Company GDPR & Privacy Statement

GDPR Statement of GloESDE Oy (VAT FI34832446)
Data Protection and Processing of Personal Data
GloESDE Oy processes personal data of students, staff, stakeholders, and customers, as well as
research data that may contain personal information. Personal data includes any information that
can directly or indirectly identify an individual.
Data Protection Legislation
The EU General Data Protection Regulation (GDPR) is directly applicable legislation across the
entire European Union and applies to all processing of personal data.

• What is personal data? | Data Protection Ombudsman’s Office (https://tietosuoja.fi/en/home)
• EU General Data Protection Regulation (EU 2016/679) | Regulation – 2016/679 – EN –
  GDPR – EUR-Lex https://eur-lex.europa.eu/
• National Data Protection Act (1050/2018) – Available in English on the official website.
  Data Protection Policy
  The GloESDE Oy Board has approved the data protection policy on February 23, 2025. The data
  protection policy defines the key principles, responsibilities, and operational procedures that
  GloESDE Oy follows in handling personal data. To ensure compliance, additional guidelines and
  codes of conduct are in place, forming a comprehensive framework together with the data
  protection policy.
  Personal data may only be processed when there is a legal basis. The objective is to ensure that
  GloESDE Oy complies with the obligations imposed by the EU General Data Protection
  Regulation (GDPR), national legislation, and other applicable laws related to personal data
  processing, and that compliance can be demonstrated through documentation.
  GloESDE Oy processes personal data in various tasks, including learning environments, where
  personal data is processed to facilitate work tasks, enable student learning, and maintain access
  rights and information security. Personal data is also used for GloESDE Oy’s marketing
  purposes, but is not disclosed to third parties except in connection with outsourced service
  providers (such as Moodle). This document contains links to the relevant materials where each
  subcontractor’s terms and conditions are detailed.
  General Data Protection Guidelines
  This guideline summarizes the key considerations for personal data processing and security. The
  purpose is to facilitate the application of the EU General Data Protection Regulation (GDPR) in
  data processing.
• European Commission: Rules for the protection of personal data inside and outside the
  EU.
• EU Agency for Fundamental Rights: Handbook on European Data Protection Law – 2018
  Edition https://fra.europa.eu/en

1. Data Controller
   GloESDE Oy, Tykkitienkatu 4 A 12, 33300 Tampere, Finland
   Email: mari.moisio@gloesde.com
2. Contact Person for Data Protection Matters
   CEO Mari Moisio, +358 (0)50 406 6966
3. Purposes of Personal Data Processing
   GloESDE Oy processes personal data for the following purposes:

• Provision and management of training services
• Customer relationship management and development
• Marketing communications
• Website development and analytics

1. Processed Personal Data
   GloESDE Oy processes the following personal data:

• Training Platform: Name, email address, address, phone number, date of birth, industry,
  market area, country of operation, company name (if applicable), VAT number (if
  applicable), billing address, general sustainability-related questions.
• HubSpot CRM: Basic customer information (name, contact details), purchase history,
  marketing-related data.
• Website Contact Form: Name, email address, message.
• Newsletter Subscription: Name, email address.
• Google Analytics: Website usage data (e.g., IP address, browsing history, browser details).

1. Data Retention Periods
   GloESDE Oy retains personal data only for as long as necessary to fulfill the above-mentioned
   purposes, subject to the following limitations:
   Legal Basis for Processing (GDPR Article 6)
   Purpose of Processing Legal Basis (GDPR Article 6)
   Event Registration Contract or Consent
   Customer Management (CRM) Legitimate Interest
   Training Platform (Moodle) Contract
   Marketing Communications Consent
   Analytics (Google Analytics, Cookies) Consent
   Information Security and Access Control Legal Obligation
   Personal Data Retention Periods

Data Type Retention Period
Event Registration Data Deleted 6 months after the event
Student Data (Moodle) Retained for 3 years after study completion
CRM Customer Data Retained for 2 years after the last customer interaction
Marketing Lists Retained until the user withdraws consent
Analytics Data (Google Analytics) Retained for 26 months

6. Data Disclosure
   GloESDE Oy does not disclose personal data to third parties, except in the following cases:

• To fulfill legal obligations
• At the request of authorities
• To subcontractors who process data on behalf of GloESDE Oy (Moodle, HubSpot,
  MailerLite, Paytrail)
  GloESDE Oy processes personal data in accordance with the EU General Data Protection
  Regulation (GDPR) and only uses service providers who declare compliance with GDPR. Personal
  data is processed according to the defined purposes of GloESDE Oy. However, GloESDE Oy is not
  responsible for the privacy policies or data storage locations of third parties. The privacy policies of
  service providers are available on their respective websites (see links below).

6. Data Security
   GloESDE Oy has implemented appropriate technical and organizational measures to protect
   personal data from unauthorized access, disclosure, loss, and destruction.
7. Data Subject Rights
   Data subjects can exercise their rights by contacting the GloESDE Oy Data Protection Officer:
   Email: mari.moisio@gloesde.com
   Phone: +358 (0)50-406 6966
   How Requests Are Processed

• Right to Access: Upon request, you will receive a copy of your personal data within 30 days.
• Right to Rectification: If your data is incorrect, you may request its update.
• Right to Erasure (”Right to be Forgotten”): We delete your data in accordance with legal
  obligations.
• Right to Object to Processing: You can withdraw consent for marketing communications or
  cookie usage at any time.
• Right to Restrict Processing: If the legal basis for processing is disputed, data usage may be
  temporarily suspended.
• Right to Data Portability: If you wish to transfer your data, you can request it in a commonly
  used format.

6. Cookies and User Consent

GloESDE Oy’s website uses cookies for website analytics and to improve the user experience. The
following cookies are used:

• Google Analytics Cookies: How Google Uses Cookies – Privacy & Terms – Google
• Functional Cookies
• Yoast SEO Cookies: Yoast and Your Privacy (GDPR) • Yoast
  Users can manage cookie preferences in their browser settings.
  Cookies are used on the website to enhance user experience and analytics. Users have the right to:
• Accept or decline cookies immediately on the website.
• Modify or withdraw their consent later via cookie settings.
  You can manage your cookie consent at any time through the website’s cookie settings or
  browser settings.

1. Changes to the Privacy Statement
   GloESDE Oy may update this privacy statement as necessary.
   Cookie Policy and Consent
   GloESDE Oy’s website uses cookies for website analytics and user experience improvement. By
   using the website, you accept the use of cookies. You can manage cookie settings in your browser.
   Additional Information:

• Paytrail Data Privacy Notice | Paytrail https://www.paytrail.com/en/data-privacy-notice
• HubSpot Data Privacy Resources (hubspot.com) https://knowledge.hubspot.com/privacy-and-consent/gdpr-resources?hubs_content=knowledge.hubspot.com/fi/privacy-and-consent/gdpr-resources&hubs_content-cta=English
• MailerLite How MailerLite Stays GDPR-Compliant – MailerLite https://www.mailerlite.com/gdpr-compliance
• Moodle Security and Privacy – Moodle – Learning Management System
  Data Protection and Security Guidelines for Personal Data Processing https://moodle.com/security-privacy/

1. Identify whether you process personal data and follow this guideline. Personal data
   includes any information that can be linked to an individual and used to directly or indirectly
   identify them (e.g., name, personal identification number, phone number, credit card
   number, photo, etc.).
2. Privacy is a fundamental right. Handle personal data carefully, regardless of whether it is
   processed electronically, verbally, or on paper. Protect information from unauthorized
   access and be particularly cautious when processing confidential personal data (e.g.,
   sensitive data such as health information).
3. Always process personal data within the original system whenever possible. Avoid
   unnecessary transfers outside the original system (e.g., to Excel spreadsheets). Processing
   personal data within the original system ensures that data processing logs are maintained.
4. Plan the entire lifecycle of personal data processing (collection, use, modification,
   deletion) before starting data collection and document the process.
5. Minimize data collection. Only collect and store the necessary personal data (e.g., avoid
   unnecessary processing of personal identification numbers).
6. Inform individuals whose data is collected before processing begins. The law strictly
   defines what must be communicated to data subjects.
7. Process personal data only for its intended purpose. Personal data processing must
   always have a predefined legal basis and purpose.
8. Delete unnecessary or outdated personal data. Do not store personal data beyond its
   intended use. Follow internal data management policies regarding retention periods.
9. Store personal data securely. Keep physical documents in locked cabinets, use restricted
   access controls for digital files, and encrypt external storage devices. Only authorized
   personnel should have access to personal data.
10. Keep personal data up to date. Only accurate data is useful.
11. Transfer personal data securely. Always verify the recipient. If sending confidential or
    sensitive data via email, encrypt the message or attachment (never send passwords via
    email). Ensure that any transfers outside GloESDE Oy comply with data protection
    requirements.
12. Report any suspected data breaches immediately to mari.moisio@gloesde.com. Acting
    quickly minimizes risks and potential damages.
    Special Instructions
13. Handling Personal Data in Excel and Other Documents
    If processing confidential or sensitive personal data in Excel, Word, or other document formats
    outside the original system:

• Use only GloESDE Oy’s workstations or approved cloud services.
• Do not transfer personal data to personal devices or unauthorized cloud services.
• If sending confidential data via email, always encrypt the information.
• Use a VPN when accessing services remotely.

1. Encrypting Laptop Drives
   All GloESDE Oy’s laptops must be encrypted. Confidential data is stored on workstations, and
   proper security measures must be in place. IT services manage encryption centrally.
2. Transferring Personal Data Outside the EEA
   Personal data may only be transferred outside the European Economic Area (EEA) if:

• The European Commission has determined that the third country ensures an adequate level
  of protection, or
• A contract using EU Standard Contractual Clauses (SCCs) has been signed with the
  recipient.
  More information: European Commission – Data Transfers Outside the EU https://commission.europa.eu/law/law-topic/data-protection/data-transfers-outside-eu_en

1. Handling Personal Data by Service Providers
   If personal data is transferred to an external service provider (e.g., outsourcing or SaaS services), a
   data processing agreement (DPA) must be signed to ensure GDPR compliance.
2. You can also read about Gloesde homepage cookie policy from here https://gloesde.com/cookie-policy-eu/

For any questions regarding data protection, please contact:
Email: mari.moisio@gloesde.com
Phone: +358 (0)50 406 6966