Privacy notice

This privacy notice covers data processing with respect to (i) our website and (ii) our operations in general.


This privacy notice contains information on how we collect, store and process data concerning visitors to this website.

We do not seek to collect any personally identifying information about you as you visit this website, except when knowingly provided by you. This website includes a contact request form which you can use to provide us with your contact details. The information you give on this form will only be used to relay the details to us so that we can reach out to you.

We will retain your information only for as long as it is necessary for the above-mentioned purpose. Where we collect personal data about you through the contact request form, the legal basis for processing that data is the fact that such processing is necessary in order to take steps at your request prior to entering into a possible contractual relationship.

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed by us, and where that is the case, request access to that data as well as to have any inaccurate or incomplete personal data rectified or completed. In certain circumstances, you may also have the right to object to the processing, to request the erasure of the data or restriction of its processing, or to receive the data in a structured, commonly used and machine-readable format. Please contact us for any inquiries you may have related to exercising these rights. If you consider our processing activities of your personal data to be inconsistent with applicable data protection laws, you may lodge a complaint with the relevant supervisory authority. Contact details for the supervisory authority in Finland can be found here.

The data controller responsible for your personal data for the purposes of applicable Finnish and European Union data protection laws is HH Partners, Attorneys-at-law Ltd (Business ID: 1636521-5). If you have any questions about this privacy notice or our data collection practices, please contact us.



In connection with our operations, we process personal data in accordance with the European Union’s General Data Protection Regulation (2016/679; “GDPR“) and other laws, statutes and regulations applicable in Finland concerning the processing of personal data and data protection (together the “data protection regulation“).

This notice describes how we process personal data:

  • when managing client relationships and assignments;
  • when negotiating with our prospective future clients or handling inquiries from prospective clients before starting a client relationship;
  • in our recruitment processes; and
  • while carrying out our statutory obligations, for example, related to the prevention of money laundering and terrorist financing and knowing our clients.

For the purposes of this notice, “personal data” means any information relating to an identified or identifiable natural person, hereinafter referred to as “data subject“. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to that natural person.

Processing” means any operation or set of operations which is performed on personal data or on sets of personal data either by automated means or manually, such as collection, recording, organisation, structuring, storage, adaptation or alteration, searching, inquiry, use, disclosure by transmission, dissemination or otherwise making available, coordination or combination, restriction, deletion or destruction.


Asianajotoimisto HH Partners Oy / HH Partners, Attorneys-at-Law Ltd (1636521-5)
Postal address: PL 232, 00101 Helsinki
Street address: Eteläesplanadi 22 A, 00130 Helsinki

Contact Person of the Controller

Attorney-at-law, partner Martin von Willebrand
Telephone: (09) 177 613

Purposes and Legal Bases for Processing Personal Data

The table below describes the purposes for our processing of personal data, the corresponding legal bases for processing in accordance with data protection regulations, and the categories of personal data that may be processed for the specified purpose. The categories of personal data presented in the table are defined in more detail in the following section (Categories of Personal Data).

We hope that you understand that the listed categories of personal data or parts thereof will always be processed only if and to the extent that they are adequate, relevant and limited to what is necessary in relation to the purposes of the processing. If the processing is carried out for a purpose other than the one for which the data was collected and the processing is not based on the consent of the data subject or applicable legislation, we will ensure that the processing is in any case compatible with the purpose for which the data was originally collected.

Purpose Legal basis Categories of personal data

Handling of assignments and any other provision of legal services Performance of contract; legitimate interest of the controller (provision of legal services) Basic information, client information

Management of client relationships and development of services Legitimate interest of the controller (provision of legal services);
performance of contract
Basic information, client information, consents and prohibitions, interests

The controller’s obligations to identify and know its clients and to prevent, detect and investigate money laundering and terrorist financing, as well as to investigate money laundering and terrorist financing and the crime by which the property or proceeds of crime subject to money laundering or terrorist financing have been obtained (including, for example, a possible obligation to file a money laundering report on the client) Legal obligation Client identification information

Determination of disqualification, any procedures related to the supervision of activities taken by attorneys-at-law and any other compliance with legislation on advocacy that is binding on the controller, the rules of the Bar Association and code of conduct for attorneys-at-law Legal obligation;
legitimate interest of the controller (provision of legal services)
Basic information, client identification information, client information

Marketing, acquiring clients or assignments and communicating with potential clients Legitimate interest of the controller (provision of legal services); performance of contract or taking steps at the request of the data subject prior to its conclusion; consent Basic information, client information, consents and prohibitions, interests

Recruitment Consent; legitimate interest of the controller (provision of legal services); performance of contract or taking steps prior to its conclusion at the request of the data subject Job applicant information, consents and prohibitions, interests

Categories of Personal Data

Depending on the purpose, the following table defines the categories of personal data that may be processed.

Category of personal data Data content of the category

Basic information Name, contact details, address, language, job or professional title of a client or a representative of a client company, and other standard and public information relating to the business, business connections, industry and profession of the client

Client identification information Information necessary for the reliable identification of the client and the fulfilment of the related obligations of the controller, such as data obtained from the client or from public registers (such as the Trade Register, the Business Information System, bankruptcy, restructuring and enforcement registers), personal identity codes or company identifiers and other corresponding identification data.

The controller also processes other data that is, for example, necessary for fulfilling the obligations concerning the supervision of the Act on Preventing Money Laundering and Terrorist Financing (Anti-Money Laundering Act), such as:

  • name, date of birth and personal identification number;
  • name, date of birth and personal identification number of the representative;
  • full name, registration number, date of registration and registration authority of the legal entity;
  • full names, dates of birth and nationalities of the members of the board of directors or equivalent decision-making body of the legal person;
  • the field of activity of the legal entity;
  • name, date of birth and identification number of the beneficial owners;
  • the name of the document used for the verification of identity, the document number or other identifying data and the issuer or a copy of the document or, where the client has been remotely identified, information on the procedure or sources used for authentication;
  • information on the client’s activities, nature and extent of business, financial position, political influence, grounds for the use of the transaction or service and information on the origin of funds, as well as other necessary client identification information referred to in Chapter 3, Section 4, Subsection 1 of the Anti-Money Laundering Act;
  • information related to the determination of the origin of funds pursuant to Chapter 3, Section 4, Subsection 3 of the Anti-Money Laundering Act and information necessary for the fulfilment of enhanced due diligence relating to a politically exposed person pursuant to Section 13 of the Act;
  • for foreign clients who do not have a Finnish personal identity code, information on the client’s nationality and travel document information; both
  • other information obtained for the purpose of fulfilling the obligation to report suspicious transactions pursuant to Chapter 4, Section 1 of the Anti-Money Laundering Act.

Client information Information related to the client relationship, contractual relationship, assignment and communication, such as:

  • the services provided to the client, their performance and use, information on the parties and/or other persons involved in the assignment necessary for the performance of the assignment;
  • other transaction data relating to the services;
  • information related to the management of client assets;
  • information related to invoicing and collection;
  • complaints and data regarding their processing; and
  • other similar information (including information obtained in the course of negotiating with our prospective clients before or without assignment).

Job applicant information Job application, CV and other information provided by the job applicant in the recruitment process.

Consents and prohibitions Information about consents and prohibitions, such as permissions and prohibitions for direct marketing and authorisation for references.

Interests The interests of the data subject and other similar information provided by the client or other data subject.

Disclosure of Personal Data

We may disclose personal data only to the extent required and permitted by applicable legislation and the Code of Conduct for Attorneys-at-Law that binds us by law.

In our operations, we are bound by and comply with an extensive obligation of secrecy and secrecy, under which our law firm’s attorneys-at-law, staff members and other persons performing permanent or temporary services to the office may not disclose without authorisation such private person, family, business or professional secret of which they have become aware in the course of their duties, nor may they disclose without authorization any other information that they have in the course of their duties have learned about the client and their circumstances. Such parties may, however, be exempted from their obligation of secrecy and confidentiality to the extent permitted by the party protected by that obligation or if there is a right or obligation to do so by law or by reference to Code of Conduct for Attorneys-at-Law.

Within the limits mentioned above, we may provide data to our subcontractors and service providers for processing, for example, for data processing, financial administration and other similar services, but even then, as a rule, only on behalf of the controller, applying appropriate and legally required secrecy, protection and other data protection obligations.

Personal data is not regularly transferred outside the European Union or the European Economic Area. However, personal data may be transferred or disclosed outside the European Union or the European Economic Area as permitted by law if the data is transferred to a country where the European Commission has determined that the level of data protection is adequate or where contractual or other arrangements (such as using Standard Contractual Clauses approved by the European Commission) ensure an adequate level of data protection or where processing is based on a legal basis under data protection rules, for example where data is transferred to the country concerned for the establishment, exercise or defence of legal claims.

Retention of Personal Data

Personal data will be stored for no longer than is necessary for the stated purposes of processing or for purposes compatible with them.

We regularly assess the existence of such needs in relation to the personal data we hold and, to the extent that we deem the need to be deleted, we delete or anonymise personal data from our systems, archives and/or registers or, where this is not possible (for example, to the extent that the data is stored in backup archives), we store it securely and prevent further processing until deletion is possible.

However, to the extent that the data is subject to a retention obligation arising from, for example, legislation on accounting, taxation or advocacy, the data will in any case be stored for the minimum period specified in that obligation.

Data collected in order to fulfil the obligations of the Anti-Money Laundering Act (see above, client identification data) will be stored for five years from the end of the client relationship, unless further storage of the personal data in question is necessary to safeguard a criminal investigation, pending legal proceedings or the rights of the controller or its employees. In this case, the need for further storage of personal data and documents shall be examined no later than three years after the previous review of the need for further storage.

Sources of Personal Data

Personal data is mainly obtained from our client or the data subject himself/herself.

For the purposes of providing legal services and managing client relationships, as well as legal and professional obligations related to our operations, personal data may also be processed and updated from other sources to the extent necessary to achieve the specified purpose (e.g. public registers and other public sources, counterparties and authorities).

Data Security

We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data, such as (where appropriate):

  • pseudonymisation and encryption of personal data;
  • procedures and capabilities to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
  • procedures and capabilities to quickly restore the availability of and access to data in the event of physical or technical failure; and
  • procedures for regularly testing, examining and evaluating the effectiveness of technical and organisational measures to ensure the security of data processing.

Physical material is stored in a locked space and is only available to those entitled to the information.

Access to digital material is restricted only to the controller’s employees who have the right to do so due to their duties by means of user IDs. We use appropriate technical and organizational measures to protect data against unauthorised access, alteration, disclosure, destruction or other unauthorised processing. We require all IT service providers we use to maintain confidentiality, appropriate data security and commit to the requirements and principles of applicable data protection legislation.

Rights of the Data Subject

In accordance with applicable data protection legislation, the data subject has the following rights:

  • The right to obtain confirmation from the controller as to whether it processes personal data concerning the data subject and, if so, the right to access the personal data
  • The right to request from the controller the rectification of data concerning the data subject and, in certain cases, the right to request the erasure of personal data, restriction of processing or to object to the processing of personal data
  • Insofar as the processing of personal data is based on consent, the right to withdraw consent at any time
  • The right to object direct marketing at any time

The data subject may exercise their rights by contacting us using the contact details provided in this privacy notice.

The exercise of the rights of the data subject is restricted by attorney-client privilege and other confidentiality requirements that the controller is binded by.

The data subject has the right to complain about our processing of their personal data to the competent data protection authority. The contact information of the Finnish supervisory authority can be found on the page:

Updating the Privacy Notice

We may update this privacy notice from time to time due to changes in legislation or our business operations. We aim to inform data subjects of changes in a manner that is required by their significance and taking into account factors restricting the exercise of the rights of the data subject, such as attorney-client privilege and other confidentiality requirements that bind us.