This Privacy Notice describes how we collect, store and process personal data. It also describes the purposes for which we process personal data and to whom we may disclose personal data, and how the data subject may influence the processing of his or her personal data. This Privacy Notice also describes our obligations when processing personal data.

This Privacy Notice applies to the processing of personal data while carrying out our assignments and our other services. In addition, the Privacy Notice applies when we collect personal data to comply with our legal obligations. However, this Privacy Notice does not apply to links that may be on our website leading to other external services that are not managed by us.

When processing personal data, we always comply with up-to-date data protection legislation, which among other refers to the European Union’s General Data Protection Regulation (2016/679) (“GDPR”) and the national data protection law (5.12.2018/1050). In addition, we are bound by other applicable legislation and industry guidelines, such as the Advocates Act (496/1958), the Finnish Bar Association’s good legal practice and other binding guidelines, for example on confidentiality, information security and the storage of assignment material.

Controller and contact information

Backström & Co Ltd., Attorneys-at-Law (Business ID: FI22267443)

Address:                                Korkeavuorenkatu 30, 00130 Helsinki


Telephone:                            + 358 9 6689 940

Personal data collected and the sources of personal data

Personal data generally refers to data relating to a natural person, i.e., “the data subject”, as further defined in the GDPR, from which a person can be identified. We collect only the following categories of personal data that are essential for our operations:

  • Identification and contact details, such as name / company representative’s name, address, telephone number, e-mail address, nationality, position within the company, business ID, photo, person’s representative’s name and date of birth / personal identity code.
  • Personal data required to comply with a legal obligation, such as those imposed by laws on attorneys and statements of the origin of the funds involved in the transaction, as required by the Act on Detecting and Preventing Money Laundering and Terrorist Financing.
  • Personal data and other assignment material related to the management of the customer relationship or an assignment.
  • Payment and billing information such as bank account number, collection information, credit check information, and customer ID or other customer relationship information.
  • The use of our website generates information such as IP address, search and browsing information of our website, browser and operating system information through visits and cookies or other analytical technologies. However, we do not collect or use this information in any way. If we collect this information, we will ask for permission to collect through cookie settings.

The personal data is principally collected from the data subject in connection with the assignment, for example upon agreeing on and executing the assignment. Personal data of other parties related to the assignment may be collected from our clients and other parties as required.

Personal data may also be collected, within the limits permitted by law, from registers maintained by third parties, such as the Digital and Population Information Agency, the Trade Register, Suomen Asiakastieto and the Business Information System.

Purposes of processing

The processing of personal data is carried out to maintain and manage the assignment relationship between the office and the client and in order to provide our services. We also collect information to comply with our legal obligations, such as those contained in the legislation regulating legal profession, and for risk management and prevention of abuse.

Personal data will not be used for purposes other than those for which the personal data was collected.

The legal basis for the processing of personal data

The legal basis of the processing of personal data is principally our legitimate interest of the legitimate interest of a third party, in which case the processing of personal data is based on, for example, execution of an assignment. We always consider the benefits and potential disadvantages of processing based on the legitimate interest, and we ensure that the legitimate interest in processing personal data does not override the rights and interests of data subjects. The basis for processing may also be an agreement between the parties (the office and the customer, i.e., the registered) in connection with an assignment or other services.

We may also process personal data based on our legal obligations, such as legislation regulating the attorney practice, anti-money laundering and anti-terrorist financing, or compliance with accounting obligation.

General description of organizational and technical security measures

In accordance with Article 32 (1) of the GDPR, we will consider and implement appropriate technical and organizational measures to ensure the security of the processing of personal data, such as:

  • pseudonymization and encryption of personal data
  • our ability to ensure the continued confidentiality, integrity, availability, and fault tolerance of our processing systems and services;
  • our ability to quickly restore data availability and access in the event of a physical or technical failure, and;
  • the procedure by which we regularly test, examine, and evaluate the effectiveness of technical and organizational measures

We always carry out necessary measures to ensure the security, confidentiality, and adequacy of our operations.

Automated decision making and profiling

We do not use the personal data we collect for automated decision-making or profiling in any way.

The storing of personal data

Personal data will be stored only for as long as it is necessary to carry out the activities described in this Privacy Notice, unless required by law to retain personal data for a longer period.

The documentation and material included in the client and assignment agreements shall be stored in accordance with the requirements and guidelines of the Finnish Bar Association for at least 10 years after the end of an assignment.

Customer identification data collected to prevent money laundering and terrorist financing shall be stored in accordance with Act on Detecting and Preventing Money Laundering and Terrorist Financing for 5 years from the end of the customer relationship.

Regular disclosures

Generally, the data will not be disclosed to third parties, except in situations where a legal obligation or the data subject’s assignment obliges or requires for it. In some situations, personal data may be disclosed to our service providers to the extent required for the providing of such services. All third-party service providers we use must ensure an adequate level of protection of personal data.

Data transfer outside the EU or the EEA

We do not transfer the data outside the EU or the European Economic Area. If such is required for the providing of our services, the performance of legal obligations or for any other reason, we will ensure adequate measures to sufficiently protect the personal data.

Rights of the data subject regarding the processing of personal data

In accordance with the GDPR, the data subject has the right to:

  • obtain information on the processing of their personal data,
  • gain access to the personal data,
  • rectify inaccurate personal data,
  • erase the personal data and become forgotten,
  • restrict the processing of personal data,
  • transfer data from one system to another,
  • object the processing of the personal data, and
  • not be subject to automated decision-making

The registered has the option to disable cookies on our website in their own browser. However, this may prevent access to our website.

Right to file a complaint

A data subject has the right to file a complaint with the competent supervisory authority if the applicable data protection rules have not been complied with.

The competent supervisory authority in matters relating to the processing of personal data is:

Office of the Data Protection Ombudsman:

Lintulahdenkuja 4, 00530 Helsinki,
Tel. +358 29 566 6700,