Your privacy at a glance
GRIT acts as a controller in terms of the processing of your personal data described herein. In certain situations where personal data is processed by another company of the Estlander Capital Group, that group company may act as a controller.
How and why we use your data
As a part of our business, we process personal data for various purposes. Data protection laws require that we only process and use your data for certain predetermined reasons, and only if we have a legal basis to do so. Below you’ll find an overview of the different purposes for which we process your personal data as well as their respective legal basis:
- The provision of investment and fund services. GRIT provides various investment and fund services, hereto related ancillary services and investment products. The performance of such service contracts requires that we process certain personal data. However, the extent of the processing varies depending on i.a. the service and the type of client.
- Data relating to unit holders. According to applicable law, GRIT is obliged to handle subscriptions, redemptions and reporting in terms of the fund unit holders. It is necessary for GRIT to process certain personal data to fulfill these obligations.
- Client categorization and client control. Irrespective of whether a person becomes a client or a fund unit holder or not, GRIT is obliged to carry out client categorization and client control (i.a. to prevent money-laundering and terrorism financing). Fulfilling such obligations also entails the processing of personal data.
- Tax reporting. National and international regulations require us to collect and report certain information regarding the customer’s taxation.
- Customer relationship management, customer service and marketing. We at GRIT care for our customers and we do our utmost to maintain a good customer relationship. In the case of potential customers, we are keen on informing them about our services. This entails processing personal data, and such processing is based on our legitimate interest to keep our customers satisfied and to attract new customers. In certain situations, direct electronic marketing is based on your specific consent.
- Handling of customer complaints and data subject requests. Although we strive to keep our customers satisfied, should a customer raise a complaint, we’ll keep records of such complaints in accordance with applicable legislation. We’ll also keep records of your requests as a data subject, to handle your matter as efficiently as possible.
- Business development. Keeping up with the developments in the industry is important to us, which is why we consider it our legitimate interest to keep our business, products and services relevant and to help prepare us and our customers for the challenges of tomorrow.
- Website experience and maintenance. We collect cookies for the proper use of our website and for enhanced user experience, which is based on our legitimate interest (please see below for further information on cookies).
- Recruitment. If you apply for a job at GRIT, we handle your application, CV and other documents that contain personal data. Such processing is based on your consent.
Certain personal data is processed within the Estlander Capital Group, if it is deemed necessary and in accordance with applicable law. Such situations include e.g. executing an agreement with you or effectively managing a customer relationship. Processing within the group may also take place when required by law, such as for client classification and the prevention of money-laundering and terrorism financing.
Certain processing of personal data is necessary for the performance of contracts and to adhere to legal requirements applicable to GRIT. Should you not provide the necessary personal data, we may not be able to provide our services to you.
For the purposes specified above, we process the following categories of personal data (with examples in brackets):
- Basic identification data (name, social security number/date of birth, ID picture).
- Contact details (name, phone, e-mail and domicile).
- Information on the fund unit holders (amount, classes and series in terms of fund units).
- Data on the customer relationship (e.g. service language, contract information, transaction details).
- Data relating to know your customer procedures and customer identification, including information on beneficial owners.
- Information required for us to adhere to tax reporting obligations (e.g. tax domicile and tax number).
- Information regarding customer complaints and data subject requests.
- Data on how you use the website gritfundservices.fi.
- Recruitment information (application, experience, education).
- Consents (for direct electronic marketing and recruitment).
Please keep in mind that the specific personal data processed and the extent of the processing vary depending on i.a. your position (e.g. as a client, potential client, website visitor or contact person of a service provider), the types of services provided, and client category.
When and how do we collect data?
We collect data from you at the commencement of your customer relationship with us as well as during it to administer and take care of what is necessary for your client contract and your customer relationship.
We may also collect data from the other companies within the Estlander Capital Group and from third parties, with whom we co-operate to provide you with our services and manage your customer relationship. In addition, we may collect data from publicly available sources provided by authorities (for example the population register center, commercial registers, and supervisory authorities) and international organizations like the EU and the UN.
We also automatically collect certain technical data when you visit our website at gritfundservices.fi.
We only use necessary cookies to provide the website, improve its functionality, follow up on its use and improve its safety. The data is not used for identifying individual visitors. You can turn off cookies, but that may impact the functionality of the website, and the website may not necessarily be available as intended.
As a data subject you have several rights as listed below. You can exercise your rights by sending us an email at email@example.com. You’re entitled to exercise your rights free of charge. However, for repetitive requests, or requests that are manifestly unfounded or excessive, we reserve a right to charge a reasonable fee.
Right to access data that we hold on you
You have the right to access the personal data that we hold on you. We may not always be able to meet your request to provide you with your information as your right might be restricted based on e.g. law or the need to protect the integrity of another person.
Right to withdraw your consent
To the extent that processing your personal data is based on consent, for example electronic direct marketing, you are entitled to change your mind at any time and withdraw your consent by notifying us by e-mail or by unsubscribing from newsletters sent to you.
Right to request correction of inaccurate or incomplete data
If you note that the information we have on you is incorrect or incomplete, you have the right to request correction thereof by submitting a written request.
Right to object to processing
You have the right to object to the processing of your personal data based on legitimate interest and for marketing, including profiling. You are required to specify the specific situation where you are objecting to the processing.
Right to request limitation of the processing
You have the right to request that the processing of your personal data is restricted if
- you deny that the data is correct
- the processing is illegal but you nevertheless object to deletion
- we no longer need the data but you need it to manage a legal claim, or
- you have objected to the processing and the matter has not yet been clarified.
Right to port your data
You may ask to have the data that you have provided to us and that is processed automatically transferred in a machine-readable format to yourself or another service provider designated by you. We will not transfer data to the extent that it includes data on another individual.
You have the right “to be forgotten”
You may request the deletion of any personal data we hold about you. This does not necessarily mean that all your personal data is erased, if there is another legal ground for keeping it, e.g. our legal obligation.
You have the right to lodge a complaint
If you are not happy with how we process your personal data, we do hope that you first contact us and give us the opportunity to sort things out. You may naturally also contact the supervisory authority directly. The Finnish supervisory authority is the Finnish Data Protection Ombudsman. You may also contact the supervisory authority in your country of residence.
How secure is the data we process?
Protecting your personal data is key to our business and part of our compliance and risk management. We have taken appropriate organizational and technical measures to ensure that your data is safely kept and protected from unauthorized processing and loss.
How long do we store your data?
We store your data for as long as needed for the purpose for which it was collected or as required by law. The exact storage period varies depending on the purpose and the applicable legal requirements. Although it’s not feasible to predetermine the storage period for all personal data, i.a. the following legal requirements and principles are used to determine the storage period from time to time:
- Customer information is stored for at least seven years.
- Data relating to know your customer procedures and customer identification are stored for at least five years after the customer relationship has ended.
- Customer complaints data and data subject requests are stored for as long as they are necessary to handle the complaint and possible related legal matters, which is at least five years.
- Data on potential customers are stored for as long as the person is deemed a potential customer to us.
Personal data processed in relation to your customer relationship is only disclosed to our co-operation partners to the extent necessary for providing our services to you and executing your client contract, or to the extent you have consented thereto. Such co-operations are based on written agreements that ensure that your personal data is protected. The third parties referred to are mainly other companies of the Estlander Capital Group as well as fund management companies and other service providers relating to the provision of our investment services. We also disclose personal data to the authorities as far as we have a legal obligation to do so.
Transfer of data outside EU/EEA
For the conduct of our business we partly use services, e.g. cloud services, where the service provider is a company located outside the EU or the EEA or that belongs to such a group. Transfer of data to such organizations is possible if there are sufficient protective measures for the transfer in question, which fulfill the requirements of data protection laws. Data may also be transferred in situations when it is required for the execution of your contract or you have provided your consent thereto.
How to reach us
If you have questions or comments on privacy matters or the way in which personal data is being processed by us, please contact:
GRIT Fund Management Company Ltd
Alatori 1 A, FI-65100 Vaasa
Tel.: +358 207 613 350
You may also contact our Compliance Officer per e-mail firstname.lastname@example.org. If you prefer to correspond via mail, please send your letter to the above address and mark the envelope “Compliance”.
Information about this document
This document has been created in compliance with the applicable data protection laws, including the EU General Data Protection Regulation (GDPR). The document was first published on November 30th 2018. This document is updated as needed.