GDPR Statement of GloESDE Oy (VAT FI34832446)
Data Protection and Processing of Personal Data
GloESDE Oy processes personal data of students, staff, stakeholders, and customers, as well as
research data that may contain personal information. Personal data includes any information that
can directly or indirectly identify an individual.
Data Protection Legislation
The EU General Data Protection Regulation (GDPR) is directly applicable legislation across the
entire European Union and applies to all processing of personal data.
- What is personal data? | Data Protection Ombudsman’s Office (https://tietosuoja.fi/en/home)
- EU General Data Protection Regulation (EU 2016/679) | Regulation – 2016/679 – EN –
GDPR – EUR-Lex https://eur-lex.europa.eu/ - National Data Protection Act (1050/2018) – Available in English on the official website.
Data Protection Policy
The GloESDE Oy Board has approved the data protection policy on February 23, 2025. The data
protection policy defines the key principles, responsibilities, and operational procedures that
GloESDE Oy follows in handling personal data. To ensure compliance, additional guidelines and
codes of conduct are in place, forming a comprehensive framework together with the data
protection policy.
Personal data may only be processed when there is a legal basis. The objective is to ensure that
GloESDE Oy complies with the obligations imposed by the EU General Data Protection
Regulation (GDPR), national legislation, and other applicable laws related to personal data
processing, and that compliance can be demonstrated through documentation.
GloESDE Oy processes personal data in various tasks, including learning environments, where
personal data is processed to facilitate work tasks, enable student learning, and maintain access
rights and information security. Personal data is also used for GloESDE Oy’s marketing
purposes, but is not disclosed to third parties except in connection with outsourced service
providers (such as Moodle). This document contains links to the relevant materials where each
subcontractor’s terms and conditions are detailed.
General Data Protection Guidelines
This guideline summarizes the key considerations for personal data processing and security. The
purpose is to facilitate the application of the EU General Data Protection Regulation (GDPR) in
data processing. - European Commission: Rules for the protection of personal data inside and outside the
EU. - EU Agency for Fundamental Rights: Handbook on European Data Protection Law – 2018
Edition https://fra.europa.eu/en
- Data Controller
GloESDE Oy, Tykkitienkatu 4 A 12, 33300 Tampere, Finland
Email: mari.moisio@gloesde.com - Contact Person for Data Protection Matters
CEO Mari Moisio, +358 (0)50 406 6966 - Purposes of Personal Data Processing
GloESDE Oy processes personal data for the following purposes:
- Provision and management of training services
- Customer relationship management and development
- Marketing communications
- Website development and analytics
- Processed Personal Data
GloESDE Oy processes the following personal data:
- Training Platform: Name, email address, address, phone number, date of birth, industry,
market area, country of operation, company name (if applicable), VAT number (if
applicable), billing address, general sustainability-related questions. - HubSpot CRM: Basic customer information (name, contact details), purchase history,
marketing-related data. - Website Contact Form: Name, email address, message.
- Newsletter Subscription: Name, email address.
- Google Analytics: Website usage data (e.g., IP address, browsing history, browser details).
- Data Retention Periods
GloESDE Oy retains personal data only for as long as necessary to fulfill the above-mentioned
purposes, subject to the following limitations:
Legal Basis for Processing (GDPR Article 6)
Purpose of Processing Legal Basis (GDPR Article 6)
Event Registration Contract or Consent
Customer Management (CRM) Legitimate Interest
Training Platform (Moodle) Contract
Marketing Communications Consent
Analytics (Google Analytics, Cookies) Consent
Information Security and Access Control Legal Obligation
Personal Data Retention Periods
Data Type Retention Period
Event Registration Data Deleted 6 months after the event
Student Data (Moodle) Retained for 3 years after study completion
CRM Customer Data Retained for 2 years after the last customer interaction
Marketing Lists Retained until the user withdraws consent
Analytics Data (Google Analytics) Retained for 26 months
- Data Disclosure
GloESDE Oy does not disclose personal data to third parties, except in the following cases:
- To fulfill legal obligations
- At the request of authorities
- To subcontractors who process data on behalf of GloESDE Oy (Moodle, HubSpot,
MailerLite, Paytrail)
GloESDE Oy processes personal data in accordance with the EU General Data Protection
Regulation (GDPR) and only uses service providers who declare compliance with GDPR. Personal
data is processed according to the defined purposes of GloESDE Oy. However, GloESDE Oy is not
responsible for the privacy policies or data storage locations of third parties. The privacy policies of
service providers are available on their respective websites (see links below).
- Data Security
GloESDE Oy has implemented appropriate technical and organizational measures to protect
personal data from unauthorized access, disclosure, loss, and destruction. - Data Subject Rights
Data subjects can exercise their rights by contacting the GloESDE Oy Data Protection Officer:
Email: mari.moisio@gloesde.com
Phone: +358 (0)50-406 6966
How Requests Are Processed
- Right to Access: Upon request, you will receive a copy of your personal data within 30 days.
- Right to Rectification: If your data is incorrect, you may request its update.
- Right to Erasure (”Right to be Forgotten”): We delete your data in accordance with legal
obligations. - Right to Object to Processing: You can withdraw consent for marketing communications or
cookie usage at any time. - Right to Restrict Processing: If the legal basis for processing is disputed, data usage may be
temporarily suspended. - Right to Data Portability: If you wish to transfer your data, you can request it in a commonly
used format.
- Cookies and User Consent
GloESDE Oy’s website uses cookies for website analytics and to improve the user experience. The
following cookies are used:
- Google Analytics Cookies: How Google Uses Cookies – Privacy & Terms – Google
- Functional Cookies
- Yoast SEO Cookies: Yoast and Your Privacy (GDPR) • Yoast
Users can manage cookie preferences in their browser settings.
Cookies are used on the website to enhance user experience and analytics. Users have the right to: - Accept or decline cookies immediately on the website.
- Modify or withdraw their consent later via cookie settings.
You can manage your cookie consent at any time through the website’s cookie settings or
browser settings.
- Changes to the Privacy Statement
GloESDE Oy may update this privacy statement as necessary.
Cookie Policy and Consent
GloESDE Oy’s website uses cookies for website analytics and user experience improvement. By
using the website, you accept the use of cookies. You can manage cookie settings in your browser.
Additional Information:
- Paytrail Data Privacy Notice | Paytrail https://www.paytrail.com/en/data-privacy-notice
- HubSpot Data Privacy Resources (hubspot.com) https://knowledge.hubspot.com/privacy-and-consent/gdpr-resources?hubs_content=knowledge.hubspot.com/fi/privacy-and-consent/gdpr-resources&hubs_content-cta=English
- MailerLite How MailerLite Stays GDPR-Compliant – MailerLite https://www.mailerlite.com/gdpr-compliance
- Moodle Security and Privacy – Moodle – Learning Management System
Data Protection and Security Guidelines for Personal Data Processing https://moodle.com/security-privacy/
- Identify whether you process personal data and follow this guideline. Personal data
includes any information that can be linked to an individual and used to directly or indirectly
identify them (e.g., name, personal identification number, phone number, credit card
number, photo, etc.). - Privacy is a fundamental right. Handle personal data carefully, regardless of whether it is
processed electronically, verbally, or on paper. Protect information from unauthorized
access and be particularly cautious when processing confidential personal data (e.g.,
sensitive data such as health information). - Always process personal data within the original system whenever possible. Avoid
unnecessary transfers outside the original system (e.g., to Excel spreadsheets). Processing
personal data within the original system ensures that data processing logs are maintained. - Plan the entire lifecycle of personal data processing (collection, use, modification,
deletion) before starting data collection and document the process. - Minimize data collection. Only collect and store the necessary personal data (e.g., avoid
unnecessary processing of personal identification numbers). - Inform individuals whose data is collected before processing begins. The law strictly
defines what must be communicated to data subjects. - Process personal data only for its intended purpose. Personal data processing must
always have a predefined legal basis and purpose. - Delete unnecessary or outdated personal data. Do not store personal data beyond its
intended use. Follow internal data management policies regarding retention periods. - Store personal data securely. Keep physical documents in locked cabinets, use restricted
access controls for digital files, and encrypt external storage devices. Only authorized
personnel should have access to personal data. - Keep personal data up to date. Only accurate data is useful.
- Transfer personal data securely. Always verify the recipient. If sending confidential or
sensitive data via email, encrypt the message or attachment (never send passwords via
email). Ensure that any transfers outside GloESDE Oy comply with data protection
requirements. - Report any suspected data breaches immediately to mari.moisio@gloesde.com. Acting
quickly minimizes risks and potential damages.
Special Instructions - Handling Personal Data in Excel and Other Documents
If processing confidential or sensitive personal data in Excel, Word, or other document formats
outside the original system:
- Use only GloESDE Oy’s workstations or approved cloud services.
- Do not transfer personal data to personal devices or unauthorized cloud services.
- If sending confidential data via email, always encrypt the information.
- Use a VPN when accessing services remotely.
- Encrypting Laptop Drives
All GloESDE Oy’s laptops must be encrypted. Confidential data is stored on workstations, and
proper security measures must be in place. IT services manage encryption centrally. - Transferring Personal Data Outside the EEA
Personal data may only be transferred outside the European Economic Area (EEA) if:
- The European Commission has determined that the third country ensures an adequate level
of protection, or - A contract using EU Standard Contractual Clauses (SCCs) has been signed with the
recipient.
More information: European Commission – Data Transfers Outside the EU https://commission.europa.eu/law/law-topic/data-protection/data-transfers-outside-eu_en
- Handling Personal Data by Service Providers
If personal data is transferred to an external service provider (e.g., outsourcing or SaaS services), a
data processing agreement (DPA) must be signed to ensure GDPR compliance. - You can also read about Gloesde homepage cookie policy from here https://gloesde.com/cookie-policy-eu/
For any questions regarding data protection, please contact:
Email: mari.moisio@gloesde.com
Phone: +358 (0)50 406 6966