SSAB privacy statement
Last updated March 2020
This Privacy Statement informs about the processing of personal data by SSAB group companies including SSAB AB and its affiliates Tibnor and Ruukki, among others ("SSAB"). It answers the questions of what personal data SSAB collects, uses or shares, for what purposes the data is collected and what rights Users have. The Users can be SSAB’s customers, representatives of corporate customers or potential customers, supplier representatives, other intermediaries and business partners, site visitors or internet and digital users visiting the website or other digital service platforms ("Users").
SSAB's website may contain links to websites and services of third parties. These websites or services are subject to their own privacy statements. SSAB does not take any responsibility of third parties’ privacy statements or the processing of personal data in third parties’ operations. Please pay attention to their respective privacy statements and subsequent changes to them.
1. Data controller
The data controller in accordance with the applicable specific data protection laws is SSAB AB (registration number: 556016-3429, address: P.O. Box 70, SE-101 21 Stockholm, Sweden) for all data processing on a corporate level, for example for marketing and digital service tools provided in SSAB group companies. In addition, SSAB affiliate is regarded to be the controller in separate contractual or other cooperation relationship or in connection with certain statutory personal data processing. Regardless of the data controller in a specific situation, the primary contact for privacy matters in SSAB is: email: data.privacy(at)ssab.com.
SSAB is responsible for ensuring that personal data is processed in compliance with this Statement and applicable data protection laws.
2. Legal basis and purpose of processing personal data
SSAB processes the personal data of Users for various purposes, which are explained below.
2.1 Contractual and other interaction with customers, suppliers and other business partners
The main purpose of processing personal data is to deliver SSAB's products and services, as well as to source services and material for SSAB’s business needs, and provide website and other digital services. The processing of personal data is primarily based on contract, including processing needed prior to entering into a contractual relationship with the company or organization the User is representing, or in some cases also with the User directly.
2.2 Marketing and communications
Users' personal data is used to manage communication with Users and for marketing purposes. In this respect, processing is based on SSAB's legitimate interest to provide Users with relevant and up-to-date information as part of the website as well as through other digital platforms and services. Processing is also based on SSAB's legitimate interest to promote SSAB's latest products and services as well as to personalize the User experience and to evaluate customer satisfaction.
To some extent, in certain regions, marketing via electronic means is based on Users' prior consent, for example for sending marketing messages. Users should refer to section 6 below for further information about marketing communications and Users' rights in this respect.
2.3 Product and services development purposes
SSAB aims to provide high-quality products and services and to give Users relevant information about those products and services. Therefore, SSAB may use personal data to analyze the market, User groups and use of websites for the purpose of developing and improving the quality of the website and SSAB's products and services. This processing is based on SSAB's legitimate interest to grow and develop.
2.4 Information and facility security
SSAB may process technical data, including some personal data for information security and access surveillance purposes and fraud prevention. SSAB maintains also information and facility security measures to safeguard health and safety as well as business information and business assets in order to avoid injuries at its facilities, to prevent property damage and related criminal activities and to ensure the availability of the websites and services. This processing is based on SSAB's legitimate interest to ensure an appropriate level of network, facility and information security and the safety of others.
2.5 Compliance with statutory obligations
Sometimes personal data may be used to comply with a legal obligation. In SSAB’s business operations, this means for example that personal data processing may be needed in order to be in compliance, with i.a. the following statutory requirements: (i) reporting and audit, (ii) Market Abuse Regulation, (iii) sanctions and other compliance screening, (iv) corporate governance requirements and (v) share and shareholder registers (incl. attendance at shareholders’ meetings). In addition, certain personal data may be stored for dispute resolution purposes to be able to establish and defend legal claims.
2.6 Processing of personal data internally within SSAB group
Users' personal data may be processed in other SSAB group companies. In this case, the processing of personal data is based on SSAB's legitimate interest for internal administrative purposes to organize and manage e.g. customer and supplier relationships, marketing as well as information security measures and other business functions within the group in an appropriate and practical way.
3. Collection of data
SSAB may collect personal data through different means, which are explained below.
3.1 Business relationship
SSAB processes personal data for the purpose of maintaining a good business relationship, for example when providing and delivering products or services, maintaining customer communications, sourcing material, products and services for its business needs, or otherwise interacting with business partners or other stakeholders. This personal data is collected directly from Users.
Depending on the Users' interaction, SSAB may collect the following personal data:
- Basic information about the User or the company or organization the User is representing, such as name, email address and phone number;
- Basic information about the User's employer such as, company name, business address, business email address and business phone number;
- Information relating to the business relationship, such as products and services sourced or delivered, the starting and end time of the business relationship;
- Billing and credit information, such as account numbers, payments made and outstanding and bills delivered; and
- Customer communications, including feedback, marketing and campaign history information.
3.2 User's interaction with SSAB on website or otherwise
SSAB may collect personal data when Users contact SSAB's customer service, use website chat, deploy SSAB’s digital service platforms, contact SSAB otherwise, order SSAB's newsletter or participate in surveys or competitions on websites or elsewhere. This personal data is collected directly from the Users.
SSAB may collect personal data that the User has shared with SSAB, such as:
- Basic information about the User, such as name, email address and phone number;
- Basic information about the User's employer, company name, address, email address and phone number;
- Reasons for contacting SSAB and details related to contact; and
- Surveys and competitions participated in.
3.3 Automatically collected data of the use of website and services
SSAB automatically collects and processes the following technical data about the User and the use of the website, products and services provided by SSAB:
- IP address, device ID, device type, operating system used and application settings;
- User activity such as pages viewed and items ‘clicked’ on;
- Timestamps and log data relating to the use of the service; and
- Location/country of origin.
This technical data is collected automatically through the use of website and services.
3.4 Data collected from other sources
SSAB may, from time to time, also collect information from publicly available sources and third parties, such as social networks and marketing companies. For example, SSAB may receive basic information about the User's social network profile, if the User login to SSAB's website or services using a social network account.
4. Sharing of data
SSAB may disclose Users' personal data to the following third parties:
- other SSAB group companies for the purposes listed above;
- trusted service providers, such as suppliers, agents, distributors and marketing service providers for the purposes listed above. To the extent that these trusted service providers act on SSAB's behalf, SSAB remains responsible for the use of Users' personal data;
- when permitted or required by law to comply with requests by competent public authorities such as subpoenas or similarly binding acts;
- if SSAB is involved in a merger, acquisition, or sale of all or a portion of its assets; and
- when SSAB believes in good faith that disclosure is necessary to protect SSAB's rights, protect Users' safety or the safety of others, investigate fraud, or respond to a government request.
5. Transfer of personal data outside of EU/EEA
5.1 Intra-group transfers
As some SSAB group companies are located outside of the EU/EEA, Users' personal data may be transferred outside of EU/EEA, such as to the United States. In this case, SSAB will use the required established mechanisms that allow the transfer outside of the EU/EEA, such as the Standard Contractual Clauses approved by the European Commission.
5.2 Service providers located outside of EU/EEA
SSAB may use subcontractors for the personal data processing set out above. When necessary and to the extent required, personal data may be transferred to a country outside of the EU/EEA. In this case, SSAB will use the required established mechanisms that allow the transfer to subcontractors in those third countries, such as the Standard Contractual Clauses approved by the European Commission. SSAB will rely on the so-called Privacy Shield for those service providers located in the US that are Privacy Shield-certified. For more information about the Privacy Shield framework developed by the US Department of Commerce and the European Commission and the related principles concerning processing of personal data, please see here.
6. Marketing communications
When a User provides SSAB with contact details, for example, in connection with the sale of a product or service, contacts SSAB's customer service, orders a handbook or other materials on the website or participates in competitions or surveys, SSAB may use the User's personal data for marketing purposes and to promote SSAB's latest products and services as well as to personalize the User experience. Pursuant to applicable laws, Users are given the opportunity to give their prior consent or are allowed the opportunity to opt-out of receiving marketing communications from SSAB or other group companies.
SSAB may provide a User with product and service updates, newsletters and other communications about existing or new products and services by email and text message (SMS) if the User has given prior consent or if SSAB is otherwise permitted to do so under applicable law.
A User may unsubscribe from marketing communications at any time by clicking on the "unsubscribe" link located at the bottom of emails.
6.2 Statistics and segregation
SSAB may create User group profiles or segment data for the purpose of creating anonymous, aggregated statistics about the use of SSAB's websites, products and services, such as to estimate the number of Users, viewed pages, email reads and detect which parts of the website Users find the most useful, to identify features that could be improved and to provide context based advertising to User groups. Data collected for these purposes is not used to identify a particular User but to analyze how Users in general or User groups use the website or services.
6.3 Targeted advertising
When SSAB collects or uses information about a User's web browsing for e-marketing purposes, the User has the right to object to this at any time by contacting SSAB. Regarding the right to object, please refer to section 8 below for further information.
7. Retention of personal data
The personal data will be retained only for as long as necessary to fulfill the purposes defined in this Privacy Statement. After that, personal data will be removed except when personal data retention is required by law or rights or obligations by either party.
Here are the main rules for the retention periods:
- Personal data regarding e.g. customers and suppliers will be retained during the business relationship and after that for as long as necessary or required by law or rights or obligations by either party, for example for billing purposes;
- Data collected in connection with customer service, other interaction with SSAB, surveys and competitions will be retained for as long as necessary to manage and handle the matter in question.
- SSAB will delete or anonymize data used for marketing purposes after a reasonable period of time has lapsed from last contact between the User and SSAB, unless data retention is required by law or rights or obligations by either party.
- Should a User have a concern about data retention for marketing purposes, the User should refer to section 8 below for further information about Users' rights in this respect.
8. Privacy rights
A User has the right to access personal data that SSAB holds about him or her.
A User has the right to request their personal data to be corrected, updated or removed at any time. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this Statement and may also be required by law. Therefore, the deletion of such data may not be allowed by applicable law which prescribes mandatory retention periods.
A User has a right to object to processing that is based on a legitimate interest of SSAB on grounds relating to their particular situation at any time. To the extent required by applicable data protection law, Users have a right to restrict data processing.
A user has a right to data portability, i.e. the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law. This applies only to personal data provided by the User based on customer contract or the User's consent.
Please send any requests regarding the above-mentioned rights to SSAB at [data.privacy(at)ssab.com].
If a User thinks there is a problem with the way SSAB is processing the User's personal data, the User has a right to file a complaint to the national data protection authority in the EU/EEA.
SSAB maintains reasonable security measures, including physical, electronic and procedural measures, to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, SSAB limits access to this information to authorized employees and contractors who need to know that information in the course of their work or assignment and to third party service providers who may only process data in accordance with instructions provided by SSAB.
Please be aware that although SSAB endeavors to provide reasonable security measures for personal data, no security system can prevent all potential security breaches.
10. Changes to this privacy statement
SSAB may amend this Privacy Statement and the related information. SSAB recommends that Users regularly access the Privacy Statement to find out about any changes to it. SSAB will always provide the date of the Privacy Statement to allow the Users to see changes. Please note that this Privacy Statement is for information purposes only.
SSAB will inform Users of possible changes by using reasonable and available channels.
11. Contact SSAB
For requests regarding SSAB’s Privacy Statement or personal data SSAB holds about the User in question, please contact SSAB by email at data.privacy(at)ssab.com.