Privacy Notice – Subcontractors and Independent Experts
Maya Consulting Oy
Last updated: 15.05.2026
Version: 1.0
1. What this notice is about
This notice explains how Maya Consulting Oy (“Maya”, “we”) uses personal data about subcontractors, independent experts and contact persons of subcontractor companies.
2. Controller and privacy contact
Controller: Maya Consulting Oy
Business ID: 3555329-7
Address: Itämerenkatu 3, 00180 Helsinki
Privacy contact:
Email: info@mayaconsulting.fi
3. Who this notice applies to
This notice applies to:
- independent consultants and freelancers who may contract directly with Maya;
- independent consultants and freelancers who may contract directly with Maya;
- consultants, employees, owners or representatives of subcontractor companies;
- potential external experts identified through referrals, professional networks, public sources or earlier business contacts;
- experts whose CV, profile or competence information may be assessed for a customer assignment.
4. What personal data we use
We may process the following types of data, depending on the relationship and assignment context:
| Type of data | Examples |
| Contact details | Name, company, role, email address, phone number, business contact details |
| Professional profile | CV, work history, education, skills, certifications, languages, industry experience, technology experience, project roles and participation |
| Commercial & Assignment data | Availability, preferred roles, location, remote/on-site preference, assignment interests, matching notes, agreed rate, contract terms |
| Communications | Emails, Teams messages, meeting notes and other communications with Maya, customers or stakeholders, CVs and profiles |
| System and access data | User accounts, access rights, login data and audit logs in systems used for this function |
We do not ask for sensitive personal data, such as health information, political opinions, religious beliefs or trade union membership, for this purpose. Please do not include unnecessary sensitive data in CVs, profiles or free-text fields.
If a CV or profile contains sensitive data that we did not ask for, we may redact it from internal or customer-facing copies and ask for an updated version.
5. Where the data comes from
We usually receive the data directly from you, your company or your communications with Maya.
We may also create or receive data from assignment discussions, customer needs, project work, Maya’s sales and delivery work, and the tools used for expert management.
For B2B expert sourcing, we may also use limited professional information from sources such as:
- LinkedIn and other professional networking platforms;
- public company websites;
- public professional profiles;
- conference or event participant information;
- referrals from subcontractors, customers, partners or Maya employees.
If we add you to our expert or subcontractor records based on a referral or public/professional source, we will provide this notice within one month or at the latest when we first contact you, unless an exception under GDPR applies.
6. Why we use the data
We use the data for the following purposes:
| Purpose | What this means in practice | Legal basis |
| Managing the relationship | Keeping in contact and maintaining your profile, CV, skills, availability and relationship status | Contract where you personally contract with Maya; otherwise legitimate interest |
| Assignment matching | Assessing whether your skills and availability fit a customer need | Legitimate interest |
| Proposal preparation and delivery planning | Preparing customer proposals and planning delivery capacity | Legitimate interest |
| Sharing identifiable CVs or profiles with customers | Sending your identifiable CV, profile or expert presentation to a customer for a specific opportunity | Consent |
| Sharing non-identifying profiles | Discussing a potential expert profile with a customer without identifying you | Legitimate interest |
| Contracting | Preparing and performing your subcontractor or assignment agreement (where you contract personally with Maya) | Contract |
| Invoicing and accounting | Invoicing, accounting and tax records | Legal obligation |
| Assignment Administration | Managing assignments where you act through a subcontractor company | Legitimate interest |
| Communications between assignments | Staying in contact between assignments and enabling future collaboration | Legitimate interest |
| Information security and access management | Protecting Maya’s systems, customer data, expert data and business information | Legitimate interest and Security obligations under GDPR |
| Accounting, tax, audit and legal claims | Keeping records required by law and protecting Maya’s legal position | Legal obligation and legitimate interest |
Where we rely on legitimate interest, our interests are to operate Maya’s expert sourcing and consulting delivery model, maintain professional subcontractor relationships, match qualified experts to customer needs, protect systems and information, and manage business and legal risks.
We do not use automated scoring or automated ranking to make decisions about subcontractors or independent experts.
7. Sharing CVs and profiles with customers
We share your identifiable CV, profile or expert presentation with a customer only after you have approved the sharing for the relevant opportunity. This approval is treated as consent.
You can withdraw your consent at any time by contacting Maya. Withdrawal affects future sharing only. It does not affect sharing that took place before the withdrawal.
After a customer has received your identifiable CV or profile, the customer normally uses it for its own purposes, such as evaluating you for an assignment. In that situation, the customer is an independent controller. If you want to exercise your rights against the customer, you should contact the customer directly. Maya can help route the request where appropriate.
At an early opportunity stage, we may share a non-identifying or pseudonymised profile with a customer without naming you. If Maya can still link the profile back to you, it remains personal data for Maya.
8. Do you have to provide the data?
Providing CV, profile, skills, availability and related expert data is not required by law.
However, without enough contact and profile information, we may not be able to:
- assess your suitability;
- contact you about assignments;
- include you in assignment matching;
- present you to customers.
If you enter into an agreement with Maya, some contact, contracting, invoicing and assignment administration data is necessary to manage the agreement and meet legal obligations.
9. Who receives the data
We may share or make data available to:
| Recipient | Why data is shared or made available |
| Maya personnel | Sales, delivery, community management, management, finance and other authorised personnel who need the data for their work |
| Customers | Evaluating an expert for a specific customer opportunity, normally after consent for identifiable CV/profile sharing |
| Service providers | Tools and services used for systems, hosting, collaboration, document storage, support, security and business applications |
| Professional advisers | Legal, accounting, audit or other advisory support where needed |
| Authorities | Where required by law or lawful request |
We use written data processing agreements with processors where required by GDPR. A current list of key processors relevant to this notice is available on request.
10. Where the data is stored and transfers outside the EEA
The main systems used for this processing are listed below. The list may change when Maya’s systems or vendors change.
| System / provider | Main use | Data residency and transfer summary |
| Agileday / Agileday Oy | Expert profiles, CVs, skills, availability, work hours, assignment information, reporting and human review | Agileday states that personal data is stored primarily within the EEA. Some service providers may access or transfer data outside the EEA. These transfers are protected through Standard Contractual Clauses and other safeguards. |
| Microsoft 365 / Microsoft group | Outlook email, Teams communication, SharePoint documents, access management and collaboration | Microsoft 365 (Outlook, Teams, SharePoint) is operated on EU infrastructure under the EU Data Boundary. Microsoft support and engineering may access data from outside the EEA on a limited basis under the EU–US Data Privacy Framework (for transfers to certified US recipients) and the European Commission’s Standard Contractual Clauses. |
| SharePoint / Microsoft 365 | CV exports, customer proposal attachments and related documents | See Microsoft 365 row above. |
| Outlook and Teams / Microsoft 365 | Communication with subcontractors, independent experts, customers and stakeholders | See Microsoft 365 row above. |
Some providers used by Maya are global service providers. This means that personal data may be accessed from or transferred outside the EU/EEA, especially for support, operations or service-provider purposes.
When this happens, Maya uses GDPR-approved safeguards, such as:
- adequacy decisions;
- the EU–U.S. Data Privacy Framework for certified U.S. recipients;
- the European Commission’s Standard Contractual Clauses;
- supplementary technical or organisational measures where required.
11. How long we keep the data
We keep personal data only as long as needed for the purposes described in this notice.
| Data / record | Retention rule |
| Active expert or subcontractor profile | Kept while the relationship is active and the data is relevant for expert sourcing, assignment matching or delivery |
| Inactive expert or subcontractor profile | Deleted or anonymised if there has been no contact or relevant activity for three years |
| CV exports and proposal material | Kept for the related opportunity or assignment and for two years afterwards, unless longer retention is needed for a contract, customer obligation, legal claim or accounting record |
| Communications | Kept while the relationship is active and for three years afterwards. Communications linked to contracts, assignments, invoices, disputes, audits or legal claims may be kept longer |
| Assignment, contract and invoicing records | Kept for the assignment and afterwards as needed for contract management, accounting, tax, audit and legal claims |
| Accounting material | Generally kept for six years from the end of the financial year, as required by Finnish accounting law |
| Legal claims material | Kept as long as needed to establish, exercise or defend legal claims |
| System logs and access records | Operational logs are typically kept for 90 days. Security audit logs and access records are typically kept for up to 12 months, unless longer retention is needed for investigation, audit, legal claim or customer obligation |
12. How we protect the data
We protect personal data with practical organisational and technical measures. These include:
- role-based access rights;
- individual user accounts;
- Microsoft 365 security controls;
- multi-factor authentication according to Maya’s access management policy;
- controlled document storage;
- access based on work need;
- confidentiality obligations;
- vendor due diligence;
- data processing agreements with relevant processors.
Access to Agileday and Microsoft 365 content is granted based on role and need. Employee data and subcontractor/community data are handled with individual access rights.
13. Your rights
You have the following rights under GDPR:
| Right | What it means |
| Access | You may ask whether we process your data and request a copy. |
| Correction | You may ask us to correct inaccurate or incomplete data. |
| Deletion | You may request deletion. We will assess the request under GDPR and explain the outcome, including if some data must be kept for legal, accounting or claims reasons. |
| Restriction | You may ask us to restrict processing in situations defined by GDPR. |
| Objection | You may object to processing based on legitimate interests. We will assess whether we have compelling legitimate grounds to continue. |
| Data portability | Where processing is based on consent or contract and carried out by automated means, you may request the data in a structured, commonly used and machine-readable format. |
| Withdrawal of consent | Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect earlier processing. |
To exercise your rights, contact Maya’s privacy contact. We may ask for additional information to verify your identity. We normally respond within one month.
14. Complaints
If you believe Maya processes your personal data unlawfully, you may contact Maya’s privacy contact first.
You also have the right to lodge a complaint with the Finnish supervisory authority. Contact details are available at Office of the Data Protection Ombudsman Website: https://tietosuoja.fi
15. Changes to this notice
Maya may update this notice when its processing activities, systems, vendors or legal requirements change. The current version is published at https://mayaconsulting.fi/privacy-notice-subcontractors/.