1. Identity and Contact Details of the Controller

Depending on the context of the processing, the data controller will be:
Patria Plc
Arkadiankatu 2
FI-00100 Helsinki, Finland

If required, separate local Patria entities act as controllers for national operations (e.g., recruitment, client delivery, compliance activities).

2. Contact Details for the Data Protection Officer (DPO)

Patria has appointed a Data Protection Compliance Manager as follows:

Azahara González
Compliance Manager for Internal Controls
Address: Hatanpään Valtatie 30, FI-33100 Tampere, FINLAND

Other contact information: [email protected]

You may contact the Compliance Manager regarding any queries about this notice or your data-protection rights by emailing [email protected]

3. Purposes and Legal Bases for Processing

We process personal data for the following purposes and legal bases:

Purposes

  • To operate and secure our website, digital services and online platforms
  • To respond to enquiries, contact requests and customer support interactions
  • To manage and fulfil contracts with clients, suppliers, subcontractors, and partners
  • To manage procurement, logistics and supply-chain functions
  • To handle recruitment processes, evaluate applicants, and maintain candidate records
  • To perform compliance activities (e.g., export control, defence-industry regulations)
  • To maintain physical and IT security, including CCTV, access control and audit logs
  • To maintain business continuity, incident management, fraud prevention and investigations
  • To comply with applicable legal obligations, regulatory requirements or lawful requests


Legal Bases

  • Contract necessity (Article 6(1)(b))
  • Legal obligation (Article 6(1)(c))
  • Legitimate interests (Article 6(1)(f)) — including security, fraud prevention, service delivery
  • Consent (Article 6(1)(a)) — used only where required (e.g., marketing, cookies)

For special categories of data (e.g., health, criminal-record data for vetting), processing is carried out only where permitted under Article 9 GDPR and relevant national laws.


4. Categories of Personal Data and Relevant Legal Basis

| Category of Data | Examples | Purpose / Context | Legal Basis |
|---|---|---|---|
| Identity Data | Name, address, date of birth, national ID, nationality, passport, driver’s licence, place of signature, job title | Identification, contracting, security checks, access control | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation; Art. 6(1)(f) legitimate interests |
| Contact Data | Email, phone, postal address | Communication, service provision, support, logistics | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests |
| Professional / Employment Data | CV, skills, qualifications, work history, education history, previous professional experience, references, current and previous roles, country of residence | Recruitment, contracting with independent consultants, supplier due diligence | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests; Art. 9(2)(b)/(h) if special category HR data |
| Business & Contract Data | Company details, VAT ID, project roles, service records, representative or point-of-contact details; nationality and date of birth of Ultimate Beneficial Owners | Contract fulfilment, supplier management, customer administration | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests |
| Technical & Usage Data | IP address, cookies, login logs, device data | Website operation, cybersecurity, analytics, fraud prevention | Art. 6(1)(f) legitimate interests; Art. 6(1)(a) consent (for cookies where required) |
| Security and Vetting Data | Background checks, criminal-record data (where lawful), export control screening; Security Visitor Registry data (identity details, ID number, visit date, host, contact details) | Defence-industry compliance, security clearance, legal obligations; visitor management and site security | Art. 6(1)(c) legal obligation; Art. 6(1)(f) legitimate interests; Art. 10 GDPR; applicable national laws (Finland, Germany, Sweden) |
| Communications Data | Emails, enquiry forms, customer messages, logs | Customer support, audit trail, dispute resolution | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests |
| Financial Data | Bank account details, payments, invoices, billing records | Supplier payments, procurement processes, financial compliance | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation |
| Compliance & Audit Data | Access logs, regulatory filings, audit records, incident logs | Legal compliance, defence requirements, accountability | Art. 6(1)(c) legal obligation; Art. 6(1)(f) legitimate interests |
| Special Category Data | Health data (recruitment/fitness), biometric data (where used), trade union membership | Processed only where strictly required for recruitment, safety, or legal compliance | Art. 9(2)(b) employment; Art. 9(2)(h) health/safety; Art. 9(2)(f) legal claims; applicable national laws |
| Image / CCTV Data | CCTV footage, site-access photos (analogue or digital), surveillance area details, date and time of recordings | Site security, safety, investigations | Art. 6(1)(f) legitimate interests; Art. 6(1)(c) legal obligation (where applicable) |
| Whistleblowing Data | Reporter identity (where provided), allegations, evidence, investigation notes, report credentials, sound files, IP address, technical data; may include special category data depending on report content | Compliance with EU Whistleblower Directive, fraud prevention, investigations | Art. 6(1)(c) legal obligation; Art. 6(1)(f) legitimate interests; Art. 9(2)(g) substantial public interest (where applicable) |
| AI‑Processed Data | Text inputs, metadata, logs used for AI‑assisted drafting or analysis | Analytics, automation support, security monitoring | Art. 6(1)(f) legitimate interests; Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation (cybersecurity); Art. 9 GDPR only where required and lawful |
| Marketing Data | Email address, name | Collecting stakeholder contact information to send Patria news releases and company surveys | Art. 6(1)(f) legitimate interests; Art. 6(1)(a) consent (where applicable) |
| Others | | | |

 

5. Recipients of Personal Data

We may share personal data with:

  • Patria Group subsidiaries and internal departments
  • Service providers supporting IT, hosting, cloud, security, HR, and operational services
  • Business partners, clients, subcontractors and suppliers involved in fulfilling contracts
  • Authorities and regulators where required by law (e.g., defence, export control, tax authorities)
  • Auditors, consultants, or legal advisors
  • Any other party with your consent or where permitted by law

All third-party processors are subject to contractual obligations ensuring confidentiality, data minimisation, and due diligence compliance.

6. International Transfers


If personal data is transferred outside the EU/EEA, Patria Plc applies appropriate safeguards, such as:

  • European Commission Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Appropriate technical and organisational safeguards

7. Retention Periods

We keep your personal data for as long as is necessary for the performance of the contract between you and us and to comply with our legal obligations. If you no longer want us to use your personal data to provide this service to you, you can request that we erase your personal data and close your account with us. Please note that if you request the erasure of your personal data:

  • We may retain some of your personal data as necessary for our legitimate business interests, such as fraud detection and prevention and enhancing safety
  • We may retain and use your personal data to the extent necessary to comply with our legal obligations.

Because we maintain our records to protect from accidental or malicious loss and destruction, residual copies of your personal data may not be removed from our backup systems for a limited period of time.

8. Data Subject Rights

As an individual, under EU law you have certain rights to apply to us to provide information or make amendments to how we process personal data. These rights apply in certain circumstances and are set out below: 

1. The right to access data relating to you (‘access right’).
2. The right to rectify/correct data relating to you (‘right to rectification’).
3. The right to object to processing of data relating to you (‘right to object’).
4. The right to restrict the processing of data relating to you (‘right to restriction’).
5. The right to erase/delete data relating to you (‘right to erasure’); and
6. The right to ‘port’ certain data relating to you from one organisation to another (‘right to data portability’).

These rights are not absolute and only apply in certain circumstances.
To exercise these rights, contact [email protected] 
If these rights are restricted due to legal or defence-sector obligations, we will notify you where legally permitted.

9. Contacting Supervisory Authorities

If you have any questions about how we process your personal data, or if you wish to exercise your data protection rights, you can contact our Data Protection Contact at [email protected] 
If you believe that your personal data has not been processed in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) or applicable national data protection law, you also have the right to lodge a complaint with a Supervisory Authority.

In particular, you may contact the Supervisory Authority in the country where:

  • You normally live,
  • You work, or
  • The alleged infringement of data protection law has taken place.

For individuals located in Finland, the competent supervisory authority is:

Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
P.O. Box 800
00531 Helsinki
Finland
Email: [email protected]
Telephone: +358 29 566 6700
Website: www.tietosuoja.fi

Please note that contacting our Data Protection Contact does not limit your right to lodge a complaint with a supervisory authority.


For individuals located in The Netherlands, the competent supervisory authority is:

Netherlands - Autoriteit Persoonsgegevens
Hoge Nieuwstraat 8, 2514 EL The Hague, The Netherlands
Website: https://autoriteitpersoonsgegevens.nl
Phone number: +31 88 1805 250

For individuals located in Belgium, the competent supervisory authority is:

Belgium - Autorité de protection des données
Website: https://www.autoriteprotectiondonnees.be/citoyen
Phone number: +32 (0)2 274 48 00
Email: [email protected]

For individuals located in Sweden, the competent supervisory authority is:

Sweden - Integritetsskyddsmyndigheten
Postal address: Box 8114, 104 20 Stockholm, Sweden
Phone number: +46 (0)8 657 61 00
Email: [email protected]


Latvia
Address: Elijas iela 17, Riga, LV-1050, Latvia
Phone: +371 6722 3131
Fax: +371 6722 3556
Email: [email protected]
Website: https://www.dvi.gov.lv/

Germany
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Husarenstraße 30, 53117 Bonn, Germany
Website: www.bfdi.bund.de
Email
Phone number: +49 (0)228-997799-0

10. Use of Artificial Intelligence (AI) Systems

Patria Plc uses Artificial Intelligence (AI) technologies only where appropriate, proportionate and compliant with GDPR and applicable national laws. Patria Plc may use AI systems for:

  • Document drafting assistance (e.g., template creation, summarisation)
  • Translation support
  • Analytics for internal operational efficiency
  • Recruitment assistance tools
  • Predictive maintenance, diagnostics, or modelling relevant to defence and engineering
  • Security monitoring or anomaly detection within IT systems

We do not use AI systems to take decisions that have legal or similarly significant effects on individuals without human involvement.

AI processing may involve:

  • Analysing text inputs (e.g., CV data, support enquiries)
  • Generating summaries or classifications
  • Detecting anomalies for cybersecurity
  • Assisting internal staff with automated suggestions
     

Where AI is used, we apply strict safeguards including:

  • Human oversight at all times
  • Data minimisation (only necessary data is used)
  • Use of anonymisation or pseudonymisation where feasible
  • Vendor compliance checks and DPAs with all AI service providers
  • Prohibition on training external AI models on Patria data

AI processing relies on:

  • Legitimate interests (e.g., operational efficiency, security monitoring)
  • Contract necessity (e.g., providing services to customers)
  • Legal obligation (e.g., compliance screenings)

Automated Decision-Making

AI is not used to take fully automated decisions under GDPR Article 22.

11. Security of Information

Personal data will remain confidential. Patria Plc’s data network, server environment and the cloud services in which the filing systems are located are protected by the necessary technical and organisational measures. Organisational security measures are applied by limiting access to data to those persons working for the data controller’s organisation who have a role-based need and purpose to process the data.

12. Updates to This Notice

We may update this Privacy Notice periodically. The latest version will always be available on our website.