This is the B10 Group’s registration and privacy policy in accordance with the EU General Data Protection Regulation (GDPR). The privacy policy applies to all persons who are:

• B10 customers or potential future customers
• Persons otherwise related to the customer relationship, such as the beneficial owner or representative
• Targeted individuals

(hereinafter referred to as “Registered”).

1. Data Controller

B10 Group Oy (hereinafter referred to as B10), Pohjoisesplanadi 33 A, 00100 Helsinki
Email info@b10.fi

2. Contact person responsible for the register

Ilkka Linna, +358 40 519 9559, ilkka.linna@b10.fi

3. Register name

Asiakas- ja markkinointirekisteri

4. Legal basis and purpose of processing personal data

The legal basis for processing personal data under the EU General Data Protection Regulation is the obligations arising from specific laws binding on the companies of the B10 Group.

As a financial sector operator, B10 Group Oy and its subsidiaries are obliged to comply with, for example, the following laws and regulations:

Investment Services Act
Credit Institutions Act
Act on the Prevention of Money Laundering and Terrorist Financing
Securities Markets Act

The purpose of processing personal data is to manage customer relationships, market services, manage risks and prevent abuse, and fulfill obligations arising from legislation.nhallinta ja väärinkäytösten estäminen sekä lainsäädännöstä tulevien velvoitteiden täyttäminen.

5. Data content of the register

The information stored in the register includes: the person’s name, personal identification number, classification, country of taxation, citizenship, contact information (telephone number, email address, address), financial information, information regarding educational background and profession, information related to customer relationship management such as emails and phone calls, information about financial instruments owned and changes to them, account number, possible representatives and any other information related to the customer relationship.
The information is stored for five full calendar years after the end of the customer relationship. When the retention period for personal data has expired, the data will be deleted within a reasonable period of time.

The controller does not perform profiling or use automated decision-making based on personal data.

6. Data sources

The data stored in the register has been collected from the data subjects themselves, from agreements made with a company belonging to the B10 Group or from other third parties handling the data subject’s affairs.

Data on contact persons of companies and other organizations can also be collected from public sources such as public registers, websites, directory services and other companies.

7. Recipients of personal data

The data is disclosed to authorities, such as the Tax Administration and the Financial Supervisory Authority, in order to fulfill the right to information based on the law.

If B10 is involved in a merger, business transaction or other corporate arrangement, it may have to disclose the data subjects’ personal data to third parties.

8. Regular disclosure of data and transfer of data outside the EU or EEA

Data is not regularly disclosed to parties other than the Tax Administration and the Financial Supervisory Authority. Data is not transferred by the controller outside the EU or EEA.

9. Principles of register protection

The register is handled with care and the data processed using information systems is protected appropriately. The digital security of the data is appropriately taken care of.

The controller ensures that the stored data, software usage rights and other data critical to the security of personal data are handled confidentially and only by those employees whose job description includes it.

10. Right of inspection and right to demand correction of data

Every person in the register has the right to check their data stored in the register and to demand correction of any incorrect data or completion of incomplete data. If a person wishes to check the data stored about them or to request a correction, the request must be sent in writing to the controller. When submitting a request to the controller, the controller must prove their identity. The controller will respond to the customer within the time period stipulated in the EU Data Protection Regulation, within one month. To the extent that the data includes business secrets or personal data of other persons, the data will not be provided, but the customer will be informed of their existence, who can then request that they be deleted if they wish.

B10 deletes on its own initiative or at the request of the data subject and supplements personal data in the register that is incorrect, unnecessary, incomplete or outdated in relation to the purpose of the processing.

11. Other rights related to the processing of personal data

A person in the register generally has the right to request that personal data concerning him or her be deleted from the register (“right to be forgotten”). However, this right under the GDPR is overridden by the Financial Sector legislation, which obliges the Group to retain data for a specified period.

The data subjec has the right to lodge a complaint with a data protection authority if the data subject considers that his or her personal data has been processed in breach of applicable law. In the European Union, a complaint may be lodged with a data protection authority, in particular the data protection authority of the country of residence or work or the data protection authority of the country in which the alleged infringement has occurred. The Finnish data protection authority is the Data Protection Ombudsman: tietosuoja.fi

12. Changes to the register and data protection statement

B10 may amend and update this data protection statement as necessary. The changes may also be based on changes in data protection legislation. Data subjects will be notified of any significant changes.