Updated January 2025
1. General
We are committed to respecting your privacy and processing your personal data in accordance with applicable data protection legislation. This document concerning the processing of your personal data (“Privacy Policy”) aims to fulfill our obligation to inform you as a data subject regarding our personal data processing practices and your rights as the data subject, as required by the General Data Protection Regulation 2016/679 of the European Union ("GDPR"). We reserve the right to reasonably amend this Privacy Policy and kindly ask you to visit this page recurringly and review this Privacy Policy for possible changes.
Our website may also include links to websites and services operated by third parties, for which this Privacy Policy does not apply. Rather, we encourage you to consult the respective privacy policies of those third parties, would they apply to you.
2. Contact information
Utopia Analytics Oy, VAT ID: FI26411588 (“we”, “us”, “our” or “Utopia”), acting as the data controller in accordance with this Privacy Policy.
Data Protection Officer
Mikonkatu 6 C FI-00100, Helsinki, Finland
dpo@utopiaanalytics.com
3. Categories and sources of personal data as well as the purposes and legal bases for the processing of personal data
Categories of Personal Data
Purpose of processing
Source of personal data
Legal basis for processing
Customer’s contact and communication data, such as company name, contact person, phone number, email address, position/role and personal data contained in surveys and messages between us and the data subject. We may also collect meeting details and data necessary (e.g. specific interest/reference expressed by a data subject or observed by us) to tailor our offers and services to the customer.
Customer relationship management; Identifying the customer or its representative; Fulfilling of contractual obligations towards the customer; Invoicing; Service development; Marketing
Data subjects themselves; Public registers; Company websites; Our business partners. Data may also be obtained in the course of business
Consent; Legitimate interest of the data controller (communicating with customer, customer relationship management, marketing of new services); Legal obligations; Performance of a contract
Potential customer’s contact and communication data, such as company name, contact person, phone number, email address, position/role and personal data contained in surveys and in messages between us and the data subject. We may also collect meeting details and data necessary (e.g. specific interest/reference expressed by a data subject or observed by us) to tailor our offers and services to the potential customer.
Identifying the potential customer or its representative; Obtaining new customers; Service development; Marketing
Data subjects themselves; Public registers; Company websites; Our business partners. Data may also be obtained in the course of business
Consent; Legitimate interest of the data controller (marketing our services and communicating with potential customer); Legal obligations
Account data, such as company name, representative name, location, phone number, email address, statistical and log data, IP address, certain communications and potential other account related data.
Identifying the customer or its representative; Fulfilling of contractual obligations towards the customer; Service development
Data subjects themselves; Our customers. Data may be also obtained in the course of business
Consent; Performance of a contract; Legitimate interest of the data controller (service development)
Certain (mainly pseudonymized) data, such as user name, location, name, image, phone number, email address, posts/comments made on the internet such as on forums, social media and in chats.
Service development
Data subjects themselves; Public registers; Company websites; Social media; Our business partners
Consent; Legitimate interest of the data controller (service development)
Job applicant’s data, such as name, address, phone number, employment background, academic history, data on aptitude assessments, photographs, identity data on referees, data collected from referees, and other information the applicant provides in, for example, a resume or a cover letter or in a recruitment process at large.
Recruitment of employees
Data subjects themselves and with their consent, their referees
Consent; Actions necessary prior to entering into an employment contract; Legitimate interest of the data controller (recruitment of the appropriate employee)
Website visitor’s data, such as IP address and other observed data (see cookie policy).
Developing our website; Marketing; Statistics; Ensuring that our website works properly and in a secure manner
Personal data accumulated by website visits; Our business partners
Consent; Legitimate interest of the controller (ensuring the security and functioning of our website)
Data of other persons contacting us, such as name, phone number, email address of the data subject, meeting/event details, personal data contained in certain communications between us and a data subject.
The purpose can vary pursuant to the nature and contents of the contact, for example, answering to your enquiries, event/meeting organization and/or taking other necessary actions pursuant to your request(s)
Data subjects themselves
Consent; Legitimate interest of the controller (answering to your enquiries)
Provision of certain personal data is required by legislation or as a part of you entering into or continuing the validity of an existing contract with us. Failure to provide such personal data may result in our inability to enter into or continue the performance of an existing contract with you, or we may not be able to fulfil certain legal obligations.
4. How long do we store your personal data?
We will store your personal data for the period of time required for the purpose of processing listed above, unless mandatory laws require us to store certain personal data for longer. The storage period may differ greatly from one type of processing to another, but is generally determined as follows:
- Data processed on the basis of a contract: Stored for the duration of the contract or the provision of services, and for as long as needed thereafter with view to i.a. invoicing or other incomplete business.
- Data processed based on our legitimate interest: Stored for the duration necessitated by the legitimate interest, as described above, unless you justifiably object to the processing and such objection has been approved.
- Data processed based on our legal obligations: Stored for the duration prescribed by mandatory laws such as the Finnish Accounting Act 1336/1997 (6/10 years).
- Data processed based on your consent: Stored for the duration as determined by the purpose of the processing as well as the scope and validity of your consent – if you withdraw your consent, we will stop the related processing based on this legal basis.
5. Where is your personal data stored and where is it transferred to?
We aim to store your personal data within the European Union and the European Economic Area (“EU/EEA”). However, due to certain systems and services used to support our business and providing our services, some personal data may be transferred outside the EU/EEA. We ensure such transfers are done in accordance with applicable data protection legislation, for example, by means of the personal data remaining in a country recognized by the European Commission as ensuring an adequate level of protection, by using the European Commission’s Standard Contractual Clauses, or by means of other transfer mechanisms designated by the GDPR, and where necessary, additional safeguards.
6. Who may we disclose or transfer your personal data to?
Your personal data may be shared with and processed by our partners, subcontractors or other third parties for the legitimate purposes of marketing, sales, accounting, recruiting, website maintenance, statistics, invoicing, seeking advice from external professionals, enabling third parties to provide services on behalf of or to us, providing our services, or as otherwise necessary for our ordinary business activities. We ensure that a data processing agreement exists between us and relevant third parties. We may also share personal data with third parties where such is reasonably necessary with view to potential or actual litigation, to meet any obligations of applicable legislation and / or authority order, or to detect, prevent, or otherwise address crime or security issues. We may further share personal data in connection with a merger, acquisition or a similar business transaction or otherwise in accordance with your consent.
7. Security of processing
Security of processing is of utmost importance to us, and we have implemented and maintain several technical and organizational measures to ensure the protection of personal data, such as:
- Data encryption;
- Strict access rights;
- Physical facility safeguards;
- Update process management;
- Continuous personnel training;
- Regular internal and external audits;
- Business continuity and recovery plans;
- Non-disclosure agreements and undertakings;
- Internal guidelines on data security and data protection; and
- Designated personnel responsible for data security and data protection.
The appropriateness of the measures taken are based on a risk assessment with view to the nature, scope, context and purposes of processing as well as the risks the processing may entail for your rights and freedoms. We do not use personal data for automated decision-making (including profiling), which would produce legal or other significant effects on you.
8. Your rights as a data subject
As a data subject, you have the following rights.
- The right to access: You have the right to request copies of your personal data. However, to protect the confidentiality of our clients, we may not agree to requests for data that could jeopardize the processing of confidential client data.
- The right to rectification: You have the right to request that we correct any information you believe is inaccurate. You also have the right to request us to complete the information you believe is incomplete.
- The right to erasure: You have the right to request that we erase your personal data, under certain conditions.
- The right to restrict processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
- The right to object to processing: You have the right to object to our processing of your personal data, under certain conditions.
- The right to data portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- The right to withdraw consent: Where personal data processing is based on your separate consent, you have the right to withdraw your consent. The withdrawal shall not affect the lawfulness of processing based on consent performed before the withdrawal.
Moreover, we shall on our own initiative delete, correct and complement any personal data which is discovered to be incorrect, unnecessary, incomplete or outdated for its intended purposes.
Please send your request to our contact address mentioned above. You may need to provide proof of your identity or answer certain questions for us to be able to process your request.
As a data subject you are always entitled to contact the relevant data protection authority if you have data processing related concerns, complaints or if you believe our processing infringes upon applicable legislation. You may do this in the EU Member State of your habitual residence, your place of work or the place of the alleged infringement. In Finland, the supervisory authority is the Data Protection Ombudsman and further information is available at www.tietosuoja.fi.
