Privacy Notice  

This privacy notice describes how Avalon processes personal data from our clients and partners. Avalon is a part of Digia Plc. In terms of account management and recruitment, our data protection principles are also described in Digia’s privacy notice.  

This privacy notice was updated on 28 Sep 2023. 

1. Controller’s Information 

Digia Plc, business ID 0831312-4 
Address: Atomitie 2 A, 00370 Helsinki, FINLAND 
Tel.: Exchange, +358 (0)10 313 3000  

If you have questions regarding our data processing policies, please contact us at:  

info@avalon.fi  

Data Protection Officer, Digia Plc  
dpo(at)digia.com 

We process personal data according to the applicable data protection laws, including the EU's General Data Protection Regulation (2016/679) and the Finnish Data Protection Act (1050/2018).  

The table below lists the purposes and legal bases for processing personal data.  

4. Categories of personal data 

We process data regarding the following stakeholders: 

• Our clients and the representatives and contact persons of these clients 
• Our subcontractors and suppliers and the contact persons of these subcontractors and suppliers 
• Potential clients and the representatives and contact persons of these potential clients 
• Members of other stakeholder groups (such as job applicants and other partners) 
   

We process the following data that is necessary for the aforementioned functional purposes: 

• Name 
• Email address 
• Phone number 
• Company name, company ID, the contact person in the company and their position 

• Subscription information, agreement and quote information, invoicing and payment information 
• Client feedback and contact details 
• Information based on the client relationship, such as contact log, feedback and follower information 
• Additional information provided by the data subject (such as a CV sent by a job applicant) 
   

5. Regular information sources

The personal data we process is primarily collected from the following sources: 

• Directly from the data subject for the purposes of maintaining the customer relationship (for example, via the contact form on the website) 
• Directly from the data subject as part of a job application and recruitment process 
• Directly from the data subject as part of another partnership 

• From publicly/commonly available sources (such as the internet and trade register) 
• From a registered employee or a representative of a stakeholder currently in a customer, business, partner or contractual relationship with us 
• For business purposes, we may check company information from Suomen Asiakastieto Oy's registers. These reports may also contain information about company representatives.
    

6. Recipients of personal data 

We do not generally release any personal information to third parties, excluding instances where authorities so require in accordance with the law, or in order to provide services to customers. For carrying out our services, we use trusted third-party service providers who may, in accordance with data protection law, process personal information on our behalf to carry out these services.  

We use Google Analytics and HubSpot to collect user data from our website in order to better analyse and improve the website and to offer targeted marketing to the site users.  

We use cookies on our website to improve user experience. Cookies are small text files that are placed on your computer by websites that you visit, by the request of your browser. You can disable cookies from the browser’s settings.  

We process and store the personal data described in this privacy notice mainly within the EU and EEA. However, some suppliers of systems or services we use may be located, operate or process data in countries outside the EU and EEA, where the level of data protection may not have been deemed sufficient by decision of the European Commission. With regard to processing activities described in this privacy notice, we use the following suppliers operating outside the EU or EEA:  

Potential transfers of personal data out of the European Union or European Economic Area will always be executed following the applicable data protection regulations. 

• The support service for our marketing automation system (Hubspot, Inc.) is located in EU area.  
• The support service for our webinar application (GoToWebinar/LogMeIn, Inc.) is located outside the EU in the United States.  
• The support services, development and integration development of our customer relationship management systems and enterprise resource planning system (Dynamics 365, HubSpot, Dataplatform, M-Files, Workday) may be carried out outside the EU in India, Ukraine and the USA. 

All transfers of data are subject to a separate prior assessment. In transferring personal data, we comply with the national and international regulations in force at the time. This means, for example, that in safeguarding transfers of data, we comply with the necessary contractual protection measures, usually by means of adopting the European Commission Standard Contractual Clauses or an equivalent transfer protection measure.   

7. Storage periods and deletion of data

We process and store personal data only as long as it is necessary for the pre-determined purpose of use. Unnecessary personal data that we have no valid reason to store or process will be regularly deleted in accordance with our data protection policy. Personal data becomes unnecessary, for example, when the customer, business, partner or contractual relationship to us has ended, apart from where the law requires the continued storage of the personal data.  

Storage periods for different purposes: 

• marketing: 10 years from the last interaction 
• partners and stakeholders: 10 years from ending our collaboration 
• recruitment: 2 years after the recruitment process has ended 
• cookies: 1 year
   

8. General description of the relevant technical and organisational security measures of the register controller

We have implemented all relevant technical and organizational data safety mechanisms required by law to protect the personal data we process from illegal access, processing, disappearing, altering and other data safety risks. All personal data is stored in a system protected by the protection software and functionalities of the operating system.  

Our information network and hardware that hosts personal data is protected by a firewall and other applicable technical measures. Personal data registers can only be accessed by employees who have signed applicable non-disclosure agreements and who have been trained on how to use the personal data registers. Our personal data registers are located in locked and guarded facilities. We have given our employees written instructions and orders on data protection and how to process personal data, and our employees are obliged to follow them.  

We regularly check our personal data processing functions and the systems and hardware used in them in order to, for example, estimate any risks to personal data associated with deploying new technology.  

9. Rights of data subjects 

Data protection legislation guarantees data subjects several rights concerning the processing of their personal data. We respect these rights and are committed to their implementation.   

The data subject has the following rights that will be applied depending on the case:  

1. Data subjects have the right to request access to their personal data from the controller and receive a copy of the data; 
2. Data subjects have the right to transmit their personal data to another system in cases where processing is based on consent and carried out automatically; 
3. Data subjects have the right to request that any inaccurate, incomplete or outdated personal data is rectified or erased; 
4. Data subjects have the right to request the restriction of processing in certain circumstances, such as when Digia no longer requires the data but the data subject does not wish them to be erased but instead requests that their processing be restricted; 
5. Data subjects have the right to object, on grounds relating to their particular situation, to processing in certain circumstances, such as when processing is based on the controller’s legitimate interest and the controller cannot present more weighty grounds than those presented by the data subject; 
6. Data subjects have the right to request that the controller erase their personal data, provided that certain conditions are met (“the right to be forgotten”), such as when the personal data are no longer needed for the purpose for which they were collected, or when processing was based on consent and this consent has been withdrawn; 
7. Data subjects have the right to withdraw their consent to processing at any time; and 
8. Data subjects have the right to lodge a complaint with the competent supervisory authority. In Finland, this authority is the Office of the Data Protection Ombudsman (see tietosuoja.fi/en). 

Requests for the execution of rights should be addressed to PrivacyQuery(at)digia.com. Please note that execution of some of the rights may require that certain additional legal requirements are met. We may also ask that the person presenting the request provide additional information to allow us to verify their identity. 

Include the following information in your request: 

• Information that allows us to identify you (such as full name, email address or similar) 
• The role in which you are contacting us (current or former Avalon employee, job applicant, customer or a member of our customer’s personnel, subscriber to our newsletter or other similar party) 
• Which of the legal rights listed above you wish to exercise.