GDPR Compliance

1. Legal Framework

CivicWork processes personal data in compliance with the following European and Finnish legislation:

• General Data Protection Regulation (GDPR) EU Regulation 2016/679, applicable across all EU/EEA member states
• Finnish Data Protection Act Tietosuojalaki (1050/2018), which supplements and implements the GDPR in Finland
• Finnish Information Society Code Laki tietoyhteiskunnan palveluista (917/2014), governing electronic communications and cookies
• EU ePrivacy Directive Directive 2002/58/EC (as amended), concerning privacy in electronic communications

2. Data Protection Principles (GDPR Article 5)

We process personal data in accordance with the following principles:

• Lawfulness, fairness, and transparency We process data lawfully and inform you about our practices
• Purpose limitation We collect data for specified, explicit, and legitimate purposes
• Data minimisation We collect only data that is necessary for our purposes
• Accuracy We keep your data accurate and up to date
• Storage limitation We retain data only as long as necessary
• Integrity and confidentiality We protect your data with appropriate security measures
• Accountability We demonstrate compliance with these principles

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on one or more of the following legal bases:

• Consent (Article 6(1)(a)) Where you have given clear consent for specific processing
• Contract (Article 6(1)(b)) Processing necessary for the performance of a contract with you
• Legal obligation (Article 6(1)(c)) Processing necessary to comply with a legal obligation
• Legitimate interests (Article 6(1)(f)) Processing necessary for our legitimate interests, provided your rights do not override them

4. Your Rights Under GDPR and Finnish Law

As a data subject, you have the following rights:

• Right of access (Article 15) You may request a copy of your personal data
• Right to rectification (Article 16) You may request correction of inaccurate data
• Right to erasure (Article 17) You may request deletion of your data in certain circumstances
• Right to restrict processing (Article 18) You may request limitation of processing in certain cases
• Right to data portability (Article 20) You may receive your data in a structured, machine-readable format
• Right to object (Article 21) You may object to processing based on legitimate interests
• Right to withdraw consent Where processing is based on consent, you may withdraw it at any time
• Right to lodge a complaint You may complain to a supervisory authority, including the Finnish Data Protection Ombudsman

To exercise any of these rights, please contact us at privacy@civicwork.com. We will respond within one month as required by GDPR Article 12(3).

5. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules (BCRs) where applicable

6. Data Protection Officer

For questions regarding our data protection practices or to exercise your rights, you may contact our data protection team at privacy@civicwork.com.

7. Supervisory Authority (Finland)

If you are not satisfied with our response to your concerns, you have the right to lodge a complaint with the Finnish supervisory authority:

You may also lodge a complaint with the supervisory authority in the EU/EEA country of your residence, place of work, or place of the alleged infringement.

8. Related Documents

For more information, please refer to our related policies:

• Privacy Policy How we collect, use, and protect your data
• Cookie Policy Our use of cookies and similar technologies
• Terms of Service Terms governing use of our platform