Privacy Policy

Privacy Policy Implementation

We implement our privacy policy in accordance with both the EU General Data Protection Regulation (GDPR) and other relevant legislation. The goal of our privacy policy is to ensure the protection of personal data related to individuals working in our organization, stakeholders, and data subjects, as well as the rights and obligations of the data controller. In handling personal data, we uphold privacy and promote adherence to good data processing practices. We adhere to the following general principles in the processing of personal data:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

Rights of the Data Subject

Privacy protects an individual’s private life, including the right to one’s personal data. A fundamental principle of the rights of the data subjects is to ensure protection against unauthorized or harmful use of personal data. As the data controller, we provide transparent information about the processing of personal data before starting any processing activities.

Rights and Obligations of the Data Controller

We ensure the rights of the data subject are met. Additionally, we ensure that personal data is not processed without a proper legal basis (such as the consent of the data subject). We ensure that personal data is processed only under appropriate conditions and that this is also considered when planning new processing methods. The processing of personal data is purpose-bound, meaning we define the purposes for which personal data is processed in advance. We also implement necessary technical and organizational measures to ensure and demonstrate compliance with legislation. These measures are reviewed and updated as necessary.

Technical and Administrative Solutions for Data Protection

Based on risk assessment, we select technical security solutions to protect the data we hold and have built a management system to monitor, guide, and implement daily data processing in our company. We ensure the level of data protection required by our privacy policy by conducting audits and reviews. We have appointed a Data Protection Officer (DPO) who leads and implements the privacy policy approved by management and the operational measures approved by the board. We also regularly train our employees in data protection matters. Data processors are also bound by confidentiality obligations.

Actions in Case of Data Protection Breach

If a data protection breach is suspected or identified, the issue is investigated immediately. In addition, the data subject whose privacy has been compromised is notified without delay. We also report data breaches to the supervisory authority.

Personal Data Processing Guide

The purpose of the personal data processing guide of Digi- and Advertising Agency Höyry is to guide the processing of personal data, implement privacy protection, and promote adherence to good data processing practices.

The personal data processing guide is based on the EU General Data Protection Regulation, which applies to the processing of personal data that is wholly or partly automated, and to the processing of personal data which forms part of a filing system or is intended to form part of a filing system.

This guide provides common regulations for the personal data processing of Digi- and Advertising Agency Höyry. The personal data processing guide is approved by the entrepreneurs/board of Digi- and Advertising Agency Höyry. The updating of the guide is the responsibility of the Data Protection Officer of Digi- and Advertising Agency Höyry.

Download the complete personal data processing guide (Finnish only)

Data Controller

Digi- ja mainostoimisto Höyry Oy

Contact Information

Digi- ja mainostoimisto Höyry Oy
Koskikatu 10
96200 Rovaniemi
+358 50 366 2726

Person responsible for the register

Sami Halonen
Koskikatu 10
96200 Rovaniemi
+358 50 366 2726

Data Subjects

Potential customers

Purpose of Processing Personal Data

Personal data is collected for a specific, explicit, and lawful purpose. Data is collected for contact purposes, such as sales of services and marketing communications of Digital and Advertising Agency Höyry Oy, and for handling customer feedback.

Personal Data Stored in the Register

Contact form details are not public and are collected only for internal operations of Digi- ja mainostoimisto Höyry Oy. The customer register includes the following information:

Contact information
  • Name
  • Company/organization
  • Address
  • Email
  • Phone number
  • Additionally, information on the subject of the message and area of interest is requested
  • Information on purchased products/services

Rights of the Data Subject

The data subject has the right to inspect what personal data concerning them is stored in the register.


Furthermore, upon making a sufficiently detailed and specified request, they have the right to access their personal data and the data contained in the recordings. The request for inspection must be made in writing and signed, addressed to: Digital and Advertising Agency Höyry, Koskikatu 10, 96200 Rovaniemi


The data controller must correct any erroneous information in the personal data register indicated by the concerned party. The data controller also has an obligation to periodically verify the accuracy and currency of the data in the register. The data subject may also demand that the data controller remove their personal data from the register. The Data Protection Officer manages the processing of the action.


The data subject has the right to demand a restriction on the processing of their personal data. They also have the right to receive their personal data, which they have provided to the data controller, in a structured, commonly used, and machine-readable format and have the right to transfer this data to another data controller. Additionally, the data subject has the right to object to the processing of their data, automatic decision-making, and profiling.


The data subject has the right to prohibit the use of their data for direct marketing.


Data in the contact form register is deleted when it is no longer necessary for the purposes of processing and at the latest five years after the need related to the contact has ended. Access rights to the register are removed when the data controller determines that the system user no longer requires access or usage rights to the register data due to work-related reasons.

Digital and Advertising Agency Höyry Oy will also delete customer data from the register if the concerned individual legally demands the removal of their data. Data will not be removed if the law specifies otherwise, or an authorized authority has initiated a process that requires data retention, or another party has sought a protective order from Finnish courts for the data.


If the processing of personal data concerning the data subject is based solely on consent and not, for example, on a customer relationship or membership, the data subject may withdraw their consent. The data subject can file a complaint about the decision to the Data Protection Ombudsman.
The data subject has the right to demand that we restrict the processing of disputed data until the issue is resolved.

Right to Complain

The data subject has the right to lodge a complaint with the Data Protection Ombudsman if they believe that their personal data is being processed in violation of the applicable data protection legislation. Data Protection Ombudsman’s contact information:

Regular Sources of Data

Personal data is collected from the customer themselves upon establishing a customer relationship and from the registrar’s systems through online forms. Data is also updated from governmental sources or other service providers to ensure accuracy.

Regular Disclosures of Data

Data is not generally disclosed for marketing purposes outside of Digital and Advertising Agency Höyry and its offices.

Duration of Processing

Personal data is primarily processed as long as the customer relationship exists. Registered individuals can opt out of our marketing lists through a link provided in each marketing email we send or by sending a message to:

Processors of Personal Data

The data controller and its employees process personal data. We may also partially outsource the processing of personal data to a third party, in which case we ensure through contractual arrangements that personal data is processed in accordance with applicable data protection laws and otherwise appropriately.

Transfer of Data Outside the EU

Personal data is not transferred outside the European Union or the European Economic Area.

Automated Decision-Making and Profiling

We do not use data for automated decision-making or profiling.

Cookies and Tracking of Browsing

We collect information about the user’s terminal device through cookies and other similar technologies such as the browser’s local storage. A cookie is a small text file that the browser stores on the user’s terminal device. Cookies often contain an anonymous, unique identifier that allows us to recognize and count the browsers visiting our website.

Our website uses the Google Analytics service. Our pages also contain links to other websites and services. We are not responsible for the privacy practices or content of these external sites. Third parties may set cookies on the user’s terminal device when they visit our services to record the visitor numbers of various sites.

The privacy policy has been approved continuously and reviewed on 23.04.2024.