1. General

This privacy notice describes how Vendo Costa SL and the Vendo chain process the personal data of data subjects. Vendo Costa SL is owned by the nationwide Vendo real estate agency chain. Vendo Costa SL is responsible for steering and managing the Vendo chain.

This notice applies only to the data processing practices of Vendo Costa SL and the Vendo chain, or parties acting on our behalf. Our services may, however, contain links to third-party websites and social media services, but we cannot control the actions of such third parties, nor are we responsible for the privacy practices or content of these third-party services. We recommend that you review the privacy and data protection terms of those services.

This notice is a combined privacy policy and information document in accordance with the Data Protection Act and the European Union General Data Protection Regulation (2016/679/EU).

2. Contact details of the controller and the data protection officer:

Vendo Costa SL / Data Protection Officer
Calle Jaspe Benalmádena
29631 Spain

3. Legal basis for maintaining the register

Within the Vendo chain, the primary legal basis for processing is a contract, including the preparation and performance of the contract. The contractual basis is used to the extent that the collected personal data is needed in order to use Vendo Costa SL’s online services or the services of the Vendo chain.

The Vendo chain also uses the customer’s consent as a legal basis for processing, for example in Vendo’s property alert service (Asuntovahti).

Vendo Costa SL has a legitimate interest in processing customer data in situations where a person entered in the customer register places an assignment with an office belonging to the Vendo chain or is otherwise involved in such an assignment, for example as a party to a transaction, a bidder, a tenant, or an applicant submitting a rental application. The legitimate interest also covers customer data in situations where a person entered in the customer register uses other services offered by the Vendo chain, such as the property alert service.

Vendo Costa SL’s legitimate interest also forms the basis for processing customer data, for example to prevent and investigate fraud or misuse of the Vendo chain’s online services.

4. Processing of customer data within the Vendo chain

Customers of the Vendo chain who are a party to an assignment or who use a service provided by Vendo Costa SL or the Vendo chain are in a customer relationship with Vendo Costa SL. As the controller of the Vendo chain’s customer data, Vendo Costa SL bears the primary responsibility for processing customer data with respect to the software systems in which Vendo Costa SL obliges and/or instructs offices to store customer register data.

For individual assignments (such as the sale/letting of a property) and individual customers (for example, a visitor at a property viewing), Vendo offices also use customer registers other than those that Vendo Costa SL obliges and/or instructs. In these registers, companies store data of both Vendo chain customers and the office’s own customers.

Example of a Vendo chain customer register maintained by an office: archiving of the assignment and related documents.

Example of a register of the office’s own customers: a customer does not want the Vendo chain’s Property Alert (Asuntovahti) but leaves their contact details with the office, which will notify the customer when a suitable property becomes available.

For these other customer registers, the office itself acts as the controller.

5. Purposes of processing personal and customer data and the use of the register

Vendo Costa SL and the Vendo chain process personal and customer data for the handling, administration, analysis, and development of appropriate contacts based on a customer relationship or a comparable relationship. This includes customer communications in various forms, including electronically.

Personal and customer data may also be processed by companies belonging to the Vendo chain and by companies belonging to the same group or financial affiliation as Vendo Costa SL. In such cases, the purpose may be marketing (including direct marketing) as well as various market and opinion surveys. Marketing and surveys may also be carried out electronically. In marketing, the customer profile may also use information obtained from a third party outside the register.

6. Collection of personal and customer data and ensuring data accuracy

As a rule, personal data is collected from the individual themselves via a form, directly into a system, by email, by phone, via a mobile application, or in another similar manner.

Through the operations of companies belonging to the Vendo chain in the ways described above.

Using cookies or other similar technologies from the data subject’s terminal devices.

From other registers of companies belonging to the same group or the same financial affiliation as Vendo Costa SL.

From the Population Information System (VRK), Posti’s address information system, and other similar private and public registers.

Data accuracy is generally ensured by the same measures through which the personal data was originally collected. Data may also be updated from other registers of companies belonging to the same group or financial affiliation as Vendo Costa SL. Data may also be updated from companies and authorities providing services related to personal data.

If the customer relationship or comparable relationship is not active but the customer data has not been deleted, the personal data will be checked when that relationship becomes active again. More information about the schedule for deleting customer data is provided in Section 9, Retention period.

7. Contents of the customer register

The customer register may contain data belonging to the following categories:

a) Basic information:
– Name
– Personal identity code
– Contact details (address, phone number, email address, etc.)
– Language
– Nationality
– When representing a company or similar entity, information concerning the data subject’s position/role

b) Assignment information, when an assignment has been made with Vendo:
– Start date and period of validity of the contract
– Content and terms of the assignment, for example marketing agreements, sales price or rent and related additional information, brokerage fee
– Information concerning the assignment object, for example ownership relationship, method and date of acquisition, possible use as a permanent residence, possible use as a shared home, information concerning a possible tenant and tenancy
– Measures taken during the handling of the assignment, such as arranged viewings, received bids or rental applications and their contents (e.g., the bidder and the bid terms, or the applicant and application details)
– Information concerning the completion of the assignment (sale, lease) (e.g., names and contact details of sellers and buyers or landlords and tenants, subject of the agreement, purchase price or rent, other contract terms, final brokerage fee)

c) Other information:
– Start and end information of the customer relationship or comparable relationship
– Register details concerning the Vendo chain’s electronic services, such as username and password
– Cookies sent to the browsers of customers’ devices and related information, as well as technical information sent by the customer’s device (e.g., browser, browser version, IP address)
– Interests and other information provided by the customer themselves, for example for the Property Alert service
– Other service event data
– Invoicing and debt collection data
– Complaints and feedback and related processing data
– Consent and prohibition information, such as direct marketing consent and opt-out
– Tenant credit information and other financial data for assessing ability to pay rent
– Communications and contact relating to the customer relationship or comparable relationship, including functions, possible call recordings

d) Information required by the Anti-Money Laundering Act:
Name, date of birth, and personal identity code
– Representative’s name, date of birth, and personal identity code
– Full name of the legal entity, registration number, registration date, and registration authority
– Full names, dates of birth, and nationalities of the members of the board or corresponding decision-making body of the legal entity
– Line of business of the legal entity
– Name, date of birth, and personal identity code of the beneficial owners
– Name of the document used to verify identity, document number or other identifier and issuer, or a copy of the document; or, if the customer has been remotely identified, information on the procedure or sources used for verification
– Information about the customer’s activities, the nature and scope of business, financial position, grounds for using the transaction or service, and information on the origin of funds, as well as other necessary information obtained to know the customer as referred to in Section 4(1) of the Anti-Money Laundering Act
– Information related to establishing the origin of funds under Section 4(3) of the Anti-Money Laundering Act, and the necessary information obtained to fulfil enhanced due diligence related to a politically exposed person under Section 13
– For a foreign customer without a Finnish personal identity code, information on the customer’s nationality and travel document details
Change history of the data listed above

8. Requirements based on law or contract

Legislation governing real estate brokerage businesses, including the Act on Real Estate Brokerage Businesses and Rental Apartment Brokerage Businesses (1075/2000) and the Act on Intermediation of Real Estates and Rental Apartments (1074/2000), and the handling of assignments based on them, as well as clarifying customers’ own searches, require the storing, use, and retention of the data listed in Section 7, Contents of the customer register. Among other things, the brokerage business must keep an assignment diary in which, for each assignment, the related personal, object, and event data together with documents are recorded.

Pursuant to Chapter 3, Section 3 of the Act on Preventing Money Laundering and Terrorist Financing (444/2017), customer due diligence information and other personal data required under the Act is recorded, retained, and may be used to prevent, detect, and investigate money laundering and terrorist financing, and for bringing to investigation money laundering and terrorist financing and the offence through which the property or proceeds targeted by money laundering or terrorist financing have been obtained. Customer due diligence information or other personal data obtained solely for the purpose of preventing and detecting money laundering and terrorist financing is not used for a purpose incompatible with those purposes.

9. Retention period

Information and documents related to assignments, as well as related personal data, are generally retained for ten (10) years from the end of the assignment due to obligations and liability issues based on legislation and good brokerage practice related to the assignment.

Data processed under the Anti-Money Laundering Act is retained for five (5) years, unless continued retention of such data is necessary to safeguard a criminal investigation, pending court proceedings, or the rights of the controller or its employees. The need to continue retaining the data and documents will then be assessed no later than three (3) years after the previous assessment of the need for retention (Act on Preventing Money Laundering and Terrorist Financing, 444/2017, Section 4).

Other personal data is deleted once there is no longer a need to retain it. If the collection and retention of personal data has been based solely on the customer’s consent, the personal data will be deleted at the customer’s request.

10. Processors of customer data

In addition to Vendo Costa SL’s employees, customer data may be processed by Vendo’s employees in accordance with applicable data protection legislation. The processing of personal data may be partially outsourced to a third party, in which case contractual arrangements ensure that personal data is processed in accordance with applicable data protection legislation and otherwise appropriately.

11. Disclosure of data

The controller may disclose personal data within the limits permitted and required by applicable legislation, and for the performance of an agreement between the parties or where a relevant connection exists. Personal data may thus be disclosed, for example, to the Regional State Administrative Agency and other authorities, to the banks of the parties to a transaction in connection with the execution of a sale, and at various stages of the assignment to, among others, the property manager and the National Land Survey.

Data may be transferred or disclosed outside the European Union or the European Economic Area in ways permitted by law, if the data is transferred to a country where the European Commission has determined that the level of data protection is adequate, or where an adequate level of data protection can be ensured through contractual arrangements. Transfers outside the EU are kept to a minimum and, where possible, limited to data that is public in any case, such as information visible in a property listing on an Internet website. For example, a property may be marketed on Facebook or similar services. A customer may receive direct marketing via a separate email software (e.g., a CRM), and this software may be located outside the EU. A transfer outside the EU may also occur temporarily in connection with the use of various cloud services, such as OneDrive, iCloud, or Dropbox.

Data is disclosed to authorities in cases required by law.

In addition, the purchase price and other information concerning the subject of the transaction is disclosed to the Central Federation of Real Estate Agencies (KVKL) ry, where the data is stored to the extent required by KVKL’s price monitoring service (HSP) used by real estate agents. Data may be further disclosed from HSP to HSP’s customers. The privacy notice for that service can be found at: http://www.hintaseurantapalvelu.fi/tietosuoja

In connection with outsourcing the controller’s IT administration, personal data processing may also be carried out by the controller’s subcontractors, but only on behalf of the controller. Such subcontractors may include, for example, providers of real estate brokerage systems and marketing systems, as well as parties maintaining property listing portals.

Data may be disclosed to a partner selected by the Vendo chain or an office belonging to it for marketing purposes, provided that the marketing supports the purpose of the customer register.

Vendo Costa SL uses external service providers, for example, to provide and maintain information systems and software and to provide other data processing services. Vendo Costa SL transfers personal data to these external service providers so that they can perform the agreed tasks. Vendo Costa SL has ensured by contract that external service providers process personal data only on the basis of written contractual instructions and only for the purposes defined in this privacy notice.

12. Automated decision-making and profiling

The controller does not carry out profiling targeted at the customer on the basis of personal data, nor does it use automated decision-making.

13. Cookies and browsing tracking

The Vendo chain may collect information about the user’s terminal devices using cookies and other similar technologies. A cookie is a small text file that a website sends to a browser, which stores it on the device. Cookies allow the Vendo chain to recognize the user’s browser, and the information obtained may be used, for example, to count the browsers using our websites and to analyze the use of the website, such as for statistical monitoring. Cookies make it possible to review and track the interests of website users, and on that basis the Vendo chain can develop its websites. The collected data is anonymous, and online actions cannot be linked to a specific person based on it.

Most Internet browsers accept cookies automatically. Users can change their browser settings themselves and disable cookies or prohibit their use.

14. Location data

Location data of the user’s terminal device may be used to provide location-based services, for example to display targeted advertising, if the user has given explicit consent to the use of location data or if the location data has been anonymized.

Location data is determined using available positioning methods, such as GPS and WLAN access points as well as the locations of mobile network base stations. Users may withdraw their consent at any time in the settings of their device and the application.

15. Rights of the data subject

The customer has the right to access the data concerning them that has been stored in the customer register.

The customer must submit the access request to the controller in writing in a form signed by hand or in another correspondingly verified document.

Notwithstanding the above, the customer does not have the right to access data obtained to fulfil the reporting or inquiry obligation laid down in the Anti-Money Laundering Act (Anti-Money Laundering Act, Section 4:3).

However, the Data Protection Ombudsman may, at the customer’s request, review the lawfulness of the processing of such data.

The controller will provide the above-mentioned data to the customer within 30 days of the submission of the access request.

The customer has the right to receive the customer data they have provided themselves transferred to a third party in a structured, commonly used, machine-readable format. The controller will, however, retain the transferred data in accordance with this privacy notice.

If the customer requests more than one copy, Vendo Costa SL may charge a reasonable fee based on administrative costs.

The customer has the right to request from Vendo Costa SL the rectification, erasure, or restriction of processing of personal data concerning the customer themselves. The customer always has the right to object to the processing of personal data for direct marketing.

All requests referred to in this section must be submitted to the data protection officer mentioned in Section 2.

The data subject’s rights related to information technology are also mentioned in Sections 13 and 14 of this notice.

16. Principles of register security

Manual materials and backups relating to the register are stored in locked premises. Digitally stored and processed data is kept in databases protected by firewalls, passwords, and other technical measures.

Access rights to the register are restricted to persons who need access to the data contained in the register in order to perform their work duties or the purposes of processing the register.

17. Right to withdraw consent

If information in the register is based on the customer’s consent, the consent may be withdrawn at any time by notifying the controller’s representative mentioned in this notice. On the basis of the request, all data that does not have to be retained, or cannot be retained, on the basis of law or another legal ground mentioned in this privacy notice will be deleted.

18. Amending the privacy notice

We reserve the right to amend this privacy notice by notifying of it in our services. Changes may be based, for example, on the development of our services or changes in legislation. We recommend that you review the contents of the privacy notice regularly.

19. Disputes

With respect to Vendo Costa SL and the Vendo chain, any disputes will be resolved in the Helsinki District Court under Finnish law.