of data subject rights must be submitted to the controller using the contact form with the subject line “Data Protection Matters”.