Privacy Policy and Cookies

Home > Privacy Policy and Cookies

We are committed to protecting the privacy of our customers and users of our services, and to complying with data protection laws and good data protection practices. We aim to provide you with a safe user experience. In this privacy policy, we explain our practices related to the collection and processing of personal data.

1. Data Controller

FCG Finnish Consulting Group Oy (1940671-3)

Osmontie 34, 00610 Helsinki

010 409 2000

2. Contact Person for Registry Matters

Data Protection Officer: tietosuojavastaava@fcg.fi

3. Data Protection Officer

Data Protection Officer: tietosuojavastaava@fcg.fi

4. Name of the Registry

FCG Finnish Consulting Groupin asiakas-, sidosryhmä- ja koulutuksiin osallistujien rekisteri. (FCG Finnish Consulting Group’s customer, stakeholder, and training participant registry.)

5. Whose Personal Data Do We Collect?

The register processes the following groups of individuals:

  • Contact persons of our customers
  • Contact persons of our potential customers
  • Contact persons of our stakeholders, including lecturers participating in trainings
  • Participants and attendees of trainings/events
  • Website visitors
  • Webshop customers

6. Purpose and Legal Basis for Processing Personal Data

The controller maintains a database of active Finnish companies, communities, and public administration organizations.

In addition to the contact and background information of the organization, the register maintains information about the positions and tasks of individuals working in the organization, along with their contact details.

Personal data is processed for the following purposes:

  • Managing customer relationships and other customer communications, such as marketing, newsletters, customer surveys, chat conversations, online messages, maintaining customer contact information, handling online store orders, and billing.
  • Providing expert and customer services related to the controller’s services and assignments.
  • Planning and developing the controller’s operations and offerings based on the registered users’ online behavior.
  • Managing services (e.g., events and trainings) and assignments, including handling service requests, communicating with customers, sharing materials related to trainings, distributing participant lists at training sessions, and managing access rights in the controller’s extranet and training management information systems.
  • Stakeholder collaboration, such as maintaining the expertise areas of individuals acting as lecturers and registering implementations, as well as paying invoices and fees to stakeholders.
  • Disclosing contact information of participants in trainings/events to other stakeholders involved in the training/event for marketing purposes.

The processing of personal data is primarily based on the controller’s legitimate interest (e.g., managing customer relationships, ensuring legal protection, marketing, billing, paying fees, sharing participant lists for trainings/events, disclosing contact information to stakeholders for marketing purposes), or on an agreement (e.g., registration for training) or statutory obligation (e.g., accounting obligations related to the retention of billing transactions). Additionally, consent may be requested from the data subjects if necessary.

Special considerations related to the controller’s trainings/events: Registration information may be used in the arrangements of the specific training/event, and the names of registrants may be shared in the participant list. The training/event may be recorded. The purpose of recording is to enable participation in trainings/events via remote connection or to use the recordings/photos for training or marketing purposes.

7. Types of Personal Data We Process and How Long We Retain Them

The personal data register may contain the following information:

  • First and last name
  • Basic information related to work/position
  • Organization
  • Contact information
  • Interests
  • Information related to the use of services, including billing information
  • Information related to service requests
  • Information related to chat conversations and online messages
  • Information related to the expertise of external consultants
  • Dietary and allergy information of those registered for trainings and events
  • Date of birth due to trainings and events held on cruises
  • IT management information such as technical identifiers, log data, usernames, and technical information related to the use of provided services
  • Training videos/broadcasts or photos may capture identifiable individuals.

We retain basic personal data in our customer and stakeholder register for the duration of the customer relationship, unless accounting or other mandatory legislation requires a different retention period.

For marketing purposes, data can be used as long as the controller needs the data for this purpose. For accounting purposes, data is retained as long as legislation requires.

Service requests related to service activities are retained for 10 years from the end of the calendar year in which the service request was resolved.

Chat conversations are retained for 6 months, after which they are deleted.

Personal data related to trainings and events is generally retained for 10 years. Date of birth, dietary, and allergy information is deleted within 2 months after the end of the training or event.

Data can be deleted at the customer’s request, and newsletter subscribers have the opportunity to cancel their subscription with each newsletter received.

8. Sources of Personal Data

We primarily obtain personal data from the data subject in connection with customer relationships, use of services, billing, payment of fees, communication, and transactions, as well as from website visitors during communications.

We may also obtain information from the following sources:

  • Kuntaliitto group companies.
  • The organization you represent.
  • Publicly available sources.
  • Contact information registers purchased from external service providers.

9. Who Processes Personal Data and To Whom Can It Be Disclosed

Personal data can be processed by our entire staff, mainly those responsible for planning and organizing trainings/events, managing customer relationships, handling service requests, and managing billing.

We may outsource personal data processing tasks or transfer personal data to the customer registers of the following Kuntaliitto group companies for the purposes described in section 6 of this privacy statement:

  • Suomen Kuntaliitto ry
  • KL-Kustannus Oy
  • Kuntaliitto Holding Oy
  • Kuntaliitto Palvelut Oy
  • Kuntatalo Oy
  • Suomen kuntasäätiö sr

In the context of internal transfers and disclosures of personal data within the Kuntaliitto group, we ensure the security and confidentiality of personal data by always complying with applicable data protection legislation and using internal data transfer and processing agreements.

For trainings/events, data may be disclosed to stakeholders of the trainings/events.

We may outsource personal data processing tasks to external service providers in accordance with data protection legislation and within its limits. External service providers may process personal data only according to the instructions and purposes defined by FCG, which are agreed upon separately in data processing agreements.

We may disclose your personal data in the manner required by competent authorities, based on the applicable legislation at the time. These authorities include, for example, tax, police, enforcement, and supervisory authorities.

We may disclose your personal data for scientific or historical research and product development. Personal data is generally modified so that the data subject is no longer identifiable.

10. Transfer of Personal Data Outside the EU or EEA

In some cases, we may transfer personal data to organizations operating in so-called third countries outside the EU and EEA. Such data transfers may be carried out if one of the following conditions is met:

  • The European Commission has decided that the level of data protection in the country in question is adequate.
  • Other necessary safeguards have been implemented, for example, by following the European Commission’s approved standard contractual clauses or ensuring that the company processing the data has valid binding corporate rules.
  • Exceptions apply to special situations, such as when the execution of a contract requires it or you have given your consent to the transfer of the data.

11. How We Protect Personal Data

Typically, no paper records are generated from the register. If such records are generated, they are securely destroyed in accordance with the controller’s data protection policy.

Personal data is processed in several different information systems. The controller ensures that the systems are protected by restricting access rights and applying appropriate updates. The systems are also protected by network technical measures (use of firewalls and placement of systems in different network segments).

12. Rights Related to Personal Data Processing and Additional Information

The data subject has the right to request access to personal data concerning them and the right to request the rectification or erasure of such data, or to restrict or object to its processing. The data subject has the right to prohibit direct marketing or profiling related to it.

The data subject has the right to request the personal data they have provided to the controller in a commonly used and machine-readable format, and the right to transfer such data to another controller if the processing is based on the data subject’s consent.

Every data subject has the right to lodge a complaint with the relevant supervisory authority or the supervisory authority of the EU member state where the data subject’s residence or workplace is located, if the data subject believes that their personal data has not been processed in accordance with applicable data protection legislation.

The data subject has the right to withdraw consent-based processing of personal data at any time.

The controller may ask the data subject to clarify their request in writing and verify the data subject’s identity before processing the request. The controller may refuse to comply with the request on grounds provided by applicable law.

The necessary information provided in this privacy statement will be delivered to the data subject when personal data is collected from them or when personal data has not been obtained directly from the data subject.

Providing personal data is not a statutory requirement. The data subject is not obliged to provide personal data, and failure to provide such data will not result in consequences. Providing personal data may be based on an agreement or the making of an agreement and may thus be a prerequisite for purchasing the controller’s services.

If you wish to exercise your rights or obtain more information about the processing of your personal data, you can also contact the controller by sending an email to tietosuojavastaava@fcg.fi. We may ask the data subject to clarify their request in writing if necessary, and the data subject’s identity may be verified before taking further action. We may refuse to disclose personal data on grounds defined in data protection legislation.

13. Additional Information on the Rights of the Registered Individual

The rights of the registered individual are regulated by the General Data Protection Regulation (EU 679/2016) and will be regulated by complementary national legislation. The Office of the Data Protection Ombudsman publishes information on the rights of the registered individual and provides instructions on how to exercise these rights on its website in Finnish.

14. Changes to the Privacy Policy

We continuously develop our services and may update this privacy policy as necessary. Changes may also be related to changes in legislation. If the changes are significant, we will notify you on the website and/or contact you in another appropriate manner.

We recommend that you review the content of this privacy policy from time to time to stay informed of any changes.