Gofore General Privacy Notice

DATA CONTROLLER

Joint controllership of Gofore Plc, Gofore Lead Oy, Gofore Verify Oy, Gofore Drive Oy, Creanex Oy, Rebase Consulting Oy, Sleek Oy, Gofore Estonia OÜ, Gofore Spain SL, Gofore Germany GmbH, eMundo GmBH and eMundo GmbH Austria (jointly, “Gofore”).

Gofore Plc (Business ID 1710128-9, Kalevantie 2, 33100 Tampere)

Gofore Lead Oy (Business ID 1906590-4, Urho Kekkosen katu 7 B 00100 Helsinki)

Gofore Verify Oy (Business ID 2384333-4, Urho Kekkosen katu 7 B 00100 Helsinki)

Gofore Drive Oy (Business ID 2616184-9, Vapaaherrantie 2, 40100 Jyväskylä)

Creanex Oy (Business ID 1818868-9, Rieväkatu 14, 33540 Tampere)

Rebase Consulting Oy (Business ID 3125035-2, Lönnrotinkatu 5, 00120 Helsinki)

Sleek Oy (Business ID 3266908-3, Kalevantie 2, 33100 Tampere)

Gofore Estonia OÜ (Registration number 14628239, Maakri 19/1, 10145, Tallinn, Estonia)

Gofore Spain SL (Registration number B87954749, entro de Empresas UPM Parque Científico y Tecnológico UPM Campus de Montegancedo s/n 28223 Pozuelo de Alarcón, Madrid, Spain)

Gofore Germany GmbH (Registration number HRB 238568, Balanstraße 71a, 81541, Munich, Germany)

eMundo GmbH Germany (Registration number HRB 130424, Hofmannstrasse 25-27, Munich, Bavaria 81379, Germany)

Gofore GmbH Austria (Registration number FN 427301i, Innsbrucker Bundesstraße 71, 5020 Salzburg, Austria)

CONTACT US IN PRIVACY MATTERS

Regardless of which of the above-mentioned companies is the data controller, you can always be in touch through privacy@gofore.com.

GENERAL DESCRIPTION OF OUR DATA PROTECTION PRACTICES

Gofore processes personal data in accordance with applicable legislation, including the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), and this privacy notice.

We take into account the requirements set forth in the data protection legislation in all our business activities and we expect and require the same from our subcontractors and other business partners.

We provide orientation and training for our employees regarding the requirements and guidelines for privacy so that they know how to perform accordingly.

Gofore group companies have joint information systems, processes and service provider for which they act as joint controllers.

WHAT PERSONAL DATA WE PROCESS AND FOR WHAT PURPOSE?

We process the following personal data solely for predefined purposes described below. These purposes are, for example, taking care of customer and partner relationships, marketing, sales and filling our legal obligations.

Customers and business partners

If you are our customer or business partner, we may process the following personal data relevant and ordinary for the purposes for which it is collected, such as:

• First name and surname, and contact details (email address, phone number)
• Organization information including contact details
• Role, areas of interest and services provided
• Information regarding the context, i.e. the agreements and roles between Gofore and business partner
• Other information provided to us (e.g. communications, customer feedback, registration to an event or other meetings and subscription and unsubscriptions to newsletter)

Collected data is used in order for us to manage customer and partnership relations as well as marketing, implementing and developing services and events of Gofore. In addition, we may process the data for purposes of invoicing and verifying the correctness of invoicing, administrational fees and expenses as well as preventing and investigating misuses or crimes. Subcontractor data is also processed in separate systems for the implementation of subcontracting and have their own privacy notice for which more detailed information on processing of personal data is provided.

The personal data is collected primarily within the context of governance and implementation of customer and partner relationship. Such data include also the information that the person chooses to provide us (e.g. when you sign up for an event organized by us or subscribe to our newsletter or when you visit our website). Read more about the cookies we use on our website from our Cookie Policy.

Stockholders, other investors and analysts

If you are a stockholder, other investor or an analyst, we process the data you personally or the community you represent or the national book-entry system have provided us:

• First name and surname
• Email
• Phone number
• Address
• Social security number or other identification number, nationality, number of stocks and voting power, number of book-entry account
• Information of notifications that are delivered to us regarding notable shares of ownership (notification of major holdings)

The information is used primarily for us to fill our legal obligations, such as administering the shareholder register. In addition, the information is used for communications between Gofore, its shareholders, other investors and analysts, in order for us to offer public information as a listed company and execute our legitimate interests. To learn more about how we handle personal information in connection with Gofore shareholder meetings, please go to our shareholder meeting website.

Personal information is being collected directly from shareholders, from the national book-entry system (Euroclear Finland) as well as from other investors and analysts or communities they represent.

Other contacts

If you are in contact with us, for example, to ask about our services, to sign up for an event organised by us, or to order our newsletter, we may process personal data relevant and ordinary for the purposes for which it is collected to the extent we have obtained such data from you:

• First name and surname
• Email address
• Telephone number
• Organisation name and contact details
• Country
• Role and contact details
• Other information you choose to provide us (e.g. web address of LinkedIn profile)

Collected data is used in order for us to process your contact or request as well as keep in contact with you. In addition, the information is used for marketing, executing and developing the services and events of Gofore.

The personal data collected consists primarily of the information that you choose to provide us. In addition, data may consist information about your use of our website through cookies.

WHAT ARE THE GROUNDS FOR PROCESSING PERSONAL DATA?

When we process personal data for the purposes described above, our processing is primarily based on a legitimate interest of Gofore. Legitime interest is mainly the implementation of a contract between Gofore and the company you represent, customer relationship or other relevant relationship. Legitimate interest also applies when the processing of data is done for purposes of marketing and customer acquisition, handling and developing customer relations, as well as other legitimate, business-related actions such as developing services or preemptive measures or investigation of malpractice.

In addition to or instead of the above, in some cases the processing may be based on a consent given to us by you (e.g. when you subscribe to our newsletter or register to our event in our system) or an obligation based on law or other legal matter.

Delivering personal information in the way this privacy notice describes may be based on the mutual agreement between you or the company you represent. Entering an agreement or providing services requires you or the company you represent to deliver certain personal information. Failure in providing the information may lead to Gofore’s inability to fill contractual or other requirements or commitments. Processing personal data may also be compulsory to, for example, deliver communications you have asked for or participate in our events.

FOR HOW LONG DO WE PROCESS PERSONAL DATA?

We process personal data for only as long as required or entitled by applicable legislation. The length of storing the data, therefore, depends on the type of the data and the reason it is used for. Gofore stores personal data at least as long as it is necessary to fill the purpose of processing, for example for filling contractual requirements or for administering the contractual relationship between Gofore and customer.

The length of storing the data is based on the following criteria:

• Personal information is being stored as long as the legitimate interest of Gofore is reasonably applicable. It is defined, for example, based on the communications between Gofore and the one registered. The length of storing personal data for customers and partners is defined based on the agreement between the one registered or the company they represent and Gofore.
• If processing data is based on consent, personal information will be deleted when the one registered cancels the consent they have given
• The length of storing the data may also be based on legislation. For example, book-keeping legislation requires book-keeping material to be stored for six years, and, for example, shareholder information is being stored as long as listed company legislation requires.

We review the necessity of the data stored on a regular basis and erase any data when it no longer needed for the purposes mentioned above in this privacy notice.

YOUR RIGHTS

Gofore acts diligently to ensure that you are able to exercise your rights regarding the processing of your personal data. Please note that your rights depend on the legal grounds of handling information and using your rights require verifying your identit. Within the limits of applicable legislation, you have a right to

• access to your personal data. You may request Gofore to confirm whether we process your personal data, and a copy of your personal data possibly processed by us, by sending us such request at the email address mentioned above in this privacy notice;
• rectification and/or erasure of the data. You may request us to correct your personal data that is erroneous or inaccurate, and further, you may request us to erase your personal data. You can exercise these rights by sending us such request at the email address mentioned above in this privacy notice;
• restrict the processing of your personal data. In certain situations, you may request us to restrict the processing of your personal data by sending us such request at the email address mentioned above in this privacy notice;
• object to the processing of your personal data. You may object to certain processing of your personal data if the processing is based on a legitimate interest of Gofore (e.g. use of your personal data for marketing purposes) by sending us such request at the email address mentioned above in this privacy notice.
• data portability. You may request us to provide you with your data in a structured, commonly used and machinereadable format so that you can transmit your data to another controller by sending us such request at the email address mentioned above in this privacy notice. This right concerns personal data in an electronic format, the processing of which is based on either consent given by you or performance of a contract;
• withdraw your consent. Where the processing is based on a consent given by you, you may withdraw such consent at any time by sending us such request at the email address mentioned above in this privacy notice;
• be informed of the essential elements of the arrangement between joint controllers. You can exercise your rights by sending a request to the address mentioned in this privacy notice; and
• file a complaint with a supervisory authority. If you wish to file a complaint as to how we process your personal data, according to the GDPR, you have a right to file a complaint with the supervisory authority in the member state where you live or work or where an alleged breach of the GDPR has occurred. In Finland, the Data Protection Ombudsman acts as the respective supervisory authority (www.tietosuoja.fi).

PROTECTION OF PERSONAL DATA

Information security and protection of personal data has been organised in accordance with generally accepted and up-to-date practices in the sector in a way that personal data is protected from unauthorised access and processing as well as against unlawful and accidental destruction, loss and corruption. In addition, Gofore constantly improves practices in order to protect data. Information security and related risk management are based on the governance system and related information security policy. The information security policy of Gofore and it´s group companies is in compliance, or corresponds, with the ISO/IEC 27002:2013 standards. For more information on Gofore’s data protection practices, please visit gofore.com/tietoturvapolitiikka/.

Responsibility for the maintenance of information security operations and processing of any deviations lies with an information security group that is being managed by the leader of that information security group.

We process personal data as confidential information and all our users are committed to confidentiality and comply with our guidelines on data protection and information security. Access management of confidential information has been organised through a centralised or system-specific user directory. Only named persons may grant an access and user rights to a data system, provided that the person requesting for an access has been identified and that the person’s need for access to confidential information has been verified. Gofore assesses and reviews access and user rights on a regular basis.

If we outsource processing of personal data to third parties, we make agreements with such third parties as required by the data protection legislation in order for us to ensure that the processing of personal data complies with this privacy note as well as applicable laws, regulations and orders issued by relevant authorities.

TRANSFER OF DATA

We use third-party data systems and services when processing personal data, which means that the third party processes the personal data for us. Examples of such third parties are Microsoft, Oracle, Salesforce and Hubspot. Some of our data processors are outside of the EU or EEA, in which cases we ensure by contracts that the transfer occurs in accordance with the applicable data protection legislation. Data transfers related to these contracts are based on standard clauses approved by the EU Commission or other appropriate safeguards.

Gofore and its subsidiaries are located in the member states of the EU. If the purpose of the processing of personal data requires transfer of data between Gofore and its subsidiary, we may share personal data within the Gofore group in which case, likewise, we will ensure that the processing of personal data complies with the applicable data protection legislation and this privacy notice. If you want additional information on cross-border transfers of personal data or protective measures used in them, please send a request to the address mentioned in the beginning of this privacy notice.

We may deliver limited amount of contact information of our customers to our partners and vice versa, if it is needed in order to offer services, communications or cooperation.

We may deliver personal information within the limits of effective legislation and/or obliged by legislation in cases of, for example, legal reasons, to prepare for legal proceedings or to defend against legal claims. In addition, we may deliver personal data to collection agencies for purposes of collecting receivables, and other service providers within the limits it is required to execute the task.

In case of us selling our business or part of it, or in case we make other corporate restructurings, we may deliver personal information to buyer candidates or their advisors, within the limits of applicable legislation.

UPDATES TO THIS PRIVACY NOTICE

We update this privacy notice when there are changes in the processing of personal data or in the applicable laws of which we need to inform you. In addition, we may update this privacy notice when we develop our website, services or business activities. The most recent version of the privacy notice is available at this website.