last updated 1st October 2023

PRIVACY POLICY

The protection of your personal data is important to 3Step IT Group Oy and its affiliated companies, hereinafter referred to as “3stepIT” or “we”.

This privacy policy applies to personal data that you give us when visiting our website, using our Asset Management services, using our other services and/or portals, reporting suspected misconduct, interacting with us in meetings, social medial, emails and other means of communication.

The purpose of this privacy policy is to inform you about:

What personal data we collect about you;
How we use your personal data and on which basis;
Who we share your personal data with;
International transfers of your personal data;
For how long we retain your personal data;
What actions we have taken to keep your data secure;
What are your rights as a data subject and how you may exercise them;
How you can contact us in case of questions related to this privacy policy.

For recruitment related data, please refer to Privacy policy for Recruitment.

For Speak Up (whistleblowing) related data, please refer to Privacy policy for Recruitment.

3Step IT Group Oy (business ID 2087590-4), Limited Liability Company registered in Finland acts as a contact point for all 3Step IT Group companies in privacy related requests:

Office address: Mechelininkatu 1A Helsinki 00180, Finland

The general phone number: +358 10 525 3200

Data Protection Officer: dpo@3stepit.com

If you have any questions relating to our use of your personal data under this privacy policy, please contact our Data Protection Officer at the contact details provided above, or use the contact form provided on our website: tell us a bit about your enquiry and we will pass it to the right expert and controller, if need be.

The contact details of all 3Step IT Group Oy's affiliated companies can be found below:

3Step IT Oy

Business ID 2161942-7

Mechelininkatu 1A

00180 Helsinki

Registered in Finland

3 Step IT A/S

Business ID 26106427

Vandtårnsvej 62

2860 Søborg

Registered in Denmark

3 Step IT AS

Business ID 878703812

Wergelandsveien 7

0167 Oslo

Registered in Norway

3 Step IT Sweden AB

Business ID 556488-0218

Box 1556

581 15 Linköping

Registered in Sweden

3Step IT OÜ

Business ID 10731756

Narva mnt 7d

Tallinn 10117

Registered in Estonia

3 Step IT Trading AB

Business ID 559267-1738

Drottninggatan 19

582 25 Linköping

Registered in Sweden

AddPro Finans AB

Business ID 556861-4357

Box 1566

581 52 Linköping

Registered in Sweden

3 Step IT SIA

Business ID 40003717838

Vilandes iela 3

LV-1010 Riga

Registered in Latvia

UAB 3Step IT

Business ID 300059934

Vito Gerulaičio g. 10-101

Vilnius

Registered in Lithuania

3 Step IT Services Limited

Business ID 13762523

100 Liverpool Street

EC2M 2AT London

Registered in United Kingdom

The data controller for your personal data may be either 3Step IT Group Oy or any of its affiliated companies, depending which company has a contractual or other relationship with you.

We may also act as a data processor and in that role process personal data on behalf of our contractual parties. Please note that this privacy policy does not cover personal data subject to processing activities we conduct as a processor, such as customer data processed when using our Asset Management systems. In cases where 3stepIT acts as a processor, we kindly advise you to contact the data controller (e.g., your organization) for further information on the collection and processing of that specific data.

Please note that if you interact with 3stepIT either through, or on behalf of your organization, then certain personal data may be subject to your organization’s privacy policy.

1. What personal data do we collect?

We collect and use your personal data to the extent necessary to carry out our operations and provide our services as well as to comply with any regulatory obligations in our activities. These purposes and collected personal data are defined in more detail below.

Customers, Suppliers and Marketing

In connection with our operations and during the lifecycle of business relationship with our customers, we collect various types of personal data, meaning any information that identifies or allows to identify you.

The provision of the personal data is a requirement necessary to enter into a contract with the customer and in order to use the service portal. You are not obliged to provide personal data in connection with marketing or when communicating with us, however, the provision of personal data might be a prerequisite for the use of 3stepIT’s services or products, and participation to certain events and communication related to such matters.

As for Know Your Customer / Customer Due Diligence data, the provision of the personal data is a requirement necessary to enter into a contract with the customer or to pursue such customer relationship.

Purpose of processing	Legal basis	Personal data
To fulfil regulations and legal requirements relating to: • anti-money laundering and counter-financing of terrorism, including Know Your Customer (KYC) obligations; • international financial sanctions and embargoes • export control obligations set forth in relevant international and national export control regulations • other mandatory legal requirements such as accounting	Legal obligation The legitimate interest of the data controller when financial sanctions are imposed by UK and the United States which 3stepIT has contractually undertaken to comply with	• Name, date of birth, city of birth, nationality, personal identity number, address, other information included in ID copy, information included in possible proof of address • PEP-status and details of such PEP-status Data subject categories may include following: • Customer or representatives of the customer (authorised signatories or employees of customer without signatory status), possible beneficial owners of the customer, next-of-kin and close business associates of PEP-persons
To market our products and services (e.g. sending newsletters), communicate with you and develop our customer relationships To develop our products and services	Legitimate interest of the data controller	• Name, title, address and contact information of the customer or contact persons, representatives and/or decision-makers of the customer • Data from your interactions with us, including meetings, emails and other communication or correspondence with us • Data relating to your habits and preferences, such as participation in our marketing events, potential co-development projects and areas of interest • Other personal data relating to data subject’s attendance to 3stepIT’s marketing or other events and general information of data subject’s areas of interest • Usage data including information used to connect to our products and data created from use of our products • Data from public sources, e.g. job title from LinkedIn
To provide the service portal to the customers	Legitimate interest of the data controller	• Usernames and log data (e.g., account credentials provided to customers, data relating to logins)
To provide and deliver our products and services to you	Performance of a contract	• Name, title, address and contact information of the customer or contact persons, representatives and/or decision-makers of the customer • Identification information related to your role as authorized representative or beneficial owner of our customer entity (e.g., full name, identity (e.g., ID card or other personal ID, passport information, etc.), nationality, place and date of birth, gender, photograph)
To manage and develop the supplier relationship, such as business partner management To manage contracts	Legitimate interest of the data controller Performance of a contract	• Name, title, address and contact information of the supplier or contact persons • Correspondence and other information relating to the maintenance of the supplier relationship

Sources of personal data

We collect data of the following data subjects in connection with our operations:

Contact persons or other representatives of our customers or customer prospects;
Ultimate beneficial owners of our customers and their next of kins, significant owners;
Users of our products and services;
Participants to our webinars and events;
Contact persons or other representatives of our suppliers.

We collect data either directly from you or indirectly, e.g., when the data collection is related to your role at our customer or customer prospect. If you provide us with third party personal data, please remember to inform the data subjects whose personal data you are sharing that we process their personal data and direct them to this privacy policy. You further warrant and represent that you have the necessary rights to provide such personal data to us.

We obtain personal data indirectly from the following sources:

Our customers;
Our business partners;
Public sources (e.g., company registers, LinkedIn, company websites, press);
Third parties such as data brokers or databases (e.g., databases used in marketing, KYC or sanction screening).

Retention periods

The personal data will be retained as long as required by applicable laws and regulations. The personal data relating to customers or suppliers will be retained as long as the business relationship with the customer or supplier is active. Currently the retention period is five years after the end of the contractual relationship with the customer.

The personal data related to KYC data will be retained five years after the end of the contractual relationship. We retain certain personal data after the termination of the customer or supplier relationship based on statutory requirements for the period required by accounting or other applicable mandatory laws.

We retain data on our potential customers and their representatives for five years. The personal data related to marketing is retained for five years.

In addition, data may be retained for the time necessary for the preparation, presentation or defence of a legal claim.

Website Visitors

3stepIT processes the personal data of website (including our service portals) visitors and the persons who visit our social media pages and personal data that we have obtained through cookies, events, newsletter sign up and contact forms on our website.

You are not obliged to provide us with your personal data, however, the provision of personal data might be a prerequisite for the use of 3stepIT’s services or products.

Purpose of processing	Legal basis	Personal data
To improve the website performance, functionalities, and user experience and to analyse the website traffic	Consent prior placing other than strictly necessary cookies Legitimate interest of the controller when retrieving the data through the cookies	• Information about your device (IP address, technical specifications and uniquely identifying data) • Other personal data retrieved via cookies, such as site pages visited, links, buttons and other items clicked, date, time, number and duration of visits
To target ads	Consent prior placing other than strictly necessary cookies Legitimate interest of the controller when retrieving the data through the cookie	• Information about your device (IP address, technical specifications and uniquely identifying data) • Other personal data retrieved via cookies, such as site pages visited, links, buttons and other items clicked, date, time, number and duration of visits • Data from your interactions with us, including visits to our internet websites or social media pages (connection and tracking data such as cookies, IP address), meetings, emails and other communication or correspondence with us
To communicate with you (e.g., sending newsletters and information on products and services)	Legitimate interests of the data controller Consent of the data subject prior to sending electronic direct marketing where applicable	• Information about your device (IP address, technical specifications and uniquely identifying data) • Other personal data retrieved via cookies, such as site pages visited, links, buttons and other items clicked, date, time, number and duration of visits • Data from your interactions with us, including visits to our internet websites or social media pages (connection and tracking data such as cookies, IP address), meetings, emails and other communication or correspondence with us

Sources of personal data

The personal data we process is obtained directly from you in connection with the use of our website (including our service portals) and social media pages and the sending of newsletters or other communications.

The personal data is also collected through cookies and similar tracking technologies that are placed on our website (including our service portals). Cookies are pieces of data that websites store on your browser when you visit them. Cookies are used because they can give you a more personalised web experience. We use cookies on our website to target content and adverts, and to understand how people use our site.

Where we use cookies which collect your personal data, such collection is covered by this privacy policy.

By allowing all cookies, we can enhance your experience. This means helping you find the right information quickly and tailoring content to your needs. By default, we enable only strictly necessary cookies required for the website to function and cannot be switched off. They are set in response to actions made by you such as setting your privacy preferences and to also help keep the website secure. These cookies do not store any personally identifiable information.

Because we respect your right to privacy, you can choose to allow performance, advertisement and functional types of cookies. Click ‘Manage preferences’ on the main cookies policy provided to you when landing to our website for more information on the data collected by our cookies and to adjust your preferences regarding the cookies used. You can use your browser settings to delete cookies that have already been set at any time.

In addition, 3stepIT processes personal data from a data subject's social media account when interacting with our social media pages. Each social media provider processes personal data in accordance with its own privacy policy.

Retention periods

The personal data will be retained as long as required by applicable laws and regulations.

Personal data retrieved through cookies will be stored for 5 years. The personal data related to marketing is retained for 5 years.

In addition, data may be retained for the time necessary for the preparation, presentation or defence of a legal claim.

1. Who do we share your personal data with?

Sharing of information within 3stepIT

We share personal data within 3stepIT for the purposes set out above, so e.g., for the purposes of complying with legal obligations or the purposes of marketing or providing our services to our customers.

Disclosing information outside 3stepIT

To fulfil some of the purposes described in this policy, we may disclose your personal data outside 3stepIT from time to time to:

Service providers which perform services on our behalf (e.g., IT services, logistics, marketing, telecommunication, advisory and consulting);
Our commercial partners, including our financing partners;
Authorities or other public bodies if we are required by law to disclose such data;
KYC: In connection with assigning concluded lease agreements to its refinancing partners, 3stepIT transfers personal data to the selected refinancing partner, who process personal data as data controller in accordance with its own privacy policy. 3stepIT will deliver a copy of the refinancing partner’s privacy policy upon request.
Certain regulated professionals such as lawyers or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to actual or proposed purchaser of the companies or businesses of the 3stepIT.
If 3stepIT is involved in a corporate transaction personal data may be disclosed to third parties in relation to such transaction in accordance with the applicable data protection laws.

2. International transfers of personal data

As some of our affiliates, service providers, and partners are located outside the European Economic Area, we may need to transfer personal data outside the European Economic Area to carry out our operations. Transfers of this kind are done according to the requirements of the applicable laws, and by following the applicable safeguards for the transfers, e.g., based on adequacy decisions adopted by European Commission, or using standard contractual clauses approved by European Commission.

3. How long do we retain your data?

In addition to the above-mentioned data specific retention periods, personal data is deleted or returned once it is no longer needed for its purpose. The retention periods are defined based on e.g., the following factors:

Requirements set forth in applicable laws and regulations; and
Other requirements related to the purpose of the processing in question, e.g., operational requirements, such as proper account maintenance and management, security reasons, or responding to legal claims or regulatory requests.

4. How do we secure your data?

We apply appropriate technical and organizational measures to keep your personal data secure. We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data. Your data can only be accessed by persons for whom it is necessary in relation to their work.

We may outsource our processing of personal data to external service providers. In such events we enter into appropriate agreements with the providers to ensure that your personal data is processed in accordance with this privacy policy and any applicable laws.

5. Your rights as a data subject

In accordance with applicable regulations and where applicable, you have the following rights:

Rights of the data subject
Right of access to your data	You can obtain information relating to the processing of your personal data and request a copy of such personal data. If you make your request electronically and have not requested another form of delivery, the data will be provided in the commonly used electronic format.
Right to rectify your data	Where you consider that your personal data is inaccurate or incomplete, you can request that such personal data is modified accordingly.
Right to have your data erased	You can require the deletion of your personal data, to the extent permitted by law. However, a request to delete personal data cannot be implemented if the personal data is stored, for example, to comply with a legal obligation.
Right to restrict the processing of your data	In certain cases, you have the right to request the restriction of the processing of your data.
Right to object to the processing of your data	You can object to the processing of your personal data, on grounds relating to your situation. You have the right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing. 3stepIT may refuse a request if the processing is necessary for the legitimate interests of 3stepIT or a third party.
Right to withdraw your consent	Where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time. With every newsletter, we provide a way for you to request to revoke your consent at any time when you do not wish to subscribe to and receive our newsletters anymore.
Right to transfer data from one system to another	Where legally applicable, you have the right to have the personal data you have provided to us to be returned to you or, where technically feasible, transferred to a third party. To the extent that we process your data on a contractual basis and the processing is carried out automatically, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and the right to transfer that data to another controller.
Right to lodge a complaint with a supervisory authority	You have the right to lodge a complaint with the competent supervisory authority if you consider that data protection legislation has not been respected in the processing of your personal data.

If you wish to exercise the rights listed above, please send your request to our Data Protection Officer, the contact information of which is provided at the beginning of this policy.

We may need to request specific information (such as copy of identification) from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to anyone who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.