Privacy Policy

Roihu Attorneys Ltd’s register for managing client relationships and assignments.

Published on 25 October 2023

General information

Roihu Attorneys Ltd (“Roihu”) collects and processes personal data that is necessary for the opening and management of client relationships and assignments. In processing personal data, Roihu complies with applicable data protection legislation, such as the Data Protection Act (1050/2018) and the EU General Data Protection Regulation (2016/679).

This Privacy Policy explains how and why Roihu processes personal data and what rights our clients have in relation to the processing of personal data.

Data controller and contact details

Roihu Attorneys Ltd
Business ID:     2366974-3
Postal address: Hämeenkatu 9, FI-33300 Tampere, Finland

Purposes and legal basis for processing personal data

Personal data is processed for the following purposes:

  • Managing assignments:
    Processing includes, among other things, correspondence and other communications with clients, conducting conflict of interest checks, managing invoicing and processing personal data of counterparties and counterparties’ representatives. Depending on the assignment, we may also need to process sensitive personal data such as criminal records. The legal basis for processing is the contractual relationship related to the assignment, including compliance with the law and the Code of Conduct for attorneys-at-law and other legal obligations, such as accounting legislation.
  • Obligations under money laundering legislation:
    Processing includes the identification of our clients as required by money laundering legislation. The legal basis for processing is compliance with legal obligations.
  • Customer relationship management:
    This includes the maintenance and development of customer relationships and the development of the services provided. For example, we may send newsletters, event invitations and other marketing material. The legal basis for processing is Roihu’s legitimate interest in developing customer relationships and services and acquiring new clients.
  • Website development:
    The processing includes the collection of data related to visitor traffic, such as cookies, for the purpose of developing the website and its content. The legal basis for the processing is the legitimate interest of Roihu to carry out marketing and develop its services.

Categories of personal data processed, contents and sources of data

Roihu collects and processes the following information:

  • Identification and contact information (e.g. name, date of birth, personal identification number, occupation/position, photograph, address, telephone number, e-mail address, name of client entity and business ID)
  • Client relationship information (including bank account number, billing and payment information, political influence and other information that is needed to identify and know the client, credit information and other information that identifies the client relationship)
  • Information relating to the performance of the assignment (including documents containing personal data and personal data concerning the counterparties and other involved parties).
  • Direct electronic marketing (including subscriptions, consents, and opt-outs)
  • Website visitor tracking (including IP addresses and website behaviour)
  • Other information voluntarily provided by the client (e.g. customer feedback)

The provision of identification and contact information, client relationship information and information related to the performance of the assignment is necessary to open and perform assignments. Providing information related to direct electronic marketing and website visitor tracking is voluntary.

In most cases, the data is collected directly from the client during the opening or performance of the assignment or in the context of marketing. Data may also be collected from public websites or public registers such as the Finnish Trade Register. External service providers may be used for direct electronic marketing and website visitor tracking.

Retention period of personal data

Roihu will retain personal data as long as necessary to fulfil the purposes set out in this Privacy Policy, unless accounting or other legislation or the Code of Conduct for attorneys-at-law require longer retention period or Roihu needs the personal data for legal proceedings or similar legal procedures.

As a general rule, the retention period for personal data relating to assignments is ten years from the end of the assignment or client relationship. However, the retention period and the retention criteria vary according to the categories of personal data, depending on the purpose for which a particular category of personal data is used. When there is no longer a need to process the personal data, it will be deleted within a reasonable period of time.

Processors and recipients of personal data

In principle, Roihu will not disclose personal data to third parties or outside the European Economic Area, unless required to do so by law or for the performance of the assignment.

However, Roihu may outsource some of its services to external service providers or use subcontractors, ensuring the secure and appropriate processing of personal data in accordance with applicable data protection legislation.

Principles for protection of personal data and security of processing

Roihu processes personal data in a manner that aims to ensure appropriate security and data protection in all circumstances, including protection against unauthorised processing and accidental loss, destruction or damage.

Appropriate technical and organisational safeguards are in place to protect the processing of personal data, including the use of firewalls, encryption technologies, secure facilities, appropriate access control and access management, and staff training. All parties handling personal data are bound by confidentiality obligations in relation to the processing of personal data under the Employment Contracts Act and the confidentiality clauses in their contracts.

Client’s rights

The client has the right to request information about the processing of personal data and to request verification of the data concerning the client. If the personal data are processed in the context of an assignment, the request may be refused on grounds of confidentiality.

The client has the right to request the restriction of the processing of personal data and the rectification of inaccurate or incorrect data.

Where the processing of personal data is based on Roihu’s legitimate interest, the client has the right to request the erasure of personal data or to object to the processing of personal data.

The client has the right in accordance with data protection legislation to request the transfer of his or her personal data to another controller.

The client’s requests mentioned above may be made in the course of a personal visit or submitted to Roihu in writing, such as by e-mail, using the contact details provided in this Privacy Policy. Identity will be verified before providing the information. The request for verification will be answered within a reasonable time and, where possible, within one month of the request and the verification of identity. If the request cannot be granted, the refusal will be made in writing.

The clients have the right to lodge a complaint with the Data Protection Authority ( if they believe that their personal data has been processed in breach of data protection legislation.

Changes to Privacy Policy

Roihu is constantly developing its services and may therefore need to change and update this Privacy Policy. Changes may also be based on changes in legislation. It is recommended that you consult the contents of this Privacy Policy regularly. Any changes will be posted on the Roihu website in connection with the Privacy Policy.