Privacy policy

Date 9th January 2024

1. Controller
Sponda Ltd (business ID: 0866692-3)
Yrjönkatu 29 C, P.O. box 940, FI-00101 Helsinki
tel. +358 (0)20 43131

2. Contact details for register matters
Sponda Ltd
Yrjönkatu 29 C, P.O. box 940, FI-00101 Helsinki
tel. +358 (0)20 43131
e-mail: privacy@sponda.fi

3. Name of the register
MOW customer register

4. Purpose and legal basis of the processing of personal data
The controller processes personal data for the purposes of marketing membership and the leasable facilities, holding membership and lease agreement negotiations, concluding and managing agreements, invoicing, managing reservations, providing the services and managing customer relationships.

Personal data is processed for the purpose of sending announcements, press releases and marketing
messages from the controller and/or its group companies.
Personal data can also be processed in connection with the controller’s direct marketing, opinion and
market surveys or other comparable addressed mail, including electronic direct marketing. Personal data may also be processed in order to create classifications, categories or profiles, and to create targeted marketing that is more interesting to the data subject.

The legal basis for the processing of personal data is an agreement, legitimate interest and/or the data
subject’s consent. In cases where the legal basis for the processing is a legitimate interest, the interest
refers to the controller’s needs to market its products and services effectively and develop its services.
Processing tasks can be outsourced to external service providers, in accordance with and within the limits set by data protection law.

5. Data content of the register
The following data of data subjects can be saved:
– name
– e-mail address
– address
– telephone number
– agreement/membership number
– print card number
– company’s name and contact details

The controller collects data for the purpose of identifying its business partners (KYC), which includes collecting the data of responsible persons, beneficial owners, politically exposed persons, origin of funds, regulation, sanctions lists and credit rating among other things.

6. Storage period of personal data
The data stored in the register may be stored for as long as necessary for the original purpose of the
collection and processing, or for as long as required by the law and regulations.

7. Regular sources of data
Sources of data are tenants/members, the property owner or their representatives and/or the data subject and the data that is generated when the data subject uses the services.

Other possible sources of data are publicly-available or commercial external databases of decision-makers and enterprises, credit rating registers and sanction lists.

8. Regular disclosure of data and recipient categories
Personal data may be disclosed between the group companies of the controller. Personal data may
be disclosed in connection with the sale, transfer or other disposal of a site or business.
Personal data may be disclosed to the payer of a rent deposit and the funders of the controller and/or
its group company.

Personal data may be disclosed to registered debt-collection firms and general courts when the controller and/or its group company is applying for an eviction or payment order.

Personal data may be disclosed to authorities in order to help them carry out their statutory duties.

9. Transfer of data outside the EU or the EEA

Personal data may be transferred outside the European Union or the European Economic Area in accordance with and within the limits of data protection law.

The controller, the controller’s subcontractors or partners may use companies that are located outside the EU or the EEA to assist in the processing of personal data, or they may use workforce or other resources that are located outside the EU or the EEA for processing personal data. It is also possible that a co-operation partner selected by the controller to which the controller decides to transfer data is located outside the European Union or the European Economic Area, for example, in the United States.
The legislation of non-EU/EEA countries does not necessarily provide the same level of protection for
personal data as the European Union. However, the controller tries to ensure the protection of personal
data in these cases by using the safeguards required under data protection law, such as the standard
contractual clauses of the European Commission.

10. Protection principles of the register
Manual material

Any manual materials are stored in a locked room that only authorised persons can access.
Electronically-processed data
The register is stored in electronic form, appropriately protected from outsiders with the help of firewalls
and other technical measures. Only designated employees of the controller and representatives of
partners have the right to process the data stored in the register.
The aim of the measures described above is to safeguard the confidentiality, availability and integrity
of the personal data stored in the register and to permit the exercise of the data subject’s rights.

11. Automatic decision-making
Personal data is not used for automatic decision-making that would have legal or other similar effects
on data subjects.

12. Right to object to the processing of one’s personal data
Where the ground for the processing of personal data is the legitimate interest of the controller, the
data subject has the right to object to the profiling or other processing of any personal data relating to
their particular situation.

The data subject may object to the processing of their personal data by submitting a request, as described in section 15 of this privacy policy. In the request, the data subject must specify the particular situation on the basis of which they object to the processing. The controller may refuse to satisfy the request under the criteria set out in legislation.


13. Right to object to direct marketing

The data subject may give the controller their consent to or refusal of direct marketing on a channel-specific basis, and the consent or refusal also covers profiling for direct marketing purposes.

14. Other rights of the data subject related to the processing of personal data
Right of access to personal data
The data subject has the right to access their personal data in the register. The access request must be
made following the instructions set out in this privacy policy. The right of access can be refused on the
grounds provided for in legislation. In principle, exercising the right of access is free of charge.
Right to request rectification or erasure of personal data or restriction of processing
The data subject must, without undue delay and after noticing or becoming aware of the mistake, rectify, erase or complement any data in the register that violates the purpose of the register, is incorrect, unnecessary, incomplete or outdated, if the data subject can do this him- or herself.

If the data subject cannot rectify the data, the rectification request must be submitted as described in
section 15 of this privacy policy.

In addition, the data subject has the right to request the controller to restrict the processing of their personal data, for example, while the data subject is waiting for the controller’s response to the rectification or erasure request.

Right to move data between systems
Insofar as the data subject has submitted data to the register that is processed on the basis of the data
subject’s consent, the data subject has the right to receive such data in a form that is readable by a
computer and to move them to another controller’s system.
Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a competent supervisory authority if the controller has not complied with applicable data protection regulations in its operations.

Other rights
If the legal basis for the processing of personal data is the data subject’s consent, the data subject is
entitled to withdraw their consent by notifying the controller, as described in section 15 of this privacy
policy.


15. Contacts
The data subject should contact the controller if they have any questions concerning the processing of
personal data and the exercise of their rights. The data subject may exercise this right by sending a
request to the controller via e-mail to privacy@sponda.fi or by mail to Sponda Ltd, Yrjönkatu 29 C, P.O.
Box 940, FI-00101 Helsinki.