Privacy notice

Privacy notice

1. Background

Asianajotoimisto DLA Piper Finland Oy (DLA Piper Finland Attorneys Ltd.), 2425412-8 (“DLA Piper”, “we”) is the data controller in relation to the processing of our clients’ and stakeholders’ personal data for purposes stated in this notice. We want to make sure that your personal data is handled appropriately in a manner that respects your privacy. In this notice, we describe how your personal data is processed by us in connection with our customer relationship, communications, business partners and marketing activities and what rights you have with respect to your personal data.

This privacy notice applies to:

  • Clients and client representatives
  • Individuals involved in our engagements, including opposing parties, opposing counsel, arbitrators, judges, and other relevant participants
  • Prospective clients
  • Suppliers and supplier representatives
  • Recipients of our newsletters and marketing communications
  • Participants in our events, seminars, and webinars

Please note that we have a separate privacy notice for job applicants and employees.

This privacy notice has been last updated on 25 March 2025.  

2. From where do we collect personal data?

We primarily collect personal data from the data subject him/herself when we manage our client assignments and provide legal services. We may collect your personal data in the following ways:

  • Personal data that you give to us, for example, in connection with concluding agreements with us and using our services, communicating with us, subscribing to our newsletter, events or other communications.
  • Personal data that we collect or generate automatically, for example, when you visit our website, we automatically collect some data about you and your visit; or when you use or interact with our IT systems.
  • Personal data provided by third parties: We may receive personal data from individuals involved in our engagements. This may include, but is not limited to, individuals acting in the capacity of an opposing party, opposing party’s counsel, arbitrator, judge, consultant, witness, expert, public authority employee, cooperation partner, employee of a company subject to acquisition or sale, or contracting party.
    In such cases, we may obtain your personal data from various sources, such as directly from you, your employer or other relevant parties, as part of the preparation, administration, or execution of our legal engagement.
  • Personal data that we collect from other sources, for example, by obtaining information from publicly available sources, such as business information registers, Suomen Asiakastieto Oy, Alma Talent Oy, and other cooperation partners and service providers that provide such contact details.   
  • Personal data provided by other DLA Piper entities.

3. Key Aspects of Data Processing: Categories, Purpose, Legal Basis, and Retention Period

The tables below provide details on our data processing activities. Please note that multiple tables may apply to your personal data.

Clients, their representatives and other persons involved in our engagements

We may process personal data for the following purposes.

Provision of legal services and engagement management

Categories of personal dataPurpose of processingLegal basisStorage period
  • Identity data: e.g., name, title.
  • Contact data: e.g., postal address, phone number, and email.
  • Identification information: Passport details, identity card, date of birth, and personal identity number.
  • Authorization & ownership: Information on your authority to represent a legal entity or your status as a beneficial owner.
     
  • Sensitive & legal data: If relevant to the engagement, we may process special categories of personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, or sex life) or data related to criminal convictions (e.g., money laundering or other offenses, or trading prohibitions).
     
  • Billing information: responsible contact person, account number, and tax-related details.
     
  • Engagement-related data: Correspondence, case details, and other relevant information, including audio and video recordings related to legal proceedings or engagements.
We process your personal data to fulfill the engagement entrusted to us by you or the organization you represent, or any engagement in which you are otherwise involved.

If you are a client as a natural person, we process your personal data based on the performance of a contract (GDPR Art. (6)(1)(b)).

If you represent a legal entity client or are otherwise involved in our client engagement processing is based on our legitimate interests to carry out the engagement from our client. (GDPR Art. (6)(1)(f)).

Personal data is retained for at least 10 years from the date of completion of the engagement, or for such longer period as is required by the nature of the client relationship or the engagement.

 

Client due diligence and legal compliance

Categories of personal dataPurpose of processingLegal basisStorage period
  • Identity data e.g. name, title.
  • Contact details: e.g. postal address, telephone number, email address and citizenship.
  • Identification information and documents.
  • Authorization & ownership data: Information on whether you are authorized to represent a legal entity or are a beneficial owner.
  • Client & political exposure data: If you are a client, a representative, or an owner of a legal entity client, or a close associate or family member of such a person, we may process information on whether you are a politically exposed person, including your name and professional position.
  • Billing details: Contact person, account number, and tax-related information.
  • Engagement-related data: Correspondence, case details, and other relevant data, including audio and video recordings related to legal proceedings or engagements.
  • Sensitive & legal data: If necessary for the engagement, we may process sensitive data or data related to legal breaches, such as money laundering or regulatory violations.
We process your personal data to conduct necessary client checks (such as conflict checks) and comply with the requirements of the Finnish Bar Association and applicable laws, including those related to anti-money laundering, sanctions, tax, and accounting.

Legal obligation (GDPR Art. (6)(1)(c)).

The legal basis for the processing of personal data is the existence of a legal obligation under the applicable Bar rules, anti-money laundering, sanctions, tax or accounting legislation.

Processing relating to criminal convictions or offences is based on Data Protection Act Section 7(1)(1).

Finnish Bar Association compliance: At least 10 years from the completion of the engagement, or longer if required by the client relationship or nature of the engagement.

Anti-Money Laundering Act: Generally retained for 5 years, but may be kept for up to 10 years if necessary for preventing, detecting, or investigating money laundering or terrorist financing.

Accounting Act compliance: Retained for 6 years from the end of the financial year in which the data was processed.

Other legal & legitimate interests: Retained as long as necessary to comply with legal requirements or legitimate business interests.

 

Business development, innovation, and statistical analysis

Categories of personal dataPurpose of processingLegal basisStorage period
  • Identity data: e.g., name, title.
  • Contact details: e.g., postal address, telephone number, and email address, where relevant.
  • Statistical data: personal data used for statistical purposes is generally processed only in an aggregated and anonymized form.
  • Engagement-related information: Correspondence, event details, or other data directly or indirectly linked to you that is relevant to the engagement.

We process your personal data to support business and methodological development, including software development and testing.

Additionally, we may use personal data for statistical purposes, such as reporting to ranking bodies and creating reference materials.

The processing is based on our legitimate interests to develop our business and to keep statistics (GDPR Art. (6)(1)(f)).Personal data is retained for at least 10 years from the date of completion of the engagement, or for such longer period as is required by the nature of the client relationship or the engagement.

 

Supplier management

Categories of personal dataPurpose of processingLegal basisStorage period
  • Identity data: e.g., name, title.
  • Contact details: e.g. postal address, telephone number, email address and citizenship).
     
  • Identification information and documents.
     
  • Authorization & ownership: Information on your authority to represent a legal entity or your status as a beneficial owner.
     
  • Billing details: Contact person, account number, and tax-related information.
     
  • Information you provide when communicating with us.
We process your personal data to manage our business relationship (or the relationship with the organization you represent), including maintaining contact records, filing contracts, handling billing, as well as processing orders and deliveries.

Legitimate interest (legal persons). The processing of personal data is necessary for the purposes of fulfilling our legitimate interests in managing the business relationship (GDPR Art. (6)(1)(f)).

 

Performance of a contract (sole traders). The processing of personal data is necessary for the performance of a contract (GDPR Art. (6)(1)(b)).

Your personal data will be kept for the duration of the business relationship. After the business relationship ends, we will retain your personal data where necessary to protect our legitimate interests and to comply with our legal obligations.


Processing of personal data related to marketing, events, seminars/webinars

Recipients of newsletters or other marketing communications

Categories of personal dataPurpose of processingLegal basisStorage period
  • Identity data: e.g., name, title.
  • Contact details: e.g. postal address, telephone number, email address.
  • Employment information: e.g.  employer and title.
     
  • Language preference.
     
  • Preferences regarding the type of marketing communication.
We process your personal data to communicate about our business, market our services, communicate about our career opportunities, and manage the distribution of newsletters or other marketing materials, such as annual reports.
 		The processing is based on our legitimate interest to communicate and market our business, manage and distribute marketing communications, and share relevant information about our firm and initiatives (GDPR Art. (6)(1)(f)). 
This includes, inter alia, highlighting news, events, or engagements of interest to recipients.		Your personal data is processed until you choose to unsubscribe or up to 2 years from receiving your personal data.
You can unsubscribe from receiving newsletters or other marketing communications at any time by using the link provided in the communication or by contacting us at marketinghelsinki@fi.dlapiper.com
We cease all processing of your personal data for the purposes of newsletters and other marketing communications immediately after receiving your deregistration.

 

Attendees of our events, seminars, and webinars

Categories of personal dataPurpose of processingLegal basisStorage period
  • Identity data: e.g., name, title, employer.
  • Contact details: e.g., postal address, telephone number and email address.
  • Language preference.
  • Food preferences.
  • Photographs, audio and video recordings of events and seminars/webinars.
We process your personal data when you participate in an event organized by us, including registering your attendance and communicating with you regarding the event. The purpose of this processing is to facilitate event organization and management.

Legitimate interest (GDPR Art. (6)(1)(f)).

Legal obligation (GDPR Art. (6)(1)(c)).

For photographs of events and seminars/webinars: consent (GDPR Art. (6)(1)(a)).

The data subject has given his or her explicit consent to the processing of personal data (Article 9(2)(a) of the GDPR).

We will only process personal data belonging to special categories of personal data (e.g. health data) if you provide such data voluntarily, thus with your explicit consent.

Personal data in general is processed until the end of the event and thereafter for 2 years to assess the quality and success of the event and to communicate about our future events and activities.

However, we may retain limited engagement information on past events attended for customer relationship management purposes (in which case the applicable storage period is as provided above for customer relationship management).

 
Information about food preferences is erased within 60 days after an event, meeting or seminar has taken place.

Information about participation (name, organization and name of the event) is retained for accounting purposes for 6 years from the end of the financial year during which the data was processed.

If the processing is based on your consent, the personal data will only be retained as long as your consent is valid. You can withdraw your consent at any time by contacting us.

 

Establishing, exercising, and defending legal claims

Categories of personal dataPurpose of processingLegal basisStorage period
  • Identity data: e.g., name, title, employer.
  • Contact data: e.g., postal address, phone number, and email.
  • Identification information: Passport details, identity card, date of birth, and personal identity number.
  • Any information related to the establishing, exercising, and defending legal claims.
We process your personal data to fulfill the engagement entrusted to us by you or the organization you represent, or any engagement in which you are otherwise involved.The processing is based on our legitimate interests to establish, exercise and defend legal claims (GDPR Art. (6)(1)(f)).In the event of any legal claim or action, your personal data is retained during the legal process and until the legal process has been finally completed and the obligations associated with it have been fully discharged.

 

4. Recipients that we share your personal data with

We share your personal data with:

Service providers

In order to fulfil the purposes of the processing of your personal data, we share personal data with service providers that we have engaged. These service providers provide IT services to us (such as operation, technical support and maintenance of IT systems). The service providers may only process your personal data for these purposes and in accordance with our instructions and not for their own purposes.

We are the data controller for the processing of personal data that the service providers carry out on our behalf.

Other recipients

RecipientPurposeLegal basis for the transfer
Authorities (e.g. the Police, the Tax Agency and the Financial Supervisory Authority).In order to fulfil any legal obligations to which we are subject, e.g. in connection with requests from authorities or other legal claims.Legal obligation (GDPR Art. (6)(1)(c)). The processing is necessary to fulfil legal obligations to which we are subject.
Authorities (incl. courts) and legal representatives.To establish, exercise and defend legal claims.Legitimate interest (GDPR Art. (6)(1)(f)). The processing is necessary to fulfil our legitimate interest of disputes and cases being managed by competent courts and legal representatives.
Other DLA Piper entities

By default, we do not share personal data with other DLA Piper entities. However, if necessary for the fulfillment of an engagement and it is so agreed upon with our client, we may share personal data when the assignment requires legal expertise from another jurisdiction.

We may also share general identity data, contact data, professional data, and event related data with other DLA Piper entities if we arrange a joint client event together with other DLA Piper entities

Legitimate interest (GDPR Art. (6)(1)(f)).
Buyers, sellers and external advisors/other parties involvedTo enable business changes, e.g. sales or merger of the business or investments in general.Legitimate interest (Art. 6(1)(f) GDPR). The processing is necessary to fulfil our legitimate interest in conducting and executing business changes.
Collaboration partnersWe may share general identity data, contact data, professional data, and event related data with our collaboration partners. For example, if we arrange a joint client event together with our collaboration partners, it is necessary to share personal data for event management purposes.Legitimate interest (Art. 6(1)(f) GDPR). The processing is necessary to arrange seminars, webinars, and other events.

 

5. Where we process personal data

Personal data are predominantly processed within the EU/EEA. However, in limited circumstances some of our service providers may provide part of their services to us from countries outside the EU/EEA. For such cases, we have ensured an adequate level of data protection in accordance with the requirements of EU data protection legislation, including by way of transferring data to countries with an adequacy decision adopted by the European Commission or using, as required, standard contractual clauses adopted by the European Commission (together with appropriate technical and organisational safeguards).

Furthermore, all the DLA Piper entities have signed a data sharing agreement which is based on standard contractual clauses adopted by the European Commission to ensure we will comply with our legal and regulatory obligations under EU data protection legislation.  

6. Your Rights

Under data protection regulations you have certain rights in relation to the processing of your personal data. We process your personal data to the extent necessary in order to fulfil your rights. Please submit requests for exercising your rights by contacting us at privacyfinland@fi.dlapiper.com.

You have the right to:

Access your personal data

You have the right to access personal data we process about you. You may request a copy of your personal data at privacyfinland@fi.dlapiper.com. We will provide you with it unless we have lawful reasons not to share this data or if sharing the data would adversely affect the rights and freedoms of others.

Update your personal data

Furthermore, you have the right to request that incorrect or incomplete personal data is corrected or completed. 

Withdraw consent

To the extent we rely on your consent to process personal data you have the right to at any time withdraw your consent.

Object to the processing of personal data

You have the right to object to the processing of your personal data based on a legitimate interest for reasons which concerns your particular situation. In such a situation, we will stop using your personal data where the processing is based on a legitimate interest, unless we can show that the interest overrides your privacy interest or that the use of your personal data is necessary in order to manage or defend legal claims.

Delete your personal data

Under certain circumstances you have the right to request that your personal data is deleted. However, we cannot delete your personal data if we for example are obligated under law to keep the data.

Restrict the use of your personal data

You have the right under certain circumstances to request that the processing of your personal data is restricted. If the processing of your personal data has been restricted we may only, besides storing the data, process your personal data with your consent, in order to establish, exercise or defend legal claims or to defend rights of others.

Transfer your personal data (data portability)

Finally, you have the right to request a copy of the personal data that we store about you in a structured, commonly used and machine-readable format (data portability). The right to data portability, compared to the right to access, only comprises such personal data you yourself have provided and which we process based on certain legal grounds, e.g. your consent.

Lodge a complaint with a supervisory authority 

You have right to lodge a complaint with a supervisory authority (contact details for the Finnish data protection authority can be found here).

7. We can update this information

We may occasionally update this information, e.g. if we would process personal data for new purposes, collect additional categories of personal data or share personal data with other recipients. In such a case we will notify you in an appropriate way. The latest version of the information is always published on this page.

8. Contact

If you have any questions regarding the processing of your personal data, please do not hesitate to contact us. See below for contact details.

Asianajotoimisto DLA Piper Finland Oy
Business ID: 2425412–8
​​​​​​​Kanavaranta 1, 00160 Helsinki
E-mail: privacyfinland@fi.dlapiper.com