Privacy notice and cookie policy

We are committed to protecting the privacy of our customers and users of our services and to complying with data protection legislation and good data protection practices in our operations. We strive to provide you with a safe and secure user experience. In this privacy statement, we explain our practices regarding the collection and processing of personal data.

1 Data controller

FCG Finnish Consulting Group Oy (1940671-3)
Osmontie 34, 00610 Helsinki
010 409 2000

2 Contact person in matters concerning the register

3 Data protection officer in matters concerning the register

4 Name of the register

Register of FCG Finnish Consulting Group’s customers, stakeholders and training participants

5 Whose personal data do we collect?

The following categories of personal data are processed in the register:

  • Our customers contact persons
  • Our potential customers/customer contacts
  • Contact persons of our stakeholders, incl. lecturers participating in the trainings
  • Participants for trainings/events
  • Web visitors

6 For what purpose do we use your personal data and what is the lawfulness of the processing?

The controller maintains an information pool on active Finnish companies, communities and public administration organisations.

In addition to the organisation’s contact and background information, the register maintains information on the position and duties of the persons working in the organisation, including their contact information.

Personal data is processed for the following purposes:

  • Customer relationship management and other customer communications, such as marketing, newsletters, customer surveys, maintaining customer contact information and invoicing.
  • Providing expert and customer services related to the controller’s services and assignments.
  • Planning and developing the controller’s operations and offerings based on, for example, the online behaviour of data subjects.
  • Administering services (e.g. events and trainings) and assignments, including processing service requests, communicating with customers, distributing materials related to training, distributing participant lists at training events and managing access rights in the controller’s extranet and training management information systems, for example.
  • Stakeholder cooperation, such as maintaining the competence areas of persons acting in the role of lecturers, registering implementations and paying stakeholder invoices and fees.
  • Disclosure of the contact details of training/event participants to other stakeholders involved in the training/event for marketing purposes.

The processing of personal data is primarily based on the legitimate interest of the data controller (e.g. customer relationship management, legal certainty, marketing, invoicing, payment of fees, sharing of event participant lists, providing contact information to stakeholders for marketing purposes) or agreement (e.g. training registration) or legal obligation (including accounting obligations related to the storage of invoicing transactions). In addition, data subjects may be required to give their consent if necessary.

Special remarks related to the data controller ‘s trainings / events: Registration information can be used to organize the event and the names of the registrants can be shared in the list of participants. The event may be filmed. The purpose of filming is to enable participation in training remotely or the use of recordings/images for training or marketing purposes.

7 What kind of personal data do we process and how long do we store it?

The register may contain the following personal data:

  • Person’s first and last name
  • Basic information related to the job/position
  • Organization
  • Contact details
  • Interests
  • Information related to your use of the Services, including billing information
  • Information related to service requests
  • Information related to the expertise of an external expert
  • Diet and allergy information of those who have registered for trainings and events
  • Date of birth in relation to training and events, for which e.g. the shipping company requires it
  • IT management information such as technical identifiers, log information, usernames, information, usernames, technical information related to the use of the provided services
  • Training videos/broadcasts or images may contain identifiable persons

We store basic personal data in our customer and stakeholder register for the duration of the customer relationship, unless accounting or other mandatory legislation requires a different retention period.

For marketing purposes, we may use personal data for as long as we need the data for this purpose. For accounting purposes, we retain data for as long as required by law.

Service requests related to service activities are stored for 10 years from the end of the calendar year in which the service request was resolved.

Generally, personal data related to training and events is stored for 10 years. Date of birth, diet and allergy information are deleted within 2 months after the end of the training or event.

Data can be deleted at the customer’s request and the newsletter subscriber can unsubscribe the order at the time of each newsletter receipt.

8 Where do we get your personal data from?

We receive personal data primarily from the registered person in events related to the customer, use of services, invoicing, payment of fees, communication and transactions, as well as from web visitors in connection with messages.

We may also receive information from the following sources:

  • Group companies of the Association of Finnish Municipalities (Kuntaliitto)
  • From the organization you represent.
  • From publicly available sources.
  • Contact information registers purchased from external service providers.

9 Who processes personal data and where it may be disclosed

Personal data may be processed by our entire personnel, mainly those responsible for planning and organising training/events, those responsible for customer relationship management, service request processors and persons handling invoicing.

We may outsource personal data processing tasks or disclose personal data to the customer registers of the following group companies of the Association of Finnish Municipalities for the purposes described in section 6 of this privacy statement:

  • Suomen Kuntaliitto ry
  • KL-Kustannus Oy
  • Kuntaliitto Holding Oy
  • Kuntaliitto Palvelut Oy
  • Kuntatalo Oy
  • Suomen kuntasäätiö sr

In connection with transfers and disclosures of personal data within the Association of Finnish Municipalities, we always ensure the security and confidentiality of personal data in compliance with current data protection legislation and by using the Group’s internal data transfer and data processing agreements.

For trainings/events Data may be disclosed to training/event stakeholders.

We may outsource personal data processing tasks to external service providers in accordance with and within the limits set by data protection legislation. External service providers may only process personal data in accordance with FCG’s instructions and purposes, which have been separately agreed upon in data processing agreements.

We may disclose your personal data as required by the competent authorities and based on the legislation in force at any given time. These authorities include, for example, tax, police, enforcement and supervisory authorities.

We may disclose your personal data for scientific or historical research and product development. As a rule, personal data has been converted into such a form that the data subject can no longer be identified from them.

10 Transfer of personal data outside the EU or EEA

In some cases, we may also transfer personal data to organisations operating outside the EU and EEA, i.e. in so-called third countries. Such transfers may take place if one of the following conditions is met:

  • The EU Commission has decided that the country in question has an adequate level of data protection.
  • Other necessary safeguards have been put in place, for example by complying with standard contractual clauses approved by the EU Commission or by ensuring that the company processing the data has binding corporate rules in place.
  • Exceptions apply in specific situations, for example if this is necessary for the performance of a contract or if you have given your consent to the transfer of such data.

11 How do we protect personal data?

The register typically does not generate paper material. If such occurs, the material will be disposed of securely in accordance with the Data controller’s data protection policy.

Personal data is processed in several different information systems. We shall ensure that the information systems are protected by restricting access rights and by appropriate updates. Information systems are also protected by network technology measures (use of firewalls and placement of information systems in different network segments).

12 Data subject’s rights and additional information related to the processing of personal data

The data subject has the right to request access to personal data concerning him or her, as well as the right to request the rectification or deletion of personal data concerning him or her or to restrict or object to the processing. The data subject has the right to prohibit direct marketing to him or her and the profiling that may be related to it.

The data subject shall have the right to request personal data concerning him or her which he or she has provided to the controller in a commonly used and machine-readable form and to transfer such data to another controller if the processing is carried out with the consent of the data subject.

Every data subject has the right to make a complaint with the relevant supervisory authority or the supervisory authority of the EU Member State where the data subject lives or works if the data subject considers that his or her personal data have not been processed in accordance with the applicable data protection law.

Data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

The controller may ask the data subject to clarify his request in writing and to verify the identity of the data subject before processing the request. The controller may refuse to execute the request on the grounds provided for by the applicable law.

The data subject will be provided with the necessary information provided in this privacy statement when personal data is collected from the data subject or when personal data have not been obtained directly from the data subject.

The provision of personal data is not a legal requirement. The data subject is not obliged to provide personal data and failure to provide such data will not result in penalties. The provision of personal data may be based on a contract or the conclusion of a contract and may thus be a condition for the purchase of services as a controller.

If you wish to exercise your rights or obtain further information on the processing of your personal data, you may also contact the controller by sending an email to If necessary, we may ask the data subject to specify his or her request in writing, and the identity of the data subject may, if necessary, be verified before taking any other measures. We may refuse to disclose personal data on grounds defined in data protection legislation.

13 Further information on the rights of the data subject

The rights of data subjects are laid down in the European Union’s General Data Protection Regulation (EU 679/2016) and will be laid down in complementary national legislation. The Office of the Data Protection Ombudsman publishes information on the rights of data subjects on its website and provides instructions on how to exercise these rights.

14 Changes to the Privacy Statement

We are constantly developing our services and may update this Privacy Statement as needed. The changes may also be related to a change in legislation. If the changes we make are important, we will notify you on the Website and / or by contacting you in any other appropriate manner.

We encourage you to periodically review the contents of this Privacy Statement to be informed of any changes to the Statement.

Last updated 10.11.2023.