PRIVACY POLICY OF BO LKV OY
This document is a combined privacy policy and information notice in accordance with the Data Protection Act and the General Data Protection Regulation of the European Union (2016/679/EU). Bo LKV Oy is committed to processing personal data in accordance with this privacy policy and applicable data protection legislation. This privacy policy describes how Bo LKV Oy collects and processes personal data.
Privacy policy for Bo Business’ corporate customers can be found here.

1. CONTROLLER
Bo LKV Oy
Läntinen Rantakatu 53 
20100 Turku, Finland
Business ID: 2796763–3 (”Bo”)
You can find an up-to-date list of Bo’s offices and their contact details here.

2. REGISTER NAME AND DATA CONTENT
Customer Register of Bo LKV Oy (“Customer Register”)

3. CONTACT PERSON
For questions regarding data protection and this Customer Register, please contact Tuomas Asplund, the Responsible Manager and Data Protection Officer of Bo.

Tuomas Asplund
Responsible Manager, Lawyer, Public Purchase Witness
Bo LKV Oy
050 353 1091 | tuomas.asplund@bo.fi
https://bo.fi

4. LEGAL BASIS FOR PROCESSING PERSONAL DATA / WHY DOES BO COLLECT YOUR INFORMATION?
4.1. General information on data processing
To the extent that the Customer Register contains personal data, such data shall be processed in compliance with the Data Protection Act and all other applicable laws, regulations, decrees, and official guidelines concerning the processing of personal data in force at any given time. Personal data refers to any information that can directly or indirectly identify a natural person. This Privacy Policy provides a detailed description of the procedures related to the collection, processing, and disclosure of personal data, as well as the rights of the customer, i.e., the data subject.

4.2. Purpose of collecting personal data
a) Contractual, customer, or equivalent relationship
The purpose of the Customer Register is to manage the data controller’s:

– contractual or customer relationship with the principal (e.g., seller or lessor);
– relationship related to the execution of the assignment with the counterparty of the principal (e.g., buyer or lessee);
– contractual relationship with the user of a valuation assignment or other expert service; and
– relationship based on the customer’s marketing consent, intended for multichannel marketing communications to the customer, for example via email, online, telemarketing, or postal mail.

The data controller may also collect information, for example, from individuals attending apartment viewings, for the purposes of preventing, monitoring, and investigating crimes or misconduct. Additionally, data may be collected through other means to determine the interests of potential customers, to establish a future customer relationship, or for the provision of the services and marketing. The data controller may also collect documents related to an assignment that contain personal data of individuals other than the client (for example, estate inventory deeds).

Individuals mentioned in section a) above are referred to in this Privacy Policy as Customers.

b) Compliance with legal obligations
Legislation governing real estate agencies, including the Act on Real Estate Brokerage and Letting Agencies (1075/2000) and the Act on the Real Estate and Rented Premises Brokerage (1074/2000), as well as the execution of assignments based on such legislation and the investigation of the Customer’s own search criteria, require the collection, use, and storage of the information specified in section 5 (Data Content of the Customer Register) below.

A real estate agency is, among other things, required to maintain an assignment logbook, in which all personal, property, and event-related data connected to each assignment, along with relevant documentation, are recorded (“Assignment Logbook”).

c) Statutory anti-money laundering supervision.
In accordance with Chapter 3, Section 3 of the Act on Preventing Money Laundering and Terrorist Financing (444/2017, hereinafter the “Anti-Money Laundering Act”), the data concerning customer due diligence and other personal data required under the Act are recorded, retained, and may be used for the prevention, detection, and investigation of money laundering and terrorist financing, as well as for initiating investigations into money laundering, terrorist financing, or the alleged offence from which the laundered assets or criminal proceeds originate. The data concerning the customer due diligence or other personal data obtained solely for the purpose of preventing and detecting money laundering and terrorist financing shall not be used for purposes incompatible with these objectives.

4.3. Consequences of failure to provide data
If the data controller does not receive the information referred to in sections a), b), and c), the customer relationship cannot be initiated or continued, nor can any other agreement be entered into, or legal transaction conducted with the Customer. If sufficient information to identify a visitor is not obtained during an apartment viewing, attending the viewing may not be possible for that individual.

4.4. Legal basis for the processing of personal data
Only personal data necessary for Bo’s operations and responsibilities are collected from Customers and other individuals. Bo may be entitled to process Customer data on the basis of multiple legal grounds. The legal bases for the processing of personal data may include:
a) A contractual relationship
b) the data controller’s legal obligation
c) the legitimate interests of the data controller, and
d) the consent of the data subject.

Insofar as the right to register personal data based on the legislation or circumstances referred to in section 4.2. above is exceeded, or where no such other legal basis exists, the Customer’s explicit consent will be separately requested for the recording, processing, and retention of personal data. Assignment-related data is also used for contractual relationships related to valuation and other expert services and is stored in a manner equivalent to that of the Assignment Logbook. In addition to, or separately from, the registration rights based on laws or circumstances, the Customer may be asked to consent to the analysis of provided data and customer behavior for marketing purposes (e.g., direct marketing by email or other similar advertising via online channels, post, or telemarketing).

4.5. Purpose of processing personal data
The information contained in the Customer Register may be used for the following primary purposes:
– management and development of the customer relationship,
– provision, offering, development, improvement, and protection of services,
– invoicing, debt collection, and verification of customer transactions,
– targeted advertising,
– analysis and statistical evaluation related to services,
– customer communication, marketing, and advertising,
– tailoring the content of marketing and advertising (including via email) based on the information provided by the Customer and their behavior,
– protecting and safeguarding the rights and/or property of the data controller and other individuals and parties involved in assignments,
– fulfillment of the data controller’s legal obligations, and
other similar purposes.

5. DATA CONTENT OF THE CUSTOMER REGISTER / WHAT INFORMATION DOES BO COLLECT?
Bo processes data in the Assignment Logbook, records maintained for anti-money laundering supervision, and in the customer contact lists.

a) The Assignment Logbook and its attachments include, or may include, the processing of the following categories of data:

– Basic customer information, such as full name, address and language personal identity code and, where applicable, business identity code for a person acting on behalf of a company for reliable identification
– information related to invoicing and debt collection
– information related to customer and contractual relationships, such as services offered to the customer, date of service usage, date and details of purchase offers, their acceptance and rental or sales agreements, property details, brokerage fees, seller information for the service and other similar data
– permissions and prohibitions data, such as direct marketing consents and opt-outs
– interests and other information voluntarily provided by the Customer
– other service-related transaction data
– complaints and information related to their handling
– credit and other financial information of tenants for the purpose of assessing rental payment capability.

The following information related to the Customer is processed, or may be processed, in records maintained in compliance with the Anti-Money Laundering Act:

– full name, date of birth, and personal identity code
– representative’s full name, date of birth, and personal identity code
– complete name, registration number, registration date, and registering authority of the legal person
– full names, dates of birth, and nationalities of members of the board of directors or equivalent decision-making body of the legal person
– business sector of the legal person
– names, dates of birth, and personal identity codes of the beneficial owners
– name, number, or other identifier and issuer of the document used to verify identity, or a copy of the document; in the case of remote identification, information on the method or sources used for identification
– information about the customer’s operations, nature and scope of business, financial status, justification for the transaction or use of service, origin of funds, and other necessary data collected to identify the customer
– information required under Chapter 3, Section 4(3) of the Anti-Money Laundering Act concerning the source of funds, and essential information collected to fulfill the enhanced customer due diligence obligations related to politically exposed persons in accordance with Chapter 3, Section 13
– in case of a foreign customer without a Finnish personal identity code, the customer’s nationality and travel document details.

c) The following Customer-related information is processed, or may be processed, in customer contact lists:
– Name, address
– purpose of contact
– details of Customer interactions, including the time of contact and any follow-up actions.

6. DATA RETENTION PERIOD
Information in the Assignment Logbook is retained for ten (10) years following the end of the assignment.

Data collected under the Anti-Money Laundering Act is retained for five (5) years, unless further retention is necessary for a criminal investigation, ongoing legal proceedings, or for the protection of the rights of the data controller or the people employed by it. The necessity for continued retention of such data and documents must be re-evaluated no later than three (3) years after the most recent assessment of necessity.

Information in the customer contact lists is retained for two (2) years.

In addition to the above, data may be retained and used for marketing purposes if the Customer has provided consent or if such retention is otherwise required by law.

Other personal data will be deleted once it is no longer necessary for the purposes for which it was collected. If the collection and retention of personal data is solely based on the Customer’s consent, the data will be deleted upon the Customer’s request.

7. REGULAR SOURCES OF DATA / FROM WHERE DOES BO COLLECT PERSONAL DATA?
Personal data is collected directly from the Customer in connection with the assignment agreement, purchase or rental offers, and other assignment-related transactions, as well as for fulfilling the obligation to obtain information, and preparing documentation. Data is also collected when the Customer uses the data controller’s services, or otherwise directly from the Customer, for example, during apartment and property viewings, through contact forms on the data controller’s website, or via customer satisfaction surveys and lotteries. Personal data may also be collected and updated from, for example, property management agencies, the Digital and Population Data Services Agency, and other official registers (such as the title and mortgage register), as well as from credit information registers.

Data based on consent is collected directly from the Customer or, with their consent, from registers or sources maintained by public authorities or third parties.

8. DISCLOSURE OF DATA / TO WHOM MAY BO DISCLOSE YOUR DATA?
The data controller may disclose personal data within the limits permitted and required by applicable legislation, or for the purpose of fulfilling a contract between the parties or where there is an appropriate connection.

For example, personal data may be disclosed to Regional State Administrative Agency and other public authorities, to the banks of the parties involved in a transaction, and at various stages of the assignment to parties such as property managers and the National Land Survey of Finland, as well as to the legal representatives of the parties in case of disputes.

As a rule, data is not transferred outside the European Union or the European Economic Area. However, data may be transferred or disclosed outside the European Union or the European Economic Area in accordance with applicable law, provided that the data is transferred to a country for which the European Commission has determined an adequate level of data protection, or where appropriate safeguards (e.g., contractual arrangements) are in place to ensure an adequate level of data protection. Transfers outside the European Union may also temporarily occur in connection with the use of cloud-based services.

Data is disclosed to public authorities where required by law.

Information on purchase prices and other details of the property transaction may also be disclosed to the Federation of Real Estate Agency (Kiinteistönvälitysalan Keskusliitto, KVKL), where the data is stored in the Federation of Real Estate Agency’s price monitoring service (hintaseurantapalvelu, HSP) used by real estate agents. The data is stored to the extent required for the provision of the service. Data from the HSP may be further disclosed to its clients. The current privacy policy of the service is available at http://www.hintaseurantapalvelu.fi/tietosuoja (see the link “Tietosuoja- ja rekisteriseloste” at the bottom of the page).

In the context of outsourced IT services, personal data may also be processed by subcontractors acting on behalf of the data controller. Such subcontractors may include, for example, service providers of real estate and marketing systems, housing listing portals, and companies conducting customer satisfaction surveys.

9. CUSTOMER RIGHTS / HOW CAN YOU ENSURE LAWFUL PROCESSING?
9.1. Examination, access, and data portability
The customer has the right to examine the personal data stored about them in the Customer Register. The examination request must be submitted to the data controller in writing, either in a document signed by hand or in a similarly verified format, or alternatively via email.

Notwithstanding the above, the Customer does not have the right to access data obtained to fulfill the obligation to obtain information and to report under the Anti-Money Laundering Act. However, at the Customer’s request, the Data Protection Ombudsman may verify the lawfulness of the processing of such data.

The data controller shall provide the requested information to the Customer within 30 days of receiving the examination request.

In cases where the processing of personal data is based on the Customer’s consent or a contract, and the processing is carried out automatically, the Customer has the right to receive their own submitted data in a structured, commonly used, and machine-readable format, and to transmit such data to another data controller. Where technically feasible, the Customer has the right to have the data transferred directly from one data controller to another. The original data controller will continue to store the transferred data in accordance with this Privacy Policy.

9.2. Rectification of Incorrect Data
The Customer has the right to request the rectification of any inaccurate or incorrect personal data stored in the personal data register concerning them.

9.3. Objection to, or Restriction of Data Processing
The customer has the right to object to the processing of their personal data for the purposes of direct marketing, distance selling, other forms of direct advertising, market and opinion research, and the development of the data controller’s business operations. The Customer also has the right to restrict the processing of their personal data and to have personal data already stored for such purposes erased, even if there may otherwise be a legal basis for the processing.

9.4. Erasure of Data (Right to Be Forgotten)
The Customer has the right to request the erasure of their data without undue delay, unless there is a lawful basis for retaining the data.

9.5. Withdrawal of Consent
If the data stored in the register is based on the Customer’s consent, such consent may be withdrawn at any time by notifying the representative of the data controller as indicated in this Privacy Policy. Upon request, all data that is not required to be stored by law or under another legal basis outlined in this Privacy Policy will be deleted.

9.6. Procedure for Exercising Rights
Requests for access, rectification, or any other requests may be submitted by contacting the data controller’s representative mentioned in section 3 of this Privacy Policy.

9.7. Disputes
The Customer has the right to bring the matter to the Data Protection Ombudsman if the data controller does not comply with the Customer’s request for rectification or other requests.

10. PROFILING AND AUTOMATED DECISION-MAKING
The data controller does not perform profiling of the Customer based on personal data, nor does it use automated decision making.

11. PROTECTION OF PERSONAL DATA
The personal data stored in the register is protected in accordance with statutory requirements and appropriate data security standards. Bo has implemented suitable technical and organizational measures to safeguard personal data against accidental or unlawful loss, disclosure, misuse, alteration, destruction, or unauthorized access.

Bo continuously adapts its security measures in line with technological advancements.

Access to the register requires a user ID granted by the main administrator of the Customer Register. The main administrator also determines the level of access rights granted to other users. Only those employees of the data controller and employees of subcontractors who require access to the data for work-related duties have such access. The data is stored in service databases protected by firewalls, passwords, and other technical safeguards. These databases are located in locked and guarded facilities, and only certain pre-authorized individuals may access the data. Customer data is stored electronically. If personal data containing personal identity codes is transmitted by Bo (e.g., via email), it is done in a secure manner.

Where personal data is processed on behalf of the data controller by a subcontractor, the data controller has ensured through contractual arrangements that appropriate protective measures are in place and that the processing of personal data complies with applicable data protection legislation.

12. CHANGES TO THE PRIVACY POLICY
Bo continuously develops its business operations and therefore reserves the right to amend this Privacy Policy by notifying such changes through its services. Amendments to the Privacy Policy may also be made due to changes in legislation.