Effective date: 16 May 2018
As a data controller, Caverion Corporation is required to protect your personal information, and our aim is to make you feel secure when we process your personal data. We protect your privacy in compliance with the EU General Data Protection Regulation as well as all other applicable laws.
We encourage you to read this privacy notice thoroughly.
1. Who is collecting your personal data
When we refer to Caverion in this privacy notice, we mean Caverion Corporation and its affiliates listed in Caverion Corporation’s latest financial statement available. Caverion is a group of companies whose parent company is listed on the Nasdaq Helsinki. Caverion Corporation has its domicile in Helsinki, Finland.
Phone: +358 10 4071
Organisation number: 2534127-4
2. Protecting personal data
We take privacy and security of your personal data seriously. All personal data you provide to Caverion is being stored on secure servers and only employees and third parties who need to access to this information shall have access to your personal data. Those individuals who have access to the personal data are required to maintain the confidentiality of such information. Caverion and our service providers will always take all reasonable measures to make sure your personal data is being protected.
“Caverion” or “us” or “we” or “company”
refer to Caverion Corporation and its affiliates that may process your personal data as mentioned in clause 1 above.
“personal data” or “personal information” refer to all kinds of information that directly or indirectly identify an individual or can be used in combination with other information to identify an individual. Examples of personal information: Name, phone number, email address, date of birth.
“sensitive personal data” or “sensitive personal information” refer to certain special categories of personal data and is information of more sensitive nature of the individual. Examples of personal information: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
“user(s)” or “you” or “data subject” or “person” refer to user(s) of our websites, users of our services or other persons external to Caverion that are providing personal data to Caverion.
“website” refer to website reachable via the following primary URL caverion.com, as well as our country domains, campaign landing pages (e.g. hub.caverion.com) and online recruiting services (e.g. careers.fi/caverion).
4. Information we collect & Purposes of collecting personal data
We will only collect such personal information that is relevant for the purposes described in this privacy notice. We collect information that is (a) provided by you but also (b) information collected automatically or (c) obtained through other external sources. We describe here how we handle personal data of different data subject groups. Note that we sometimes combine information we receive from you, information collected online, information collected offline and information collected from third party sources, always in compliance with applicable laws and regulations pertaining to processing of personal data.
We will use your personal data only for the purposes stated in this privacy notice, unless we receive your consent for other purposes.
5. Lawful basis for the processing
The applicable lawful basis for the processing of personal data depends on the circumstances relating to the relevant processing activities, as further described below:
If the processing of personal data is necessary for one or more specific purposes for which your consent is required, we will state so and obtain your consent, GDPR art. 6(1)(a) serves as the lawful basis for processing operations. We will ask your consent e.g. if we are going to use your photos or videos for marketing purposes or background checks.
5.2. Performance of a contract
If the processing of personal data is necessary for the performance of a contract, such as for providing certain services, to which the data subject is party, GDPR art. 6(1)(b) serves as the lawful basis for processing operations. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services.
5.3. Legal obligation
If the processing of personal data is necessary for complying with a legal obligation, such as for the fulfilment of tax obligations, GDPR art. 6(1)(c) serves as the lawful basis for processing operations.
5.4. Vital interests
If the processing of personal data is necessary for protecting the vital interests of a data subject, such as if a visitor were injured in our premises and his/her information would have to be passed on to medical personnel, GDPR art. 6(1)(d) serves as the lawful basis for processing operations.
5.5. Legitimate interests
If the processing of personal data is necessary for processing operations which are not covered by any of the abovementioned lawful basis, but are deemed permissible for the purposes of the legitimate interests pursued by us, such as marketing activities if it has a minimal privacy impact, GDPR art. 6(1)(f) serves as the lawful basis for processing operations.
6. Disclosure and transfer of personal data
Caverion discloses and transfers information about personal data only with persons and companies who need to handle it. We ensure that the parties we disclose and transfer the information with are properly informed of our use of personal data and commit to comply with the restriction on use of that personal data, including keeping it confidential. Some stakeholders operate outside EU/EEA area, and we always disclose and transfer personal data to countries outside EU/EEA area in accordance with mandatory legislation and this privacy notice. For instance, if they are located in the United States, we can rely on the EU-US Privacy Shield if applicable. We are disclosing and transferring, when needed, the personal data with these stakeholders:
6.1. Companies of Caverion Group
Due to our common IT infrastructure and knowledge sharing within the group, your personal data will be accessible by companies of Caverion Group for the listed purposes. Note that your personal data will be shared also outside the EU/EEA area, with our affiliates (e.g. Russia).
6.2. Suppliers and subcontractors
We are using external service providers for certain parts of business operations, e.g. IT system maintenance.
6.3. Third parties
Below are the purposes of transferring personal data
- Your request or consent: Based on your request or consent we can transfer your personal data.
- Services provided to the company or our employees: We have suppliers that support our business operations, providing services on our behalf.
- Acquisition, demerger or sale of business operations or companies: In case of acquisition, demerger or sale of the companies or other business operations, personal information is one of the transferred assets.
- Information sharing from our collaboration partners: In some rare cases we may transfer your personal data for our collaboration partners to enable them to share information about their services.
- Legal proceedings: When required by law or requirement by court, administrative agency or similar, we sometimes need to transfer your personal data to these parties. We can also share your personal data to seek for advice from lawyers or other professional advisers (banks, lawyers, accountants, potential buyers and vendors).
- Protection of safety, facilities, privacy or rights of our stakeholders
- Carry out other uses of personal data listed in the section “Purposes of collecting the data”
7. Your rights
You, as a data subject, have certain rights concerning your personal data.
7.1. Right to access, correct and object
You can contact us and we will inform what personal data we have collected and processed regarding you and the purposes such data are used for. You have the right to ask to correct any incorrect, incomplete, outdated or unnecessary personal data stored about you by contacting us. You can object to use of certain personal data, including direct marketing, if such data is processed for other purposes than purposes necessary for the performance of our services or for compliance with a legal obligation. You can also object any further processing of personal data after prior given consent. If you object to the further processing of personal data, this may lead to fewer possibilities to use our services.
7.2. Right to deletion and restriction of processing
You can also ask us to delete your personal data from our systems. We will comply with such request unless we have a legitimate ground not to delete the data. After the data has been deleted, we may not be able to delete immediately all residual copies from our active servers and backup systems. Such copies shall be deleted as soon as reasonably possible. Even though you can request us to restrict processing of certain personal data; this may however lead to fewer possibilities to use our website and other services.
7.3. Right to data portability
You have the right to receive personal data provided by you to us in a structured, commonly used and machine-readable format when the data is processed automatically and is processed based on consent or fulfilment of contract or steps preparatory to a contract.
These rights (7.1.-7.3.) can be exercised by using the Data Subject Request form. We can request the provision of additional information necessary to confirm your identity. We can also reject requests that are unreasonably repetitive, excessive or manifestly unfounded. After receiving all the required information of your request (incl. validation of identity), we’ll start the processing of your request. We’ll do our best effort to process your request within a period of one (1) month. If we for some reason cannot process your request within the planned schedule, we will inform you about the delay as soon as possible within that one (1) month period. The maximum delivery time of the request will be three (3) months. It’s worth noting that if you request access, rectification, restriction or deletion of personal data, we might in some cases not be required to do so according to applicable law.
If the personal data you have given us is based on your consent, you have the right to withdraw that consent at any time. You can opt-out your digital marketing consent here.
If you have given consent for visual materials (images, videos) or contents (blog posts, articles), you can withdraw your consent here. Note that processing your personal data is necessary for us to provide you our products and services. Withdrawing your consent may lead to a situation where we cannot necessarily provide you our services.
If you are not satisfied with the decision or actions of Caverion, you have always right to lodge a complaint to local data protection authority.
8. Cookies and Beacons
9. Retention of personal data
We have the right to store your personal data as long as needed for legitimate purpose or as long as required by law. The criteria used to determine the period of storage of personal data is the respective statutory retention period and legitimate purpose. We sometimes need to keep your personal data after the end of the employment relationship to comply with our legal obligations and/or to resolve possible disputes. The information and the length of the storage time vary depending on the data in question and applicable law. Detailed retention times can be provided upon request. We continuously erase and/or anonymise your personal data when it is no longer relevant for the purposes for which we are processing it.
10. Changes to privacy notice
We reserve the right to review, modify and update this privacy notice from time to time. If we make such changes, we will record the date of the amendment or modification to this privacy notice. Please review this privacy notice regularly and especially before submitting any personal data to us. In case of updates to this privacy notice, we will not alert our users for all the updates but if there are really important changes to the privacy notice or how we use your information, we will utilise commercially reasonable efforts to provide appropriate notification to you.