Use of Personal Data

General – to whom this privacy policy applies

Alisa Bank Plc and the entities belonging to the same group (“Alisa Bank” or “we”) are committed to protecting the rights of individuals and keeping your personal data safe in accordance with the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and other laws applicable to and binding upon Alisa Bank.

Alisa Bank processes personal data for many different reasons and this privacy policy describes how Alisa Bank collects, uses, retains and protects your personal data. In this privacy policy “data subject” or “you” means clients, potential clients, employees of our clients or other relevant parties, such as beneficial owners, authorized representatives and associated parties.

Controller

Alisa Bank Plc
Address: Pursimiehenkatu 4 A, 00150 Helsinki
Phone number: 0203 80101
Email: asiakaspalvelu@alisapankki.fi

Contact person for matters concerning the register

Data Protection Officer

Purpose of the processing of personal data and lawful basis

We mainly process your personal data to fulfil our legal and contractual obligations and to market interesting products and offer services to you. The purpose and legal basis for the processing are detailed below:

• Identifying and knowing you. Lawful basis: our legal obligation to identify and know our client, which requires the processing of personal data.
• Concluding and managing agreements with clients. Lawful basis: performance of a contract or our legitimate interest if the client is a legal entity.
• Performance of payment services. Lawful basis: consent in accordance with the Act on Payment Services.
• Opening and managing services (other than payment services) for you. Lawful basis: performance of a contract.
• Execution and verification of business transactions. Lawful basis: performance of a contract
• Marketing, product and client analysis (this may include profiling (see below)). Lawful basis: our legitimate interest to market our products and services and using profiling, for example, for client analysis for marketing purposes and your consent to receive electronic direct marketing.
• Calls and chats can be recorded and retained for confirming transactions or for purposes relating to documentation, quality control and development. Lawful basis: our legitimate interest to strengthen the quality of our services and to develop our services and to demonstrate compliance with legal obligations related to the services.
• Carrying out obligations based on law and authority regulations. Legal basis: our legal obligation that requires the processing of personal data. These are, for example, the following:

(i) compliance with accounting laws;
(ii) measures to combat and detect money laundering, fraud and terrorist financing;
(iii) comparing personal data with sanctions lists; and
(iv) reporting to tax, police and enforcement authorities as well as the Financial Supervisory Authority and other Finnish and foreign authorities.

We will ensure that processing of personal data carried out based on our legitimate interest is proportionate to your interests.

Automated decision making and profiling

We may use your personal data for analysis and profiling so that we can create profiles of you to support the development of our services, products and concepts, as well as for marketing purposes, client and risk ratings.

We may use automated decision-making if permitted by law or with your express consent, or if necessary for the performance of an agreement. You can always request a manual decision-making procedure instead of an automated one, express your opinion or challenge a decision based solely on automated processing, such as profiling, if that decision entails legal effects for you or otherwise has an equivalent significant effect on you. Please contact asiakaspalvelu@alisapankki.fi for further information about the logic involved with the processing as well as the significance and possible consequences of such processing.

Categories of data subjects

Persons who have/have had:

• A client relationship with us or who have submitted an application to enter into such a relationship with us.
• A client relationship -based interest, obligation or other right in a contract, service or transaction, such as possible beneficiaries or persons acting by proxy (person authorised to use the account, trustees, beneficial owners, persons authorized within a company, guarantor, pledgor or other).
• Persons who have otherwise contacted us (for example, through our website).
• Persons, whose personal data we have a statutory obligation to process.

Contents of the register

The data we collect can be categorized as follows:

A. Basic data, for example:

• Identification data (client ID, personal identity code or date of birth, name, nationalities, taxation countries, language, fiscal residence) and a copy of an identification document (for example passport or driver’s license).
• Contact data (addresses, telephone numbers, email addresses, contact persons and their identification details).
• Entry stating whether you are employed by Alisa Bank.

B. Data required by the industry regulation such as, for example, information for purposes of combatting money laundering and terrorist financing and information relating to customer due diligence (i.a. KYC).

C. Client classification data, for example:

• Information relating to the commencement of the client relationship.
• Type of contract.
• Contact person.
• Client history.
• Information on the corporate entity you represent.
• Information on payment defaults, credit ratings and information on assets and debts.

D. Client business data:

• Identifiers, identification method and identification date.
• Bank contact data (contra accounts).
• Accounts, portfolios, loans (basic data and control data).
• Control data for reporting and client communications.
• Collateral and pledge related data.
• Price lists.
• Contracts and applications.
• Permission to electronic data exchange with normal email, client contact and thereto related information.
• Service language.
• Client complaints.

E. Marketing data:

• Consent/prohibition for direct marketing.
• Information given by yourself (areas of interest for direct marketing).
• Marketing measures targeted at you.
• Data relating to the use of electronic services (for example cookies).
• Event invitations and thereto related data.
• Data relating to communication with you (for example email).
• Profiling information.

F. Personal data related to institutional clients:

• Identification data (name, address, telephone number, email).
• Position within the corporation represented by you.
• Employment and occupational data.
• Services offered or description of collaboration.
• Project schedules.

The list is illustrative and non-exhaustive. The information collected may vary depending on the purpose of use and applicable category of data subjects. The information collected is limited to what is necessary in relation to the purposes for which it is processed.

Regular sources of data

Data is primarily obtained directly from you or from your representative, from public registers kept by the authorities, from sanctions list (EU and UN sanctions list as well as from lists maintained by national organizations such as the Office of Foreign Assets Control (OFAC), from credit information registers and from other commercial information providers (for example information on beneficial owners and politically exposed persons).

We also collect payment order related data from other banks, payment service providers and other corresponding parties as well as from such other entities within the group with which we collaborate.

Data is also formed in connection with performing the services used by you. With your consent, data can also be obtained from other parties, such as your asset manager or employer.

Data recipients or group of recipients

To the extent allowed by the GDPR and other applicable legislation we may disclose data to other entities within our group as well as to our partners.

We may also use third party service providers. The service providers we use may process data on our behalf and on our instructions and only to the extent necessary to provide the service in question. These service providers are processors in accordance with the GDPR, with whom we have entered into GDPR-compliant data processing agreements.

In certain situations, we also provide information to authorities for them to be able to carry out their statutory duties.

Transfer of data outside of the EU or the EEA

As a rule, data is not transferred outside of the EU or the EEA.

If the purpose of the processing of personal data or the technical implementation of the processing so requires, personal data may be transferred outside the EU and the EEA. In this case, we (and the service providers we use) will comply with the requirements of the GDPR and the primary transfer tool used are the standard contractual clauses of the European Commission, provided that the European Commission has not adopted an adequacy decision for the receiving third country.

Principles of register security

Protecting your privacy is important to us and responsible processing of your personal data is an essential part of our business. We have appropriate technical, organizational and security procedures in place to protect all information in our possession from loss, misuse, unauthorized use, disclosure, alteration and destruction. We also set similar requirements for our partners.

Your rights

To the extent permitted by the GDPR you have the following rights:

• Right of access: You have the right to access the personal data we hold about you. Some of the information we hold about you is already visible in the online services provided by us. However, the right of access may be restricted due to legal requirements.
• Right to require your personal data to be rectified: If your personal data is incorrect or incomplete you have the right to request that the data is corrected, unless restricted by law.
• Right to request erasure of personal data: You have the right to have your personal data erased, for example, if you withdraw your consent to the processing of your data or object to the processing and there are no other justified reasons for further processing, or the processing of your data is unlawful. However, we may be required by law to retain your personal data during the client relationship and after such relationship has ended.
• Right to request restriction of processing: You may request us to restrict the processing of your personal data, for example, if you believe that your personal data is incorrect, there is no legal basis for processing or if you have objected to the processing of your data (see below). For example, processing may be limited only to the retention of your personal data.
• Right to object: You have the right to object to the processing of your personal data based on our legitimate interests. In this case, however, we may continue the processing if, for example, we have a compelling legitimate interest to the processing which overrides your interests. You can always object to direct marketing and related profiling.
• Right to request personal data be transmitted from one system to another: You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means, on the basis consent or for the purposes of fulfilling a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us.
• Right to withdraw consent: If the processing of your personal data is based solely on consent and not on, for example, a client relationship or similar relationship, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data prior to the withdrawal.

Requests to exercise the above rights should be made to the following address: asiakaspalvelu@alisapankki.fi.

Data retention period

As a general rule, personal data will be processed for as long as necessary for the purposes of carrying out the processing as described in this policy.

Your data will at least be stored for the duration of the client relationship. In most cases, we have an obligation to retain your data also after the client relationship, taking into account statutory retention periods (such as retention periods deriving from the Money Laundering Act (5 years) and Accounting Act (10 years)).

If your application or our contact with you does not result in a client relationship, or if you choose not to withdraw the loan offered to you in the loan offer, we will retain your personal data for 24 months from the last contact, submission of your application or submission of our loan offer.

We may process your personal data for a further 24 months from the end of the client relationship for marketing purposes.

We will delete retained personal data when the legal basis for the processing of the data has ceased to exist.

Complaint

If you believe that we process your personal data in breach of applicable data protection legislation you have the right to lodge a complaint with the Office of the Data Protection Ombudsman. The contact details of the Office of the Data Protection Ombudsman are:

Address: Lintulahdenkuja 4, 00530 Helsinki
Phone number: 029 566 6700
email: tietosuoja@om.fi

Obligation to provide us with personal data

If you do not provide all of the requested personal data we may not be able to establish, maintain and develop a client relationship with you or the legal entity you represent or communicate about our services with you.

This policy

We reserve the right to amend and to update this privacy policy. An up-to-date version of the policy is always found on our website www.alisapankki.fi/yleiset/henkilotiedot.

To the extent any discrepancies between this English version and the Finnish version policy exist, the Finnish version will prevail.

General – to whom this privacy policy applies

Alisa Bank Plc and the entities belonging to the same group (“Alisa Bank” or “we”) are committed to protecting the rights of individuals and keeping your personal data safe in accordance with the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and other laws applicable to and binding upon Alisa Bank.

Alisa Bank processes personal data for many different reasons and this privacy policy describes how Alisa Bank collects, uses, retains and protects your personal data. In this privacy policy “data subject” or “you” means external or internal job or internship applicants.

Controller

Alisa Bank Plc
Address: Pursimiehenkatu 4 A, 00150 Helsinki
Email: rekrytointi@alisapankki.fi

Contact person for matters concerning the register

Responsible for customer register: HR

Purpose of the processing of personal data and lawful basis

We mainly process your personal data so that we can complete the recruitment process, negotiate an employment contract and, where possible, inform you of vacancies. The purpose of the processing and the legal basis are detailed below:

• Processing your application. Lawful basis: your consent.
• A recruitment process that has not started based on your application: Lawful basis: our legitimate interest to contact you and consider you for a job task.
• Personality and aptitude assessments. Lawful basis: your consent.
• Informing of job tasks/positions. Lawful basis: we will also process your personal data with your consent for a period of six months from the end of the recruitment process so that we can, to the extent possible, inform you about job openings.
• Negotiating an employment contract. Lawful basis: the performance of a contract or the taking of steps prior to entering into such a contract.

We will ensure that processing of personal data carried out based on our legitimate interest is proportionate to your interests.

Categories of data subjects

Alisa Bank external and internal job and internship applicants.

Contents of the register

We process the following personal data:

• Basic data such as name, address, email and telephone number.
• Competency information such as education, job description, skills and work history.
• Job applications and their appendices (i.a. curriculum vitae, study register).
• Other information provided by you such as language and IT skills, salary expectation, period of notice, areas of interest and contact information of recommender.
• Information related to the interview and the progress of the recruitment process.
• Other relevant information for recruitment, such as personality and aptitude assessments, social media public professional profiles.

Regular sources of data

Personal data is collected directly from you in connection with recruitment.

Data recipients or group of recipients

Your personal data will not be disclosed to third parties.

However, we may use external recruitment service providers or services to conduct personality and aptitude assessments. These service providers process data on our behalf and on our instructions and only to the extent necessary to provide the service in question. These service providers are processors in accordance with the GDPR, with whom we have entered into GDPR-compliant data processing agreements.

We may also disclose personal data, for example, to authorities to the extent permitted and required by applicable law.

Transfer of data outside of the EU or the EEA

Data is not transferred outside of the EU or the EEA.

Principles of register security

Protecting your privacy is important to us and responsible processing of your personal data is an essential part of our business. We have appropriate technical, organizational and security procedures in place to protect all information in our possession from loss, misuse, unauthorized use, disclosure, alteration and destruction. We also set similar requirements for our partners.

Your rights

To the extent permitted by the GDPR you have the following rights:

• Right of access: You have the right to access the personal data we hold about you. However, the right of access may be restricted due to legal requirements.
• Right to require your personal data to be rectified: If your personal data is incorrect or incomplete you have the right to request that the data is corrected, unless restricted by law.
• Right to request erasure of personal data: You have the right to have your personal data erased, for example, if you withdraw your consent to the processing of your data or object to the processing and there are no other justified reasons for further processing, or the processing of your data is unlawful. However, we may be required by law to retain your personal data during the employment relationship and after such relationship has ended.
• Right to request restriction of processing: You may request us to restrict the processing of your personal data, for example, if you believe that your personal data is incorrect, there is no legal basis for processing or if you have objected to the processing of your data (see below). For example, processing may be limited only to the retention of your personal data.
• Right to object: You have the right to object to the processing of your personal data based on our legitimate interests. In this case, however, we may continue the processing if, for example, we have a compelling legitimate interest to the processing which overrides your interests. You can always object to direct marketing and related profiling.
• Right to request personal data be transmitted from one system to another: You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means, on the basis consent or for the purposes of fulfilling a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us.
• Right to withdraw consent: If the processing of your personal data is based solely on consent and not on, for example, a customer relationship or similar relationship, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data prior to the withdrawal.

Requests to exercise the above rights should be made to the following address: HR@alisapankki.fi

Data retention period

Your personal data will be processed for as long as necessary for the purposes of carrying out the processing as described in this policy.

Your personal data will be kept for a period of two years from the end of the recruitment process in case any legal claims should arise within this period. We will delete retained personal data when the legal basis for the processing of the data has ceased to exist.

Complaint

If you believe that we process your personal data in breach of applicable data protection legislation you have the right to lodge a complaint with the Office of the Data Protection Ombudsman. The contact details of the Office of the Data Protection Ombudsman are:

Address: Lintulahdenkuja 4, 00530 Helsinki
Phone number: 029 566 6700
email: tietosuoja@om.fi

Obligation to provide us with personal data

If you do not provide all of the requested personal data we may not be able to take you into account in our recruitment process.

This policy

We reserve the right to amend and to update this privacy policy. An up-to-date version of the policy is always found on our website.

To the extent any discrepancies between this English version and the Finnish version policy exist, the Finnish version will prevail.

General – to whom this privacy policy applies

Alisa Bank Plc and the entities belonging to the same group (“Alisa Bank” or “we”) are committed to protecting the rights of individuals and keeping your personal data safe in accordance with the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and other laws applicable to and binding upon Alisa Bank.

In this privacy policy “data subject” or “you” means Alisa Bank shareholder, shareholder representative or assistant.

Controller

Alisa Bank Plc
Address: Pursimiehenkatu 4 A, 00150 Helsinki
Phone number: 0203 80101
Email: asiakaspalvelu@alisapankki.fi

Contact person for matters concerning the register

Data Protection Officer

Purpose of the processing of personal data and lawful basis

In connection with the registration for the General Meeting, we collect and process your personal data to verify the identity of the persons registered for Alisa Bank's General Meeting and that the person is entitled to participate in the General Meeting, to enable the shareholders to exercise their legal rights and to perform other activities related to the organization and holding of the General Meeting

The purpose of the processing of the personal data is also to draw up the list of participants of the General Meeting, the list of votes and to arrange possible voting. The list of votes, which is based on the General Meeting register, is appended to the minutes of the General Meeting. Said voting list includes the name of the shareholder or of any representative, the number of shares and votes.

The processing of personal data is based on our statutory obligations as set forth in the Finnish Companies Act (624/2006).

The technical provider of the registration service for the General Meeting may be a third part such as Euroclear Finland Ltd.

Categories of data subjects

Alisa Bank shareholder, shareholder representative or assistant registered for General Meeting.

Contents of the register

We process the following personal data:

• Contact information (addresses, telephone numbers, email addresses and contact persons).
• Identification data (personal identity code or date of birth and name).
• Information on possible proxies.
• Number of shares and votes.
• Account information (book-entry account number).

Regular data sources

The personal data is collected mainly in connection with the registration for the General Meeting directly from you. Based on the information provided in connection with the registration, Alisa Bank compares the information provided with the shareholder list of Alisa Bank maintained by Euroclear Finland Ltd and extracts the registered person’s information from the shareholder register.

Data recipients or group of recipients

As a rule, personal data is not disclosed to third parties.

We may, however, use third party service providers for example if the technical implementation of the processing so requires. The service providers we use may process data on our behalf and on our instructions and only to the extent necessary to provide the service in question. These service providers are processors in accordance with the GDPR, with whom we have entered into GDPR-compliant data processing agreements.

We may also disclose personal data to, for example, authorities, to the extent permitted and required by applicable law.

Transfer of data outside of the EU or the EEA

Data is not transferred outside of the EU or the EEA.

Principles of register security

Protecting your privacy is important to us and responsible processing of your personal data is an essential part of our business. We have appropriate technical, organizational and security procedures in place to protect all information in our possession from loss, misuse, unauthorized use, disclosure, alteration and destruction. We also set similar requirements for our partners.

A third party, such as Euroclear Finland Ltd, may be responsible for the technical maintenance of the electronic register and the registration and advance voting system. In this case, the communication connection from the user's browser to the third-party server is SSL-encrypted.

Your rights

To the extent permitted by the GDPR you have the following rights:

• Right of access: You have the right to access the personal data we hold about you. However, the right of access may be restricted due to legal requirements.
• Right to require your personal data to be rectified: If your personal data is incorrect or incomplete you have the right to request that the data is corrected, unless restricted by law.
• Right to request erasure of personal data: You have the right to have your personal data erased, for example, if you object to the processing and there are no other justified reasons for further processing, or the processing of your data is unlawful. However, we may be required by law to retain your personal data despite of your request to have it deleted.
• Right to request restriction of processing: You may request us to restrict the processing of your personal data, for example, if you believe that your personal data is incorrect or if there is no legal basis for processing. For example, processing may be limited only to the retention of your personal data.

Requests to exercise the above rights should be made to the following address: asiakaspalvelu@alisapankki.fi.

Data retention period

Personal data will be processed for as long as necessary for the purposes of carrying out the processing as described in this policy or in accordance with retention periods set forth by law.

Personal data entered in or appended to the minutes of the General Meeting shall be retained as set forth in the Companies Act (624/2006) as part of the minutes of the General Meeting at least for the duration of the company's operations and after the operations have ceased, at least for a period equivalent to the retention period for accounting records.

Other personal data will be deleted from the register when they are no longer necessary for the preparation of the minutes and the three-month appeal period under the Companies Act (624/2006) to challenge the decision of the General Meeting has expired.

Complaint

If you believe that we process your personal data in breach of applicable data protection legislation you have the right to lodge a complaint with the Office of the Data Protection Ombudsman. The contact details of the Office of the Data Protection Ombudsman are:

Address: Lintulahdenkuja 4, 00530 Helsinki
Phone number: 029 566 6700
email: tietosuoja@om.fi

Obligation to provide us with personal data

The provision of personal data as described in this privacy policy is necessary in order for us to be able to fulfil our statutory obligations. If you do not provide us with your personal data in accordance with this privacy policy, we will not be able to process your registration and you will not be able to attend the General Meeting.

This policy

We reserve the right to amend and to update this privacy policy. An up-to-date version of the policy is always found on our website.

To the extent any discrepancies between this English version and the Finnish version policy exist, the Finnish version will prevail.