Privacy policy for Retta Oy’s customer register 

Retta Oy produces real estate management and expert services for its customers using the Retta Management auxiliary business name. This document refers to the service provider as Retta Management.  

Retta Management’s business operations require that the company collect certain personal data concerning its customers. In such cases, Retta Management serves as the data controller defined in data protection legislation. The purpose of this document is to inform data subjects about the processing of their personal data. 

When acting on behalf of its customers, Retta Management is a personal data processor as defined in data protection legislation, for example, with regard to the housing companies it hosts, housing leasing and the customer service it provides to its customers on the basis of a service agreement. In these cases, the data controller is a customer of Retta Management (housing company/real estate company/lessor/other customer). In this regard, any data protection requests and enquiries of data subjects should be addressed to the relevant data controller.  

CONTROLLER: Retta Oy (Business ID FI3434128-4) 

What personal data does Retta Management process and for what purpose? 

Customer register 

Retta Management maintains a register of personal customer data to manage the contractual relationship between Retta and the customer and to provide services. In this case, the processing of personal data is based on the contract between Retta Management and the customer.  

The customer registers include the names, email addresses and telephone numbers of each customer’s contact persons and representatives, as well as their position in the customer company. The register may also contain other information necessary to identify the customer, such as information related to the verification of the identity of the company’s representative, as well as information about the company’s board members, authorised signatories and beneficial owners, as well as reports on sanctions or PEPs. The information listed in the Money Laundering Act must be collected and stored as part of due diligence insofar as Retta is subject to the reporting obligation referred to in the Money Laundering Act (provision of business, accounting and brokering services to customers). 

User profiles of registered users of the OmaRetta service are also stored in the customer register. The user profile may include the person’s name, telephone number, address, name of the housing or real estate company and apartment identifier, email address, IP address, personal identity code, bank account number and possibly a profile photograph of the person. In addition, the service contains other information entered into or added to the service by the user themselves. Separate terms of use have been drawn up for the OmaRetta service, and these provide more detailed information, such as various kinds of data collected for the development of services. 

Brokerage records and registers of rental housing applicants/potential tenants 

Retta Management engages in residential rental and real estate brokerage operations. The management of brokerage assignments and the laws regulating brokerage operations (including the Act on Detecting and Preventing Money Laundering and Terrorist Financing) require the collection and processing of certain personal data. This data is included in brokerage assignment registers.   

Rental housing applicants are included in Retta Management’s rent applicant register.  In such cases, the processing of personal data is based on the contractual relationship between the customer and Retta Management as well as statutory obligations in regards to the brokerage records. 

The following information may be collected from landlords and tenant applicants as well as sellers, buyers and buyer candidates: 

Name, date of birth, personal identity code, address, previous address, telephone number, email address, preferred language, nationality, information about political influence (politically exposed person, PEP), whether the customer is subject to international sanctions, whether the customer is on the national list of sanctions (public list maintained by the NBI), identification information about or a copy of the document used for identity verification, information about guardianship or supervision of interests, other information included in the agreement concerning the assignment, information about the brokered property, name of employer or educational institution, profession, length of employment relationship, form of household and information on the people moving into the apartment (name, email and phone), information about any pets, income information, other information included in the application for a rental apartment, credit history information, information related to the purchase offer and its approval, information contained in the rental agreement or the deed, information about rental collateral, statement on the origin of funds, and any other information provided by the customer that is necessary to complete the brokerage assignment. 

People who have filed an application for a rental apartment may be sent information about apartments that meet their criteria by email for three months from the date of application. In such cases, the processing is based on Retta Management’s legitimate interest. The data subject will always have the right to refuse such contact, if they so wish. 

Brokerage assignment registers also include personal data related to the brokered property, such as the names of, and possibly contact information for, the limited liability housing company’s property manager and board members. In such cases, the processing of personal data is based on statutory obligations.  

Assignment Register for the Evaluation and Consulting Service 

When handling assignments, Retta Management processes, for example, the name and contact information of the client or their representative, as well as the personal identity code, insofar as strong identification is also necessary. In addition, we process personal data contained in the property manager’s certificate of the location. With regard to the assignment register of the evaluation and consulting service, the basis for processing personal data is the implementation of the contract.  

How does Retta Management obtain personal data? 

Data is mainly collected from data subjects. Data may also be collected from sources related to the authorities, such as the Trade Register. In addition, information concerning company contact persons is obtained from public sources, such as corporate websites.  

Personal data related to brokerage assignments is mainly obtained from the people concerned. Clients provide personal data when entering into an agreement on an assignment. Personal data concerning tenants is obtained from their applications. Personal information concerning buyers is obtained from their purchase offer or when preparing the deed. In addition, information concerning brokered properties is obtained, for example, from representatives of limited liability housing companies (e.g. a property manager’s certificate, financial statement information) or from registers maintained by the authorities (e.g. land register). The credit history of an applicant for a rental apartment is obtained from the registers of third-party service providers (e.g. Suomen Asiakastieto Oy).  

Retta Management does not carry out profiling or automated decision making on the basis of personal data (except for automated decision making in respect of apartments rented entirely electronically, based on the applicant’s credit information, sanctions list checks and verification of whether the person is of legal age). 

Data processors and disclosure to third parties  

Personal data may be disclosed within the Retta Group for business development purposes.  

Retta Management uses various service providers and thus personal data processors when providing services to its customers, such as our customer relationship management and sales system. 

Personal data may also be disclosed to debt collection agencies. Data may also be disclosed to the authorities as required by law. 

Data contained in brokerage assignment registers may be disclosed to the authorities supervising brokerage operations (Regional State Administrative Agencies) or other authorities (e.g. information about the selection of tenants to the Housing Finance and Development Centre of Finland or a transfer tax report to the Finnish Tax Administration) as required by law. The management of brokerage assignments requires the disclosure of data to the counterparty of the assignment. For example, personal data concerning applicants for rental apartments must be disclosed to the lessor for them to select a tenant, and personal data concerning a potential buyer who has made a purchase offer must be disclosed to the seller for them to make a decision. 

Data is not disclosed to parties outside the European Union or the European Economic Area. 

How long is personal data stored? 

The personal data contained in the customer registers is stored over the duration of the contractual relationship. After the termination of the contractual relationship, personal data is stored for as long as necessary in accordance with the applicable laws, or for as long as necessary because of any legal procedures. 

Offers received, including related personal data, are stored for as long as necessary for the competitive bidding process, which is no longer than two years. 

Legislation requires us retain the personal data required for brokerage records and the Money Laundering Act for customer due diligence for five (5) years from the termination of the assignment/contract. 

How is the data protected? 

The data is protected by means of appropriate technical and organisational measures. Paper documents are stored in a locked facility. Digital material is protected through technical measures, and access rights are only granted to people who need to access the material because of their job or assignment. Retta Management’s employees are under a confidentiality obligation. Employees are provided with training and instructions on the lawful processing of personal data. 

Processors of personal data are required to implement adequate technical and organisational protection measures, as well as a commitment to confidentiality. 

What are the data subject’s rights? 

Data subjects have the right to know whether a data controller is processing personal data concerning them. If the data controller processes such personal data, the data subject has the right to receive a copy of the personal data concerning them. If the personal data is deficient, erroneous, inaccurate or outdated, the data subject has the right to request that the data controller correct the data. 

If the processing of personal data is based on the data subject’s consent or a contractual relationship, the data subject has the right to receive the personal data concerning them in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. This right only applies to personal data that the data subject has provided to the data controller and that is processed automatically. 

In certain circumstances, the data subject has the right to restrict the processing of their personal data. This is the case when, for example, the accuracy of personal data is contested by the data subject. In such cases, processing will be restricted until it has been confirmed that the data is accurate and its processing is lawful. 

The data subject has the right to request that the personal data concerning them be erased. This right is only applicable when the personal data is no longer needed for the purposes for which it was collected, there are no other legal grounds for its processing and it does not need to be stored to meet the requirements of the law. In other words, data cannot be erased while there is a valid legal basis for its storage. 

If the processing of personal data is only based on the data subject’s consent, they have the right to withdraw their consent at any time. In addition, the data subject has the right to object to the processing of their personal data if its processing is based on the data controller’s legitimate interest. 

The data subject has the right to file a complaint with the Data Protection Ombudsman( if the data subject believes that the data controller fails to meet their obligations or otherwise fails to comply with the applicable data protection laws. 

If you have any questions about personal data processing and data subjects’ rights, please contact us via email. We verify your identify before you submit your information. 

This privacy statement was last updated on 1 Juy 2024.