General Privacy Statement

Scope

This General Privacy Statement (“General Privacy Statement”, “General Statement” or “Statement”) is issued on behalf of the companies in Accountor Software Business, which consists of different legal entities operating in several countries. The entity that controls your data depends on the situation in which your personal data is processed. The company in Accountor Software Business that you are interacting with in the specific situation, for example the Software Company that has a contractual relationship with you or with a company you represent, or the Software Company you are visiting, makes decisions about your personal data (acts as data controller in relation to you). You can find the contact details of the data controller in your specific situation, as well as contact information for data protection, at the end of this Statement.

When the Statement talks about “Software Company”, “we”, “us” or “our”, it refers to the company in Accountor Software Business responsible for the processing of your personal data.

This General Statement aims to give you information on how we collect and process your personal data, with whom data is shared, how long it is stored and what your rights are as regards personal data.

This Statement applies to the processing of personal data. Personal data means information that can be associated with you either directly or indirectly. Data referring to an individual representing or acting on behalf of a company, e.g. a managing director, is also personal data. Company information that does not relate to any natural person is not personal data.

As Software Company processes personal data in different situations and in relation to several stakeholders, we have prepared some accessory statements that supplement this General Statement and provide more detailed information in the given situation. These specific statements can be found by clicking on the applicable headings provided here.
However, if there are any discrepancies between the General Statement and an accessory statement, the latter will primarily be determinative.

Collection of personal data

We may collect your personal data through different means. You may provide information yourself through direct interactions with us, or data may be generated when you use our services. In addition, we may create data based on information we have about you. Your personal data may also be obtained from other Software Companies or external third parties, including publicly available sources. We may combine the data collected about you from publicly available sources and from our different interactions with you in connection with e.g. service provision and marketing communication.

You are not required to provide any personal data to us, but the consequences of your choice may vary depending on the circumstances. For example, it is possible that we will not be able to provide our service to you or act in accordance with your request.

Personal data categories

We process different kinds of personal data about you depending on the situation. The categories and scope of data are always limited to what is necessary for the purposes for which the data is processed. The categories of personal data in a given processing situation are detailed in the respective accessory statement.

We may also process personal data for statistical purposes, meaning that information is aggregated to a level where no natural person can be identified from the result. Such data is not considered personal data, as it cannot be associated with you.

As a rule, we do not process special categories of personal data, such as information about your health. However, in limited cases such data may be processed, provided that the processing is conducted in accordance with the applicable laws and you have been informed of it.
Purpose and legal basis for processing personal data

We collect, process and use only personal data that is needed for operational purposes, efficient customer care and relevant commercial activities, including the processing of personal data in order to anonymise it. We use your personal data only for legitimate and explicitly defined purposes and do not process data in a manner that is incompatible with those purposes. The purposes of the processing in a given situation are detailed in the respective accessory statement.

We always have a legitimate basis for the processing of your personal data, which is communicated to you. We usually process your personal data for the performance of an agreement or contractual relationship between us and you, or a company you represent, or in order to enter into such a relationship.

We may process personal data in order to meet our statutory obligations, e.g. in relation to accounting, to conduct sanction screening or to fulfil requests from authorities (e.g. a tax authority) as required by law.

Further, you may have consented to the processing of your personal data for one or more specific purposes. This is typical in activities conducted to promote our business or services, e.g. in marketing or social media campaigns. You will always be informed of the purposes of the processing, with the necessary details, before we ask for your consent.

Personal data may also be processed based on our legitimate interest or that of a third party, provided that your fundamental rights do not override such interest. For example, we combine the data collected about you from different sources, or process personal data to provide services, to develop our operations or to generate internal reports for management purposes.
In these cases, the processing of personal data is based on our legitimate interest in ensuring that our operations are effective and our offering is competitive, and that we have relevant information at hand to better understand our customers and to manage our operations.

Sharing and disclosures of personal data

We may share your personal data with other Software Companies within the limits of applicable laws and for the purposes indicated in this Statement, including the development of services and the marketing of their products and services to you. Personal data may be shared between Software Companies for internal administrative purposes, for example as part of our reporting activities on company performance, and for the purposes of using centralized solutions, e.g. in the use and maintenance of information and communication systems and the hosting of data. The sharing of personal data is based on our legitimate interests in enabling and developing efficient business operations and customer relationship management, and in informing our customers of relevant services of other Software Companies.

We may also disclose your personal data to third parties when:

- permitted or required by law, e.g. to comply with requests by competent authorities or in connection with legal proceedings;
- our trusted service providers process personal data on our behalf and under our instructions, or when we and our partner process personal data for jointly defined purposes under the Statement. We control and are responsible for such processing of your personal data;
- we acquire services from our service providers as part of internal processes (e.g. in a recruitment process), to conduct or support our business (e.g. social media campaigns) or to provide services to you. In these cases, our service provider is responsible for the lawfulness of the personal data processing;
- we are involved in a merger, acquisition, or sale of all or a portion of our assets;
- we assess that disclosure is necessary to enforce or protect our rights, such as to respond to legal claims, to protect your safety or the safety of others, to investigate fraud, or to respond to a government request;
- there is a legitimate interest for the disclosure, such as when we are organising a joint conference or event with a third party, provided that we have informed you of such sharing; and
- you have consented to such disclosure, but only to the parties the consent relates to.

Note that from time to time our service providers may independently further use personal data processed on our behalf and in connection with service provision for their own purposes, such as service development, training artificial intelligence, statistics or fulfilling their legal obligations. Software Company strives to ensure that this further processing is not incompatible with the original purposes for which the personal data is processed. In such a case the service provider in question is responsible for the lawfulness of the processing.

Transfers of personal data outside the EU or EEA

The personal data we process is located primarily in the EU or the European Economic Area. We may, however, transfer your personal data outside these areas if our partner or service provider who processes personal data is located fully or partly (e.g. for technical administration) in a third country. Personal data may also be transferred to third countries in situations where this is required of the service provider under binding non-EU legislation.

In these cases, we will take the necessary steps to provide appropriate safeguards for international data transfers and, to the extent necessary, implement supplementary measures for the protection of personal data as required by applicable laws.
This means that personal data is transferred only to countries that have been deemed by the European Commission to provide an adequate level of protection of personal data (“countries with adequate protection”). For further details, see “Adequacy decisions” on the European Commission website (europa.eu). With a service provider that is based outside countries with adequate protection, or which is otherwise not within the scope of an adequacy decision, we will use specific contract clauses approved by the European Commission and implement the necessary technical, organisational or contractual supplementary measures to ensure that personal data has the same protection as in the EEA. For further details, see “Standard Contractual Clauses (SCC)” on the European Commission website (europa.eu).

In limited cases, e.g. when you participate in Software Company’s marketing or social media campaigns, the transfer of personal data to a third country may be based on your explicit consent. In such cases you will be provided with details of the transfer and the related risks beforehand.

You will find contact details at the end of the Statement if you want further information on the specific mechanism we use when transferring your personal data outside the EEA.

Retention of personal data

Your personal data is retained only for as long as necessary to fulfil the purposes for which it is processed, including for the purposes of satisfying any legal, accounting or reporting requirements and as defined in this Statement.

We have defined retention periods for all personal data we have on you. When defining such periods, we have considered various factors, such as the nature and sensitivity of the personal data and the purposes for which the data is processed.

Your personal data processed based on a contractual relationship with you, or a company you represent, is stored, as a rule, for the duration of the contractual relationship or for as long as the provision of the services requires.
After our relationship or service provision has ended, we typically store the personal data that is necessary to protect our legitimate interests, e.g. to enable us to respond to requests or claims under the applicable provisions concerning statutes of limitations, or we may store your personal data, to the extent necessary, in order to respect your request not to receive direct marketing from us.

Personal data processed based on legitimate interests is processed for as long as there are grounds for the processing. If you object to such processing, the data will be erased after your request has been validated. An example of this kind of processing falling within the scope of legitimate interest is direct marketing.

If personal data is processed based on legal obligations, it is retained for as long as required by law. Obligations regarding the storage of personal data are set, for example, by accounting and money laundering laws.

The storage time of personal data processed with your consent is determined according to the purposes of the processing.

Your rights

Your rights and options as regards personal data depend on the purposes of the processing and on the situation.

The right to access – You have the right to receive confirmation of whether your personal data is processed and, if it is, to access the data. This enables you to receive information on how we process your data and a copy of the personal data we hold about you in our registers.

The right to rectify data – You are entitled to have your personal data rectified or, in certain cases, to have defective personal data supplemented.

The right to object to the processing – You are entitled to object to the processing of your personal data that is based on Software Company’s legitimate interest or that of a third party, if your particular situation overrides such interest. We may reject your request if the processing is necessary in order to implement mandatory and legitimate interests.
You are always entitled to object to the processing of your personal data for direct marketing purposes and for related profiling.

The right to data portability – You have the right to receive the personal data you have submitted to us for processing based on your consent or the implementation of an agreement. In such cases, we will provide you, or a third party you have chosen, with your personal data in a structured, commonly used and machine-readable format.

The right to be forgotten – You may ask us to erase your personal data where there is no valid reason for us to continue processing it, for example if you consider the personal data unnecessary for the purposes described above or you withdraw the consent you have given.

The right to restriction of the processing – You have the right, under certain circumstances, to require Software Company to restrict the processing of your personal data, for example for the period needed to verify the accuracy of your personal data.

The right to give and withdraw your consent – If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time.

We may need to request specific information from you to help us confirm your identity and ensure that you are entitled to exercise your rights.

You can exercise your rights by sending the above-mentioned requests to us. You will find contact details at the end of the Statement.

If you think that the processing of your personal data is not appropriate, you have the right to contact the Data Protection Supervisor in your country.

Information security

We maintain security measures (including physical, technical, electronic, and administrative measures) that are appropriate to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, we limit access to personal data to those authorized employees and service providers who need to know the information in the course of their work tasks.
They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

Please be aware that, although we endeavour to provide appropriate security measures for personal data, no security system can prevent all potential security breaches. If a security breach occurs, we will inform you in accordance with applicable laws.

Changes to this Statement

We may update this Statement at any time if required in order to reflect changes in our data processing practices. You can find the latest version on our website. This Statement was last updated on May 20th, 2024.

Contact details

If you have any questions regarding this Statement or the personal data we process about you, please contact us. You can find the contact addresses below.

Companies in Accountor Software Business:

Parent company:

Accountor Holding Oy
Business ID: 2480336-9
Keilaniementie 1, 02150 Espoo, Finland
dpo@finago.com

Software Companies for employment and worktime:

Accountor HR Solutions Oy
Business ID: 2776178-2
Åkerlundinkatu 11
33100 Tampere
tietosuoja@accountorhr.fi

Software Companies for financial management:

Accountor Finago Oy
Keilaniementie 1
02150 Espoo
0836922-4

Accountor Finago AB
Hälsingegatan 49
113 31 Stockholm
SE 556942-4467

Accountor Finago ApS
Herlev Hovedgade 195
2730 Herlev
DK 35418105

Apix Messaging Oy
Keilaniementie 1
02150 Espoo
2332748-7

Ecom Oy
Lemminkäisenkatu 34
20520 Turku
0968083-1

Ecom Tilit Oy
Lemminkäisenkatu 34
20520 Turku
2092247-5

eTasku Solutions Oy
Åkerlundinkatu 11 A
33100 Tampere
2487226-8

Isolta Oy
Keilaniementie 1
02150 Espoo
1854047-8

Contact email of Software Companies for financial management: privacy@finago.com