Privacy Policy & Registration Statement
25.6.2025
​
REGISTER HOLDER
Shillinki Properties Oy (Business ID 3235697-6)
​​
REGISTER MANAGER​
Tuomas Välimäki
​​
REGISTER NAME AND DATA CONTENT​
​
Shillinki Properties Oy's customer register (hereinafter referred to as the "Customer Register")
​​
BASIS FOR PROCESSING PERSONAL DATA AND MAINTAINING THE REGISTER
​​
General information on data processing
​
To the extent that the Customer Register contains personal data, its processing is in accordance with the Data Protection Act and other currently valid laws, regulations, provisions and official instructions concerning the processing of personal data. Personal data refers to information that can be linked to a specific person. This document describes in more detail the procedures for collecting, processing and disclosing personal data, as well as the rights of the customer, i.e. the data subject.
​
Purpose of collecting and processing personal data (i.e. keeping a register)
​​
1. Contractual, customer or other comparable relationship
​​
The customer register is used by the controller to manage the following relationships:
​​
- a contractual or customer relationship with the client (e.g. seller or landlord)
- a relationship related to the performance of an assignment with the client's counterparty (e.g. buyer or tenant)
- a contractual relationship with the user of an expert service (such as an assessment assignment)
- a relationship based on the marketing permission given by the client, the purpose of which is, among other things, multi-channel marketing communication to the client, e.g. by email, online, telemarketing or by post

The controller may also collect information from persons present at apartment presentations, for example, to prevent, monitor and investigate crimes or abuses, or by other means to investigate the interests of potential customers or to establish a subsequent customer relationship/provide services and for marketing.

The persons described above are referred to in this statement as “Customer”.

2. Legislation concerning real estate agencies
The Act on Real Estate Agencies and Rental Apartment Agencies (1075/2000) and the Act on Real Estate and Rental Apartment Brokerage (1074/2000) and the handling of assignments based on them require the recording, use and retention of the information mentioned in the section “Data content of the customer register”. For example, the brokerage firm must keep an order diary in which personal, target and event information related to each order is recorded, along with documents.
​
3. Statutory supervision of money laundering
In accordance with Chapter 3, Section 3 of the Act on the Prevention of Money Laundering and the Financing of Terrorism (444/2017, hereinafter referred to as the “Money Laundering Act”), Customer identification data and other personal data in accordance with the law are recorded, retained and may be used to prevent, detect and investigate money laundering and the financing of terrorism, as well as to investigate money laundering and the financing of terrorism and the crime through which the property or proceeds of crime that are the subject of money laundering or terrorist financing have been obtained. Customer identification data or other personal data that have been obtained solely for the purpose of preventing and detecting money laundering and the financing of terrorism shall not be used for a purpose that is incompatible with these purposes.

4. Data storage based on consent
To the extent that the above-mentioned right of registration is exceeded, or there is no other legal basis mentioned, the Customer will be asked for separate consent to the storage and processing of personal data. The assignment data will also be used for contractual relationships related to evaluation and other expert services and will be stored in a manner similar to the Assignment Diary. The Customer may also be asked for separate consent to the analysis of the information provided and customer behavior for marketing purposes.
​
Consequences of not receiving the information
If the controller does not receive the above-mentioned information, the customer relationship cannot be initiated or continued, nor can any other agreement or legal action be entered into with the Customer.
​​
Purpose of use of data
The data in the customer register is mainly used for the following purposes:
​​
- management and development of customer relationships
- production, provision, development and improvement of services
- invoicing, collection and verification of customer transactions
- targeting of advertising
- analysis and statistics regarding services
- customer communication, marketing and advertising
- targeting of marketing content according to the information provided by the Customer and the Customer's behavior
- protection and security of the rights and/or property of the controller and other persons and entities related to the services
- fulfillment of the controller's statutory obligations
- other similar purposes
​
ABOUT THE INFORMATION CONTAINED IN THE CUSTOMER REGISTER
​​
Shillinki Properties Oy processes information in the Order Diary, in the register information concerning the supervision of the Money Laundering Act, and in the customer contact list.
​​
The following groups of information may be processed in the order diary and its attachments:
​​
- Basic information about the Customer, such as full name, address, language
- Personal identification number of the person acting on their own behalf or on behalf of the company and possibly company ID for reliable identification
- Information related to invoicing and collection
- Information related to customer service and contractual relationship, such as services provided to the Customer, their use date, date and information of the purchase offer, its acceptance, rental or sales contract, target information, brokerage fee, service vendor information and other similar information
- Permission information and prohibitions, such as direct marketing permits and prohibitions
- Customer's points of interest
- Other transaction information about the services
- Complaints and their processing information
- Tenant's credit information and other financial information for assessing the ability to pay rent
- Other information provided by the Customer

The following information related to the Customer may be processed in the register data concerning the supervision of the Money Laundering Act:
​​
- name, date of birth and personal identification number
- name, date of birth and personal identification number of the representative
- full name of the legal person, registration number, date of registration and registration authority
- full names, dates of birth and nationalities of the members of the board of directors or similar decision-making body of the legal person
- field of activity of the legal person
- name, date of birth and personal identification number of the beneficial owners
- name of the document used for identity verification, document number or other identification information and issuer or a copy of the document or, if the customer is remotely identified, information on the procedure or sources used for verification
- information on the Customer's activities, nature and scope of business, financial status, grounds for the use of the transaction or service and information on the origin of the funds, and other information necessary for knowing the Customer referred to in Section 4, subsection 1 of the Money Laundering Act
- information under Section 4, subsection 3 of the Money Laundering Act related to the investigation of the origin of funds pursuant to Section 13, and information necessary to fulfil the enhanced due diligence requirement regarding politically exposed persons pursuant to Section 13
- for a foreign Customer who does not have a Finnish personal identity code, information on the Customer's citizenship and travel document information

The following information related to the Customer is or may be processed in the Customer contact information listing:
​​
- Name, address, email, telephone number
- purpose of contact
- information on contacting the Customer and the time of contact, and follow-up measures

DATA RETENTION PERIOD
Information in the assignment diary is retained for ten (10) years after the end of the assignment.
​​
Information pursuant to the Money Laundering Act is retained for five (5) years, unless further retention of the information in question is necessary for a criminal investigation, pending legal proceedings, or to protect the rights of the controller or its employees. The necessity of further storage of data and documents will then be examined no later than three (3) years after the previous review of the necessity of storage (Act on the Prevention of Money Laundering and Terrorist Financing, 444/2017, Section 4).
​​
Other personal data will be deleted after there is no longer a need to store the personal data. If the collection and storage of personal data has been based solely on the Customer's consent, the personal data will be deleted at the Customer's request.
​​
REGULAR DATA SOURCES
Personal data is collected from the data subject when, among other things, the data subject uses the controller's services or plans to use them (for example, when filling out documents). Personal data may also be collected directly from the data subject in other ways, for example, during site presentations, through contact forms, through newsletter subscriptions, from customer satisfaction surveys or raffles. Personal data can also be collected and updated from, for example, property management offices, the population register and other official registers (such as the land registry and mortgage register) and credit information registers.
​
DISCLOSURE OF DATA
​
The access rights to all data concerning the data subject are limited to those persons who need access to the data contained in the register to carry out the purposes of processing the register or otherwise perform their work tasks. The controller may disclose personal data within the limits permitted and required by applicable legislation, as well as to implement an agreement between the parties or when a substantive connection is fulfilled. Personal data may thus be disclosed, for example, to the Regional State Administrative Agency and other authorities, to the banks of the parties to the transaction in connection with a transaction, and at various stages of the assignment, e.g. to the property manager and the land surveying authority, and to legal advisors in disputes.
Data is not routinely transferred outside the European Union or the European Economic Area. However, data may be transferred or disclosed outside the European Union or the European Economic Area in a manner permitted by law, if the data is transferred to a country where the European Commission has determined that the level of data protection is adequate, or contractual arrangements can guarantee an adequate level of data protection. Transfer outside the EU may also temporarily occur in connection with the use of various cloud services.
​
Information is disclosed to authorities in cases required by law.
​
In addition, the purchase price and other information about the transaction object is disclosed to the Finnish Real Estate Brokerage Federation (KVKL), where the information is stored in the KVKL price monitoring service (HSP) used by real estate brokers to the extent required by the service. Information from the HSP may be further disclosed to HSP customers. The privacy policy for the service in question can be read at http://www.hintaseurantapalvelu.fi/tietosuoja.
​
In connection with the outsourcing of the data management of the data controller, the processing of personal data may also take place by the data controller's subcontractors, but in this case only on behalf of the data controller. Such subcontractors may include, for example, service providers of real estate brokerage systems and marketing systems, as well as parties that maintain apartment sales announcement portals and companies that conduct customer satisfaction surveys. Shillinki Properties Oy's subcontractors include Linear Oy (the privacy policy can be read at https://linear.fi/wp-content/uploads/2021/04/Tietosuojaseloste.pdf), Almamedia (the privacy policy can be read at https://www.almamedia.fi/tietosuoja), Schibsted (the privacy policy can be read at https://info.privacy.schibsted.com/fi/tietosuoja-ja-evastekaytannot/?ref=ot_footer) and Wix (the privacy policy can be read at https://www.wix.com/about/privacy).
​
REGISTER PROTECTION PRINCIPLES
​
Access to the register requires a user ID granted by the Customer Register administrator. The administrator also determines the access level granted to other users. Only those employees of the controller and of its subcontractors who need the information to perform their work-related tasks have access to it. The information is collected in the service's databases, which are protected by firewalls, passwords and other technical means. Customer information is stored electronically. If personal data containing a personal identification number is transferred from Shillinki Properties Oy, for example by email, this always requires the written permission of the owner of the personal identification number.
​​
CUSTOMER RIGHTS
​​
1. Inspection, receipt and transfer of information
​​
The customer has the right to inspect what information about him or her has been stored in the Customer Register. The customer must submit a request for inspection to the controller in writing in a personally signed form or in a similarly certified document, or by email.
​​
Departing from the above, the Customer does not have the right to inspect the information obtained in order to fulfill the reporting or reporting obligation stipulated in the Money Laundering Act (Section 4:3 of the Money Laundering Act). However, the Data Protection Commissioner may, at the Customer’s request, inspect the lawfulness of the processing of this information.
​
The controller shall provide the aforementioned information to the Customer within 30 days of the inspection request being submitted.
​
The Customer has the right to have the customer information concerning him or her, which he or she has provided, transferred to a third party in a structured and commonly used machine-readable format. However, the controller shall store the transferred information in accordance with this privacy policy.
​
2. Rectification of incorrect information
​​
The Customer has the right to have the information stored in the personal register concerning him or her rectified to the extent that it is incorrect.
​​
3. Objection or restriction of processing and deletion of information
​
The customer has the right to object to the processing of data concerning him or her for direct advertising, distance selling and other direct marketing, as well as for market and opinion research and for the development of the controller's business, and to restrict the processing of data concerning him or her, as well as the right to have personal data concerning him or her already registered and stored for the aforementioned purpose deleted.
​
4. Withdrawal of consent
​​
If the data in the register is based on the consent given by the customer, the consent can be withdrawn at any time by notifying the controller's representative mentioned in this statement. Upon request, all data that does not have to be stored, or cannot be stored, by law or other grounds mentioned in this privacy statement will be deleted.
​​
5. Procedure for exercising rights
​​
A request for inspection, correction or other information can be submitted by contacting the controller using the contact details mentioned in this statement.
​​
6. Disputes
​​
The Customer has the right to refer the matter to the Data Protection Ombudsman if the Controller does not comply with the Customer's request for rectification or other request.
​​
PROFILING AND AUTOMATED DECISION-MAKING
​​
The Controller does not conduct profiling of the Customer or use automated decision-making based on personal data.
