Data Protection - Vendors

Effective date: 1 May 2020

Updated 5 February 2024

The purpose of this Vendor Contact Data Protection Notice is to provide persons representing our vendor companies with information of their personal data processing and protection. This Data Protection Notice provides a general description of such personal data processing. Therefore, all details provided in this Vendor Contact Data Protection Notice may not apply to your case in particular. Generally, we process your basic personal data, such as your contact information, to conduct business with the company you represent.

What personal data of mine is processed?

As a rule:

  •  your essential personalization information;
  •  information of the company you represent;
  •  your contact details;

Depending on your activity:

  •  technical identifiers;
  •  behavioural data (e.g. how you have used our digital services);

Examples of data attributes include:

For Chinese vendor contacts, below personal data will be processed:

Who is responsible for processing my personal data?

Konecranes Plc (established in Finland and being the parent company of Konecranes Group) has the overall responsibility and supreme decision-making power. Konecranes Global Corporation (established in Finland) has the limited responsibility for Konecranes Group centralized IT systems/applications (incl. subcontracting) as well as international transfers of personal data outside EU/EEA.

You can contact us by sending an email to

For Chinese vendor contacts, please note:

What permits the use of my personal data?

We have a lawful right to process your personal data based on our legitimate interest to conduct business with the company you represent.

For Chinese vendor contacts, normally the legal basis for processing their personal data is consent. While under the relevant laws, we do not require your consent to process your personal data when:

Why is my personal data processed?

Generally, we need to process your personal data in order to enable successful direct and indirect business transactions with the company you represent - such as sending of orders and receipt of products and services  (direct) as well as development of our internal processes and systems to support these transactions (indirect).
In detail, we use your personal data for the following purposes:
1) Business development and reporting;
2) Quality management;
3) Production, management, maintenance and research and development of processes, IT services and infrastructure;
4) Purchasing activities;
5) Inventory management and activities;
6) Manufacturing of products;
7) Delivery of products;
8) Vendor and subcontractor management (incl. access to KC Group digital channels and as appropriate to KC Group IT systems and products);
9) Invoicing, taxation and related financial transactions;
10) Ensuring the integrity of KC Group business environment and processes (incl. system/security monitoring for the prevention or inspection of misuse as the case may require);
11) Background studies of vendors (incl. vendor contacts as necessary);
12) Organizing events;
13) Archiving of non-active personal data in the scope of other purposes of uses and defined retention rules; and
14) Ensuring personnel safety (incl. vendor contacts);
15) Fulfilling and/or defending the rights and obligations of the company;

For China vendor contacts –

The processing purpose of your personal data are:

The processing purposes of your sensitive personal data are:

For individual vendors, the processing purposes of your sensitive personal data are:

The necessity of our processing of your sensitive personal data:

The impact of our processing of your sensitive personal data on data subjects’ personal rights and interests: Misuse of the personal data by a third party, resulting in damage to data subject’s privacy and personal dignity or suffering damages to bodily or property safety in case of accidental leakage of such sensitive personal data.

The processing method of your personal data (including sensitive personal data) includes collection, storage, usage, transmission, provision, and deletion.

How do I benefit from my personal data processing?

Our use of your personal data enables and supports you for its part in fulfilling your employment duties related to business transactions between us and the company you represent.

What rights do I have?

You have always the right to:

  • Object the processing of your personal data on the grounds of our legitimate interest; and
  • Opt-out from receiving any of our direct marketing messages and materials

At any time, you have also the right to:

  • Verify the accuracy of your personal data;
  • At your request, have your incomplete, inaccurate or outdated personal data amended, modified or erased; and
  • Under certain circumstances, restrict the processing of your personal data;
  • Under certain circumstances, be forgotten by us; and
  • Lodge a complaint with a supervisory authority.

You can exercise these rights by sending us email to or by filling out the form in

For Chinese vendor contacts, the data subjects also have the below legal rights under China data protection laws:

What adverse effects might the processing cause to me? How are these effects mitigated?

As required by mandatory data protection laws, we have completed a thorough analysis concerning the risks potentially caused by our Vendor Contact Data processing to your rights and freedoms.

As with any data processing, certain risks are possible also in ours relating mainly to

  • the level of  confidentiality of your personal data;
  • general data security matters; and
  • your inability to access our systems and services.

However, levels of these risks have been recognized to be low and having a remote possibility only. Moreover, we mitigate these risks actively

  • continuously training our personnel,
  • providing and developing detailed instructions; and
  • implementing and enhancing our data security practices.

From where is my data collected and obtained?

We collect your personal data:

  • directly from you e.g. when you register to our digital services or participate in a sales meeting or have a phone call with us;
  • from your superiors or colleagues;
  • from our own employees or business partners; and
  • to a limited extend by observing your behaviour in our digital services.

Does my personal data leave from EU/EEA?

Yes, depending on the case we may transmit your personal data outside EU/EEA:

  • inside our group of companies but also to our external business partners who provide services to us.

Your personal data may be transferred to following countries for processing:

Who else processes my personal data?

We use reliable subcontractors to provide us e.g. with IT services enabling our personal data processing - these services include, without limitation, provision of different infrastructure, software and applications utilized routinely in contact data processing within global groups of companies.



Who else will receive my personal data?

As a rule, we do not disclose your data out of our effective control except if so required by the law in case a court or the police or other law enforcement agency has asked us for it.

Additionally, your data may be disclosed in a limited manner to our trusted business partners.

How is my data secured?

Your personal data is protected by technical and organizational measures against accidental and/or unlawful access, alteration, destruction or other processing including unauthorized disclosure and transfer of your personal data.

Such measures include but are not necessarily limited to proper firewall arrangements, appropriate encryption of telecommunication and messages as well as use of secure and monitored equipment and server rooms. Data security is of special concern when third parties (e.g. data processing subcontractors) providing and implementing IT systems and services are retained.

Data security requirements are duly observed in IT system access management and monitoring of access to IT systems. Personnel processing your personal data as part of their tasks is trained and properly instructed in data protection and data security matters.

How long is my personal data kept and used?

At most ten (10) years after the last business activity where you have been involved.

Additionally, as the case may require, we may have to extend your personal data retention on the grounds of establishment, exercise or defence of legal claims or execution of our internal investigations.

For China vendor contacts –

Is it not possible to do business without processing my personal data?

It is not statutory to provide your personal data, but certain personal data is required to execute or enter into a business activity (such as business contract) with us.