Privacy notice
Effective date: 16 May 2018 As a data controller, Caverion Corporation is required to protect your personal information, and our aim is to make you feel secure when we process your personal data. We protect your privacy in compliance with the EU General Data Protection Regulation as well as all other applicable laws. We encourage you to read this privacy notice thoroughly. 1. Who is collecting your personal data When we refer to Caverion in this privacy notice, we mean Caverion Corporation and its affiliates listed in Caverion Corporation’s latest financial statement available. Caverion is a group of companies whose parent company is listed on the Nasdaq Helsinki. Caverion Corporation has its domicile in Helsinki, Finland. Contact information Caverion Group Legal & Compliance function Torpantie 2, 01650 Vantaa Phone: +358 10 4071 Email: communications@caverion.com Organisation number: 2534127-4 2. Protecting personal data We take privacy and security of your personal data seriously. All personal data you provide to Caverion is being stored on secure servers and only employees and third parties who need to access to this information shall have access to your personal data. Those individuals who have access to the personal data are required to maintain the confidentiality of such information. Caverion and our service providers will always take all reasonable measures to make sure your personal data is being protected. We use appropriate technical, administrative and organizational security measures to protect personal data against unauthorized access, disclosure, destruction or other unauthorized processing. The servers are located in the EU or they are GDPR compliant by separate agreements. Network services are protected by a HTTPS connection, which encrypts communications. 3. Definitions “Caverion” or “us” or “we” or “company” refer to Caverion Corporation and its affiliates that may process your personal data as mentioned in clause 1 above. “personal data” or “personal information” refer to all kinds of information that directly or indirectly identify an individual or can be used in combination with other information to identify an individual. Examples of personal information: Name, phone number, email address, date of birth. “sensitive personal data” or “sensitive personal information” refer to certain special categories of personal data and is information of more sensitive nature of the individual. Examples of personal information: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. “user(s)” or “you” or “data subject” or “person” refer to user(s) of our websites, users of our services or other persons external to Caverion that are providing personal data to Caverion. “website” refer to website reachable via the following primary URL caverion.com, as well as our country domains, campaign landing pages (e.g. hub.caverion.com) and online recruiting services (e.g. careers.fi/caverion). 4. Information we collect & Purposes of collecting personal data We will only collect such personal information that is relevant for the purposes described in this privacy notice. We collect information that is (a) provided by you but also (b) information collected automatically or (c) obtained through other external sources. We describe here how we handle personal data of different data subject groups. Note that we sometimes combine information we receive from you, information collected online, information collected offline and information collected from third party sources, always in compliance with applicable laws and regulations pertaining to processing of personal data. We will use your personal data only for the purposes stated in this privacy notice, unless we receive your consent for other purposes. Privacy notice 4.1. Website users Privacy notice 4.2. Customers Privacy notice 4.3. Candidates Privacy notice 4.4. External workforce Privacy notice 4.5. Vendors Privacy notice 4.6. Building visitors 5. Lawful basis for the processing The applicable lawful basis for the processing of personal data depends on the circumstances relating to the relevant processing activities, as further described below: 5.1. Consent If the processing of personal data is necessary for one or more specific purposes for which your consent is required, we will state so and obtain your consent, GDPR art. 6(1)(a) serves as the lawful basis for processing operations. We will ask your consent e.g. if we are going to use your photos or videos for marketing purposes or background checks. 5.2. Performance of a contract If the processing of personal data is necessary for the performance of a contract, such as for providing certain services, to which the data subject is party, GDPR art. 6(1)(b) serves as the lawful basis for processing operations. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. 5.3. Legal obligation If the processing of personal data is necessary for complying with a legal obligation, such as for the fulfilment of tax obligations, GDPR art. 6(1)(c) serves as the lawful basis for processing operations. 5.4. Vital interests If the processing of personal data is necessary for protecting the vital interests of a data subject, such as if a visitor were injured in our premises and his/her information would have to be passed on to medical personnel, GDPR art. 6(1)(d) serves as the lawful basis for processing operations. 5.5. Legitimate interests If the processing of personal data is necessary for processing operations which are not covered by any of the abovementioned lawful basis, but are deemed permissible for the purposes of the legitimate interests pursued by us, such as marketing activities if it has a minimal privacy impact, GDPR art. 6(1)(f) serves as the lawful basis for processing operations. 6. Disclosure and transfer of personal data Caverion transfers personal data only to persons and companies who need it to perform their duties. We ensure that the parties we transfer personal information to, are properly informed of the purpose of the processing, and we ensure the lawful processing of the personal data through contractual arrangements. We also ensure that the recipients of personal data commit to comply with the restriction on use of that personal data, including keeping the personal information confidential. In case personal data is transferred outside EU/EEA, such transfers are either made to a country that is deemed to provide a sufficient level of privacy protection by the European Commission or transfers are carried out by using appropriate safeguards such as EU commissions standard contractual clauses, and identify need for supplementary measures. 6.1. Companies of Caverion Group Due to our common IT infrastructure and knowledge sharing within the group, your personal data will be accessible by companies of Caverion Group for the listed purposes. Note that your personal data will be shared also outside the EU/EEA area, with our affiliates. 6.2. Suppliers and subcontractors We are using external service providers for certain parts of business operations, e.g. IT system maintenance. 6.3. Third parties We will share the data other partners or stakeholders. We also use cookies and web beacons on our websites and therefore share information with third parties collecting the data. Read our Cookie notice . Below are the purposes of transferring personal data Your request or consent: Based on your request or consent we can transfer your personal data. Services provided to the company or our employees: We have suppliers that support our business operations, providing services on our behalf. Acquisition, demerger or sale of business operations or companies: In case of acquisition, demerger or sale of the companies or other business operations, personal information is one of the transferred assets. Information sharing from our collaboration partners: In some rare cases we may transfer your personal data for our collaboration partners to enable them to share information about their services. Legal proceedings: When required by law or requirement by court, administrative agency or similar, we sometimes need to transfer your personal data to these parties. We can also share your personal data to seek for advice from lawyers or other professional advisers (banks, lawyers, accountants, potential buyers and vendors). Protection of safety, facilities, privacy or rights of our stakeholders Carry out other uses of personal data listed in the section “Purposes of collecting the data” 7. Your rights You, as a data subject, have certain rights concerning your personal data. 7.1. Right to access, correct and object You can contact us and we will inform what personal data we have collected and processed regarding you and the purposes such data are used for. You have the right to ask to correct any incorrect, incomplete, outdated or unnecessary personal data stored about you by contacting us. You can object to use of certain personal data, including direct marketing, if such data is processed for other purposes than purposes necessary for the performance of our services or for compliance with a legal obligation. You can also object any further processing of personal data after prior given consent. If you object to the further processing of personal data, this may lead to fewer possibilities to use our services. 7.2. Right to deletion and restriction of processing You can also ask us to delete your personal data from our systems. We will comply with such request unless we have a legitimate ground not to delete the data. After the data has been deleted, we may not be able to delete immediately all residual copies from our active servers and backup systems. Such copies shall be deleted as soon as reasonably possible. Even though you can request us to restrict processing of certain personal data; this may however lead to fewer possibilities to use our website and other services. 7.3. Right to data portability You have the right to receive personal data provided by you to us in a structured, commonly used and machine-readable format when the data is processed automatically and is processed based on consent or fulfilment of contract or steps preparatory to a contract. These rights (7.1.-7.3.) can be exercised by using the Data Subject Request form . We can request the provision of additional information necessary to confirm your identity. We can also reject requests that are unreasonably repetitive, excessive or manifestly unfounded. After receiving all the required information of your request (incl. validation of identity), we’ll start the processing of your request. We’ll do our best effort to process your request within a period of one (1) month. If we for some reason cannot process your request within the planned schedule, we will inform you about the delay as soon as possible within that one (1) month period. The maximum delivery time of the request will be three (3) months. It’s worth noting that if you request access, rectification, restriction or deletion of personal data, we might in some cases not be required to do so according to applicable law. 7.4. Consents If the personal data you have given us is based on your consent, you have the right to withdraw that consent at any time. You can opt-out your digital marketing consent here . If you have given consent for visual materials (images, videos) or contents (blog posts, articles), you can withdraw your consent here . Note that processing your personal data is necessary for us to provide you our products and services. Withdrawing your consent may lead to a situation where we cannot necessarily provide you our services. 7.5. Complaints If you are not satisfied with the decision or actions of Caverion, you have always right to lodge a complaint to local data protection authority. 8. Cookies and Beacons We use cookies and beacons on our websites. Please see our Cookie notice . 9. Retention of personal data We have the right to store your personal data as long as needed for legitimate purpose or as long as required by law. The criteria used to determine the period of storage of personal data is the respective statutory retention period and legitimate purpose. We sometimes need to keep your personal data after the end of the employment relationship to comply with our legal obligations and/or to resolve possible disputes. The information and the length of the storage time vary depending on the data in question and applicable law. Detailed retention times can be provided upon request. We continuously erase and/or anonymise your personal data when it is no longer relevant for the purposes for which we are processing it. 10. Changes to privacy notice We reserve the right to review, modify and update this privacy notice from time to time. If we make such changes, we will record the date of the amendment or modification to this privacy notice. Please review this privacy notice regularly and especially before submitting any personal data to us. In case of updates to this privacy notice, we will not alert our users for all the updates but if there are really important changes to the privacy notice or how we use your information, we will utilise commercially reasonable efforts to provide appropriate notification to you.