Prepared 19 April 2021, updated 29 October 2025

Data Controller and Contact Person Responsible for the Register
Johto Advisors Oy
Business ID: 3180478-1

Jaana Pollari
jaana.pollari@johtoadvisors.fi
+358 400 849 609

Registers, Legal Basis and Purpose of Processing Personal Data

Customer register: We collect and process data concerning customers, potential customers and partners. The information is used to maintain and develop customer relationships, for customer communication, marketing and sales.

Project register: We also collect and process personal data of individuals involved in assignments related to executive search, assessment and development services for boards and management teams. The purpose of collecting this data is to carry out client company assignments and manage customer relationships.

No data is used for automated decision-making or profiling.

 

Data Content of the Registers

Customer register: The register may contain the following information: name, position, company, contact details (email, phone number), company website address, IP address of the network connection, information about newsletter subscriptions. Website visitors’ IP addresses and cookies necessary for service functionality are processed based on legitimate interest, e.g. for security purposes and collecting visitor statistics. Where such cookies may be considered personal data, they are handled accordingly. Consent is requested separately for third-party cookies when required.

Project register: The register may contain information necessary for the purposes of use, including:

Applicant’s basic information: name, contact details, gender, date of birth
Applicant’s CV, application, educational background and employment history
Applicant’s job-seeking information: e.g. preferences for the applied position, salary request, details related to starting employment
Information related to interviews, meetings and possible suitability assessments
Contact details of the client company (company, person, position, email, phone) and information and communication related to the customer relationship

 

Regular Sources of Data

Customer register: Information is received directly from the customer through website forms, newsletter subscriptions, email, phone, social media, contracts, customer meetings and other situations in which the customer provides information. Data about contact persons of companies and organisations may also be collected from public sources such as websites, directories and other companies.

Project register: In assignments, information is primarily collected from the individual themselves. In executive search projects, information may also be collected from third-party sources such as official registers based on legitimate interest. Data is disclosed outside the company only when necessary for carrying out the project or for technical solutions. For the customer register, personal data is processed by the newsletter system MailChimp and Google Analytics. For the project register, personal data is processed by assessment providers Cubiks and Paradigm Personality. Our service providers operating in the United States comply with the Privacy Shield principles. Except for transfers to the United States, data is not transferred outside the EU or EEA.

For projects, data is disclosed to the client company based on the individual’s permission in executive search assignments. For board and management assessment services, data is disclosed only to the client company based on consent.

 

Principles of Register Protection

All registers are handled with due care, and data processed via information systems is appropriately protected. Electronic data is stored on servers protected by firewalls, passwords and access rights. Only employees who need the data for their work have access to it. Each employee has personal usernames and passwords as well as a confidentiality agreement. Manual data is stored in locked premises and disposed of securely.

 

Right to Access and Right to Rectify Data

Every individual in the register has the right to access their stored data and request correction of any inaccurate or incomplete information. Requests for access or correction must be sent in writing to the data controller. The data controller may request the requester to verify their identity if necessary. The data controller responds within the timeframe required by the EU General Data Protection Regulation (generally within one month).

 

Other Rights Related to Personal Data Processing

An individual has the right to request the deletion of their personal data from the register (“right to be forgotten”). Registered individuals also have other rights under the EU General Data Protection Regulation, such as the right to restrict processing in certain situations. Requests must be submitted in writing to the data controller. The data controller may ask the requester to verify their identity if needed. Responses are provided within the GDPR-regulated timeframe (generally within one month).