Contact us
Search the site

Privacy Notice for Partners and Visitors at Municipality Finance

Updated: 25.8.2025

Privacy Notice for Partners and Visitors at Municipality Finance

Read Municipality Finance’s privacy notice for partners and visitors to Municipality Finance’s premises.

Data Controller

Municipality Finance Plc (”MuniFin”)
Business ID 1701683-4

Contact details for matters related to this privacy notice

Municipality Finance Plc / Legal
legal@munifin.fi

Jaakonkatu 3 A / P.O. Box 744

FI-00101 Helsinki, Finland

Purposes of ProcessingLegal Basis
Sales and marketing activities (including
direct marketing)		The controller’s legitimate interest in
offering and marketing its products to
existing and potential partners in order to
promote its business
Fulfilling contractual obligationsThe controller’s legitimate interest in
carrying out its business activities
Maintaining partner relationships, including
organizing events		The controller’s legitimate interest in
maintaining business relationships
Fulfilling obligations based on laws and
regulatory requirements (e.g. Accounting
Act, Investment Services Act, sanctions
regulations)		Legal obligation
Information collected during visits to
MuniFin and video surveillance		The controller’s legitimate interest in
protecting its premises and ensuring the
safety of employees and visitors
Maintaining and improving the security of
information systems		The controller’s legitimate interest in
maintaining and enhancing the security of
its information systems

What Personal Data Can Be Collected?

This privacy notice applies to:

  • Contact persons of banks and investment service companies acting as counterparties in funding and investment activities.
  • Contact persons, beneficial owners, and board members of other parties acting as partners of MuniFin, such as service providers.
  • Individuals visiting MuniFin’s premises.

The following data may be collected about data subjects:

  • Identification and contact details: name, phone number, email address, position, represented organization, sanctions-related information.
  • Other information necessary for maintaining the business relationship: such as related events and tasks.
  • Additional data stored by MuniFin: e.g., connections to other target groups, regular mailing information (e.g., for newsletters).
  • Information collected during visits to MuniFin.

Personal data may be obtained through:

  • Self-disclosure by the individual: via email, online forms, phone, or other similar methods.
  • Information collected by MuniFin: e.g., requests for proposals, contracts, partner websites.
  • Registers maintained by authorities: e.g., the Trade Register.
  • Commercial information providers: such as Suomen Asiakastieto.
  • Phone and meeting recordings: MuniFin may record calls and Teams meetings to confirm assignments, prepare meeting minutes, and fulfill statutory obligations. Recordings are used only for these purposes.
  • Video surveillance: MuniFin premises are monitored by video surveillance to protect the property, assets, and individuals, and to prevent and investigate possible security incidents or crimes. Video recordings capture images, recording time, and location. Surveillance areas are marked with signs. Viewing of recordings is governed by strict internal instructions. Only designated personnel with job-related authorization can view recordings. Recordings may be disclosed to authorities (e.g., the police) when required by law.

How Long Are Personal Data Retained?

MuniFin retains personal data for as long as necessary for the purpose for which the data was collected and processed, or for as long as applicable regulations require. Personal data are also retained for as long as needed to perform contractual obligations and to meet statutory retention requirements.

Detailed retention periods are as follows:

  • Personal data related to contracts are retained for 10 years after the end of the contract.
  • Phone recordings are retained for five years.
  • Teams meeting recordings are retained for a maximum of one year.
  • Other data are retained for the duration of the contractual relationship, unless the purpose for which the data was collected ends earlier, in which case the data will be deleted once no longer needed (e.g., data collected for events).
  • Visitor data are deleted six months after the visit.
  • Video surveillance data are retained for a maximum of 90 days.

To Whom May Personal Data Be Disclosed?

Data may be disclosed, on a regular basis or where required or permitted by law, to:

  • Authorities
  • IT service providers and other contractual partners, where necessary for the purpose of the contract

When disclosing personal data, the controller ensures compliance with applicable legal requirements, including confidentiality obligations binding on the controller.

Can Data Be Transferred Outside the EU or the European Economic Area?

When using IT service providers or other contractual partners, MuniFin may transfer data outside the EU or the European Economic Area (EEA). Data will not be transferred outside the EU, the EEA, or countries recognized by the European Commission as providing an adequate level of data protection, unless adequate safeguards for data protection have been ensured through contractual arrangements or in another manner required by data protection legislation.

Storage and Protection of Personal Data, and Notification of Data Breaches

Manual material
Manual material is printed only when necessary and stored in locked premises. Access is granted only to authorized persons. Paper printouts are destroyed after use.

Digitally stored data
Personal data are kept confidential. The use of personal data within the controller’s organization is governed by internal instructions, and access is restricted so that only those employees who need the data for their work tasks are authorized to use it. The controller requires all IT service providers it engages to ensure confidentiality, maintain appropriate information security, and comply with the principles of data protection legislation.

Notification of data breaches
In the event of a personal data breach, the data subject will be notified without undue delay in accordance with Article 34 of the EU General Data Protection Regulation, if the breach is likely to result in a high risk to the rights and freedoms of the individual.

Rights of the Data Subject

The data subject has the following rights regarding the processing of their personal data:

  • Right of access
    The data subject has the right to know whether the controller processes personal data concerning them and, if so, to access such data.
  • Right to rectification
    The data subject has the right to request the correction or completion of inaccurate, incorrect, or incomplete personal data concerning them.
  • Right to erasure
    In certain situations, the data subject has the right to request the deletion of their personal data (“right to be forgotten”), for example, when the data are no longer needed for the purposes for which they were collected.
  • Right to restriction of processing
    In certain circumstances, the data subject may request that the processing of their personal data be restricted, for example, when the accuracy of the data is contested.
  • Right to object
    In certain situations, the data subject may object to the processing of their personal data, particularly where the processing is based on the controller’s legitimate interest or where the data are processed for direct marketing purposes.
  • Right to data portability
    The data subject has the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit those data to another controller when the processing is based on consent or contract and is carried out by automated means.
  • Right to withdraw consent
    Where the processing of personal data is based on consent, the data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
  • Right to lodge a complaint with a supervisory authority
    The data subject has the right to lodge a complaint with the Data Protection Ombudsman if they consider that their personal data have been processed in violation of data protection legislation.
  • Exercising rights
    The data subject may exercise their rights by contacting the controller. Contact details for matters related to this privacy notice are provided at the beginning of the notice.