Processing of personal data at Evli

Data is obtained from the data subject and third parties, such as from public registers kept by the authorities, and credit information registers. With the client’s consent, data can also be obtained from another party, such as an asset manager, or employer. Personal data may also be collected from an entity on whose behalf towards Evli the data subject acts, for example, from public information of the company, such as registers kept by third parties, or other public sources. Obligation of secrecy restricts the disclosure of data held by the Evli Group to third parties, apart from with the consent of the person to whom the data pertains, or in cases required by the law, for example, to the authorities.

Examples of data sources of third parties:

• registers held by public authorities (population registers, tax administration registers, and other registers, for example)
• economic sanctions and sanctions lists (for example, registers held by international organizations, such as registers of the European Union, and the United Nations, as well as national registers, such as lists held by the Office of Foreign Assets Control (OFAC), and lists of the Finnish National Bureau of Investigation)
• other companies and cooperation companies of the Evli Group other publicly available sources.

The purpose of the processing of personal data is stated in more detail in the separate data protection notices at the bottom of this page.

The legal basis for the processing of personal data depends on for which purposes they are processed at Evli. In addition, Evli processes client data depending on the products or services the client decides to start using. The processing of personal data is based on a basis set down in the law, and here we describe the bases Evli complies with when we process personal data. Activities mentioned below the examples may belong to more than one basis for processing on a case-by-case basis.

Agreement 

Evli collects personal data before preparing or drafting an agreement, or executing an order. Evli processes data in order to document and fulfill its obligation towards the client, and to offer specific products and services to the client, as well as to implement agreements.

Examples of processing activities in which Evli complies with this basis for processing:

• investigating a client’s background information for providing investment advice, as well as for offering services and products
• administering and monitoring of orders, events, payments, charges, transfers, and withdrawals
• actions against Evli’s terms of use and monitoring thereof, as well as addressing misconducts
• administering credits, and loans granted
• investigating financial information to open accounts
• verifying and identifying a client’s identity to offer a digital online service for the client
• cooperation with third parties to fulfill contractual obligations.

Legal obligation

Different laws, regulations, and decisions by authorities obligate to comply with a particular procedure and therefore process the personal data of our clients.

Examples of processing activities in which Evli complies with this basis for processing:

• Know your customer (KYC)
• preventing money laundering and terrorist financing
• sanctions screening
• credit information check
• client classification in accordance with the securities market regulation
• client’s suitability, and appropriateness evaluation
• reporting to the authorities (tax authorities, the police, executing authorities, and supervisory authorities, for example)
• risk management obligations
• bookkeeping activities
• service-specific and product-specific legislation (regulation and reporting concerning securities, funds, and other instruments)
• handling and monitoring of client complaints
• as of April 1, 2024, an obligation to utilize information from the Positive credit register, maintained by the Tax Administration, to assess a private person’s creditworthiness.

Consent

Evli request a separate consent for processing of personal data from the client in cases where electronic direct marketing is not based on a legitimate interest. In such cases, the request includes the purpose for data processing, the type of personal data, and the right to withdraw the consent. The consent may be withdrawn at any time after it has been given.

Examples of processing activities in which Evli complies with this basis for processing:

• processing of special categories of personal data, for example, dietary information collected for events
• various voluntary surveys, competitions, and draws as part of brand surveys, for example
• cookies, and corresponding technology.

Legitimate interest

If needed, Evli may exercise legitimate interest provided that the client’s fundamental rights and freedoms do not contradict such interests.

Examples of processing activities in which Evli complies with this basis for processing:

• management of a client relationship and client communication
• various analyses, such as marketing, client, and product analyses
• marketing actions, including targeting and planning of direct marketing, including the development of processes and business activities, as well as the testing thereof
• recording of phone calls in connection with client service
• analyses of the use of social media for the purpose of targeting marketing and communication, as well as to provide user support
• optimization of services and product offering to suit the client, and to improve our product offering
• client profiling for analyses conducted for marketing purposes
• client profiling to prevent frauds, as well as to support measures taken to prevent money laundering and terrorism
• use of anonymized data for development purpose of services and products, and in testing
• audits, such as accounting and internal audits legal claims and their handling, such as a debt recovery procedure, or establishment, exercise or defence of legal claims.

Evli stores data that is required by the client relationship at least for the duration of the client relationship. After the termination of the client relationship, the storage period depends on the data purposes, and Evli complies with its legal obligations regarding data storage.

Evli stores personal data as long as it is necessary to fullfil the purposes defined in the data protection notice, for which the personal data have been collected and processed, unless other legislation obliges to store personal data for a longer period of time. If Evli stores personal data for purposes other than executing an agreement, such as preventing money laundering and terrorist financing, accounting purposes, or complying with the capital requirements, Evli stores personal data only if the storage is necessary for such a purpose and/or legislation so requires.

There may be differences in the data storage obligations within the Evli Group, as a result of national laws of different countries. In principle, Evli stores client data for ten (10) years after the end of the client relationship to establish, exercise, and defend legal claims, collect debts or receivables, as well as to demonstrate compliance with obligations imposed by laws and regulations at the request of the authorities. The storage period of personal data, however, depends on a case-by-case basis on the purpose of processing of data. The storage period may be extended if personal data is needed for a trial, or other legal proceedings. The personal data will be erased from our systems and registers within a reasonable period when personal data are no longer needed. Upon request, Evli will provide more detailed information.

Examples of storage periods Evli complies with:

• material concerning client agreements will be stored for ten (10) years after the end of the client relationship, due to legal and contractual obligations and responsibilities, unless otherwise provided by the law
• client’s identification information under the legislation on preventing money laundering and terrorist financing will be stored, in principle, for five (5) years after the end of the client relationship
• personal data of a representative of an entity will be stored as long as the data subject acts as the representative of the entity towards Evli. We will erase the personal data within a reasonable time after the role in question has terminated or the entity has announced a new representative, provided that personal data is not related to agreements or agreement materials, or unless personal data is required to be stored to comply with legal obligations.
• for electronic direct marketing, we will store necessary personal data for the time being, unless the recipient withdraws their consent given to electronic direct marketing, or prohibits electronic direct marketing
• personal data related to events (trainings, and client events) will be stored, in principle, for one (1) year after the end of such event, unless personal data will be utilized in a later event or marketing. Dietary information will be erased one (1) month after the event.
• until the close of a voluntary survey, competition, or draw, as well as possible audio or video recordings for exposure and publicity will be processed for five (5) years at the most.
• consents and prohibitions given to the processing of personal data will be stored throughout their validity, in most cases for the time being

Evli is legally entitled to disclose personal data, to the extent permitted by legal obligations, in order to offer services and products, and to comply with a contractual relationship. 

Evli has the right to disclose personal data to other Evli Group companies that are bound by the same obligation of secrecy as Evli Plc. The data may be used for managing client relationships, risk management, and direct marketing, for example. Information on the Evli Group companies (the list is not exhaustive). In addition, in accordance with the law, Evli discloses personal data to the authorities, for example, to the Financial Supervisory Authority, Tax Administration, the police, and enforcement authorities.  

Evli may also disclose personal data to other third parties, to the extent permitted by the Personal Data Act, to offer services and products, and to comply with the contractual relationship. Such cases are, for example, identification solutions and data transfer between different parties, such as central banks, cooperation banks, bank transfer recipients, and clearing houses. Moreover, Evli has concluded cooperation agreements with, for example, third party service providers and suppliers concerning support services for software development, maintenance, server, and IT.

In general, Evli Plc processes personal data within the European Economic Area (“EEA”), but data can also be processed in third countries outside the EEA. When data is transferred out of the European Union or the European Economic Area, Evli Plc will ensure an adequate level of protection of personal data by agreeing with issues concerning the processing of personal data in accordance with the data protection legislation. In addition, where applicable, we use standard contractual clauses approved by the European Commission, and take into account the EU-U.S. Data Privacy Framework, for example, as well as other possible additional security mechanisms. We will provide further information upon request.

Evli has appropriate administrative, technical, and organizational security measures in place. With these measures, we will secure data held by Evli in order to, for example, prevent unauthorized use, destruction, and loss of data.

The data subject has rights in accordance with the data protection legislation in force. The more detailed application of rights depends on the processing purpose and situation of personal data on a case-by-case basis. The data subject cannot exercise all rights in all situations. It depends, for example, on what basis personal data are processed. The request concerning the data subject’s rights can be delivered to Evli by post or email. 

To exercise your rights for measures mentioned in this notice, please contact: 

1. Evli Plc, postal address of the Investor Service: Evli Plc c/o Investor Service P.O. Box 1081, 00101 Helsinki, Finland.

2. Evli Plc, email address of the Investor Service: info@evli.com

3. Evli Plc, client service number of the Investor Service: +358 9 4766 9701.

Furthermore, we remind you that the data subject has the right to lodge a complaint with the competent data protection supervisory authority if the data subject considers that their personal data has been processed in violation of legislation. We recommend, however, directly contacting Evli first to clarify the issue related to the processing of personal data.

Based on the rights of the data subject, in accordance with the data protection legislation, the subject has the following rights:

The right to obtain information on the processing of their personal data, as well as to obtain access to such personal data:

The data subject has the right to be informed of the collection and processing of their personal data at Evli. The data subject has the right to receive confirmation on whether or not their data are processed at Evli, and if data is being processed, the right to access data and obtain a copy of the data undergoing processing. In addition, Evli’s clients can independently verify and retrieve their data directly from the My Evli online service. Data and consents that have been collected from clients and potential clients for direct marketing purposes may be reviewed and managed as a self-service 

Right to rectification and erasure of personal data:

If the data subject’s personal data are processed at Evli, the data subject has the right to obtain the rectification of inaccurate data. The data subject also has the right, on a case-by-case basis in situations described in more detail in the data protection legislation, to request the erasure of their data (the right to be forgotten). Legal obligations may, however, prevent the execution of the data erasure request.

Right to restriction of processing:

In certain cases, in accordance with the data protection legislation, the data subject has the right to request the restriction of processing of their personal data. If the personal data suspected to be inaccurate or contested cannot be rectified or erased, or there is other confusion in the request for erasure, the processing will be restricted for a period enabling Evli to verify the accuracy of the data.

Right to personal data portability:

In certain cases, in accordance with the data protection legislation, the data subject has the right to request that their data is transmitted to another controller. Such right concerns personal data provided to the controller in a structured, commonly used, and machine-readable format, and whose processing is based on the data subject’s consent or an agreement where the processing is carried out by automated means. The data subject has the right to have the data transmitted directly from one controller to another, where technically feasible.

Right to object processing:

In accordance with the data protection legislation, the data subject has the right to object the processing and profiling of personal data based on legitimate interests. Evli may refuse the data subject’s request if the processing is necessary to pursue compelling legitimate interests of Evli or a third party. Despite this, the data subject always has the right to object the processing of their personal data for direct marketing purposes and profiling related to direct marketing.

Right to withdraw consent:

In situations where the processing of the data subject’s personal data is based on the consent given by the data subject, the data subject has the right to withdraw their consent at any time and free of charge. The withdrawal does not have an impact on the processing of personal data before the withdrawal. In addition, the data subject has the right to withdraw their consent for electronic direct marketing, for example, prohibit the sending of newsletters or electronic direct marketing. On the direct marketing register, the data subject themselves erases and manages their data. The prohibition of direct marketing will be entered in the client register following the client’s notification. More information on Direct Marketing

Right not to be subject to automated decision-making:

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Evli does not make substantial decisions regarding the data subject based solely on automated data processing and profiling without the data subject’s explicit consent, authorization under applicable legislation, or when automated decision-making is necessary for concluding or executing an agreement. The existence of automated decision-making is notified in connection with the service, and it is always possible to lodge a complaint of the decisions.

Evli complies with the data protection legislation in force and has appointed a Data Protection Officer. The general task of the Data Protection Officer is to monitor that the data protection legislation in force will be complied with at Evli. 

The contact details of the Data Protection Officer of Evli Plc:
Data Protection Officer, tietosuoja@evli.com
Evli Plc c/o Data Protection Officer, P.O. Box 1081, 00101 Helsinki, Finland.

The data subject has the right to lodge a complaint with appropriate data protection supervisory authority. In Finland, the office of the Data Protection Ombudsman carries out supervision in accordance with the data protection legislation. The Data Protection Ombudsman controls, supervises, and provides advice on the processing of personal data. 

Contact information of the Data Protection Ombudsman of Finland:
The office of the Data Protection Ombudsman, P.O. Box 800, 00521 Helsinki, Finland

Evli processes different kinds of personal data depending on the products or services the client uses. Categories of personal data and data contents are specified in the separate data protection notices at the bottom of this page. 

Evli records phone calls and online meetings in order to, for example, document client requests, ensure security, receive and confirm orders and other actions, and curb and prevent criminal activities, as well as to comply with other legal requirements. In some cases, as allowed by legal requirements, recordings may also be used for training personnel, controlling quality, and developing processes.

In Evli’s premises, branches have surveillance cameras for security reasons and to prevent crime. At our branches, areas with camera surveillance are marked with signs. We perform camera surveillance as part of our security system. Recorded material may be shared with the authorities if provision is necessary for criminal investigation.

Evli processes the following categories of personal data, for example: 

Identification data:
For example, a client’s basic information, such as their first name and surname, date of birth, social security number, nationality, electronic identification data, or identification document details. Voice and video recordings of possible contacts.

Contact information:
For example, a client’s phone number, email address, and postal addresses.

Profile data:
For example, additional information related to client details, such as client number or ID, client classification, and information on the client’s risk profile. In addition, client data and transaction data during the client relationship, for example.

Financial data:
For example, ownership information in custody and provided by the client, balance, financial instruments, debt data, payment reminders, credit information, income information, investment targets, and risk tolerance. 

Tax data:
For example, tax domicile, and tax information number provided by the client.

Online identifiers:
For example, a client’s IP address, equipment identity and browser ID, or other specific identifier.

PEP (politically influential person):
For politically influential persons, information on their position or its termination.

Data security information:
For example, electronic system log in details, security log and audit trail data, as well as time stamps and location stamps of a possible key card, as well as numeric data.