You are here

Vendor Contact Data Protection Description

EU GDPR compliant version

Effective Date: 13 September 2017

Data Controllers:

  1. Konecranes Global Corporation, (Finnish Business ID 2711339-8)

Address: Koneenkatu 8 (P.O. 661), 05830 Hyvinkää, Finland

Telephone: +358 20 427 11

 

  1. Konecranes Plc, (Finnish Business ID 0942718-2)

Address: Koneenkatu 8 (P.O. 661), 05830 Hyvinkää, Finland

Telephone: +358 20 427 11

Contact Person in Matters Related to Data File:

Lasse Toivonen (Data Protection Manager)
firstname.lastname@konecranes.com
Mailing address and telephone number as above.

Data File Name:

Vendor Contact Data File

Legal Basis for the Processing and Purposes of Use of the Personal Data:

Processing of personal data (“Contact Data”) is generally based on legitimate interest of the data controllers. Based on defined purposes of uses of Contact Data and relationship between data controllers and Contact Data subjects, the primary legitimate interest of the data controllers is the possibility to conduct justified and legitimate business according to applicable legislation.

Secondarily, for certain data subjects, the processing of Contact Data is based on direct or indirect contractual relationship between data subjects and data controllers.

Purposes of use:

1)     Business development and reporting;

2)     Quality management;

3)     Research and development of KC Group (Konecranes Plc and its affiliated companies) IT infrastructure;

4)     Purchasing activities;

5)     Inventory management and activities;

6)     Manufacturing of products;

7)     Delivery of products;

8)     Vendor and subcontractor management (incl. access to KC Group digital channels and as appropriate to KC Group IT systems and products);

9)     Invoicing, taxation and related financial transactions; and

10)  Ensuring the integrity of KC Group business environment and processes (incl. eventual non-continuous system monitoring for the prevention or inspection of misuse as the case may require).

Data Subjects

Any natural persons representing vendor companies of KC Group.

Data Content

First name;

Last name;

Salutation;

Title;

Company (employer);

Job role;

Street Address;

Postal Code;

City;

State;

Country;

Contact Method;

Telephone number;

Mobile phone number;

Telephone extension;

Fax number;

Email address;

Miscellaneous business information (free text field);

Personal identification number (for some vendors only and only in certain countries: Spain, Portugal and U.S.)

Indicator of access to KC Group digital platforms;

Accepted data protection statement version;

Last data processing activity (time stamp);

Geographical location consent (if any);

Cookie consent;

Data request date (if any);

Regular Sources of Data:

Vendor contact persons themselves, other persons representing the vendor companies of the KC Group, employees and other persons working for or representing KC Group.

Regular Disclosures of Data and Transfer of Data to Countries Outside EU and/or EEA:

Contact Data are not disclosed (to another controller for independent use unless required by the law such as to authorities) regularly except within companies of KC Group and even then at all times in accordance with applicable laws.

Contact Data are transferred outside EU and/or EEA (incl. Switzerland) only as allowed by and in accordance with applicable laws. In case of absence of EU Commission adequacy decisions, EU Commission standard contractual clauses (of type controller to processor, EU Commission decision C(2010)593) are used as appropriate or suitable safeguards for these data transfers. Copies of the standard contractual clauses will be available through the contact details mentioned above. Furthermore, if EU Commission adequacy decisions are applicable we may rely on them.

If Contact Data is transferred to external data processors (subcontractors or vendors), appropriate contractual arrangements (including EU Commission standard contractual clauses, as applicable), as required by the applicable laws, are executed to secure lawful and appropriate processing of personal data.

Contact Data can be transferred to following countries for processing:

o   Australia

o   Austria

o   Bangladesh

o   Belgium

o   Brazil

o   Chile

o   People's Republic of China

o   Czech Republic

o   Denmark

o   Estonia

o   France

o   Germany

o   Greece

o   Hungary

o   India

o   Indonesia

o   Italy

o   Japan

o   Korea

o   Latvia

o   Lithuania

o   Malaysia

o   Mexico

o   Morocco

o   Netherlands

o   New Zealand

o   Norway

o   Peru

o   Philippines

o   Poland

o   Portugal

o   Qatar

o   Romania

o   Russia

o   Saudi Arabia

o   Singapore

o   Slovakia

o   Slovenia

o   South Africa

o   Spain

o   Sweden

o   Switzerland

o   Thailand

o   Turkey

o   Ukraine

o   United Kingdom

o   United Arab Emirates

o   Vietnam

Security Principles of Data File:

Contact Data is protected by technical and organisational measures against accidental and/or unlawful access, alteration, destruction or other processing including unauthorized disclosure and transfer of Contact Data.

Such measures include but are not necessarily limited to proper firewall arrangements, appropriate encryption of telecommunication and messages as well as use of secure and monitored equipment and server rooms. Data security is of special concern when third parties (e.g. data processing subcontractors) providing and implementing IT systems and services are retained.

Data security requirements are duly observed in IT system access management and monitoring of access to IT systems. Access to personal data is available only in the internal networks of KC Group. Personnel processing personal data as part of their tasks is trained and properly instructed in data protection and data security matters.

 

Right to Object Data Processing:

In accordance with the law the data subject has at any time the right to:

  1. Object the processing of Contact Data for the purposes of direct marketing, market research and opinion polls; and
  2. On grounds relating to his or her particular situation, object the processing of his/her Contact Data when lawfulness of processing is based on legitimate interest of the data controllers.

In order to use these rights, the data subject shall contact the above mentioned contact persons in writing (incl. e-mail). However, the request may be declined where allowed or required under the law.

Other Rights of Data Subject:

In accordance with the law the data subject has at any time the right to:

  1. Access the Contact Data on him/her and at request, receive a copy of the Contact Data and related supplementary information concerning Contact Data processing as required by the law;
  2. Request, provided that the purposes of data processing allow:
    1. Inaccurate Contact Data to be rectified;
    2. Incomplete Contact Data to be supplemented; and
    3. Outdated or obsolete Contact Data to be erased.
  3. Be forgotten by us, if:
    1. Contact Data are no longer necessary in relation to the purposes of data processing;
    2. The data subject has objected to the data processing pursuant to reason explained above in point 2 of the section "Right to Object Data Processing" and there are no overriding legitimate grounds for the data processing;
    3. The data subject has objected to the data processing pursuant to reason explained above in point 1 of the section "Right to Object Data Processing"; or
    4. The Contact Data have been unlawfully processed by us;
  4.  Restrict the processing of the Contact Data on him/her if:
    1. Data subject contests the accuracy of the Contact Data;
    2. The processing is unlawful and the data subject opposes the erasure of the Contact Data and requests the restriction instead;
    3. The data controllers no longer need the Contact Data for the purposes of uses, but Contact Data are required by the data subject for the establishment, exercise or defense of legal claims; or
    4. Data subject has objected to processing pursuant to reason explained above in point 2 of the section "Right to Object Data Processing" and pending the verification whether the legitimate interests of the data controller override those of the data subject;
  5. Receive the Contact Data concerning him or her, which he or she has provided to data controllers, in a structured, commonly used and machine-readable format and have the right to transmit those data to other data controller when the processing is necessary for performance of a contract where the data subject is involved; or
  6. Lodge a complaint with a supervisory authority (Finnish Data Protection Ombudsman);

In order to use these rights, the data subject shall contact the above mentioned contact persons in writing (incl. e-mail). However, the request may be declined where allowed or required under the law.

 

Retention Period of the Contact Data:

Generally, to the extent permitted by applicable laws and regulations, data controllers retain Contact Data at most ten (10) years after the last business activity where the data subject has been involved. This retention period is justified due to data controllers' obligations or needs related to e.g. product and service warranties, product liability statutes as well as burdens of proofs in possible litigation situations.

Provision of Contact Data:

It is not statutory for the data subject to provide the Contact Data but certain Contact Data is required to execute or enter into a business activity (such as business contract) with KC Group. Lack of or failure to provide Contact Data prevents or may prevent the business activity (such as business contract) as the case may be.