top of page


This is a combined Data Protection Statement and information document in accordance with the Data Protection Act and the General Data Protection Regulation of the European Union (2016/679/EU).




Customer register of Bo companies ("Customer register")

Regional offices:

Bo LKV Helsinki, visiting addresses: Neitsytpolku 12, 00140 Helsinki; Franzeninkatu 22, 00530 Helsinki; Tunturikatu 18, 00100 Helsinki
Bo LKV Espoo; Piispanpiha 1, 02200 Espoo
Bo LKV Vantaa; Silkitehtahantie 5, 01300
Bo LKV Porvoo; Mannerheiminkatu 4 01600 Porvoo
Bo LKV Turku, visiting address: Läntinen Rantakatu 53, 20100 Turku
Bo LKV Tampere, visiting address: Kelloportinkatu, 33100 Tampere
Bo LKV Oulu, visiting address: Kansankatu 53, 90100 Oulu
Bo LKV Lahti, visiting address: Rautatienkatu 20 15110 Lahti
Bo LKV Jyväskylä, visiting address: Yliopistonkatu 32, 40100 Jyväskylä

Saara Murtovaara
Chief Operating Officer
040 764 4317


General information about data processing

To the extent that the Customer Register contains personal data, the data protection act and other applicable laws, decrees, regulations and official instructions concerning the processing of personal data are followed in their processing. Personal information refers to information that can be linked to a specific person. This document describes in more detail the procedures for the collection, processing and transfer of personal data, as well as the rights of the customer, i.e. the data subject.

The purpose of collecting personal data

Contractual, customer or other comparable relationship

The customer register is intended for use by the controller

  • contractual or customer relationship with the client (e.g. seller or lessor);

  • the relationship related to the performance of the assignment with the client's counterparty (e.g. buyer or tenant);

  • contractual relationship with the user of the assessment assignment or other expert service;

  • a relationship based on the marketing permission given by the customer, the purpose of which is e.g. multi-channel marketing communication to the customer, e.g. via e-mail, online, telemarketing or mail.


The controller can also collect information from, e.g., persons present at apartment presentations in order to prevent, monitor and investigate crimes or abuses, or by other means to find out the interests of potential customers or to establish a subsequent customer relationship/provide services and for marketing.

In this statement, the persons mentioned in point a) are referred to as the Customer.


Legislation concerning real estate agencies​

The Act on real estate agencies and rental apartment agencies (1075/2000) and the Act on the agency of real estate and rental apartments (1074/2000) and the processing of assignments based on them and the processing of the Customer's own searches require the storage, use and storage of the information mentioned in the section "Data content of the customer register" below. The agency must e.g. keeps an assignment diary, in which the personal, target and event information and documents related to each assignment are recorded ("Assignment Diary").


Statutory supervision of money laundering​​

In accordance with Chapter 3, Section 3 of the Act on the Prevention of Money Laundering and Terrorist Financing (444/2017, hereinafter referred to as the "Money Laundering Act"), the customer's identification information and other personal data in accordance with the law are stored, stored and can be used to prevent, reveal and investigate money laundering and terrorist financing, as well as to prevent money laundering and terrorist financing and for the investigation of the crime by which the property or the proceeds of crime that are the subject of money laundering or terrorist financing have been obtained. The customer's identification information or other personal information acquired solely for the purpose of preventing and exposing money laundering and terrorist financing will not be used for a purpose that is incompatible with these purposes.

Data storage based on consent

Insofar as the registration right based on the aforementioned laws or circumstances is exceeded, or there is no other legal basis mentioned, the Customer's consent to the recording, processing and storage of personal data will be requested separately. Assignment data is also used for contractual relationships related to evaluation and other professional services and is stored in a manner similar to the Assignment Diary. In addition to the right to registration based on laws or circumstances, or separately, the customer may be asked to consent to the analysis of the provided information and customer behavior for marketing purposes (e.g. direct marketing via e-mail or other similar direct advertising online, by mail or as telemarketing).

Sanctions for not receiving information

If the data controller does not receive the information referred to in points a), b) and c), the customer relationship cannot be started or continued, or enter into another contract or participate in legal action with the Customer. If the apartment presentation does not provide sufficient information to identify the visitor, the presentation to the visitor is not necessarily possible.


Purpose of data use

The information in the customer register can be used for the following main purposes:

  • customer relationship management and development

  • producing, providing, developing, improving and protecting services

  • invoicing, collection and verification of customer transactions

  • advertising targeting

  • analysis and statistics regarding services

  • customer communication, marketing and advertising

  • Targeting the content of marketing and advertising (e.g. e-mail) according to the information and behavior provided by the Customer

  • protecting and safeguarding the rights and/or property of the data controller and other persons and entities related to the services,

  • managing the statutory obligations of the controller, as well as

  • other similar uses



Bo processes information in the Assignment Diary, in the register information regarding the supervision of the Money Laundering Act, and in the customer contact information listing.

The assignment diary and its attachments process, or can process, information belonging to the following groups:

  • Basic customer information, such as full name, address, language

  • the personal identification number and possibly the company identification number of the person acting on behalf of oneself or the company for reliable identification

  • information related to invoicing and collection

  • information related to the customer and the contractual relationship, such as the services offered to the Customer, the date of their use, the date and information of the purchase offer, its acceptance, the rental or sales contract, target information, commission, service seller information and other similar information

  • permission information and prohibitions, such as direct marketing permissions and prohibitions

  • points of interest and other information provided by the Customer himself

  • other event information of the services

  • complaints and their processing information

  • the tenant's credit information and other financial information for the purpose of assessing the ability to pay rent


The following information related to the Customer is processed, or may be processed, in the register data related to the supervision of the Money Laundering Act:

  • name, date of birth and social security number

  • representative's name, date of birth and social security number

  • full name of the legal entity, registration number, date of registration and registration authority

  • the full names, dates of birth and nationalities of the members of the legal entity's board or equivalent decision-making body

  • branch of the legal entity

  • the name, date of birth and social security number of the actual beneficiaries

  • the name of the document used for identity verification, the document number or other identifying information and the issuer or a copy of the document or, if the customer is remotely identified, information about the procedure or sources used for authentication

  • information about the Customer's activities, quality and scope of business, financial status, grounds for using the transaction or service and information about the origin of the funds, as well as other necessary information obtained in order to know the Customer referred to in section 4 subsection 1 of the Money Laundering Act

  • Information related to the investigation of the origin of funds in accordance with Section 4, subsection 3 of the Money Laundering Act, and necessary information acquired in accordance with Section 13 to fulfill the enhanced duty to know related to a politically influential person

  • for a foreign Customer who does not have a Finnish personal identification number, information about the Customer's nationality and information on the travel document


The following Customer-related information is or may be processed in the customer contact information listing:

  • Name, address

  • the purpose of the contact

  • information about contacting the Customer and the time of contact, as well as follow-up measures


The information in the assignment diary is kept for ten (10) years after the end of the assignment.

Information in accordance with the Money Laundering Act is stored for five (5) years, unless the further storage of said information is necessary to protect the rights of a criminal investigation, a pending trial, or the rights of the data controller or its employee. The necessity of further storage of information and documents will then be examined no later than three (3) years after the previous verification of the necessity of storage (Act on the prevention of money laundering and terrorist financing, 444/2017, § 4).

Other personal data is deleted after there is no longer a need to store the personal data. If the collection and storage of personal data is based only on the Customer's consent, the personal data will be deleted at the customer's request.



Personal data is collected from the Customer himself in connection with an assignment agreement, purchase or rental offer and other events related to the assignment, fulfilling reporting obligations and preparing documents, when otherwise using the services of the data controller or otherwise directly from the Customer, for example in apartment and target presentations, from contact forms on the data controller's website, as well as from customer satisfaction surveys and raffles. Personal data can also be collected and updated from e.g. property management offices, the population register and other official registers (such as the mortgage and mortgage register) and credit information registers.


Information based on consent is collected directly from the Customer or with his consent from registers or sources maintained by an authority or a third party.


The controller may disclose personal data within the permitted and mandatory limits of the applicable legislation, as well as for the implementation of an agreement between the parties or when a material connection is fulfilled.

Personal data can thus be disclosed, for example, to the regional administrative agency and other authorities, in connection with the transaction to the banks of the parties to the transaction, and at various stages of the assignment, e.g. for the property manager and land surveying institute, and in cases of disputes, for legal assistants.

Data is not regularly transferred outside the European Union or the European Economic Area. However, data can be transferred or disclosed outside the European Union or the European Economic Area as permitted by law, if the data is transferred to a country where the European Commission has determined that the level of data protection is adequate, or contractual arrangements can guarantee an adequate level of data protection. A transfer outside the EU can also temporarily take place when using various cloud services, such as OneDrive, iCloud or Dropbox.


Information is disclosed to the authorities in cases required by law.

The purchase price and other information about the object of the sale are also handed over to Kiinteistönvälytysala Keskusliitto (KVKL) ry, where the data is stored in KVKL's price tracking service (HSP) used by real estate agents to the extent required by the service. Information about HSP can be passed on to HSP's customers. The Privacy Statement of the service in question can be read at

In connection with the outsourcing of the data management of the data controller, processing of personal data may also take place by subcontractors of the data controller, but then only on behalf of the data controller. Such subcontractors can be, for example, service providers of real estate brokerage systems and marketing systems, as well as entities that maintain apartment sales announcement portals and companies that perform customer satisfaction measurements. The subcontractors of the Bo companies are Almamedia (Kinteistönväälytässysteme KIVI) and the financial management system Procountor, which is part of the Finago companies. The company's Privacy Statement can be found at the link Almamedia's Privacy Statement can be read at  Apartment sale portal Oikotien Register statement can be read from the link . Register statement of the company we use for customer satisfaction surveys:



Access to the register requires a user ID granted by the main user of the Customer Register. The administrator also determines the access level granted to other users. Only those employees of the data controller and employees of subcontractors have access to the information for which it is necessary to perform work-related tasks. The data is collected in the service's databases, which are protected by firewalls, passwords and other technical means. The databases are located in locked and guarded premises and only certain predefined persons can access the information. Customer information is stored electronically. If personal information containing a personal identification number is transferred by Bo, e.g. by e-mail, it is done in a protected manner.

To the extent that personal data is processed on behalf of the data controller by its subcontractor, agreements between the data controller and the subcontractor have taken care of the organization of appropriate protective measures and ensured that the processing of personal data meets the requirements of data protection legislation.


9.1 Checking, obtaining and transferring information

The customer has the right to check what information about him is stored in the Customer Register. The customer must present the inspection request to the controller in writing in a signed form or in a similarly certified document, or by e-mail.

Contrary to what has been said above, the Customer does not have the right to inspect the information acquired in order to fulfill the reporting or reporting obligation stipulated in the Money Laundering Act (§ 4:3 of the Money Laundering Act). However, upon the Customer's request, the Data Protection Commissioner can check the legality of the processing of this data.

The data controller shall deliver the aforementioned information to the Customer within 30 days of submitting the inspection request.


The customer has the right to have customer information about him that he has provided himself transferred to a third party in a structured and commonly used machine-readable format. However, the data controller retains the transferred data in accordance with this privacy statement.

9.2 Correcting incorrect information

The customer has the right to correct information about him/her stored in the personal register to the extent that it is incorrect.

9.3 Objecting to or restricting data processing and deleting data

The customer has the right to object to the processing of data concerning him/herself for direct advertising, distance sales and other direct marketing as well as market and opinion research and the development of the controller's business, as well as to limit the processing of data concerning him/her, as well as the right to have the personal data concerning him/her already registered and stored for the said purpose deleted, even if the basis for the processing of the data is otherwise would be.


9.4 Withdrawal of Consent

If the information in the register is based on the consent given by the Customer, the consent can be revoked at any time by notifying the controller's representative mentioned in this statement. Based on the request, all the information that does not have to be stored, or cannot be stored, will be deleted based on the law or another reason mentioned in this privacy statement.

9.5 Procedure for exercising rights

You can make an inspection, correction or other request by contacting the data controller's customer service using the contact information mentioned in this statement.

9.6. Disagreements

The customer has the right to refer the matter to the Data Protection Commissioner if the data controller does not comply with the customer's rectification or other request.


The controller does not profile the Customer on the basis of personal data or use automatic decision-making.

bottom of page