Eficode Privacy Policy
1. Introduction
The companies within the Eficode Group (“Eficode”, “we”, “us”, or “our”), at the direction of the top management, respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect personal data across our group. It also describes your data protection rights and how you can exercise them under applicable data protection laws, including:
- The EU General Data Protection Regulation (GDPR)
- The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
This policy applies to all websites, services, and operations of Eficode and its subsidiaries.
In the event you and Eficode enter into a written agreement on providing services and the agreement includes specific terms or a Data Processing Agreement (DPA), the personal data processing is agreed upon in more detail in that document and it shall prevail over this Policy.
2. Data controllers and representatives
The data controller responsible for your personal data will be the Eficode Group company you have a direct relationship with. The Eficode Group companies include the following;
| Country | Eficode Group company | Business ID |
| Finland | Eficode Group Oy | 3330243-5 |
| Finland | Eficode Oy | 1971814-3 |
| Sweden | Eficode AB | 556976-1959 |
| Denmark | Eficode A/S | 30987225 |
| Norway | Eficode A/S | 914 758 440 |
| Germany | Eficode Germany GmbH | 12297 |
| Netherlands | Eficode B.V. | 72383836 |
| Switzerland | Eficode Switzerland AG | 537802 |
| Poland | Eficode Poland Sp. Z.o.o. | 0000821709 |
| United Kingdom | Eficode UK Limited | 05643578 |
| USA | Eficode USA, Inc. | 4177603 |
The Eficode Group has a dedicated Data Protection Officer (DPO) that is responsible for overseeing the data processing and data protection activities throughout the group. The Eficode DPO can be contacted at: dataprotection@eficode.com.
3. Scope
This Privacy Policy applies to:
- Visitors to our websites and digital platforms
- Customers, business partners, and suppliers
- Job applicants and employees (for applicants, see Section 9)
- Event attendees, marketing contacts, and research participants
- Users of Eficode’s customer systems (e.g. Eficode ROOT, Service Desks)
4. Personal data we collect
We collect personal data directly from you, automatically through our digital systems, or occasionally from trusted partners.
4.1 Categories of data
Depending on your relationship with us, we may collect:
| Category | Examples | Purpose / Use |
| Identification data | Name, job title, organisation | Contract management, communication |
| Contact data | Email, phone, address | Service provision, billing, customer service |
| Technical data | IP address, device data, cookies | Website operation, analytics, security |
| Professional data | Role, qualifications, CV, LinkedIn | Recruitment, contract management |
| Financial data | Bank details, payment info | Payments, accounting, compliance |
| Research & event data | Demographics, responses, feedback | UX studies, event management |
| Marketing data | Newsletter preferences, click data | Marketing communications and analytics |
We do not knowingly collect data of children under 18 years of age.
5. How we use personal data
We use your data only for legitimate business purposes. These include:
- Providing, operating, and improving our products and services
- Managing contracts and fulfilling orders
- Communicating with you about our services, events, or support
- Conducting recruitment and HR management
- Complying with legal and tax obligations
- Running analytics and maintaining security of our systems
- Marketing and business development (only with consent or legitimate interest)
We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.
6. Lawful basis for processing
We process personal data under the following lawful bases:
- Contract: when processing is necessary to perform a contract or to take steps before entering into one.
- Legitimate interest: for business operations such as customer management, marketing, and network security.
- Consent: when required, e.g., for marketing subscriptions, research participation, or data sharing with partners.
- Legal obligation: to comply with tax, accounting, or employment laws.
7. Data retention
We retain personal data only for as long as necessary for the purpose collected or to comply with applicable legal obligations.
| Data type | Typical retention period |
| Customer & business partner data | Duration of relationship + 6 years |
| Accounting & tax data | Up to 10 years |
| Job applicant data | 2 years (renewable with consent) |
| Marketing contacts | 3 years, extended by each interaction |
| UX/research data | 2 years, extendable for active studies |
| Event data | 3 years or until consent withdrawn |
Data stored for compliance reasons (e.g., accounting, taxation) cannot be deleted until legal obligations expire. As Eficode operates in multiple countries, some retention periods may differ depending on the data controller and legal obligations.
8. Data protection and security
Eficode implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration. These include encryption, access controls, and secure storage.
Eficode is certified to ISO27001 and ISO27701 Information Security Standards, and all service providers acting as processors are subject to written data protection agreements.
Further details on our security practices, documents and policies are available via our Trust Centre.
9. Recruitment and job applicants
The companies within the Eficode Group process applicant data for recruitment and hiring purposes.
We collect:
- Identification and contact information
- Employment and education history
- CVs, cover letters, references, and interview notes
- (If applicable) right-to-work documents, credit or criminal checks, and health or diversity information
Special category data is only processed where required by law or with your explicit consent (e.g., for equality monitoring or workplace adjustments).
Retention for unsuccessful applicants: 6 months to 2 years, depending on the Eficode entity and applicable local laws. The retention time may be extended with the data subject’s consent.
10. Marketing and communications
We may send you marketing communications about Eficode products or services if:
- You have provided consent; or
- You are an existing customer and we rely on legitimate interest.
You may opt out at any time by using the form provided below.
11. Data sharing and international transfers
We share personal data only when necessary and with adequate safeguards.
We may share your data with:
- Eficode Group companies for internal operations, shared IT systems, infrastructure and business applications
- Subcontractors, service providers, and cloud vendors bound by contractual safeguards
- Partners or event sponsors (only with consent of the data subject)
- Regulators, authorities, or courts where legally required
Eficode does not sell personal data.
International transfers
In certain instances, for example when necessary to use certain tools or applications, personal data may be transferred outside the EU/EEA or the UK. Where this occurs, we ensure one of the following mechanisms applies:
- Adequacy decision by the European Commission or UK Secretary of State
- Standard Contractual Clauses (EU SCCs) or UK International Data Transfer Agreement (IDTA)
- Binding Corporate Rules or other recognised safeguard
Eficode does not rely on the EU–US Data Privacy Framework alone for compliance.
Sub-processors
Eficode uses certain trusted third-party service providers (“sub-processors”) to assist in operating our services. These partners process personal data only as necessary to provide their specific functions and are contractually required to protect it in line with applicable privacy legislation and this Privacy Policy. The current list of sub-processors and their purposes is available on our Trust Center, which we update as needed.
12. Data subject rights
Under the applicable privacy legislation, you have the following rights:
- Access – Obtain confirmation and a copy of your data.
- Rectification – Correct inaccurate or incomplete information.
- Erasure (“right to be forgotten”) – Request deletion where legally possible.
- Restriction – Limit how your data is used.
- Portability – Receive your data in a portable format.
- Objection – Object to processing based on legitimate interest or direct marketing.
- Withdraw consent – At any time, for processing based on consent.
Requests can be made via our online form below or by emailing dataprotection@eficode.com.
We respond within one month as required by law.
13. Cookies and tracking
Eficode uses cookies and other similar technologies on its websites for better user experience and content targeting. Cookies are small text files that are placed in the user’s device when the user is visiting Eficode’s website. By connecting information based on cookies and the user’s possible submission of form(s), Eficode creates a personal profile of the user, which helps Eficode offer personalized information and content in different channels. The use of cookies also enables Eficode to remember the user’s preferences and actions, as well as lets Eficode monitor and analyze the usability of the website.
Types of cookies:
- Essential cookies – Required for website functionality
- Analytics cookies – Measure website usage and performance
- Advertising cookies – Customise ads and prevent repetition
Eficode always asks the user’s permission to collect cookie information when they access the Eficode website for the first time with a specific device. Most browsers accept cookies automatically, but the user can always edit their internet browser settings and remove cookies. Users can avoid cookies by changing the settings of the internet browser.
14. Data Protection Authorities
Eficode operates in multiple jurisdictions. You may contact your local authority if you have privacy concerns about Eficode’s data processing activities. The contact details of the data protection authorities are found from the table below.
| Country | Data Protection Authority | Contact Information |
| Finland | Tietosuojavaltuutettu | https://tietosuoja.fi tietosuoja@om.fi |
| Sweden | Integritetsskyddsmyndigheten (IMY) | https://www.imy.se/en/ imy@imy.se |
| Denmark | Datatilsynet | https://www.datatilsynet.dk/english dt@datatilsynet.dk |
| Norway | Datatilsynet | https://www.datatilsynet.no/en |
| Germany | BayLfD | https://www.datenschutz-bayern.de/ poststelle@datenschutz-bayern.de |
| Netherlands | Autoriteit Persoonsgegevens | https://autoriteitpersoonsgegevens.nl/en |
| Switzerland | FDPIC | https://www.edoeb.admin.ch/edoeb/en/home info@edoeb.admin.ch |
| Poland | UODO | https://uodo.gov.pl/en kancelaria@uodo.gov.pl |
| United Kingdom | Information Commissioner’s Office |
https://ico.org.uk/ |
15. Updates to this Policy
We may update this Privacy Policy periodically to reflect legislative or operational changes.
The latest version is always available on our website.
Material changes will be communicated via email or website notification.
