5. Retention of Personal Data
Karhu retains personal data for as long as necessary to fulfill the purposes defined in this privacy policy, unless legislation requires a longer retention period (for example, obligations related to specific laws, accounting, or reporting requirements), or unless Karhu needs the data to prepare, present, or defend a legal claim or resolve a similar dispute.

The retention period and criteria vary depending on the category of personal data and its intended use.

Consents and restrictions are retained for the duration of their validity.

Cookies from the Google Analytics service expire 26 months after the user’s first visit to our website. Among the cookies used by the ClickDimensions service, the cuvid cookie expires after 2 years from the user’s first visit, while the cusid and cuvon cookies expire 30 minutes after the start of a session. Users can also manually delete these cookies through their browser settings.

For organizations, the retention of the data subject’s personal data is tied to the period during which the data subject acts as a representative of the organization in relation to Karhu. Personal data is deleted within a reasonable time after the end of this role.

When personal data is no longer needed as described above, the data is deleted within a reasonable time unless Karhu is legally required to retain the data for a longer period.

6. Recipients of Personal Data
In accordance with this privacy policy, Karhu may outsource the processing of personal data to service providers or subcontractors, such as IT suppliers and accounting firms. Karhu ensures, through appropriate contractual obligations, that personal data is processed properly and in compliance with the law.

The following entities participate in the processing of personal data:
• Microsoft Oy (and other companies within the group)
• J&K International Oy
• CSI Helsinki
• Pp-Tilipalvelu Tmi
• Google Inc

We may disclose contact information to our partners within the limits permitted by applicable legislation and good legal practice. As a general rule, data is not disclosed to third parties.

In specific cases, personal data may be disclosed to authorities when required or permitted by law.

Additionally, in emergency or unforeseen situations, Karhu may be required to disclose personal data to protect human life, health, or property. Karhu may also need to disclose personal data if it is involved in legal proceedings or other dispute resolution processes.

If Karhu is involved in a merger, business acquisition, or other corporate transaction, it may need to disclose personal data to third parties. In such cases, the data subject’s privacy is protected, and appropriate notifications will be provided to the data subject if necessary.

7. Transfer of Personal Data Outside the European Union or European Economic Area
If personal data is transferred outside the European Union or the European Economic Area (for example, when required by a client relationship), Karhu ensures an adequate level of data protection. This is achieved by establishing agreements on the processing of personal data in compliance with data protection legislation, such as using the standard contractual clauses approved by the European Commission.

8. Principles of Personal Data Protection and Security of Processing
Karhu processes personal data in a manner that ensures its proper security, including protection against unauthorized processing, accidental loss, destruction, or damage.

To safeguard personal data, Karhu implements appropriate technical and organizational security measures, including the use of firewalls, encryption technologies, secure facilities, proper access control, and access management. Employees and subcontractors involved in data processing are instructed accordingly.

Contracts and other documents that must be retained in their original form are stored in locked premises, with access restricted only to authorized individuals.

All entities processing personal data are bound by confidentiality obligations under employment contracts and contractual non-disclosure clauses. Additionally, Karhu’s clients are protected by attorney-client privilege.

In accordance with this privacy policy, Karhu may outsource the processing of personal data to service providers or subcontractors. In such cases, Karhu ensures through appropriate contractual obligations that personal data is processed lawfully and securely.

Our website uses a TLS-encrypted connection, ensuring that all electronic personal data is protected. You can verify this by the green lock symbol on the left side of the browser’s address bar. If personal data exists in physical form, it is stored in locked facilities inaccessible to unauthorized persons and is securely destroyed when no longer needed.

Data received through website traffic monitoring is protected by a TLS-encrypted connection. Information collected via Google Analytics and ClickDimensions is stored and processed on the service providers’ own servers. Access to the Google Analytics and ClickDimensions services integrated with Karhu’s website requires login credentials, which are only available to a limited number of employees at Karhu.

If Karhu holds personal data in physical form, it is stored in secured, locked facilities and is securely destroyed when no longer required.

9. Rights of Data Subjects
Data subjects have rights guaranteed by data protection legislation.

Data subjects have the right to obtain confirmation as to whether their personal data is being processed. They also have the right to review and access their personal data and, upon request, receive this information in written form.

Data subjects have the right to request the correction of inaccurate or incorrect personal data. Additionally, they have the right to request the deletion of their data. The data controller will also, on its own initiative, delete, correct, or complete any personal data that is incorrect, unnecessary, incomplete, or outdated for the purposes of processing.

Data subjects have the right to request the transfer of their personal data to another data controller.

Additionally, under the conditions defined by data protection legislation, data subjects have the right to request the restriction of the processing of their personal data. If inaccurate personal data cannot be corrected or deleted, or if there is uncertainty regarding a deletion request, the company will restrict access to the data.

Data subjects have the right to object to the processing of their data for specific purposes. They also have the right to prohibit the disclosure and processing of their personal data for direct marketing purposes.

If the processing of personal data is based on the data subject’s explicit consent, the data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Requests related to the rights of data subjects must be submitted in writing using the contact details provided above. The request must include sufficient identification details. The request will be processed within a reasonable time, and if possible, no later than one month from the date of submission and verification of identity. The company may request additional information if necessary to fulfill the request. If the request cannot be granted, the data subject will be informed of the refusal in writing.

10. Right to Lodge a Complaint with the Supervisory Authority
The data subject has the right to lodge a complaint with the data protection authority if they believe that their personal data has been processed in violation of applicable legislation.

11. Cookies and Other Technical Tracking
We monitor traffic on the www.karhulaw.fi website using cookies. For this purpose, we use the Google Analytics program (Google Inc.). Your browser automatically sends certain information to Google, such as the URL of the accessed webpage or the search term used to navigate from Google’s search engine to Karhu’s website.

Karhu does not receive the user’s IP address through Google Analytics, only anonymized data, meaning Karhu cannot directly identify the user. Google Analytics generates anonymous reports from cookie data, showing, for example, the number of visitors, the website from which a visitor arrived at Karhu’s website, the duration of the website visit, whether the user has previously visited the website, and which pages on the website the user has accessed.

By monitoring website traffic, we aim to improve our website and enhance the user experience. You can prevent Google Analytics from collecting data about you and learn more about this on Google’s website.

Our website also uses other cookies. Through the ClickDimensions service, we primarily collect your IP address, the website from which you arrived, the duration of your visit, the pages you accessed, and any search terms you used in a search engine that directed you to our site. This helps us improve our website’s functionality and create a more user-friendly experience. We also use cookies to detect the browser’s language setting so that we can direct the user to view our website in the most suitable language.

We also use third-party services on our website, and their cookies enable the sharing of our website content on social media platforms. These service providers include Facebook and LinkedIn.

You always have the option to block, manage, and delete cookies through your browser or mobile device settings.

12. Changes to the Privacy Policy
Karhu continuously develops its services and may need to modify and update this privacy policy as necessary. Changes may also be based on amendments to data protection legislation. We recommend reviewing the contents of the privacy policy regularly.

This privacy policy was published on August 17, 2018,
last updated on February 13, 2025.