Money laundering data file Privacy Policy
Created: 1 December 2022
Administer Plc and its group companies (collectively referred to as “Administer”) are committed to ensuring the confidentiality and information security of the personal data they possess. This Privacy Policy describes what kinds of personal data Administer collects for the money laundering data file and how these personal data are processed.
1. Joint controllers
This Privacy Policy applies to the joint money laundering data file of Administer Plc and its group companies. Administer Plc is responsible for the technical administration of the personal data file and acts as a single point of contact with regard to data protection issues.
Administer Plc
Itämerenkatu 5
FI-00180 Helsinki
Business ID 0593027-4
Telephone: +358 (0)20 703 2000
All joint controllers of the register can be found on the Group’s website at https://administergroup.com/administer-konserni-yhtiolistaus/.
2. Contact person for the data file
The contact person for questions regarding the processing of Data Subjects’ personal data and the exercise of Data Subjects’ rights is the group’s Data Protection Officer Anja Hänninen.
Tietosuoja@Administer.fi
Tel. +358 (0)40 5220 621
Administer Oyj/Tietosuoja, Itämerenkatu 5, 00180 Helsinki.
3. Name of the data file
Administer money laundering data file.
4. The persons whose data we collect
The money laundering data file is used to process the personal data of Administer’s current and potential new Customers, their contact persons, the actual beneficial owners of Customer companies, the board of directors or members of similar decision-making bodies, the CEO and the Customer’s and/or their actual beneficial owner’s family members and/or company partners (“Data Subject”) to the extent required by statutes regarding money laundering.
5. The kinds of data we collect
The money laundering data file processes the following data in accordance with the Act on Preventing Money Laundering and Terrorist Financing (444/2017; “Money Laundering Act”):
- the Customer’s name, date of birth and personal identity code;
- the representative’s name, date of birth and personal identity code;
- the actual beneficial owner’s name, date of birth and personal identity code;
- the legal person’s full name, registration number, date of registration and registration authority;
- the full names, dates of birth and nationalities of the legal person’s board of directors or similar decision-making body;
- the legal person’s line of business;
- contact information (postal address, e-mail address and phone number);
- the name, number or other identifier of a document used to verify identity or a copy of the document or, in the case of non-face-to-face identification for the Customer, data on the procedure or sources used in verification (approved documents for identity verification include a passport, personal identity card, driver’s licence and a Kela photocard);
- information on the Customer’s activities, nature and extent of business, financial standing, grounds for use of transaction or service and information on source of funds as well as the other necessary information that is referred to in section 4, subsection 1 of the Money Laundering Act and is acquired for the purpose of Customer due diligence;
- the necessary information acquired in order to fulfil the obligation to obtain information regarding the source of funds provided in section 4, subsection 3 of the Money Laundering Act, and the enhanced Customer due diligence obligation relating to politically exposed persons provided in section 13;
- for foreign Customers who do not have a Finnish personal identity code, information on the Customer’s nationality, a personal identity card granted by an EEA authority and travel document information.
6. The basis and purpose of processing personal data
The processing of personal data is based on Administer’s duty to fulfill its legal obligations.
According to chapter 3, section 3 of the Money Laundering Act, the Customer’s due diligence data and other personal data is saved, stored and may be used to prevent, detect and investigate money laundering and terrorist financing and such crimes as were committed to gain the assets or proceeds of crime subject to money laundering or terrorist financing. Customer due diligence data and other personal data obtained solely for the purpose of preventing and detecting money laundering and terrorist financing may not be used for purposes incompatible with this purpose.
7. Regular sources of data
Personal data are collected to the money laundering data file primarily from public sources of information, such as trade and other similar registers and the Internet. Personal data are also collected directly from the Customer / the Customer’s contact person.
8. Disclosures and transfer of data
We disclose personal data to the extent permitted and required by legislation. Data may be disclosed to the Finnish National Bureau of Investigation’s Financial Intelligence Unit according to mandatory legislation.
Administer may partially outsource the processing of personal data to service providers, such as IT service providers. When personal data processing is outsourced, Administer ensures that the processing of personal data complies with legislation through sufficient contractual obligations.
Administer does not regularly transfer personal data outside the EU or EEA. However, data may be transferred or disclosed outside the EU or EEA in accordance with what is permitted by Data Protection Legislation if the data are transferred to a country where the European Commission has determined that the level of data protection is adequate or if contractual arrangements can ensure an adequate level of data protection. Transfers outside the EU may temporarily occur when using different cloud services, such as OneDrive, iCloud or Dropbox.
9. Storage period of personal data
The Customer’s personal data are stored in the money laundering data file for as long as the Customer and commissioning relationship is valid. The data relevant to the Money Laundering Act is stored for five (5) years after the Customer and commissioning relationship has ended, unless the personal data in question needs to be stored for a longer period due to criminal investigation or a pending trial or to secure the rights of the controller or a party in the controller’s service. In such cases, the need to continue storing data and documents is reviewed at least three (3) years after the last time that the need for storage was reviewed. The review and its date are logged.
10. Protection of personal data
The personal data in the data file are protected in the manner required by the relevant legislation, with due consideration for data security. Administer has taken appropriate technical and organisational measures to protect personal data against accidental or unlawful loss, disclosure, misuse, alteration, destruction or unauthorised access. The security measures are updated in accordance with the continuous development of technology. Data is protected by firewalls and various encryption techniques, in addition to which the server rooms selected for use are secure and subject to appropriate access control. The data in the systems are backed up regularly.
The employees involved in the processing of personal data have signed a data security and data protection commitment and received the necessary instructions and training for the processing of personal data. The data files containing personal data are located in locked facilities, and the data can only be accessed by certain designated persons. Manual materials are stored in locked facilities, and digitally-processed personal data are protected with access right restrictions. All data resources in use are accessed with personal usernames and passwords. The access rights to personal data involve different levels of access and the granting and use of access rights is supervised by business unit.
11. The rights of the Data Subject
Unless otherwise stated in mandatory legislation, the Data Subject has the right to inspect their personal data in Administer’s data file and, if they wish, to obtain a copy of said data in accordance with Data Protection Legislation. The Data Subject also has the right to demand that Administer rectify, erase or supplement their personal data in the data file if the personal data are inaccurate, unnecessary, incomplete or outdated in relation to the purpose of the processing. Furthermore, the Data Subject has the right to request the controller to restrict the processing of their personal data. Requests for inspection and rectification shall be addressed to the data file’s contact person, whose contact information is provided at the beginning of this Privacy Policy.
As an exception to what is stated above, the Data Subject does not have the right to inspect the data acquired to fulfil the Money Laundering Act’s reporting obligation and obligation to obtain information (Money Laundering Act, chapter 4, section 3). However, the Data Protection Officer may investigate whether the processing of these data complies with legislation at the Data Subject’s request.
The Data Subject has the right to lodge a complaint with a supervisory authority if they are of the opinion that the processing of their personal data violates the Data Protection Legislation. A notification of a fault in the processing of personal data can be submitted on the Office of the Data Protection Ombudsman website: https://tietosuoja.fi/ilmoitus-epakohdasta-henkilotietojen-kasittelyssa.
12. Profiling and automatic decision-making
Administer does not carry out profiling targeting the Customer based on the personal data or use automatic decision-making.
13. Amendments to the Privacy Policy
Administer constantly develops its business operations, which is why Administer reserves the right to amend this Privacy Policy by announcing such amendments on its services. Amendments to the Privacy Policy may also be based on changes in legislation.
Administer shall communicate amendments to the Privacy Policy on its website by publishing the updated Privacy Policy and specifying the date of the amendment. For this reason, Administer recommends that Data Subjects regularly check the current Privacy Policy on the Administer website. In the event that Administer makes significant amendments to the Privacy Policy, Administer shall also announce such amendments in other ways, such as by sending an e-mail message or publishing a release on the website and/or social media pages before the amendments take effect.
This Privacy Policy was last updated on 8 December 2022.
14. Contacts
We are happy to help you with any questions you may have regarding the processing of your personal data and the exercise of your rights. Please contact us in writing. The contact information is provided in section 2, “Contact person for the data file”, at the beginning of this Privacy Policy.