Privacy Policy
1. Background
Marvel Consulting Group Oy, business identity code: 3017654-1, (“Marvel Consulting”, “we”) is the data controller in relation to the processing of our clients’ and stakeholders’ personal data for purposes stated in this notice. We want to make sure that your personal data is handled appropriately in a manner that respects your privacy. In this notice, we describe how your personal data is processed by us in connection with our customer relationship, communications, business partners and marketing activities and what rights you have with respect to your personal data.
This privacy notice applies to:
Clients and client representatives
Other individuals involved in our client projects
Prospective clients
Suppliers and supplier representatives
Consultants assigned to our client projects
Job applicants
Recipients of our newsletters and marketing communications
Participants in our events
Please note that we have a separate privacy notice for employees. For cookies, please see our Cookie Policy.
This privacy notice was last updated on 10 April 2026.
This document can be printed for reference by using the print command in the settings of any browser.
Contact details of data controller
Marvel Consulting Group Oy
Linnoitustie 6 A
02600 Espoo
Finland
Email: privacy@marvelconsulting.fi
2. Where do we collect personal data?
We primarily collect personal data from the data subject him/herself when we manage our client assignments and provide legal services. We may collect your personal data in the following ways:
Personal data that you give to us, for example, in connection with using our services, concluding agreements with us, communicating with us, subscribing to our newsletters, events or other communications.
Personal data that we collect or generate automatically, for example, when you visit our website, we automatically collect some data about you and your visit; or when you use or interact with our IT systems such.
Personal data provided by third parties: We may receive personal data from individuals involved in our customer projects.
In such cases, we may obtain your personal data from various sources, such as directly from you, your employer or other relevant parties, as part of the preparation, administration, or execution of our customer engagement.
Personal data that we collect from other sources, for example, by obtaining information from publicly available sources, such as business information registers and other cooperation partners and service providers that provide such contact details.
3. Data processing: Categories, purpose, legal basis and retention period
The lists below provide details on our data processing activities. Please note that multiple lists may apply to processing of your personal data.
Clients and their representatives
Provision of our services and contract management
Categories of personal data
Identity data (such as name, title).
Contact data (such as postal address, phone number, and email).
Authorization and ownership information (such as information on your authority to represent a legal entity or your status as a beneficial owner)
Billing information (such as responsible contact person, account number, and tax-related details).
User account data (such as login credentials, user profiles)
Usage data and logs (such as session data, error logs)
Purpose of processing
We process your personal data to provide our services to you, or to the organisation that you represent or are employed by.
Legal basis
If you represent a legal entity client or are otherwise involved in our client project, processing is based on our legitimate interests to provide our services (GDPR Art. (6)(1)(f)).
Storage period
Personal data is retained for at least the duration of the contractual relationship and up to 10 years from the date of completion of the customer project, depending on the nature of the client relationship.
Information necessary for our obligations under the Accounting Act is retained for 6 years from the end of the relevant financial year.
IT security and system administration
Categories of personal data
Access logs and authentication data (such as User ID, login and logout timestamps, authentication method).
Security monitoring data (such as incident detection logs, firewall and network traffic logs).
Usage data and logs (such as feature usage, session data, interaction logs, and error logs).
Device and technical data (such as IP address, browser type, operating system, and device identifiers).
Purpose of processing
We process personal data for the purposes of (i) ensuring the security and integrity of our IT systems and networks, including monitoring for unauthorised access, security incidents, and potential threats, (ii) managing user access rights and permissions to our systems, and (iii) maintaining, troubleshooting, and administering our IT infrastructure and systems.
Legal basis
Legitimate interest (GDPR Art. 6(1)(f)). The processing is necessary for the purposes of our legitimate interests in ensuring the security, availability, and integrity of our IT systems and networks, and in preventing and detecting unauthorised access or misuse. Where required by applicable law, processing may also be based on a legal obligation (GDPR Art. 6(1)(c)).
Storage period
Access logs and security monitoring data are retained for up to 12 months from the date of collection, unless a longer retention period is required for the investigation of a specific security incident or for compliance with legal obligations or the establishment, exercise, or defence of legal claims. System administration data (such as access rights and role assignments) is retained for the duration of the user's access to our systems and up to 12 months thereafter.
Product usage and development
Categories of personal data
Identity data (such as name, title).
Contact details (such as email address, telephone number).
User account data (such as login credentials, user profiles, account settings and preferences).
Usage data and logs (such as feature usage, session data, interaction logs, and error logs).
Device and technical data (such as IP address, browser type, operating system, and device identifiers)
Purpose of processing
We process personal data of end users of our software products for the purposes of (i) managing user accounts and providing access to the software, (ii) product development and improvement, including analysing usage patterns and identifying areas for enhancement, and (iii) analytics to understand how our software is used and to improve user experience.
Legal basis
Legitimate interest (GDPR Art. 6(1)(f)). Processing is necessary for the purposes of our legitimate interests in managing user accounts, improving our software products, and understanding product usage to enhance our services.
Storage period
Personal data is retained for the duration of the user's active account and up to 3 years after the account is deactivated or the last use of the software, unless a longer retention period is required for compliance with legal obligations or the establishment, exercise, or defence of legal claims. Aggregated and anonymised usage data may be retained for longer periods for product development purposes.
Supplier management
Suppliers
Categories of personal data
Identity data (such as name, title).
Contact details (such as postal address, telephone number and email address).
Identification information and documents.
Billing details (such as contact person, account number, and tax-related information).
Information you provide when communicating with us.
Purpose of processing
We process your personal data to manage our business relationship (or the relationship with the organization you represent), including maintaining contact records, filing contracts, invoicing, as well as processing orders and deliveries.
Legal basis
Legitimate interest (legal persons). The processing of personal data is necessary for the purposes of fulfilling our legitimate interests in managing the business relationship with our suppliers (GDPR Art. (6)(1)(f)).
Storage period
Your personal data will be kept for the duration of the business relationship. After the business relationship ends, we may retain your personal data where necessary to protect our legitimate interests and to comply with our legal obligations (such as statutory retention period for accounting purposes).
Consultants assigned to client projects
Categories of personal data
Identity data (such as name, date of birth, nationality, title).
Identification information (such as personal identity number)
Photograph
Contact details (such as postal address, telephone number, email address).
Professional data (such as CV/resume, work history, education, certifications, skills, competencies, language skills, and references)
Project assignment data (such as client name, project description, role, start and end dates, working hours, and performance evaluations).
Billing and compensation details (such as hourly/daily rates, invoicing details, account number, and tax-related information).
Information you provide when communicating with us.
Purpose of processing
We process your personal data to manage the consultant relationship, including staffing and resourcing of client projects, matching your skills and availability to client needs, and maintaining records of project assignments.
Legal basis
Legitimate interest (GDPR Art. 6(1)(f)). The processing is necessary for the purposes of our legitimate interests in managing consultant relationships and staffing client projects.
Performance of a contract (GDPR Art. 6(1)(b)) where the consultant has a direct contractual relationship with us.
Storage period
Your personal data will be kept for the duration of the business relationship and up to 10 years after the end of the last client project assignment, depending on the nature of the engagement.
Recruitment process
Job applicants
Categories of personal data
Identity data (such as name, date of birth, nationality, title).
Identification information (such as personal identity number)
Contact details (such as postal address, telephone number, email address).
Professional data (such as CV/resume, work history, education, certifications, skills, competencies, language skills, and references).
Application data (such as cover letter, salary expectations, availability, and position applied for).
Assessment data (such as interview notes, test results, and evaluations).
Purpose of processing
We process your personal data to manage the recruitment process, including receiving and reviewing applications, evaluating candidates, conducting interviews and assessments, and communicating with applicants regarding the status of their application.
Legal basis
Legitimate interest (GDPR Art. 6(1)(f)). The processing is necessary for the purposes of our legitimate interests in managing the recruitment process and evaluating candidates.
Where we retain your personal data for potential future recruitment opportunities, the processing is based on your consent (GDPR Art. 6(1)(a)).
We do not ask for information about your health during the recruitment process. However, if you voluntarily provide information about your health (such as regarding any adjustments to working or interview arrangements), we will process such information based on your explicit consent during the recruitment process (GDPR Art. (9)(2)(a)).
Storage period
Your personal data will be retained for the duration of the recruitment process and up to 12 months after the completion of the recruitment process.
If you submit an open application, your personal data will be stored for a maximum of two years from the date of submission.
With your consent, we may retain your personal data for up to 24 months for the purpose of considering you for future employment opportunities. You may withdraw your consent at any time by contacting us at privacy@marvelconsulting.fi.
Processing of personal data related to marketing and events
Recipients of newsletters or other marketing communications
Categories of personal data
Identity data (such as name, title).
Contact details (such as postal address, telephone number, email address).
Employment information (such as employer and title).
Language preference.
Preferences regarding the type of marketing communication.
Purpose of processing
We process your personal data to communicate about our business and market our services.
Legal basis
The processing is based on our legitimate interest to communicate and market our business, manage and distribute marketing communications, and share relevant information about our firm and initiatives (GDPR Art. (6)(1)(f)).
This includes, inter alia, highlighting news, events, or engagements of interest to recipients.
Storage period
Your personal data is processed until you choose to unsubscribe or up to 2 years from receiving your personal data.
You can unsubscribe from receiving newsletters or other marketing communications at any time by using the link provided in the communication or by contacting us at privacy@marvelconsulting.fi. We cease all processing of your personal data for the purposes of newsletters and other marketing communications immediately after receiving your deregistration.
Attendees of our events
Categories of personal data
Identity data (such as name, title, employer).
Contact details (such as postal address, telephone number and email address).
Language preference.
Food preferences.
Photographs, audio and video recordings of events.
Purpose of processing
We process your personal data when you participate in an event organized by us, including registering your attendance and communicating with you regarding the event. The purpose of this processing is to facilitate event organization and management.
Legal basis
Legitimate interest (GDPR Art. (6)(1)(f)).
Legal obligation (GDPR Art. (6)(1)(c)).
For photographs of events: consent (GDPR Art. (6)(1)(a)).
The data subject has given his or her explicit consent to the processing of personal data (Article 9(2)(a) of the GDPR).
We will only process personal data belonging to special categories of personal data (e.g. health data) if you provide such data voluntarily, thus with your explicit consent.
Storage period
Personal data in general is processed until the end of the event and thereafter for 2 years to assess the quality and success of the event and to communicate about our future events and activities.
Information about food preferences is erased within 60 days after an event has taken place.
Information about participation (name, organization and name of the event) is retained for accounting purposes for 6 years from the end of the financial year during which the data was processed.
If the processing is based on your consent, the personal data will only be retained as long as your consent is valid. You can withdraw your consent at any time by contacting us.
Establishing, exercising, and defending legal claims
Categories of personal data
Identity data (such as name, title, employer).
Contact data (such as postal address, phone number, and email).
Any information related to the establishing, exercising, and defending legal claims.
Purpose of processing
We process your personal data for the establishment, exercise or defence of legal claims.
Legal basis
The processing is based on our legitimate interests to establish, exercise and defend legal claims (GDPR Art. (6)(1)(f)).
Storage period
In the event of any legal claim or action, your personal data is retained during the legal process and until the legal process has been finally completed and the obligations associated with it have been fully discharged.
4. Recipients that we share your personal data with
In the course of our business operations, we may share your personal data with the following categories of recipients for the purposes described below.
Service providers
In order to fulfil the purposes of the processing of your personal data, we share personal data with service providers that we have engaged. These service providers provide IT services to us (such as operation, technical support and maintenance of IT systems). The service providers may only process your personal data for these purposes and in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that the service providers carry out on our behalf.
Other recipients
In addition to our service providers, we may share your personal data with the following recipients where necessary for the purposes described below.
Authorities (e.g. the Police and the Tax Agency)
Purpose: In order to fulfil any legal obligations to which we are subject, e.g. in connection with requests from authorities or legal claims.
Legal basis for the transfer: Legal obligation (GDPR Art. (6)(1)(c)). The processing is necessary to fulfil legal obligations to which we are subject.
Authorities (incl. courts) and legal representatives
Purpose: To establish, exercise and defend legal claims.
Legal basis for the transfer: Legitimate interest (GDPR Art. (6)(1)(f)). The processing is necessary to fulfil our legitimate interest of disputes and cases being managed by competent courts and legal representatives.
Buyers, sellers and external advisors/other parties involved
Purpose: To enable business changes, e.g. sales or mergers of the business or investments in general. In the event of a business transaction such as a merger, acquisition, corporate restructuring, sale of assets, or similar corporate event involving the company, the company may transfer the data subject's data to the acquiring entity or other relevant third parties who will become the data controller(s) of such personal data.
Legal basis for the transfer: Legitimate interest (Art. 6(1)(f) GDPR). The processing is necessary to fulfil our legitimate interest in conducting and executing business changes.
Collaboration partners
Purpose: We may share general identity data, contact data, professional data [and event related data] with our collaboration partners. For example, if we arrange a joint client event together with our collaboration partners, it is necessary to share personal data for event management purposes.
Legal basis for the transfer: Legitimate interest (Art. 6(1)(f) GDPR). The processing is necessary to arrange events.
5. Where we process personal data
Personal data are predominantly processed within the EU/EEA. However, in limited circumstances, some of our service providers may provide some of their services to us from countries outside the EU/EEA. For such cases, we have ensured an adequate level of data protection in accordance with the requirements of EU data protection legislation, including by way of transferring data to countries with an adequacy decision adopted by the European Commission or using, as required, standard contractual clauses (SCCs) adopted by the European Commission (together with appropriate technical and organisational safeguards).
6. Your rights based on the General Data Protection Regulation (GDPR)
Under data protection regulations you have certain rights in relation to the processing of your personal data. We process your personal data to the extent necessary in order to fulfil your rights. Please submit requests for exercising your rights by contacting us at privacy@marvelconsulting.fi.
You have the right to:
Access your data. You have the right to access personal data we process about you. You may request a copy of your personal data at privacy@marvelconsulting.fi. We will provide you with the copy unless we have lawful reasons not to share this data or if sharing the data would adversely affect the rights and freedoms of others.
Update your personal data. Furthermore, you have the right to request that incorrect or incomplete personal data is corrected or completed.
Withdraw your consent at any time. To the extent we rely on your consent to process personal data you have the right to at any time withdraw your consent.
Object to processing of personal data. You have the right to object to the processing of your personal data based on a legitimate interest for reasons which concern your particular situation. In such a situation, we will stop using your personal data where the processing is based on a legitimate interest, unless we can show that the interest overrides your privacy interest or that the use of your personal data is necessary in order to manage or defend legal claims.
Delete your personal data. Under certain circumstances, you have the right to request that your personal data is deleted. However, we cannot delete your personal data if we for example are obligated under law to keep the data.
Restrict the use of your personal data. You have the right under certain circumstances to request that the processing of your personal data is restricted. If the processing of your personal data has been restricted we may only, besides storing the data, process your personal data with your consent, in order to establish, exercise or defend legal claims or to defend rights of others.
Transfer your personal data (data portability). You have the right to request a copy of the personal data that we store about you in a structured, commonly used and machine-readable format (data portability). The right to data portability, compared to the right to access, only comprises such personal data you yourself have provided and which we process based on certain legal grounds, e.g. your consent.
Lodge a complaint with a supervisory authority. You have the right to lodge a complaint with a supervisory authority (contact details for the Finnish Data Protection Authority, Office of Data Protection Ombudsman, can be found here).
7. Automated decision-making and profiling
We do not use automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR, in connection with the processing of your personal data.
8. Changes to this privacy notice
We may occasionally update this information if something changes regarding the processing of your personal data. In such a case we will notify you in an appropriate way. The latest version of the information is always published on this page.