Privacy Policy

Widman & Co values the individual’s personal integrity. This is our privacy policy.

Widman & Co Law Firm Ab (hereinafter referred to as “we”, “our”, or “Widman & Co”) values the individual’s personal integrity and ensures that personal data is processed in a secure, correct and legal manner. We have adopted this policy to inform you about how we handle personal data in our role as data controller.


Name: Widman & Co Law Firm Ab (Business ID: 0773565-9)
Address: PB 180, 22101 Mariehamn
Telephone: +358 18 17 740


“Personal data” refers to information that can be used to identify you or data that can otherwise be linked to you.

Execution of Client Assignments

Widman & Co processes personal data to fulfil contracts with its clients, which means preparing, executing, and administering assignments, conducting mandatory conflict of interest and antimoney laundering checks to protect our and client´s interests, and for accounting and billing purposes. Personal data may also be used for business and method development, market analysis, statistics, and risk management.

The processing of personal data is based on our legitimate interest to fulfil contractual obligations towards our clients and perform assignments according to clients’ instructions, our legitimate interest in developing the business and communication with our contacts, as well as to fulfil legal obligations im-posed on Widman & Co by authorities or by law or regulation.

Widman & Co is subject to the obligations set out in the Lawyers’ Act and other provisions of the law, including the Finnish Bar Association’s guidelines on good legal practice, in applicable parts. In addition, we are subject to the obligations according to the Act on Detecting and Preventing Money Laundering and Terrorist Financing and the economic sanctions prescribed in EU regulations.

Suppliers and Other Business Partners

Besides client assignments, we also have business relationships with other business partners, service providers, and suppliers, and process personal data for their contact persons and/or other representatives.

The processing then takes place based on our legitimate interest to manage the contract, the contractual relationship, fulfil our contractual obligations, and protect our contractual rights. In applicable cases, personal data may also be specified in documents that need to be stored for accounting purposes. The processing is then based on the necessity to fulfil a legal obligation.

Marketing, Events, Seminars, etc.

Widman & Co also processes personal data to develop and offer services to clients, conduct marketing and sales actions, manage contact information, and maintain contact with clients or prospective clients, as well as develop customer relationships. This is based on our legitimate interest in communicating and marketing our services to promote our business, monitor the legal services industry, and improve our professional network to develop our business activities. With consent, personal data can also be processed for direct marketing.


Widman & Co also processes personal data in connection with applications for employment with us. The processing then takes place on the basis of the applicant’s consent, our legitimate interest in processing the personal data required to take steps prior to entering into an employment contract and the fulfilment of the employment contract, as well as based on our obligation to comply with labour law provisions.


We process personal data necessary for the purposes described in section 2 above. The purpose of use determines what type of data we collect in each given situation. The data we process also varies depending on what our services are used for and how they are used, i.e., the data subjects themselves can also influence which information we process.

In Widman & Co’s business, the following information, among others, may be processed:

  • Name and contact information such as first and last name, address, phone number, and email address.
  • Information necessary to prevent money laundering and the financing of terrorism, such as nationality, political background, relationship to a political person, name, number, or other identification document used for identification (approved identification documents are passport, ID card, driver’s license, and KELA photo card, and for foreign customers national passport or ID card issued by an EEA authority).
  • Other demographic information such as social security number.
  • Information about customer relationships such as order, billing, and payment information, customer feedback and customer contacts, and cancellation information.
  • Interest and profiling information such as information about professional interests obtained from the individual themselves.
  • Requested prohibitions of direct marketing.
  • Photographic registers such as photographs from events we organize.
  • Job applications and other information obtained in connection with job applications.
  • Other information collected based on consent.

Furthermore, we may process name, title/profession, age/date of birth, contact details, and other similar identifying information, such as objects of interest, for example, after the end of a customer relationship or when we have received the information via a company, organization, stakeholder, or other cooperation.

In certain assignments, we must process sensitive personal data such as health, union membership, or information about legal offenses. We process sensitive personal data only to the extent required for the assignment or to fulfil our statutory obligations.


We mainly process personal data that we receive directly from our clients upon receiving and handling assignments, for example, when the client or a collaborator sends an email to us or communicates with us through other channels, when someone registers for marketing material, or signs up for an event organized by us.

We may also process personal data that we have received or collected, e.g., from employers, employers’ websites, or other generally accessible and/or public sources (e.g. trade register or population register), or personal data that accumulates from your use of our website. Your own browser and device settings affect what information we can collect from your visit to our website. Please also read our Cookie Policy.

You are not obligated to provide information to us. However, personal data enables us to provide our services to you, enter into a contract with you, communicate with you, and tailor our communication and our services to match your personal preferences. However, certain submitted personal data is a prerequisite for our customer and client relationships. Without such information, we cannot provide our services.


Personal data is stored as long as we have a meaningful business contact or other contact, or as otherwise may be required by law, regulation, or other authoritative sources.

According to the recommendation of the Finnish Bar Association, we are obliged to archive personal data related to client assignments for at least ten years after the assignment has been completed. Information necessary to prevent money laundering and the financing of terrorism is stored in accordance with the Finnish Bar Association’s instructions on the prevention of money laundering and financing of terrorism for 5 years after the client and assignment relationship has ended unless another obliga-tion requires that we store the data for a longer period.

After a recruitment process has been concluded, we store the applicant’s personal data for as long as necessary to fulfil our rights and obligations and respond to any claims, however, no longer than two years after the recruitment decision has been made.

Processing of personal data based on consent is processed for the purpose for which consent was given until the purpose has ceased or until you revoke your consent.

The storage period for personal data obtained through the use of our website is specified in the applicable Cookie Policy.


We do not disclose personal data to third parties other than in cases when:

  • it has been specifically agreed between Widman & Co and the data subject,
  • it is necessary within the scope of a specific assignment to protect the client’s rights,
  • it is necessary for us to fulfil a legal obligation or to comply with authority decisions or court orders,
  • we engage external service providers who perform tasks on our behalf, primarily to update and support Widman & Co’s IT systems, or
  • data is disclosed to courts, authorities, counterparts, and/or counterparty representatives if necessary to protect the client’s rights.

In the event the fulfilment of our contracts entails the transfer of personal data outside the EU/EEA, we ensure that the personal data in question is protected in accordance with applicable data protection legislation.


We use appropriate technical and organizational security measures to protect personal data against unauthorized access, disclosure, destruction, or other unlawful processing. These include firewalls, encryption technology, the use of secure facilities, appropriate access control, controlled granting and monitoring of access rights training of staff involved in the processing of personal data and careful selection, contracting and training of subcontractors.


As a data subject, you have the following rights:

  • Right of access: You have the right to access your personal data processed by Widman & Co. We may refuse access on grounds stated in law. Generally, the exercise of this right is free of charge.
  • Right to rectification: You have the right to request that we correct any inaccurate data about you.
  • Right to erasure: You may also request that we delete your data or ask us to restrict processing on the grounds specified in law. However, there may be legal requirements, contractual obligations, or compelling legitimate interests that prevent us from deleting your personal data.
  • Right to object: You have the right to object to the processing of your personal data for reasons related to your specific situation if our processing of your personal data is based on our legitimate interest. You must specify the particular situation that forms the basis of your objection to the processing.
  • Right to data portability: If you have provided data to us and this data is processed with your consent, you generally have the right to receive the data in a machine-readable format to transfer it to another data controller.
  • Right to complain: You have the right to make a complaint with the competent supervisory authority, The Office of the Data Protection Ombudsman, if you believe that we have not complied with the data protection regulations applicable to our operation.


This Policy may, from time to time, be changed or updated. The latest version of this Policy will always be published on our website. Therefore, please visit our website to stay informed of any updates or changes.

Adopted in April 2024.