Privacy Policy for Private Customer and Marketing Register

1 Controller

YIT Corporation (business ID 0112650-2) and other companies in YIT Group
Contact information of the head office:

P.O. Box 36, Panuntie 11
00621 Helsinki
Tel. +358 020 433 111

YIT Corporation is responsible for processing of personal data at group level for the purposes and on the legal basis defined in this policy, e.g. group level marketing and sales; financial and other administration and business management; customer relationship management; and analysis and development of products, services, customer relationship and businesses.

Each company in YIT Group is responsible for processing of personal data for its own purposes on the legal basis defined in this policy, e.g. for the performance of a contract or the management of the customer relationship with the data subject. For such purposes, it can process personal data which has been collected for the same purposes by other companies in the group.


2 Contact points in privacy questions

You can always contact us by filling this form or by email to

You can also contact our local service points in each country of YIT´s operations: 

GDPR contact person: 

Tarmo Nikkilä, Legal Council
P.O. Box 36, Panuntie 11
00621 Helsinki
Puh. +358 40 821 1214 

Person in charge of the register matters:

Johanna Lehto, Development Manager
P.O. Box 36, Panuntie 11
00621 Helsinki
Puh.+358 40 849 8386


3 Legal basis for and purpose of the processing of personal data 

The legal basis for processing personal data of consumer customers´ (i.e. data subjects) are:

  1. Fulfilment of requests of the data subject prior to entering into a contract, e.g. requests for information or quotation, newsletter subscriptions or purchase orders
  2. Performance of a contract between the data subject and the Controller
  3. Customer relationship as the legitimate interest of the Controller
  4. Legitimate interest for direct marketing
  5. Compliance with legal obligations imposed by national legislation in each country of operation
  6. Consent of the data subject when it is necessary for
    a. sending digital direct marketing
    b. locating the data subject
    c. collecting data about the use of Controller´s Internet or mobile services by the means of cookies, advertising ids or other similar tracking technology for the purpose defined in this policy
    d. other purposes specified by law

Personal data are processed for following purposes:

  • creation, management and development of customer account and relationship
  • marketing, offering, brokering, performance and development of various housing services
  • renting apartments directly by the Controller or by offering rental agency services
  • credit scoring, and invoicing, monitoring and collection of payments
  • customer communication, including customer feedback and satisfaction surveys;
  • targeting and performance of direct marketing by mail, phone and digitally as well as digital advertising (advertising in internet and mobile services)
  • opinion polls, surveys and marketing research
  • promotional sweepstakes and contests
  • development of products, services and businesses
  • detection, prevention and investigation of fraud and other criminal offences
  • analyzing, profiling, segmentation, and statistics for the purposes explained above



Data subjects and categories of personal data

The Controller processes personal data of its prospective, current, and former customers. Following categories of personal data are processed for the purposes described above:

  • Basic information of the data subject, e.g: name, national identity number, customer id, year of birth, gender, native language, title and profession, postal address, e-mail address, phone number, preferred way of communication;
  • Marketing data, e.g: marketing efforts performed; preferences and interests e.g. related to types of housing, apartments, and features, residential areas and locations; size of household, type of housing; number of apartments owned by the data subject; other interests and information provided by the data subject; marketing permissions and consents (opt-in), restrictions and bans (opt-out);
  • Customer account data, e.g: term of customer relationship and the way of creation and termination of the relationship; data of product or service contracts, purchase orders, suspensions and cancellations, and deliveries; customer feed-back and claims, recorded customer service calls; responses to customer and market surveys and research; other interactions; data of invoicing, payment, debt collection, and creditworthiness;
  • User data of digital services, e.g: registration data required for a digital account, such as username, nickname, password and any other identifier; information about the service use, such as use and browsing information of  the service properties through the digital account of the user; information collected using cookies and other similar technologies, such as the Controller´s websites and pages browsed by the user, the device model, individual device and/or cookie identifier, the channel through which the service is accessed (web browser, mobile browser, application), browser version, IP address, session identifier, session time and duration, screen resolution and operating system; location data, such as coordinates calculated using GPS, WLAN connection points or mobile network base stations if the user has given his or her express permission for this purpose.
  • Data from the use of social media, eg: The Controller´s website may include Social Media Features, such as the Facebook Like button and Share button. The Controller can receive a comment or link that the user share from the Controller´s website on Facebook. The Controller can also get data included in the user´s public profile on Facebook, and any information that Facebook user shares with the Controller´s services. Your interactions with these Features are governed by the privacy policy of the company providing it, for example
  • Customer and user analysis data, e.g: user/customer and marketing segments and profiles derived from the above described data and data from regular sources by using analytics and patterns such as calculating possible interests of the user/customer or otherwise segmenting the user/customer to a specific group of users.

National identity numbers are processed only for purposes permitted by law when it is important to identify the data subject for example in the sale or rental of apartments; granting of credit, or debt collection.

Only basic data and marketing data as defined above are processed for the purposes of direct marketing.


Regular Sources of Information

Personal data are collected directly from the data subject when the data subject is registering or using a service; sending request for contact or information or filling in a form; purchasing or ordering, contracting, participating events, otherwise interacting with the Controller personally, by phone or digitally. Personal data can also be collected and updated from census, vehicle and other public authorities, credit information registers, postal operators, public telephone directories, direct marketing and other data brokers, and other similar public and private registers.


Disclosure and transfer of data

Controller may disclose personal data to other companies, whose products or services the Controller markets and sells to the data subjects for example to landlords and providers of housing services.

Data will not be disclosed to other external parties except when it is necessary to comply with the legal or contractual obligations of the Controller.

Controller may outsource ICT, marketing, communication and other functions to third party suppliers, vendors, or other sub-contractors. In such case the Controller may transfer personal data to these sub-contractors to the extent necessary for the provision of their services. These sub-contractors will process personal data on behalf of the Controller and must comply with the Controller´s instructions and this privacy policy. Controller will ensure through contractual measures that the personal data is processed in compliance with the legislation.

Personal data will not be regularly transferred outside the European Union or the European Economic Area. However, if any transfer outside the EU or EEA is necessary, the Controller will ensure that the country to which the data is transferred is approved as having a sufficient level of privacy protection by the European Commission, or by using standard contractual clauses approved by the European Commission.


Data Protection and retention

Access to personal data will be permitted only to persons who need to process data as a part of their employment or other duties. Digital data is protected by firewalls, passwords and other technical means. All data is kept in locked premises secured with physical access control.

After the customer relationship personal data will be retained until contractual as well as legal rights and obligations have been fulfilled and to the end of retention and liability periods based on for example Housing Transactions Act, Consumer Protection Act and Accounting Act.

After the customer relationship the Controller may keep anonymized data as well as the above described basic data (excluding national identity number) and marketing data of the data subject for direct marketing purposes.


8 Access, rectification and other rights of the data subject

Data subjects have the right to know what kind of personal data has been collected and processed by the Controller. Upon the data subject´s request, we will rectify, remove or supplement any incorrect, unnecessary, incomplete or outdated personal data.

Data subjects are entitled to prohibit the use of the data for direct advertising, telemarketing and other forms of direct marketing, as well as to prohibit the use of the data for use in questionnaires and market research.

Data subjects may also withdraw consents they have given, object to or restrict processing of their data in cases defined by law, and the right to complain to the supervisory authority.

The requests can be submitted to contact persons defined in section 2 above. The Controller may need to ask additional information to confirm the identity of the data subject.