LAKEA OY BANKRUPTCY ESTATE’S PRIVACY POLICY

1 GENERAL

In this privacy policy, we provide the information required by the General Data Protection Regulation 2016/679 of the European Union (“GDPR“) to data subjects, i.e., persons whose personal data may be processed as part of the bankruptcy estate’s activities and the performance of the legal duties of the estate administrator acting on its behalf. We describe how the bankruptcy estate collects, stores and otherwise processes personal data related to the duties of the bankruptcy estate and the estate administrator acting on its behalf.

2 CONTROLLER

Lakea Oy bankruptcy estate (business ID 3560384-8) (“controller“, “bankruptcy estate” or “we“) acts as the data controller in accordance with this privacy policy. The debtor company is Lakea Oy (business ID 0182213-7) (“debtor company”).

The contact person for the controller is the estate administrator, advocate Heikki Vesa, and the postal address is Lakea Oy’s bankruptcy estate, c/o Krogerus Attorneys Ltd, Lin- nankatu 3 B, 20100 Turku, Finland.

Please send any communications regarding the bankruptcy and the processing of per- sonal data by email to lakea@krogerus.com.

The joint controllership of the estate administrator and the Bankruptcy Ombudsman re- garding the case management system for bankruptcy and corporate restructuring matters is described in more detail at section 11.

3 PURPOSES AND LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA

The main purpose of processing personal data is to fulfil the obligations of the bankruptcy estate and the estate administrator acting on its behalf under the Finnish Bankruptcy Act (120/2004, as amended) and other applicable legislation. Personal data is only processed on legal bases established by data protection legislation.

The main legal basis for processing personal data is compliance with the legal obligations of the bankruptcy estate and the estate administrator acting on its behalf. Such legal obligations mainly arise from the Bankruptcy Act and labour legislation.

The table below lists, by category, the purpose of the processing, the legal basis and the categories of personal data processed. For a more detailed description of the categories of personal data to be stored, see section Error! Reference source not found..

Purpose of processing

Legal basis

Categories of personal data

Taking possession of property, accounting records and other materials (e.g. personal data

registers) (Bankruptcy Act ch. 8,

Legal obligation

Debtor company information

Purpose of processing	Legal basis	Categories of personal data
sc. 9) and ch. 14, sc. 5), Act on the Public Disclosure and Confidentiality of Tax Information sc. 13(2)(2))		Information on the debtor company’s creditors Information on the debtor company’s customers
		Debtor company employee information
		Information on the debtor company’s contractual partners
		Information on the bankruptcy estate’s contractual partners
Tasks related to wage security (Bankruptcy Act ch. 14, sc. 5(1) and 5(3))	Legal obligation	Debtor company employee information
Preparation of estate inventory and/or debtor description (Bankruptcy Act ch. 9, sc. 1 and 2)	Legal obligation	Information on the debtor company’s creditors Debtor company information
		Debtor company employee information
		Information on the debtor company’s contractual partners
Settlement of claims and compilation of the disbursement list and the bankruptcy estate’s final settlement of accounts	Legal obligation	Debtor company information Information on the debtor company’s customers
		Information on the debtor company’s creditors
		Information on the debtor company’s contractual partners

Purpose of processing	Legal basis	Categories of personal data
Tasks related to ongoing administration (e.g. performing routine tasks related to employer obligations and managing the bankruptcy estate’s books) (Bankruptcy Act ch. 14, sc.5.1,9)	Legal obligation	Debtor company employee information Debtor company information Information on the debtor company’s creditors Information on the debtor company’s customers Information on the debtor company’s contractual partners Information on the bankruptcy estate’s contractual partners
Liquidation of the assets of the bankruptcy estate (Bankruptcy Act ch. 14, sc.5(1), 5(7) and ch. 17, sc. 3)	Legal obligation	Debtor company information Information on the debtor company’s contractual partners Information on the bankruptcy estate’s contractual partners Information on the debtor company’s customers
PEP and sanctions list checks in auction situations	Legal obligation	Information on other third parties

4 CATEGORIES OF PERSONAL DATA

The bankruptcy estate processes information on the debtor company, creditors, and the debtor company’s customers and employees. The processing of personal data is necessary for the estate administrator acting on behalf of the bankruptcy estate for the fulfilment of legal obligations, such as taking possession of the bankruptcy estate’s assets and determining bankruptcy claims. The table below specifies the personal data categories referred to in section Error! Reference source not found..

Category of personal data	Content of the category
Debtor company information	Information on the names and roles of the owners of the debtor company and the members of its board of directors and management team; information on the names, contact details and employment relationships of the debtor company’s employees
Information on the debtor company’s creditors	Identification and due diligence information relating to the debtor company’s creditors and their representatives
Information on the debtor company’s customers	Information on the debtor company’s customers and identification and due diligence information on their representatives
Debtor company employee information	Information on employees’ names, contact details and personal identification numbers, as well as information on employment relationships, such as employment contracts, duration of employment, employees’ duties, salary information, information on trade union membership, sick leave certificates
Information on the debtor company’s contractual partners	Identification and due diligence information relating to the debtor company’s contractual partners and their representatives
Information on the bankruptcy estate’s contractual partners	Identification and due diligence information related to the bankruptcy estate’s contractual partners and their representatives (for example, external service providers required to perform the obligations of the bankruptcy estate and the estate administrators acting on behalf of the bankruptcy estate, in relation to e.g., accounting, payroll and asset liquidation)
Information on other third parties	For example, in auction situations, the bankruptcy estate may carry out PEP and sanctions checks on bidders, in which case identification information (e.g., name) will be processed.

5 SOURCES AND UPDATING OF PERSONAL DATA

The bankruptcy estate mainly collects personal data directly from the data subjects and the debtor company. In addition, personal data may also be obtained from third parties, such as banks, authorities (e.g., tax and enforcement authorities) and from public or private registers, if the collection of data is necessary for the bankruptcy estate and the estate administrator acting on its behalf to perform their legal obligations and duties.

6 RECIPIENTS AND CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The bankruptcy estate may disclose personal data to the following parties:

authorities, such as the Legal Register Centre, the Tax Administration, the KEHA Centre (Development and Administrative Services Centre), the Office of the Bankruptcy Ombudsman (including the Kosti information management system for bankruptcies and corporate reorganisations) and the judiciary;
the creditors of the bankruptcy estate (e.g. in connection with the processing of the draft disbursement list);
contractual partners of the bankruptcy estate, such as accountants and payroll administrators, as well as other subcontractors of the bankruptcy estate which are necessary for the fulfilment of the bankruptcy estate’s legal obligations;
third parties, such as insurance companies, pension companies, banks and trade unions; and
the buyer of the debtor company’s business operations, if the operations or part thereof are sold as part of the

Personal data will only be disclosed or granted access to only to the extent necessary for the administration of the bankruptcy estate in accordance with the restrictions set out in applicable law. The bankruptcy estate shall enter into an agreement with its subcontrac- tors processing personal data on behalf of the bankruptcy estate regarding the processing of personal data. Each subcontractor shall process personal data only to the extent nec- essary provide the service.

7 TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

In principle, personal data processed by the bankruptcy estate will not be transferred to third countries outside the European Union or the European Economic Area (EU/EEA).

However, it is possible that the transfer of personal data from the bankruptcy estate to third countries outside the EU/EEA may be necessary for the fulfilment of legal obligations of the estate administrator acting on behalf of the bankruptcy estate. Such a situation may arise, for example, when a creditor of the bankruptcy estate is located outside the EU/EEA and the transfer of data related to bankruptcy claims is necessary for such creditor, for example, for the processing of a draft distribution list. In addition, it is possible that some of the service providers used by the controller are located outside the EU/EEA.

If personal data from the bankruptcy estate is transferred outside the EU/EEA in limited situations, the controller shall ensure that the transfers are carried out within the limits permitted by data protection legislation, such as using the European Commission’s model contract clauses or other transfer mechanisms specified in the GDPR.

8 DATA RETENTION PERIOD OR CRITERIA FOR DETERMINING THE RETENTION PERIOD

The bankruptcy estate shall retain personal data for at least as long as is necessary for the bankruptcy estate and the estate administrator acting on its behalf to fulfil their obligations under the Bankruptcy Act. In addition, the bankruptcy estate has legal obligations to retain data even after the bankruptcy proceedings have ended.

In accordance with chapter 2, section 10 of the Finnish Accounting Act (1336/1997, as amended), the accounting records of a bankrupt entity shall be retained for ten years and supporting documents for six years after the end of the financial year. If the bankruptcy estate itself has been subject to accounting requirements on the basis of its own business operations, the bankruptcy estate shall retain its accounting records in accordance with the Accounting Act. In addition, in accordance with chapter 19, section 8 of the Bankruptcy Act, the estate administrator shall retain key documents relating the scrutiny and admin- istration of the bankruptcy estate, the liquidation of the assets and the management of the estate for at least ten years from the date of approval of the final settlement of accounts. Key documents include the estate inventory, the debtor’s statement, the final settlement of accounts and documents relating to the sale of assets relevant to the bankruptcy estate. The documents to be retained are specified in more detail by a Decree of the Ministry of Justice 502/2004 on the retention of documents. Information may also be retained for the purposes of preparing, presenting or defending a legal claim for the period required by the legal process.

The estate administrator acting on behalf of the bankruptcy estate shall ensure the secure destruction of the debtor company’s accounting records and the bankruptcy estate’s doc- uments when the retention criteria and periods specified in law or other regulations bind- ing on the estate administrator acting on behalf of the bankruptcy estate expire.

Personal data to be retained	Retention period
Bankruptcy estate accounting records	Accounting books 10 years and receipts 6 years from the end of the financial year
Key documents relating to the scrutiny and administration of the bankruptcy estate, the liq- uidation of assets and the management of the bank- ruptcy estate	At least 10 years from the end of the final settlement of accounts

9 SECURITY OF THE PROCESSING

The following technical and organisational security measures are implemented and maintained to ensure the protection of personal data in the bankruptcy estate:

internal guidelines and regulations on information security and data protection;

non-disclosure agreements and undertakings;

control of access rights and use;

data encryption and pseudonymisation; and

physical and external security of production facilities and other areas containing confidential

The data will not be used for profiling, and the processing does not involve automated decision-making.

10 RIGHTS OF THE DATA SUBJECT

As a data subject, you have certain rights, unless otherwise provided by the legal obligations of the bankruptcy estate, such as the estate administrator’s duty of confidentiality or the advocate’s duty of confidentiality. Rights under the GDPR, such as the right to object to processing, withdraw consent or transfer data to a third party, do not generally apply to the processing of personal data by the bankruptcy estate. This is due to the bankruptcy estate processing personal data on the basis of its legal duties and obligations, and not, for example, on the basis of consent, legitimate interest or public interest.

All requests mentioned herein should be sent to the bankruptcy estate’s contact person specified in section Error! Reference source not found.. The request can be made in any format. We may ask for further details if necessary to fulfil the request.

More detailed information on the exercise of data subjects’ rights is available on the website of the Data Protection Ombudsman at https://tietosuoja.fi/en/what-rights-do-data- subjects-have-in-different-situations and https://tietosuoja.fi/en/notification-to-the-data- protection-ombudsman.

Rights of the data subject

Right to access your data

You have the right to know whether the bankruptcy estate processes your personal data and what personal data it processes. You can also request a copy of your personal data. In addition, you have the right to inspect your personal data.

Exercising this right is, in principle, free of charge. However, the bankruptcy estate may charge a reasonable administrative fee based on administrative costs for any additional copies you request. If you submit your request electronically and have not requested any other form of delivery, the information will be provided in a commonly used electronic format.

Right to rectify your data

You have the right to request that inaccurate and incorrect personal data concerning you be corrected or supplemented.

Right to have your data erased	In certain cases, you may have the right to have your data erased. However, a request for the deletion of personal data cannot be fulfilled if the personal data is stored in order to comply with a legal obligation. Due to the nature of bankruptcy and estate administration duties, the right to delete data is very limited.
Right to restrict the processing of your data	In certain cases, you have the right to request the restriction of the processing of your data.
Right to lodge a complaint with a supervisory authority	You have the right to lodge a complaint with the competent supervisory authority if you consider that data protection legislation has not been complied with in the processing of your personal data. In Finland, the supervisory authority is the Data Protection Ombudsman.

11 JOINT CONTROLLERS

11.1 General

The Act on the Case Management System for Bankruptcy and Restructuring Matters (667/2019, as amended; “Kosti Act“) regulates the maintenance and use of the case management system, as well as the responsibilities and joint controllership related to the case management system. The purpose of this section 11 is to inform data subjects about matters relating to the joint controllership of the Bankruptcy Ombudsman and the estate administrator.

11.2 Joint controllers

Bankruptcy Ombudsman’s Office

Postal address: Unioninkatu 16, 00130 Helsinki

Telephone number: 029 566 5111 Email: konkurssiasiamies@oikeus.fi

Joint controller’s contact person: Data Protection Officer at the Bankruptcy Om- budsman’s Office

The current contact details for the Bankruptcy Ombudsman can be found on the Bankruptcy Ombudsman’s website in the privacy policy for the case management system for bankruptcy and corporate restructuring matters (“Kosti privacy policy“) (in Finnish only: https://konkurssiasiamies.fi/fi/index/kosti/tietosuojaseloste.html).

Bankruptcy estate’s administrator

Estate administrator: Heikki Vesa

Postal address: Lakea Oy bankruptcy estate, c/o Krogerus Attorneys Ltd, Linnan- katu 3 B, 20100 Turku

Email: lakea@krogerus.com

Bankruptcy Ombudsman and the estate administrator act as joint controllers of the case management system referred to in section 1(3) of the Kosti Act when the case manage- ment system is used to transmit information from the estate administrator to creditors and the debtor or from creditors to the estate administrator.

11.3 Purposes of processing personal data and the legal basis for processing

The purpose of the case management system is to transmit information to the Bankruptcy Ombudsman for the supervision of bankruptcy administration and to enable the transmis- sion of information from the estate administrator to creditors and the debtor in the bank- ruptcy case or from creditors to the estate administrator.

The main legal basis for the processing of personal data is compliance with the legal obligations of the Bankruptcy Ombudsman and the estate administrator.

11.4 Assignment of responsibilities between joint controllers

The Bankruptcy Ombudsman is responsible for the security of the system and the data stored in it. More detailed information on the processing of personal data by the Bank- ruptcy Ombudsman in connection with the case management system can be found in the Kosti privacy policy.

The estate administrator is responsible for the lawfulness of the data stored in the sys- tems, for example with regard to the necessity and accuracy of the data. For clarification, creditors are responsible for the accuracy of the data they store in the system and for correcting the data without undue delay in accordance with section 2(3) of the Kosti Act.

11.5 Contact point

The Bankruptcy Ombudsman acts as a contact point in accordance with Article 26(1) of the GDPR, to which all enquiries concerning the processing of personal data in the Kosti case management system are addressed.

Lakea Oy’s privacy policy

This privacy policy describes the processing of Lakea Oy’s personal data. The object of data processing is the data of our customers and potential customers and the data of our collaboration partners’ employees.

In this policy we describe

The contact information of the data collector
What kind of data we collect
What rights the data subject has and how they can be exercised
The intended purpose of the data and the legal basis for collecting it
How long we will store the data for
The data recipients and data transfer to third countries
Amendments to the privacy policy
The supervisory authority and allocation of complaints
How we protect the data
Additional information on the processing of personal data

The contact information of the data collector

Lakea Oy

PO Box 32, Koulukatu 22
FI-60100 SEINÄJOKI, FINLAND

Business ID: 0182213-7

E-mail: info@lakea.fi

What kind of data we collect and for what purpose

The personal data collected by Lakea can be categorised as follows:

Data related to identification and communication, such as the data subject’s name, address, phone number, e-mail address, and, in connection with agreements and the creditworthiness check, the personal identity code
Data required for the establishment and management of tenancy
Data related to customer relationship management in connection with housing sales
Data required for the realisation of building management-related service requests
Data describing the jobs of the customers’ and collaboration partners’ contact persons, such as titles, job descriptions, or responsibilities
Data related to the use of our website, such as cookies, IP addresses, device IDs, and customer IDs, as well as the data collected by the social community plugins

Personal data which we collect directly from the data subject

We mainly collect the data directly from the data subjects themselves in customer service situations. Customers may also provide the information via phone, social media communication channels, a form, an online form, or e-mail. This data is used for communication in order to either offer services to or provide services for the customer. The data concerning website visitor analytics is also formed on the basis of the data subject’s actions during the visit at the website.

Personal data which we may collect from third parties

From third parties, we collect data for verifying the private customer’s creditworthiness (Suomen Asiakastieto Oy). We also collect data from other public sources, such as company registers (e.g., the Finnish Business Information System and the Finnish Trade Register of the Finnish Patent and Registration Office) for verifying the authority to sign of the person about to sign an agreement.

What rights the data subject has and how they can be exercised

The data subject has rights regarding the personal data in Lakea’s possession.

In ordinary customer service situations that are related to, e.g., changes to the contact or invoicing information and other kinds of enquiries, Lakea Oy’s customer service can be contacted.

The data subject has the following rights:

Right to gain access to the personal data

The data subject has the right to access the personal data in our possession. The right to access the data may, however, have to be limited due to legislation or other factors concerning the protection of other persons’ privacy.

Right to the rectification of data

The data subject has the right to request the rectification of incorrect or insufficient data.

Right to the erasure of data

The data subject has the right to request the erasure of their data. Data may be erased, e.g., in the following cases:

The data subject withdraws their consent and there are no other grounds for processing.

The data subject objects to the processing of data, and there are no other grounds for continuing processing.

Right to restrict the processing

The data subject has the right to restrict the processing of their personal data.

Right to object

The data subject has the right to object to the processing of their personal data.

Right to the transfer of data

The data subject has the right to obtain the personal data they have provided in a machine-readable format. This right applies to personal data that has been processed automatically on the basis of an agreement or consent. The right to the transfer of data from one system to another does not apply to contact information of professionals processed in connection with business relations between companies in cases where the processing is not based on the consent of the data subject or an agreement to which the person is a party.

Right to withdraw consent

The data subject has the right to withdraw their consent at any time without prejudice to the legality of the agreement concluded before the withdrawal if the processing is based on consent. Withdrawing consent may, however, affect our ability to provide services.

Right to file a complaint with the supervisory authority

The data subject has the right to file a complaint with the supervisory authority if they suspect that their personal data is being used inappropriately or illegally.

In order to exercise their rights, the data subject must contact

Lakea Oy

PO Box 32, Koulukatu 22
FI-60100 SEINÄJOKI, FINLAND

E-mail: info@lakea.fi

The intended purpose of the data and the legal basis for collecting it

Lakea processes personal data in order to meet the statutory and contractual obligations and carry out sales and marketing activities. The legal basis for our processing is:

Implementation of an agreement

The primary legal basis for our processing of personal data is the fulfilment of our contractual obligations. We process personal data, to the extent that is necessary, in order to provide the service ordered from us or to fulfil another contractual obligation.

Statutory obligation

In addition to agreements, our operations include statutory obligations on the basis of which we process personal data. The sources of obligations include, for instance, the accounting legislation, the legislation related to resident selection and tenancy (such as the Finnish Act on Interest Subsidy for Rental Housing Loans and Right of Occupancy Housing Loans and the Finnish Act on Residential Leases), the legislation concerning housing sales (such as the Finnish Housing Transactions Act), and the legislation concerning building management.

Consent

On the basis of a consent, analytics data is collected on the use of our website so that we can develop our website and target services. You provide your consent by accepting the cookies when entering the website.

For the part of the data collected for marketing purposes, the data subject is asked for their consent, which can be withdrawn at any time.

How long we will store the data for

Personal data will be stored for the duration of the contractual relationship, and after that for the period required by legislation.

We will store the data related to website visitor analytics for 38 months for the monitoring and development of marketing and customer service.

The data recipients and data transfer to third countries

Data is transferred or released to Lakea Oy’s service providers or subcontractors for the fulfilment of Lakea’s contractual obligations. Agreements required by the General Data Protection Regulation have been concluded with these entities on the processing of personal data. In connection with housing trade, data is released to financial institutions as required by legislation.

Data is not transferred or released outside the EU area.

Amendments to the privacy policy

The practices related to the privacy policy may be updated. The amendments will be published on this site. The amendments required by the GDPR and other significant changes will also be reported via other channels, such as e-mail.

The supervisory authority and allocation of complaints

Each data subject has the right to file a complaint with the supervisory authority concerning the processing of personal data if they feel that the personal data is not being processed appropriately.

Office of the Data Protection Ombudsman

Visiting address: Lintulahdenkuja 4

Postal address: PO Box 800, FI-00531 Helsinki, Finland

Switchboard: +358 29 566 6700

E-mail: tietosuoja@om.fi

How we protect the data

The aim of Lakea Oy’s security measures is securing the availability of data and data systems, ensuring the confidentiality and integrity of the data, and minimising the damages due to possible deviations. The protective measures are based on a risk assessment conducted on the operations, and they are proportioned to manage the protected object and the risks it is subjected to. The requirements of the applicable data protection legislation are taken into account in the processing of personal data and the protective measures.

Additional information

A more detailed policy concerning the processing of one’s own personal data can be acquired with a single document by sending e-mail to info@lakea.fi. Contacts are answered on weekdays between 8am and 4pm.

Our website may contain links to social media. If you already have an account in the service of the social media provider, the service in question may be able to recognise you by this content or a visit to its site. You may also be recognised by such content even if you have not registered yourself as a user of the social media service in question. Additional information about the data security practices concerning social media can be acquired from the terms of service and privacy policy of the service provider in question.

You can forbid the collection of data used for targeting advertisements (e.g., Facebook Pixel), if you wish. You can take care of that, for instance, via the website www.youronlinechoices.com/fi/.

Additional information on cookie management:

Privacy statement