Privacy Notice (GDPR – Articles 13 & 14)

This Privacy Notice describes how personal data is processed in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).

1. Data Controller

HC Services Oy

Business ID: FI21666135

Postal Address: Candelinintie 5c, 90570 Oulu, Finland

2. Contact Person for Data Protection Matters

Tom Laine, Email: tom@tomlaine.com

3. Purpose and Legal Basis for Processing

Personal data is processed for the purpose of sending newsletters and communications related to news, content, and events.

The lawful basis for processing under Article 6(1) GDPR is:

• Consent (Article 6(1)(a))

Consent is given when an individual downloads free materials, subscribes to the newsletter, or participates in free training provided by the company.

4. Categories of Personal Data Processed

The following personal data is processed:

Mandatory data:

• Name

• Email address

• City

Optional data (provided voluntarily):

• Company

• Job title

• Professional interest

No additional personal data is collected, and the data is not used for profiling or automated decision-making.

5. Sources of Personal Data

Personal data is collected directly from the data subject when they:

• Subscribe to the newsletter

• Download free materials provided by the company

• Participate in free training or events

(Article 13 GDPR applies, as the data is obtained directly from the data subject.)

6. Recipients of Personal Data

Personal data is not disclosed to third parties.

Data may be processed by service providers acting as data processors on behalf of the data controller, solely for the purpose of providing the service.

7. Transfers of Personal Data Outside the EU/EEA

The newsletter register is managed using a Hubspot web service.

Hubspot processes personal data in accordance with applicable data protection safeguards. Where data is transferred outside the EU/EEA, appropriate safeguards are applied in accordance with GDPR requirements (such as Standard Contractual Clauses).

The data controller maintains its primary records in Finland.

8. Data Retention Period

Personal data is stored only for as long as the data subject remains subscribed to the newsletter or until consent is withdrawn.

Once consent is withdrawn, the personal data is deleted without undue delay, unless retention is required by applicable law.

9. Rights of the Data Subject

The data subject has the following rights under the GDPR:

• Right of access (Article 15)

• Right to rectification (Article 16)

• Right to erasure (“right to be forgotten”) (Article 17)

• Right to restriction of processing (Article 18)

• Right to object to processing (Article 21)

• Right to withdraw consent at any time (Article 7(3))

Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

Requests related to these rights must be sent from the email address registered in the system to the contact person listed above.

In addition, the data subject has the right to lodge a complaint with a supervisory authority.

10. Unsubscribing and Withdrawal of Consent

The data subject may unsubscribe and withdraw consent at any time by:

• Using the unsubscribe link included in every email, or

• Sending a request by email to the contact person responsible for the register

11. Data Security

Appropriate technical and organizational measures are applied to protect personal data against unauthorized access, loss, alteration, or disclosure.

Access to the newsletter system is restricted, and the service provider ensures that unauthorized parties do not have access to personal data.

12. Automated Decision-Making

Personal data is not used for automated decision-making or profiling as defined in Article 22 GDPR.