top of page

Privacy policy & template




Third Parties and Storing data

Quarto Legal stores your data in secure locations, such as the protected database of the Company's AWS database in Ireland, and on the highly secured vault 'P-Cloud'. These act as processors for the Company. Please review the privacy policy of these companies for more information on how they handle your data. Cookie and other analytical data is being collected by the Company's domain host 'Wix'. 




The Company will store your data, pursuant to the Finnish taxation laws, for no longer than five years after you have made your last purchase. This type of data includes the type of purchase, the buyer and location of the buyer.


Regarding marketing data, the Company will keep emails from individuals who have not purchased products or services, for no longer than two years. Every year the Company will review their database and request again consent, in the event the individual has been inactive for more than two years.  




The Company may internationally transfer data if the Company makes use of a tool that is necessary for the service which stores data outside the EEA. Such transfer shall be vetted and only done pursuant Chapter V of the GDPR. The Company shall refer to these transfers in this policy. At this very moment the company does not transfer data outside the EEA. 



Automated individual decision-making

The Company does not make use of automated individual decision-making tools.




The Company will ask for your consent to share your brand name on its website. The Company also may ask you for LinkedIn or Google reviews, which it may place as well on its website. If you have any objection to this, please let us know.


Your rights

You, a website visitor, customer or other party, have at all times the right to:

  1. access your data and request copies of all processing activities around your data

  2. rectify processing concerning any information you believe is inaccurate, to which the Company can comply under certain conditions, such as when it is following a legal obligation from a National Authority

  3. request to be forgotten, to which the Company can comply under certain conditions, such as when it is following a legal obligation from a National Authority

  4. request to restrict or object to processing, to which the Company can comply under certain conditions, such as when it is following a legal obligation from a National Authority

  5.  request a structured, commonly used and machine-readable format to transfer the data to another controller or directly to you (portability). 



Changes to the Policy

The Company will keep this privacy policy under review and reserves the right to modify this document. This policy was last updated in October, 2022, and advises you to regularly review this document for the latest updates.



Should you wish to report a complaint or you feel the European Startup Lawyer has not addressed your concerns in a satisfying manner, you may contact the Data Protection Authority Office in Finland, or in the country of your residence.

Quarto Compliance Privacy Policy

This document informs you about privacy issues such as the collection, storage, use and disclosure of Personal Information received from users of this Site, data subjects (customers and their clients) of Quarto Compliance, or Quarto Legal, which is used as a trade name (hereinafter also: the Company).



Quarto Compliance acts as a Data Controller, Data Processor, and could be a third party, which depends on the data processing activities as described below.


If you have questions or comments, you may always contact via mail, phone, or email at:

Quarto Compliance

c/o Steffi Besselink, founder | lawyer | DPO

Finnish Business ID: Y-3142564-2

00520 Helsinki, Finland

Collecting data


From our website visitors, the Company collects personal data such as:


  • Name

  • Business name

  • Email (work-related)

  • Phone number (if provided)

  • Address/ country

  • Purpose for contacting Quarto Legal


We collect this data based on your consent, Article 6 (1) (a) of the European General Data Protection Regulation 2016/679, because you have reached out to us for information or questions or like to be contacted by Quarto Legal.


Regarding customers, the Company collects data such as:


  • Business name, address and country

  • Names of business employees

  • Personal data that you process and is related to our services to you

  • Company's banking information to invoice you

  • Personal data related to your customers or clients when the need arises during the service.


This data is collected based on the contractual obligation from Quarto Compliance to provide you the product and services of GDPR documents, consultation and advice, which stems from Article 6 (1) (b) of the European General Data Protection Regulation 2016/679.


Quarto Compliance collects potential customer representative names and emails it received via: 

  • LinkedIn

  • Via a common professional acquantaince

  • Via an event we both attended 

  • Via other professional avenues where Quarto Compliance has been informed you may have an interest in our services. 

Where Quarto Compliance receives your information, we reach out to you based on the company's legitimate interest. 

Where you respond to our engagement you have provided consent to stay in touch, or remain connected for the purpose of engaging with our services in the future. Ideally, we connect on LinkedIn, so that your information can be removed from our email folders. 

Where you do not engage with us within 1 year, or have expressed not to wish to engage with us, we remove your information from our email and servers. 


Quarto Compliance does not collect personal identifiable cookies. It does review website statistics, which are anonymous cookies, such as number of visits, and the area (such as country or continent) you visited from. 



We use the following sub-processors: 


Wix, Israel

Business email and productivity tools: 

Google Business Suite and Microsoft, European data centres

Quarto Compliance Desk Software: 

AWS European data centres

IT Monitoring of Desk:

Documentation and policies: 

Slite, Belgium 

We refuse to sell any personal information

We only use authorised and vetted sub-processors that can establish data centres in the EU, and have contractual tools and documentation in place for us to prove data protection compliance


Instructions when using as template

1. What is this document going to be about? 

2. Specify, or mention, your roles as Data Controller (deciding the purpose and means of the data), Data Processor (acting on behalf of the Data Controller), or a Third party (a recipient of personal data neither in the position of Data controller, or Data processor.) 


3. Add your company details

Data collection: 

  • What personal data do you collect? 

  • On which legal basis and for what purpose do you use it? 

  • Be as specific as possible: 

    • Consent: data that is provided to you freely and unambiguously ​

    • Contract: data that is collected or processed by you based on a contract

    • Legitimate interest: data that is collected or processed by you due to a specific reason, necessary for your business interest, and in proportion to the data subject rights. 

    • Legal obligation: data that you process because of a law or legal order

    • Vital interest: data that you process based on life or death matters

    • Public interest: data that is processed in the public interest, such as journalism or scientific research. 


Explain the type of marketing funnels you use, and what data is collected in such way. Do you track people? Do you create behavior profiles? Do you keep marketing prospect lists? 


When tracking people, or creating profiles based on website visits, ask consent. For any cookie that is created or shared, that stores or collect personal information you must ask consent via a banner. 

Anonymous cookies do not need consent, but you must inform people about these. 

Note: anonymous information is not subject to GDPR rules anymore, however, data can be considered anonymous when there is no link anymore with the data subject, so that the data subject cannot be re-identified anymore. 


If you have a building secured of video surveillance, add it here to inform people entering or visiting the physical location. 

If you use personal data for research or publications, or demonstrations or events, add and explain here how you collect this data, and for which purposes it is used. 


  • You do not legally need to name all your sub-processors, but you must be able to transparently provide clarity, where personal data is processed, in which location (EU or abroad). 

Securing personal data


We use appropriate technical and organisational security measures, such as, but not limited to: 

  • Only using certified and registered companies for business contracts

  • Contractually committing businesses to secure personal data that is processed

  • We have an authorisation and access-only system to any personal data we process, that is specifically authorised by the founder of Quarto Compliance

  • We process personal data only - as far as possible - in the European Union, or, if there is a necessity for internal transfers, we have the appropriate transfer tools from the GDPR in place. 

  • We have access, user accounts, and login attempts monitored. 

  • Our screens and devices have automatic lock screen after seconds of idle time. 

  • We have safe and secure suggested passwords, do not use passwords more than once, and have where possible, multi-factor authentication for employee or user identification. 

  • Users for Desk software are personally vetted and authorised by the founder who sends a directed invitation email. 

  • No more personal data is stored, collected, or accessed without necessity of the services. 

  • We retain personal data only for legal retention reasons, such as tax- and bookkeeping in Finland, and delete or return information wherever possible to the client. 


Securing personal data: 

You do not need to go into detail as we did here, but you should address if you have secured personal data from unauthorised loss, modification, or access wherever possible. 

These measures include, at least (but you can add any measure that work for you to reduce the risk): 

  • Access controls (limit admin accounts and user accounts as personal data is only need-to-know basis.) 

  • Location, or transferring or storing personal data (aim for EU because other countries may not have the same or equivalent standards of data protection) 

  • Retention (how long do you plan to keep data? Do you plan to return it to the customer, anonymise and archive?) 

Data subject rights

Data subjects have the following data subject rights: 

  • The right to be informed of data processing, and any changes, modifications, or data breaches that have a high risk to your rights and freedoms. 

  • The right to request access for copies of all personal data processed

  • The right to rectify any information that you believe is inaccurate

  • The right to request 'to be forgotten' and have your personal data deleted

  • The right to object or restrict processing of your personal data 

  • The right to object to automated decision-making and be assisted by a human. 

  • The right to request a structured, commonly used and machine-readable formate to transfer personal data to another controller or directly to you ('portability'). 

It may be possible that Quarto Compliance cannot comply to your data subject right request. Where Quarto Compliance is the Data Processor or Third Party, it shall refer you to your Data Controller, without undue delay, and assist your Data Controller to the best of its abilities. 

Where Quarto Compliance is prohibited due to reasons based on a legal obligation from a National Authority, or reasons for public interest or public health, it shall inform you whether this is the case. 

Regardless, Quarto Compliance, shall answer to your request by execution, or failure of execution due to any of the reasons above, within the legal limit of 30 business days. 

Please contact to file such a claim. 

Changes to this policy

This policy was updated in April 2024. Should you wish to report a complaint or you feel Quarto Compliance has not sufficiently addressed your concerns, you may contact the Data Protection Authorities in Finland, or in your country of residence. 

Data subject rights

Mention all data subject rights, and explain if you cannot comply with them, of example, because you have anonymised the data and the data subject cannot be re-identified anymore, if you will return the request to the data controller (and assist to the best of your ability), or any other reason that applies.


Note that for authorities, this is a very important section! 

Add the contact information for data subjects to file a claim, and you must respond within 30 days, which is a legal time frame. 

Time and Authorities

Always add the last review date for updates, and to which authorities the persons can file a claim. This is also a legal requirement, thus do not forget this last part. 

Privacy policies should be updated at least annually. 

bottom of page