Privacy Policy for Clients

This is the data protection policy of H&A Team Ltd., regarding data concerning the contact persons of our clients. We will update this policy as needed and will inform our clients of it if the changes affect the content significantly. We will not inform you of minor changes that do not change the actual content of this policy (e.g. corrections in spelling and grammar).

This is a translation of the Data Protection Policy originally written in Finnish. In case of any differences in content, the Finnish document prevails.


2.5.2023: Contact details of register controller’s contact person, clarification of legitimate interest.
19.5.2023: Information regarding newsletter.

Register controller

H&A Team Ltd. (1780124-2)
Vernissakatu 8 A, 01300 Vantaa

Contact person in register-related matters

In charge of data protection matters

1. Register name

Customer contacts of H&A Team Ltd.

2. What personal data do we collect?

We collect the following data concerning the contact persons of both our existing and potential client businesses and organizations:

  • Name, phone number, work email address, position, and possible information regarding reachability.
  • Message history related to maintaining the customer relationship and customer contacts.
  • Possible other information considered necessary in creating or maintaining a customer relationship.

3. Why do we process personal data?

Clients: We process data on the basis of a contract. The collected information is used in creating and maintaining customer relations, keeping in touch with our clients, processing feedback and providing service.

We keep a list of our clients’ email addresses for the purpose of sending them newsletters containing customer communications. The basis for this kind of processing is our legitimate interest based on the existing client relationship between us and the client.

Potential clients: We process data for the purpose of communicating with our potential clients and making an offer. The legal basis is the company’s legitimate interest of maintaining its business activities. The basis for processing information given on contact forms is consent.

The data collected will not be used in automated decision-making or profiling.

4. How do we obtain information?

We receive all information about our clients or potential clients directly from the person themself, from another contact person of the same company, or through a tender service. The information may be given either orally or in written form.

We may also contact potential clients ourselves via phone, if we believe that the services we provide could be of benefit to them. We do not utilize any marketing registers but use contact information published e.g. on the internet.

5. How do we store data?

The information is stored mainly in our client register that is in an electronic form, and possibly in phone contact lists. If the contact person changes, the details that are out of date will be deleted immediately. In case of the customer relationship ending, we retain the information concerning contact persons for three months after the contract has ended. Fulfilling our legal obligations may require us to store some data for a longer period of time, in which case the retention period will be determined in accordance with these obligations. Such obligations are e.g. accounting obligations.

Email correspondence is stored for six months after the end of the contract, unless we have a legitimate reason to store it for a longer period of time.

The newsletter email list is updated every three months and always before sending a newsletter.

Contact form: The information given through a contact form is stored for as long as it takes to process and to respond to the contact request, up to a maximum of three months.

6. Who processes personal data?

Only those administrative workers of H&A Team who have a valid reason to process such personal information will be given access to the data. Access is restricted by giving the access rights and passwords only to those to whom they belong. We have trained our office workers in complying with the data protection plan, and they have signed a non-disclosure agreement.

7. Will personal data be disclosed to third parties?

If a company has agreed to act as a referee in a tender, the contact details of the contact person may be disclosed to the party requesting the tender. We always ask for the permission of the contact person beforehand.

We may disclose the contact details of a contact person to our supplier if the information is needed in delivering the supplies. We will ask for the permission of the contact person beforehand.

We may use WhatsApp groups in our customer communications if this has been agreed on together. In this case, the group members’ phone numbers as well as all the other information they may have made public in their profile are visible to the other members of the group.

Transferring data outside of the EU/EEA

  • Data may be transferred to processors located outside of the EEA, such as a cloud service provider. In such cases we make sure that the processor is committed to guaranteeing an adequate level of data protection through, e.g., Standard Contractual Clauses (SCCs).

8. What kind of rights do you have as a data subject?

The GDPR provides you with the following rights:

Access to your data

  • You may have a copy of the personal data we hold about you.

Update and rectify your data

  • If you find inaccuracies in the data we process, you can ask us to rectify them. Incomplete data can also be completed.

Remove your data

  • You may ask us to remove your data, for example if you withdraw the consent you have given. Please note that this may affect the extent to which we will be able to serve you.

Restrict processing of your data

  • In some cases, you may request restriction of processing your data, after which your data can only be stored and processed with your consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of a natural or legal person, or for reasons of important public interest of the EU or a Member State.

Object to processing of your data

  • You may always request that your data is not used for direct marketing purposes or to send a newsletter.

Transfer your data to another controller

  • When the processing is based on your consent or a contract, you may ask us to transmit the data you have supplied to us to another controller of your choosing, in a structured, commonly used and machine-readable format.

If you would like to exercise your right to update and rectify your data, please send your written request to If you would like to exercise your other rights, send your request to We will respond within a month from receiving your request, a period specified in the GDPR. We may ask you to provide more information in order to be able to confirm your identity. If we refuse your request, we will let you know the reason for our refusal.

You also have the right to lodge a complaint with the supervisory authority if you feel we do not comply with the data protection legislation. Further information is provided by the Office of the Data Protection Ombudsman.

9. What happens in case of a data breach?

A personal data breach means an event leading to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.

If a data breach occurs, we will inform you personally if it is likely that the breach will pose a high risk to your rights and freedoms.

We will inform the supervisory authority within 72 hours from noticing the data breach, if it is likely that the breach will pose a risk to the rights and freedoms of a natural person.