DATA PROTECTION POLICY OF THE TREVIAN ASSET MANAGEMENT OY

This Data Protection Policy describes the purpose, responsibilities and organization of data protection at Trevian Asset Management Oy.

The Data Protection Policy lays the foundation for the data protection procedures and guidelines, which further specify its provisions and guide their application in practice. Data protection is closely linked to information security, the principles of which are defined in our Information Security Policy.

Purpose of the data protection policy

Managing data protection is part of our compliance and risk management. The Data Protection Policy defines the principles, procedures and responsibilities that ensure lawful processing of personal data and data protection in our operations.

Principles concerning personal data protection

The right to personal data protection is a fundamental right for everyone. Processing is lawful, fair and transparent and is carried out for a specific purpose, and we process personal data to the extent and for the duration necessary for the specified purpose.

We aim to ensure the accuracy of the data used and that the data are updated by the persons themselves or from reliable sources. When data are no longer necessary for their purpose, they are erased appropriately.

Data protection also refers to every data subject’s right to access the data collected about them, as well as the right to have any inaccurate personal data rectified and any unnecessary data erased.

Ensuring data protection

Data protection is risk-based, and the management of data protection risks is part of our risk management process. We conduct data protection risk assessments during the planning phase of personal data processing and as a part of risk assessment. In addition, data protection impact assessments are always conducted in situations determined by law and official guidelines. The results of the abovementioned assessments are used to determine technical and organizational measures to reduce the risk level of personal data processing throughout the life cycle of the data.

We ensure that the data subjects’ rights are fulfilled by informing the data subjects about the processing of data and by determining the procedures and guidelines for situations where data subjects wish to exercise their rights.

We ensure the fulfillment of data protection by documenting the personal data processing practices and by issuing the related instructions. We ensure that our employees have sufficient data protection competence by training and informing them. All new employees are familiarized with our data protection principles during the onboarding process.

As a data controller we may outsource personal data processing to a service provider (processor). We only operate with personal data processors who comply with good processing practices by means of appropriate technical and organizational measures, meet the requirements of the EU General Data Protection Regulation, and can ensure the appropriate management of the data subjects’ rights. We always conclude a written Data Processing Agreement (DPA) with the processor.

Procedure when a data breach is suspected

We aim to protect personal data from data breaches, whether accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to data. We have defined the process applied to data breaches. All our employees have an obligation to report any suspected or detected data breach without delay according to the specified instructions.

If data protection is suspected to be compromised, the issue is immediately investigated and a risk assessment is conducted. We document all data breaches and inform the data protection authority and the person(s) whose data protection is compromised according to the EU General Data Protection Regulation. Data breaches are reported to the Information Security and Data Protection Team and, depending on the severity of the issue, to the Managing Director and the Management Team.

Responsibilities and organization

The Managing Director and the Management Team of Trevian Asset Management Oy are responsible for implementing data protection and securing the resources it needs. The Management Team has appointed the Data Protection Officer, who acts as a specialist providing guidance and advice on data protection topics and issues.

The Data Protection Officer monitors compliance and confirms the creation and availability of the documents required for accountability. The Data Protection Officer ensures that regular risk assessments are done and reports to the Management Team. The Data Protection Officer is a point of contact for internal and external stakeholders. The Data Protection Officer’s know-how is continuously updated and the Information Security and Data Protection Team supports his/her work. The Information Security and Data Protection Team meets regularly and on demand.

The Business Directors function as the owners of the personal data in their respective business areas and teams, and promote awareness of data protection, management of data and accountability according to the EU General Data Protection Regulation.

Personal data is processed in each case for the Data Controller’s differing purposes. Responsibility for implementing data protection lies with the management of the business operations and their respective teams. The management is responsible for ensuring that the management of data protection is organized clearly and that each employee knows their role.

Our employees must comply with the data protection policy. The Business Directors are responsible for the implementation and adequate resourcing of the data protection in their respective business areas and teams including the stakeholders whose data is being managed according to their assignments.

Updating and approvals

We regularly assess our Data Protection Policy and update the content when needed. The Data Protection Officer is responsible for the assessments and updates of this policy.

The Data Protection Policy of Trevian Asset Management Oy was approved by the Board of Directors on 22.04.2022.