Data protection policy

1. Introduction

Realia Group Oy and its subsidiaries (“Realia Group”) gather and process personal information about individuals in order to carry out its business and to comply with the requirements of the laws. These individuals can include customers, employees, suppliers and other people Realia Group has a relationship with. The objective of the data protection is to protect individual’s right to privacy when personal data is processed.

Having respect for individual’s rights to privacy is an essential part of Realia Group’s business activities. This Data Protection Policy (“Policy”) defines the main principles to comply with in order to respect data protection and to ensure compliance with applicable laws and regulations. The relevant national laws will take precedence in the event they conflict with this Policy.

This Policy applies to all companies and operating countries of Realia Group. This Policy and related guidelines and work practices are designed to ensure that also all employees are aware of and comply with their obligation to protect the privacy of all individuals and the security of such individual's Personal Data. “Personal Data” is defined as any information related to an identified or an identifiable person. For example, an individual’s name, home address, e-mail address, telephone number, or government-issued identification numbers would constitute Personal Data.

2. Data protection and processing in Realia Group

Realia Group has adopted the following principles to govern its collection and processing of Personal Data:

2.1 Fairness and lawfulness

The processing of Personal Data is always based on a specific and lawful purpose and processed in a legal and fair manner protecting the legitimate interests of individuals.

2.2. Restriction to a specific purpose

Personal Data may be collected only for a specified, explicit and legitimate purpose and may not be further processed contrary to such intended purpose.

2.3 Data economy

Personal Data must be adequate, relevant and not excessive in relation to the purpose for which it is collected and/or further processed. Realia Group aims at minimizing the processing of personal data. Personal data must not be kept any longer than strictly necessary or required by law.

2.4 Data quality

Suitable steps must be taken in order to ensure that Personal Data processed is accurate, complete and kept up to date.

2.5 Data security

Personal Data must be kept confidential and data security shall be taken into account in Realia Group’s data systems. Necessary technical and organizational safeguards are established to protect personal data against any unauthorized or unlawful use and against any accidental loss or destruction. Access right to material containing Personal Data is granted only on a need-to-know basis. Employees may have access to Personal Data only as is necessary for the position in 3 question. The same applies regardless of whether the data is processed electronically or paper form.

2.6 Transparency

Realia Group is open towards the data subjects and applies the principle of transparency when processing Personal Data. Openness is put into practice, for example, by providing information about processing activities on the Realia Group’s webpages. All data subjects shall be offered information on what kind of Personal Data is being processed and how is the Personal Data being processed. Realia Group ensures that all data subjects are aware of how to exercise their rights as data subjects.

3. Data Protection Implementation

Local management together with the responsible Human Resources personnel and the Realia Group’s Data Protection Coordinator will be responsible for assessing and complying with local regulations regarding the processing of Personal Data. Every employee must be familiar with this Policy as well as the relevant guidelines given based on this Policy.

If any employee of Realia Group suspects a violation of this Policy, he or she shall report such concern to his/her manager, the Chief Compliance Officer or the Data Protection Coordinator.

Any activity that is in breach of (i) this Policy, (ii) internal guidelines or instructions given based on this Policy or (iii) data protection legislation, is considered to be a data protection incident. All incidents must be reported as described above and investigated appropriately.