Kewatec Privacy Statement

Kewatec’s customers and potential customers
Kewatec’s employees and job applicants

We value your privacy

Every person values privacy, also our customers and employees. However, it would not be possible to operate our business without collecting some amount of personal data. As a data controller, we collect and process personal data, especially relating to our employees and our customers’ contacts, and project team members. The same goes for potential customers and job applicants. Personal data is all data relating to an identified or identifiable person, such as name, email, social security id, and photo.

Kewatec processes personal data relating to its customers, potential customers, employees, and job candidates by this privacy statement and applicable laws, so please read this carefully. We may also make changes to this statement due to changes in our operations or applicable laws.

Data controller

The data controller relating to the processing of personal data under this privacy policy is (hereinafter also ”Kewatec”, “us” or “we”):

Oy Kewatec Ab

Business ID: 1988445-9
Isokarintie 1
FI-67900 Kokkola
www.kewatec.fi
Puhelin: +358 20 778 0660
Sposti:

Privacy matters are handled by Suvi Säätelä, who is Kewatec’s Data Protection Officer. You can use the above contact details also for privacy-related questions and requests.

For what purposes does Kewatec collect personal data? What is the legal basis for processing personal data?

We collect, store and process personal data relating to customers and employees only for predefined purposes. We also always make sure that there is at least one legal basis for processing personal data. The main purposes and the applicable legal basis for processing personal data are:

Marketing and customer communications

We may perform digital marketing, email marketing, and communications, personalized marketing content and social media advertising targeted to potential and existing customers. For these purposes, we need to collect and process personal data. Marketing may also be based on automated decisions and profiles created for social media campaigns, search engine marketing, and website content. The legal basis for this processing is mainly our legitimate interest. A person has however a right to object direct marketing at any point. It is also possible that some direct marketing is based on consent (e.g. newsletters).

Developing our business

We may also use personal data for developing our business relating to the development of marketing services. The legal basis for this processing is our legitimate interest.

Fulfilling legal obligations

We may also use personal data for fulfilling legal obligations (e.g. bookkeeping, employment contracts act, tax laws).

Human resources management

Personal data relating to employees are mainly collected and used for human resources management purposes, payment of salaries, fulfilling other rights and obligations relating to employment contracts, and meeting legal requirements relating to employment. The legal basis for this processing may be fulfilling a contract between Kewatec and the employee, consent as well as fulfilling legal obligations relating to employment.

Recruiting and job applicants

In recruitment situations, we process personal data mainly for preparing and concluding an employment contract and based on the job applicant’s consent. Based on consent we may receive job applicant data also from other sources than from the person itself.

What personal data does Kewatec collect? From which sources?

We collect, store and use personal data mainly relating to our customer contacts (including potential customers), employees, and job candidates.

Customers and potential customers

We collect personal data relating to customers and potential customers mainly from the person itself. Relating to potential customers we also collect prospecting data, mainly from LinkedIn and corporate websites. An important source of data is also our website and its online forms. We also collect data by using Google Analytics. Data is also collected and generated during customer relationships, but mainly concerning the companies and organizations. Data about potential customers may also be received through seminars organized with business partners.

Typically we collect and process the following personal data relating to customers:

• First name
• Last name
• Email address
• Title
• Contact details
• Work phone
• Employer, its contact details, and business ID
• Contact person at Kewatec
• Customer level and lifecycle phase
• Language
• Legal basis for processing personal data (contract, consent, legitimate interest)
• Kewatec tasks (call / email / references / meeting)
• Notes (call/meeting / other Kewatec tasks)
• Call details (when and about what)
• Meeting details (when and about what)
• Sales history
• Email correspondence
• Marketing opt-in’s / opt-out’s

Similar, but more limited data may also be received from prospecting potential customers through LinkedIn or corporate websites.

Employees

Personal data relating to employees is received primarily from the employee and with her consent also from other sources. We may also process data that is generated during the employment relationship.

Typically we collect and process the following personal data relating to employees:

• Name
• Data required for withholding taxes
• Social security ID
• Salary data
• Work time tracking
• Contact details
• Data relating to sick leaves
• Employment contract
• Possible personal data contained in the whistle blow reports and information necessary for the investigation of the alleged misconduct

Job applicants

Personal data relating to job applicants is received primarily from the applicant and with her consent also from other sources. (such as LinkedIn, references, and possible suitability tests).

Typically we collect and process the following personal data relating to job applicants:

• Name and basic contact details
• Education, experience, skills, and work history
• Application and cv
• References (with consent)
• LinkedIn profile (with consent)
• Possible suitability test results (with consent)

Who processes personal data at Kewatec and is it transferred to anyone?

People within our organization have access to their data to perform their work tasks. Access to HR data and whistle blow data is more limited than customer data, as most of our staff perform customer work but only a limited group of people have HR or whistle blow responsibilities.

We may also subcontract some personal data processing, such as the cloud services used for storing data. Most of the data we store is in electronic form only. We use subcontractors, especially in the following matters: marketing automation, CRM, accounting and bookkeeping, website hosting and analytics, email marketing, and project management.

In these situations, we make sure we have a written contract with the services provider with minimum data processing provisions and also otherwise that the confidentiality of personal data is secured and data is processed and transferred lawfully.

We may also provide personal data to a third party for fulfilling contractual obligations or due to a legal obligation or requirement by an authority. We may also provide personal data to a third party if we are involved in a business sale or restructuring.

Does Kewatec transfer personal data outside the EU?

Personal data is primarily processed inside the EU, but as data is stored and processed mainly in electronic form in cloud services, some of the service providers we use may locate outside the EU. These include Google, Mailchimp, and HubSpot. If personal data is transferred outside the EU, we make sure that (1) the transferee is located in a country with adequate safeguards (as decided by the EU commission from time to time), (2) the transfer occurs by using model clauses published by the EU commission. Whistle blow data is stored and processed only inside the EU.

How long is personal data stored?

We will not store personal data for a longer period than is necessary for its purpose or required by contract or law. The retention periods for personal data may vary based on its purpose, legal basis for processing data, and the situation. The retention periods may also be based on laws (e.g. accounting, tax laws, employment contracts act, whistleblowing). If consent was the only basis for processing personal data, the data may be deleted after a person withdraws her consent. We may also delete the data based on a person’s request if we do not have a legal basis for processing personal data that would override the request. We may also update data from time to time and delete outdated and incorrect data.

How does Kewatec store and secure the data?

Personal data is stored primarily in electronic form and it is secured by general industry standards and practices. We consider and keep personal data confidential. We use only such services providers for data storage and processing that have a good reputation in terms of data security. Access to personal data is also protected with user-specific logins, passwords, user rights, and in case of whistle blow data with two-factor authentication. We do not sell or rent personal data for marketing purposes. Our premises are also safe and secure. The whistleblowing channel does not store IP addresses or other data that could identify the reporter.

Is it mandatory to provide personal data to Kewatec? What happens if you don’t provide it?

In many situations, it is not mandatory to provide us with personal data. This concerns especially personal data relating to potential customers and job applicants. However, we need some amount of personal data especially in customer relationships to conclude and fulfill contracts. Potential customers provide us usually their basic contact details (email address) and other data, that we need for responding to a contact request. Relating to employment we also need to process at least the minimum personal data required to fulfill employment contracts and legal obligations relating to employment.

Does our website use cookies and what are they?

We use cookies on our website to provide the best possible user experience for our website visitors. Cookies are small text files that are placed on a web user’s computer and are designed to hold a modest amount of data particular to a user and a website. Cookies give us information on how users use our website. We may use cookies to develop our website and services, analyze website use as well as target and optimize marketing efforts. If you do not wish to receive cookies, you may set your web browser to disable them. Please note that most browsers accept cookies automatically. If you disable cookies, you should understand that certain services on our website may not function correctly.

What rights do you have regarding personal data relating to you?

Withdraw your consent

If we process personal data based on your consent, you can at anytime withdraw your consent by notifying us, for instance by contacting us using the contact details provided above.

Access to data

You have the right to be confirmed if we are processing your data and also to know what data we have about you. In addition, you have the right to some supplemental information described in the law about the processing activities.

In the case of data collected from the whistleblowing channel and investigations related to it, we may have significant other reasons that would override your rights.  

Right to have errors corrected

You have the right to request that we correct any inaccurate or outdated personal data we have about you.

In the case of data collected from the whistleblowing channel and investigations related to it, we may have significant other reasons that would override your rights.

Right to prohibit direct marketing

You have the right to request that your data is not processed for direct marketing purposes by contacting us using the contact details provided above.

Right to object processing

If we process your data based on public interest or our legitimate interest, you have the right to object to the processing of your data, to the extent that there is no such significant other reason that would override your rights or the processing is not necessary for handling legal claims. Please notice that in this situation we may not be able to serve you anymore.

Right to restrict processing

In certain situations, you have the right to require that we restrict the processing of your data.

Right to data portability

If we process your data based on your consent or fulfilling of a contract, you have the right to require the transfer of the data you have provided us to another services provider in a commonly used electronic format.

How can you use your rights?

You can execute and use your rights by contacting us, for instance by using the contact details provided above. Remember also that we need to verify your identity. If you consider that the processing of your data is not lawful, you can always also make a notification to the supervising authority (tietosuojavaltuutettu).

Can this privacy statement be updated?

We may make updates to this privacy policy when our operations change or develop. Also, changes in the law may make it necessary to update this privacy policy. The changes become valid once we have published them in the form of an updated privacy policy. Therefore, please visit this page and read this privacy policy from time to time.