Client Privacy Statement
Client Privacy Statement
Client privacy statement
General
This privacy statement explains key information on how Forvis Mazars in Finland collects and processes your personal data as part of services we deliver.
On occasion we may be acting as a data processor. In those circumstances we process your personal data in accordance with the instructions of the relevant data controller, rather than collecting personal data for our own purposes. Where this occurs, you should consult the privacy statement of relevant data controller.
Data controller
Forvis Mazars in Finland is the data controller for the personal data collected by and provided to us for our own purposes.
Collection of personal data
To enable us to deliver our services and fulfil our business objectives, we may collect your personal data from:
- You directly.
- Your employer or organisation with which you are associated and which has engaged us to provide them with services.
- Our group and network firms.
- Law enforcement or similar agencies.
- Our suppliers.
- The public domain.
- Third parties you authorise us to obtain your personal data from.
We will always only collect the minimum personal data necessary to fulfil any specific objective. Where we ask to be provided with certain personal data and you are unable or unwilling to do so it may affect how we are able to interact with you. If this happens we will explain the potential impact to enable you to consider the next steps.
The personal data we process as a result of delivering our services varies depending on the services. In general, we collect the following categories of personal data:
Category | Examples |
Demographic | Name, email address, postal address, telephone number, contact preferences, jurisdiction. |
Business data | Company / employer name, financial information, business address, sector. |
Employment | Job title, employment duration, payroll-related data. |
Interests | Business and personal interests. |
Internet identifiers | IP addresses, cookies acceptance and information on interaction with our solutions, browser information. |
Marketing preferences | Choices in respect of direct marketing. |
Financial | Bank details, income / expenditure |
Special category | Health data, trade union membership. |
You may choose to provide us with additional personal data, including sensitive / special category personal data. If you choose to provide us with any sensitive / special category personal data, you agree we may process those personal data for the purpose of delivering the requested service or investigating and responding to your enquiry, as applicable in the circumstances.
Basis for processing and use of personal data
We may process your personal data on the following legal bases:
- Contract entry and performance: Where necessary we will use your personal data in order to take steps to enter into a contract for services with you or the company you represent. We may continue to use the data in order to perform our duties under a contract with you and to meet our business needs.
- Our legitimate interests: We process personal data in order to run our business, including managing our relationship with you, meeting and exercising our administrative, accounting, legal and corporate rights and obligations, maintaining and using our security systems and developing our business and services.
- Complying with legal requirements, regulations or a professional body of which we are a member of: We are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
- Consent: We may ask for your permission to use your personal data.
In the event we ask you to provide us with special category personal data we rely on the following bases for processing:
- Consent: We will generally seek your explicit consent to process your personal data. We will explain at the point of collection why these personal data are required and how we will use them.
- Exercise and defence of legal claims: If strictly necessary we will process your personal data for the purpose of establishing, exercising and defending legal claims.
- Vital interests: If necessary to protect your vital interests or those of others and you are unable to provide your consent, we may process your personal data to protect the relevant vital interests.
All personal data we process may be used by us in an anonymised form to assess and improve the services delivered and for our wider business development activities. We may also use the data for:
- Security, quality and risk management: Personal data may be processed in the context of maintaining security and within the scope of internal quality and risk analysis.
- Direct marketing: We may process personal data for direct marketing purposes to promote and develop our services and to provide you with information we think will be of interest to you. In all cases we will give you the opportunity to opt-out of our direct-marketing activities. Opt-out can be achieved by responding using the unsubscribe options contained within the information you have received or by contacting us.
Disclosures of personal data
On occasion we may transfer or disclose your personal data to other entities of the Forvis Mazars network (which consists of Forvis Mazars Group SC and its member firms, Forvis Mazars US and Forvis Mazars Global), or to third parties for any of the purposes listed above. Third parties include governmental and professional agencies and contracted parties who perform services on our behalf, such as web hosting providers, IT-providers, payment providers, customer relationship management providers.
When we disclose your personal data to third parties who perform services on our behalf, we ensure that such service providers use your data only in accordance with our instructions.
We may also disclose your personal data to third parties where we are required to do so by law, our regulators or for the purposes of, or in connection with any legal proceedings, or otherwise for the purpose of establishing, exercising or defending our legal rights.
We may share personal data with other Forvis Mazars network firms where necessary for administrative purposes and to provide professional services to our clients.
Owing to the global nature of our operations, we may transfer your personal data outside the European Economic Area (EEA) and United Kingdom to countries whose data protection laws may not be as extensive as those in these jurisdictions.
When we transfer data outside the EEA, UK or our jurisdiction, we will only transfer such personal data (i) to a country which the European Commission or Information Commissioner’s Officer (as applicable) considers to have adequate data protection laws; or (ii) where we have put in place an appropriate data transfer mechanism, such as Standard Contractual Clauses, to ensure that your personal data are adequately protected.
Should you make an enquiry through our website which concerns one of the Forvis Mazars network firms we may need to forward the request to them on your behalf.
We do not sell or rent your personal data for any purpose.
Data subject rights
You may exercise a number of rights over your data including:
- Accessing the personal data we hold about you.
- Asking us to correct any of your personal data we hold which are inaccurate.
- Request to have your personal data deleted.
- Withdraw consent to our processing of your personal data (where we process your personal data based on consent).
- Put in place restrictions on our processing of your personal data.
- Objecting to our processing of your personal data.
- Asking us to transfer your data to another controller (data portability).
We will handle all exercise of your data subject rights in accordance with the requirements of applicable privacy law. Should you wish to exercise any of your data subject rights or have any questions about this statement please contact us (details in ‘Contact’ section below).
If you are dissatisfied with the way we have handled your personal data and we are unable to resolve the issue for you, you may take the matter to the Data Protection Ombudsman. Further details can be found via their website at https://tietosuoja.fi/en/home.
Duration of processing
We will hold your personal data on our systems for the longest of the following periods: (i) as long as is necessary for the purpose of which it was collected; (ii) any retention period that is required by law; or (iii) the end of the liability period in which litigation or investigations might arise in respect of our services.
After the applicable retention period(s) have expired, personal data will be deleted or anonymized.
Californian personal data
This section applies specifically to individuals located in California.
Under the California Consumer Privacy Act, residents of California are provided with certain rights regarding their personal information:
1. The right to know, by way of our privacy statement and any specific inquiries you direct to us, the categories of personal information we collect from you, the source(s) of your personal information, what we use that information for, whether it is being disclosed or sold, and if so, to whom;
2. The right to “opt-out” of the sale of your personal information to any third parties;
3. The right to request we stop sharing your personal information with third parties;
4. The right, with some exceptions, to have your personal information deleted from our possession or control;
5. The right to correct inaccuracies in your personal information; and
6. The right to receive equal service and pricing from us, even if you exercise any of your privacy rights.
For all California residents, any such enquiries shall be responded to within forty-five (45) days and at no cost to you. We must verify your identity with respect to such inquiries. Depending on the nature of the personal information at issue, we may require additional measures or information from you as part of that verification.
California Civil Code Section 1798.83 permits California residents who use our website to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. Please note, we do not and will not sell personal information about California residents.
For California residents under age 18 who have publicly posted content or information, you may request and obtain removal of such content or information pursuant to California Business and Professions Code Section 22581, provided you are registered user of any website where this statement is posted. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that the law may not require or allow removal in all instances, even if requested.
To contact us to exercise any of the California rights listed above, please use the contact details at the end of this notice.
The following information applies to all personal data, irrespective of the applicable laws.
Data security
We ensure appropriate technical and organisational controls are in place to protect your personal data from loss, misuse, alteration and unintentional destruction, such as the use of anti-virus, firewalls, secure servers, hard disk encryption software, password protection, physical access controls, two-factor authentication, intrusion and anomaly detection.
Our personnel who have access to your personal data have been trained to maintain the confidentiality of such data. They will only be granted access to your personal data to the extent that they need this information to perform their duties properly. The persons who can consult your data are also bound by strict professional discretion.
Conditions to protect personal data to at least the same standard as we do are cascaded to all our contractors, (sub) processors and suppliers.
Regular monitoring and testing of our security defences is carried out to ensure they continue to be effective against the latest threats.
Data transferred over the internet by us are protected using encryption technologies. No transaction carried out over the internet can ever be guaranteed to be secure.
Contact
Should you have any questions or concerns about this statement, or how we use your personal data, please contact us contact.fi@forvismazars.com.
Changes to this privacy statement
This privacy statement was last updated in July 2025. We may amend it from time to time. Any changes will be published on this page and we recommend you check here regularly to ensure you remain aware of how we process your personal data.