Data protection policy

1. Personal data controller

Forefront Oy
Business ID: 2242273-0
Mikonkatu 13 A
00100 Helsinki, Finland
info@4front.fi

2. Contact person

Contact information in matters related to personal data files:

Hanna Koskela, Forefront Oy
0400 745605
hanna.koskela(at)4front.fi

3. Purposes of processing of personal data and legal ground for the processing

Processing of personal data at 4FRONT relates to providing our services (based on an existing customer relationship) as well as marketing our services to potential clients.

The primary basis for the processing of personal data is the client relationship between 4FRONT and the customer, as well as the assignment based on this relationship. 4FRONT processes personal data to the extent necessary for the implementation of the assignment.

The content of the personal data varies depending on the specific assignment. Assignment-specific compilations resembling registers may include contact information for individuals such as interviewees, survey participants, workshop and event attendees, and other individuals supporting the information-gathering process for the assignment.

The personal and contact information used in assignments is primarily obtained from the client. In addition to the information provided by the client, individuals may independently provide their personal data to 4FRONT, for example, through survey responses or event registrations.

In addition, we utilise personal data (mainly contact information) to market our services. We keep records of our clients’ and potential clients’ details in order to market and provide more information about our services. We may also obtain personal data from publicly available sources, such as websites and LinkedIn.

4. Personal data recorded in the register

Personal data processed in our assignments as well as in our marketing activities contains, in principle, the following contact information:

  • Name
  • Organisation
  • E-mail
  • Phone number

5. Data security

We implement the following technical and organizational measures to protect personal data from unauthorized access, loss, or misuse:

  • Technical security measures:
    1. Access to data is restricted to authorized personnel through user-specific credentials, passwords, and access controls.
    2. We use encryption to protect personal data during storage and transmission.
    3. Firewalls, intrusion detection systems, and antivirus software are in place to prevent security threats.
    4. Our systems, software, and security patches are regularly updated to mitigate vulnerabilities.
  • Physical security measures:
    1. Servers and storage facilities are housed in secure, access-controlled environments.
    2. Physical documents containing personal data are stored securely and disposed of in accordance with data retention policies.
    3. Security monitoring and logging are in place to detect unauthorized access.
  • Data retention and backup procedures:
    1. Personal data is retained only for as long as necessary to fulfill the specified purposes.
    2. We conduct regular data backups and ensure secure storage to prevent data loss.
    3. When data is no longer required, it is securely deleted or anonymized in accordance with our retention policies (e.g. after one year when the assignment has ended).
  • Organizational and administrative security measures:
    • Data access is granted only to individuals who require it for their tasks, following the principle of least privilege.
    • Third-party service providers processing personal data on our behalf must comply with equivalent security standards.
    • Security practices are routinely checked and updated.

6. The data subject’s rights

The registered person (the data subject) has the right to know for what purposes and by which methods we process their personal data.

The data subject has the following rights:

  • Right to access data: The data subject may check the data we have recorded.
  • Right to rectification: The data subject may request the rectification of inaccurate or incomplete personal data.
  • Right to object: The data subject may object to the processing of personal data if the data subject feels that personal data has been processed unlawfully.
  • Right to forbid direct marketing: The data subject has the right to forbid the use of personal data for direct marketing.
  • Right to deletion: The data subject has the right to request the deletion of data if personal data processing is not necessary.
  • Withdrawing consent: If the processing of personal data is only based on the data subject’s consent and not for instance on a customer relationship or membership, the data subject may withdraw consent.
  • Right to complain: The data subject has the right to complain to the Data Protection Supervisor if the data subject feels that we are violating the effective data protection regulation when processing personal data. The contact information of the Data Protection Ombudsman: https://tietosuoja.fi/en/home

Requests concerning the data subject’s rights can be sent by email to the register’s contact person.

7. Data processors, disclosures and data sharing

Personal data is processed by those 4FRONT employees who work in the specific assignment or who are eligible in the company’s marketing activities.

The provided or independently submitted personal data is not shared with third parties.

Documents resembling registers and containing personal data are collectively deleted one (1) year after the conclusion of the respective assignment. 4FRONT Oy does not transfer or process personal data outside the EU or EEA.

8. Cookies

We do not use third-party cookies on our website.

9. Retention periods

The retention periods are based on the purpose (e.g. the client assignment) and the applicable legislation.

By regularly reviewing the personal data collected (e.g., the contact information), we ensure that the data is up to date and is not retained longer than needed or required by the relevant laws.

In general, we retain personal data collected/utilised in the assignments for one year after the termination of the service agreement unless other retention times are defined in the contract agreement.

10. Automatic decision-making and profiling

We are not using the data for automatic decision-making or profiling.