Privacy Notice | September 2022

Welling Lagerstedt & Honkanen Attorneys Ltd (“WLH”) values your privacy and we are committed to protecting your privacy and personal data. In this Privacy Notice we explain how we collect and process personal data of our clients and other individuals relating to our client assignments, our potential clients, service providers and other business contacts as a data controller.

We process personal data in accordance with all laws that apply to the protection of personal data, including the GDPR (the European Union’s General Data Protection Regulation (EU 2016/679 “Data Protection Laws”). We process personal data for the purposes of e.g., identifying our client, checking for conflicts, handling assignments, managing client relationships and marketing efforts.

We have a legal obligation to ensure that your information is kept accurate and up to date and do our best to ensure that your personal data is processed lawfully and in a transparent manner. You may help us to comply with this obligation by reviewing and updating your contact details as well as your marketing preferences by contacting us at


Legal Basis and Purpose of Processing Data
Our main duty as a law firm is to provide legal services to our clients, and this is the main purpose for which we process personal data. We also use personal data to develop our services and to manage our business relationship with our clients.

This processing of personal data is based on our legitimate interest as a law firm and a data controller when providing professional legal services.

We also process personal data to ensure that we comply with our legal obligations under applicable laws or guidelines issued by the Finnish Bar Association ( relation to anti-money laundering obligations and knowing our clients’ procedures as well as conducting conflict of interest checks).

We may also process your personal data based on your consent for one or more specific purposes. If we process your personal data based on your consent, you have the right, at any time, to withdraw your consent to that processing. Please note, that if you withdraw your consent to processing of necessary personal data, we may not be able to continue our business relationship or continue providing services to you.

Your personal data will not be subject to automated decision making.


How We Collect Personal Data
We collect personal data primarily from the data subject him/herself directly through emails and other communication and documentation in connection with our business operations e.g., when performing and managing assignments from our clients.

We obtain personal data e.g., through the know-your-client process and by conducting conflict of interest checks or when we communicate with or meet the data subjects. We collect personal data that relates to e.g., identification, which includes personal data such as basic identifying information, contact details and matter-related background information provided to us directly by our clients (either natural persons or companies), their representatives or their counterparties.

We may also process personal data obtained from counterparties or their counsels, government agencies, credit information service providers and publicly available records and sources and commercial databases as well as personal data that accumulates from your use of our website. We also collect personal data when we manage our marketing activities and communicate with the data subjects for the purposes of marketing such as sending invitations to our seminars and events or sending out our newsletters or other news relating to our services and firm.

We may process personal data of the following categories:

  • Basic information such as your name, title, address, phone number and email address as well as association with the client entity, such as work tasks and title, personal identification number, where appropriate.
  • Identification information about our private clients, company representatives and beneficial owners as well as identification information as provided for in the Finnish Act on Preventing Money Laundering and Terrorist Financing (444/2017), e.g., name, date of birth, passport copy, and citizenship, personal identification number as well as information to determine the client’s financial status and level of political influence.
  • Client information, including information concerning the contractual relation between the client and us; personal data that is received while we manage the assignment and provide our services or that we need for invoicing.
  • Information provided to us for the purposes of attending meetings and events (e.g. name, email address, dietary requirements).
  • Information about whether you have consented to or opted out of receiving direct marketing.
  • Automatically collected data through our website cookies as described below and e.g. information about whether you have opened and read an email we have sent you.


Disclosures of Your Data
We will not disclose your personal data to any third parties unless we are required to do so either by applicable law, in order to assert or defend against legal claims, or for providing services to our clients. The only employees with access to your personal data will be those employees who need to process your personal data.

We may need to allow certain access to your personal data to our external service providers who process data on our behalf (data processors) to enable these third-party providers to perform services to WLH. All such service providers must comply with our instructions and applicable written data processor agreements and any other agreements that are in place between WLH and its third-party providers and must implement appropriate technical and organizational measures for the protection of your personal data.


Transfers of Your Data
We primarily process personal data on servers located within the EU/EEA.

However, we may need to transfer your personal data from a location within the EU/EEA to a third country.

Regarding transfers of personal data to countries where the local data protection legislation does not provide an adequate level of data protection, we will implement appropriate measures under the GDPR to ensure that your personal data remains protected and secure. Such international transfers of personal data will be based on the standard contractual clauses approved by the European Commission.


Data Security
We have implemented and maintain appropriate technical and organizational security measures to protect your personal data against accidental, unlawful or unauthorized access, use, disclosure, alteration, destruction or loss. We have, for example, put in place internal security policies and procedures for the protection of personal data and our systems comply with the applicable industry standards. Your personal data will be processed only by such personnel who have a need to access it for the purpose for which it was collected. Upon expiry of the applicable retention period, we will securely destroy your personal data in accordance with applicable laws and regulations.


Retention time
How long we retain specific personal data depends on the personal data concerned and the purposes for its processing. We will only retain your personal data for as long as necessary for the purpose we collected it for, in order to perform our contractual obligations or for complying with the rules of the Finnish Bar Association or other legal requirements applicable to us, or in order to manage the business relationship between us and the data subject or the entity represented by the data subject. In order to assert or defend against legal claims, we may retain certain data until the end of the relevant statutory limitation period or until the claim has been settled. Retained data will be stored separately and will not be processed for any other purpose.

The retention periods are determined in accordance with the following criteria:

  • Related personal data will be retained for as long as our legitimate interest can reasonably be considered valid. The validity of this legitimate interest is determined by, for example, communications between us and the data subject.
  • Ultimately, we will retain the personal data of our clients’ representatives for the entire duration of the contract we have concluded with the data subject or with an organisation represented by the data subject.
  • Statutory retention periods and the retention periods defined in the Finnish Bar Association’s rules may also apply. For instance, the Finnish Act on Preventing Money Laundering and Terrorist Financing requires for identifying information regarding our clients to be retained for a period of five years following the end of our regular client relationship.
  • Related personal data will be deleted if the data subject withdraws their consent or objects to the processing of their personal data for direct marketing purposes.

When your personal data is no longer needed, your personal data will be destroyed in a secure way or irrevocably anonymized. Please contact us at if you would like further information about specific retention periods for your personal data.


Individual Rights
Pursuant to the GDPR, data subjects have the following rights regarding their personal data:

  • Right of access: You have the right to request access to the personal data relating to you. This includes e.g. the right to be informed of whether or not personal data about you is being processed, what personal data is being processed, and the purpose of the processing.
  • Right to rectification: You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. You may also request the completion of any incomplete personal data relating to you.
  • Right to object: You are entitled to object to certain processing of your personal data, and we may be obliged to comply with your request unless we can demonstrate compelling legitimate grounds for further processing of such personal data.
  • Right to opt out of marketing communications: Each of our marketing emails includes instructions on how you can opt out (unsubscribe) of future marketing, but you can also opt out at any time by contacting us as specified above.
  • Right to erasure: You may request the erasure of your personal data, and we are obliged to comply with your request e.g. in the event that the relevant personal data is no longer required for the purposes for which it was collected, or where we have unlawfully processed the relevant personal data.
  • Right to restrict processing: Under certain statutory situations, we may be obliged to restrict the processing of your personal data.
  • Right to withdraw your consent: In cases where we have been processing your personal data based on your consent, you have the right to withdraw your consent to such processing at any time.
  • Right to data portability: In certain cases, you have the right to receive any personal data we process in a structured, commonly used and machine-readable format, where this is technically feasible.

If you wish to exercise your rights, you can contact us at We will use all reasonably available resources to respond to any such request without undue delay.

Please note, that due to the statutory obligation of confidentiality and other obligations applicable to us either by law or by the rules of the Finnish Bar Association, we may be prohibited from disclosing or deleting your personal data and may prevent you from exercising certain data subject rights in respect of personal data relating to our client assignments, and the data subject must provide identification in order to exercise the said rights.

Where we have reasonable doubts concerning the identity of the natural person making the request referred to below, we may request you to provide additional information that we require to confirm your identity.

If you consider the way in which we process your personal data to be in breach of the applicable legislation, you may lodge a complaint with the national supervisory authority regarding our processing of your personal data. If you are located in Finland, your local data protection authority is the Data Protection Ombudsman (Tietosuojavaltuutettu) (


Our website uses cookies to analyze how the site is used, including the number of visitors, how you found your way to our website and the pages you visit as well as the total time you spend on our website. Cookies also help us improve the quality of your browsing experience.

Cookies are text files that are placed on your computer that allow your computer to be recognized by our website. The cookies on our website may be used by and delivered to you by us or by third-party web analytics services, such as Google Analytics, Hotjar and Vuture.

The cookies collect information in an anonymous form, and we do not use this data to identify our website visitors even if the technologies used would make such identification possible. You can choose whether you wish to accept cookies when entering our website and may delete existing cookies by selecting the appropriate settings on your browser. If you wish to do so, please refer to your browser’s user guide to find out how to adjust your browser’s preferences to control cookies.


If you have any questions concerning the processing of your personal data, or if you would like to exercise any of your data subject rights, please contact us at


This Privacy Notice was updated in September 2022, and we may, from time to time, update and amend this Privacy Notice reflecting any changes in our processing procedures or changing legal requirements. We kindly ask you to review this Privacy Notice from time to time for possible changes as unless otherwise provided in mandatory applicable legislation, we may not personally notify the data subjects of any such changes.

Scroll to Top