Privacy statement

Registry name

HELBUS Customer & Marketing Register

stores and processes personal data in accordance with the EU’s GDPR directive. We may occasionally modify this privacy statement – with or without prior announcement – and recommend that you visit this page from time to time to view any modifications that may have been made.


Helsinki School of Business AB

Business ID: 2928098-2

Address: Runeberginkatu 22-24, 00100 Helsinki

Phone: +358 40 501 7627

Registry Officer:

Helsinki School of Business AB

Kari Jääskeläinen, President

kari.jaaskelainen (at)

Purpose of processing personal data:

Our business is legally incorporated, so we also comply with EU regulation on personal data storage. This may be summarised as follows:

  • The information that we store about an individual is legitimate, reasonable and handled with care and transparency. This means you can access your information at any time upon request.
  • Information on individuals is held for specific purposes only. We will not disclose your information to third parties unless there is an appropriate reason for doing so.
  • We store only the minimal amount of information required.
  • We make every effort to ensure that the information stored is accurate.
  • We limit data retention so that all information stored is retained for a defined period only, after which they are either automatically or manually removed unless there is a legitimate reason for prolonged retention
  • All data is stored securely and is backed up where necessary

We collect and store information about potential new customers. The main uses of this information are: direct marketing, telemarketing, internet marketing, reporting, service delivery, customer communication, marketing planning and targeting, analysis, customer service development, payment control, service- and business development, and other similar uses. HELBUS uses personal data for distance selling and direct marketing purposes, as permitted by the Personal Data Act. The collection of new potential customers is based on our business and we collect the information ourselves. We also collect information about potential new customers by purchasing databases, such as applicants for study positions that have given permission for their contact information to be shared.

We also store information about our staff and instructors, and collect applications for personal data through recruitment forms and email. This information is used for recruitment and marketing.

Data content of the register and storage times:

We store minimal information regarding customer relationships, typically including a person’s unique name, company, and contact information, such as email and phone number.

The collected information is:

  • First and last name
  • Title
  • Contacts (such as company name, contact information, etc.)
  • Other textual information related to the customer relationship
  • Marketing authorisation or blacklist request
  • IP address or other identifier
  • Information collected through cookies
  • Information collected from social media channels
  • Website address

Data storage times:

  • Pending student applications: 24 months
  • Withdrawn student applications: 24 months
  • Rejected student applications: 24 months
  • Applications of accepted students who did not enrol: 24 months
  • Applications of accepted students that have enrolled: 6 years
  • Data of students and alumni: 10 years. Beyond this time, only name, email, cohort and evidence related to the award of any qualifications earned are held.

Regular sources of information:

Sources of information include:

  • LinkedIn, Google Analytics, and web forms on the site
  • Personal data is collected directly from individuals or our interaction with them, including by telephone, online service and customer events
  • In addition, in connection with the business, we may use, for example, names extracted from the media

Regulatory delivery of information:

We use third-party services to process and retain information that may contain personal information. However, third parties operate purely as processors of personal data that have the right to process such information only to the extent required by the agreed services, and HELBUS remains the sole registrar of such data.

We will restrict access to personal data by other parties – this in practice means the following:

  • We use email marketing tools. Only name, company and email address are stored.
  • We use a CRM tool to handle new customer relationships, which includes: an individual’s name, contact details, and customer relationship related activities, such as documentations of meetings and other activities, as well as relationship related activities such as report requests from the site
  • We use a billing system, in which we store the minimum amount of data needed for processing, for example: name, contact information of the customer, and customer relationship related activities such as billing and bookkeeping .
  • We use our website to manage customer relationships. The amount of data stored is kept to a minimum. This may include: name, contact details, and relationship-related features such as report requests from the site.
  • We use an admissions system for managing customer relationships. The amount of data stored is kept to a minimum. This may include: name and the information requested for student selection.
  • We use a student management system to manage customer relationships. The amount of data stored is kept to a minimum. This may include: name, contact information, communication, information on the application phase, and follow-up of the studies
  • We use two learning platforms and an online meeting tool to manage customer relationships. These may require: the person’s name, contact information, the information needed to participate and evidence of learning.
  • The information may be disclosed to the authorities within the limits of the applicable law or when required, for example, in order to identify misuse.
  • The University of Northampton has its own systems, the maintenance of which they are responsible for and whose privacy practices they are responsible for.

Transfer of data outside the EU or EEA

We use partners in this computing process for purposes specified in this Privacy Policy and we can, in this context, pass on any personal data we are processing outside the EU or EEA territory, in accordance with current legislation in force. For those countries where there is no guaranteed level of data protection, transfers are based on standard safeguards, such as the standard contractual clauses approved by the European Commission or by the supervisory authority.

Principles of registrar protection

HELBUS has in place appropriate technical and organisational security practices and processes to safeguard personal information against loss, misuse, or other similar illegal access.

Personal data contained in the register is kept confidential. The use of the register is governed by the registry officer and access to personal data is restricted so that the information contained in the register can only be accessed by authorised employees who have the need to access the data stored to perform their work duties. All such personnel information is kept confidential.

The system is protected by security software. Access to the system requires each user from the registry to enter a username and password. The server environment is protected by passwords and an appropriate firewall. The communication between the server and the user’s machine is encrypted. In addition, the controller’s computer network and the hardware on which the registry is located are protected by a firewall and other technical measures. The destruction of personal data is done with data security in mind.

Audit rights

You have the right to have access your own personal information and to have incorrect information corrected. You have the right to request the removal of your personal information at any time, unless our legitimate interest or legal requirement preclude the removal of some personal data. The information shall be provided to the customer in an understandable form and, where appropriate, in writing. Such requests should be made by a personally signed letter to the following address:

Helsinki School of Business AB

 Kari Jääskeläinen

 Runeberginkatu 22-24

 00100 Helsinki

Right to demand correction

The registrar rectifies, removes or supplements any unauthorized, unnecessary, defective or obsolete personal data contained in the register for the purpose of processing on its own initiative or at the request of a registered person. In addition, personal information may be deleted if the customer misuses the service or pursues criminal or other prohibited activities through the service. The data subject must contact the registrar to correct the information. Such requests should be made by a personally signed letter to the following address:

Helsinki School of Business AB

Kari Jääskeläinen

Runeberginkatu 22-24

00100 Helsinki

Other rights related to the processing of personal data

The registrar also has the right to deny the controller the processing of information about himself for the purposes mentioned in this register unless otherwise agreed between the controller and the data subject. Requests for correction of marketing bans (call, printed direct mail, SMS and email) should be made to the registrar.


A cookie is a small file that a website stores on a visitor’s computer and the visitor’s browser each time a visitor visits a site. We use cookies on our website to do what they are supposed to do – to improve user experience or track traffic to HELBUS’ web pages. You can disable cookies or set a browser alert for cookies.

Website analytics and advertising-related cookies

To get more information about website traffic we use third-party analysis tools and advertising.

The HELBUS website uses the Google Analytics web analytics service provided by Google Inc. (“Google”). Google Analytics uses cookies to analyse how users are using the site. Information generated by the cookie about how you use a website (including your IP address) is sent and stored by Google on US servers. Our site uses IP anonymisation. Therefore, Google will shorten / anonymise the last octet of the IP address of citizens of Member States of the European Union and members of the European Economic Area. Only in exceptional cases will the entire IP address be sent and abbreviated in the United States by Google’s servers. Google uses this information on behalf of the web site to evaluate the use of the page, to provide website traffic reports to website vendors and to provide website providers with services related to other websites.

You can block the collection and use of data from Google (cookies and IP addresses) by downloading and installing the browser plug-in available here: en or using equivalent tools.

We also use Google Analytics to analyse data for AdWord and DoubleClick Cookies. You can prevent this data from being processed through Google’s privacy settings here:


Updated 5.3.2018