Privacy notice
Introduction
Sweco Finland Oy and Sweco PM Oy (“Sweco“, “we“, “us” or “our“) is processing your personal data when you interact with us in various contexts. The controller for the processing described in this privacy notice is the Sweco group entity that has provided you with this privacy notice.
We respect your privacy and protect the personal data we process about you. All processing of personal data is carried out in accordance with the requirements set out in the general data protection regulation (“GDPR“)[1] and other applicable personal data protection legislation.
We may at our own discretion update this privacy notice at any given time (see at the end the date this notice was last updated). If material changes are made, we will provide notice on this website prior to the change becoming effective.
Throughout this privacy notice the term “processing” is used to cover all activities involving your personal data, including e.g. collecting, handling, storing, sharing, accessing, using, transferring and disposing of your personal data. The term “personal data” refers to any information relating to an identified or identifiable natural person.
You may read this notice as a (i) website visitor, (ii) supplier representative or employee, (iii) representative or employee of client or end user, (iv) job candidate, (v) prospective client contact or (vi) government, public authority or international organisation officials or employees. To make this notice more relevant to you, the notice is divided into sections with specific information related to the various roles that you may have when we are processing your personal data.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Website visitors
Website visitors
2.1 How do we collect your personal data?
We collect the data directly from you or data that is generated by you, including your devices, when visiting our website.
2.2 Purposes of the processing of your personal data
2.2.1 Maintain, protect and develop the website
When you are browsing the website, we will process your IP address and browser user agent string to help spam detection. In addition, your personal data may be processed to administrate and improve this website, for our internal records and for statistical analysis. We improve website experience by using Microsoft Clarity to see how you use our site. For more info about the way cookies and tracking are used on our websites, please read our cookie statement or go to manage consent for consent options.
| Categories of personal data | Legal basis |
| · IP address · Browser user agent string (UA)
| Legitimate interest. The processing is necessary to satisfy our legitimate interest to ensure that our website is continuously maintained and updated, and protected against malicious attacks.
Consent. Personal data that is collected for purposes other than for our legitimate interest, will be collected with your consent only.
|
2.2.2 Communicate with you and respond to your questions or feedback
Where we offer you a possibility to communicate with us by asking questions or providing feedback regarding our services and our business, we will process your personal data when you submit a question, comment, feedback or any other message. The purpose of the processing is to be able to communicate with you. Conversations in the chat are saved for quality control.
Conversations in the chat are saved for quality control.
| Categories of personal data | Legal basis |
| · Name · E-mail address · Address (if needed for communication) · Phone number (if provided by you) · Any information included in your message.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to communicate with our website visitors, e.g. to develop our business. |
2.2.3 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
| Categories of personal data | Legal basis |
| · All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
2.2.4 Newsletters
If you sign up for our newsletters, we will process your email address in order to send newsletters to you.
| Categories of personal data | Legal basis |
| · Contact information
| Legitimate interest. The processing is necessary to satisfy our legitimate interest to provide you with requested newsletters and market our business. As this processing is limited to what is necessary in order to fulfil your request and that you at any time may unsubscribe, we have concluded that our legitimate interest in processing your personal data overweighs your interest in not having your personal data processed for such purposes. |
2.3 With whom do we share your personal data?
2.3.1 General
Where necessary in order to achieve the purposes set out in this Section 2, we share your personal data with other entities, authorities or actors. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
2.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 2.2.
2.3.3 Recipients that act as data controllers
The categories of recipients mentioned in the below table will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.
| Recipients | Purpose | Legal basis |
| · Courts and arbitration tribunals · Public authorities · External advisers · Counterparties
| In order to exercise, establish or defend legal claims, see Section 2.2.3. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. |
2.4 For how long to we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein. For example, when processing your personal data for the purpose of maintaining the website, we will anonymize your data as soon as practicably possible and then use anonymized data for further website development. With respect to our communication with you, we will process your personal data for as long as it is relevant depending on the reason for our communication and with respect to our provision of newsletters, we will process your personal data until you opt-out from receiving the newsletters. Chat conversations are retained for three months from the date of conversation.
Suppliers (including agents, subcontractors, vendors, service providers, consultants and other counterparties) representative or employee
Suppliers (including agents, subcontractors, vendors, service providers, consultants and other counterparties) representative or employee
3.1 How do we collect your personal data?
We collect the personal data that you, or the relevant supplier that you represent, have provided us within the scope of our business relationship with the supplier.
3.2 Purposes of the processing of your personal data
3.2.1 Administration of supplier relationship
Your personal data will be processed because we have a legitimate interest of administering the relationship with our suppliers and to be able to manage the overall cooperation and day-to-day activities relating to e.g. orders of products and services.
| Categories of personal data | Legal basis |
| · Contact information · Identity data | Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer our supplier relationships, and facilitate e.g. day-to-day communications. |
3.2.2 Communicate with you
Within the scope of our commercial relationship, we will process your personal data when communicate through various channels. The purpose of the processing is to be able to communicate with you within the scope of the supplier relationship . Calls to our customer service number are recorded to improve and monitor the quality of the service.
| Categories of personal data | Legal basis |
| · Contact information · Identity data · Any information included in our communication with you
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to communicate with our suppliers within the scope of our commercial relationship. |
3.2.3 Subcontractor network
We process your personal data when you join our subcontractor network, which we maintain to meet the expertise needs of future projects and to connect with suitable subcontractors for projects.
| Categories of personal data | Legal basis |
| · Contact information · Identity data · The name of the company you represent · Competence data · Information and/or documents required by the Contractor’s Obligations Act and the Act on Posting of Workers | Legitimate interest. Processing of your personal data is necessary in order to fulfil our legitimate interest in maintaining the subcontractor network.
Legal obligation. Processing of personal information required by Act in the Contractor’s Obligations and the Act on Posting of Workers is necessary to fulfill our legal obligations. |
3.2.4 KYC and other background checks
When a supplier enters into a business relationship with Sweco, we may process personal data regarding persons in management position of the supplier in order to carry out KYC or other background checks. Such controls are part of our standard procedures when procuring suppliers.
| Categories of personal data | Legal basis |
| · Identity data · Contact information · Copy of ID · Financial information, e.g. information retrieved from background checks
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to uphold our Code of Conduct. |
3.2.5 Sanctions screening
Sweco may, before entering into a business relationship, carry out sanctions screening to ensure that Sweco is not entering into a business relationship with anyone that is subject to EU or UN sanctions.
| Categories of personal data | Legal basis |
| · Identity data · Contact information · Potential data retrieved from sanctions screening, which may include criminal data.
| Legal obligation. The processing of personal data is necessary in order to comply with our legal obligations.
Processing of criminal data is in such case carried out by virtue of our legal obligation to process such data.
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest to uphold our Code of Conduct. |
3.2.6 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
| Categories of personal data | Legal basis |
| · All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
3.2.7 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations
We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.
| Categories of personal data | Legal basis |
| · All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings. The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.
|
3.3 With whom do we share your personal data?
3.3.1 General
Where necessary in order to achieve the purposes set out in this Section 3, we share your personal data with other entities, authorities, actors or international organisations. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
3.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 3.2.
3.3.3 Recipients that act as data controllers
The categories of recipients mentioned in the table below will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.
| Recipients | Purpose | Legal basis |
| · Courts and arbitration tribunals · Public authorities · External advisers · Counterparties · International organisations
| In order to exercise, establish or defend legal claims (see Section 3.2.2.), ensure compliance with the law and our contractual obligations. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.
|
| · Clients | Administrating the client relationship, see Section 4.2.1. | To fulfil our legitimate interest in administrating the client relationship, e.g. being able to communicate with the client and provide our services. |
| · International organisations | To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory and international law duties. | To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory and international law duties. |
3.4 For how long to we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are the representative of our supplier or for as long as we have an ongoing business relationship with the company you represent.
Customer service call recordings are retained for three months from the date of recording.
Data related to the subcontractor network will be processed for maximum of two years from the date of joining the network.
When carrying out KYC and background checks we will delete any personal data as soon as possible after we have assessed the result. With respect to sanctions screenings or other legal obligations, we will process personal data for as long as there is a legal obligation to do so.
Employees working on construction sites
Employees working on construction sites
4.1 How do we collect your personal data?
We collect the personal data that you, or your employer organization in relation to construction projects in which Sweco acts as the main contractor.
4.2 Purposes of the processing of your personal data
4.2.1 Management of cooperation
Your personal data will be processed in order for us to fulfill procurement or contract agreements or other similar agreements and to be able to manage the overall cooperation. In addition, your personal data may be processed during the orientation related to the construction project.
| Categories of personal data | Legal basis |
| · Contact information · Identity data · Your position in the company · Photograph · Qualifications, such as work safety card · All information included in our communication with you | Legitimate interest. The processing of personal data is necessary in order to satisfy our legitimate interest to manage cooperation related to construction projects, to provide necessary orientation for the workers, and facilitate daily communication related to the projects.
Legal obligation. The processing of personal data is necessary in order for us to inform about essential matters at the common workplace.
|
4.2.2 Compliance with legal obligations
We process personal data of contractors and persons working on construction sites to fulfill obligations set by the Act on the Contractor’s Obligations and Liability, Act on Posting Workers, Occupational Safety and Health Act, and other related legislation. Depending on the situation, all or some of the following personal data categories may be processed.
| Categories of personal data | Legal basis |
| · Identity data · Contact information · Tax number · Date of birth · Nationality · Copy of the identity document · Information on the right to work and copies of the relevant documents · Information and/or documents required by the Act on the Contractor’s Obligations and Liability and the Act on Posting of Workers · Certificate of refugee status in Finland · List of persons working on the construction site with information required by the Occupational Safety and Health Act · List of posted workers, including information on each posted worker as required by the Act on Posting of Workers, and information on each representative and responsible person of the sending company. | Legal obligation. The processing of personal data is necessary in order to comply with our legal obligations. |
4.2.3 Monitoring of work safety and access control to the construction site
We process personal data of persons working on construction sites in relation to access control and monitoring of the construction site as well as to ensure compliance with work safety obligations.
| Categories of personal data | Legal basis |
| · Access control data, such as system logs and times of movement to and from the construction site · Data collected in connection with monitoring of the construction site, such as photographic and video material · Personal data processed in connection with compliance with work safety obligations and monitoring, such as name and information on qualifications | Legitimate interest. The processing of personal data is necessary in order to know who is present at the construction site on each day and to monitor the construction site to prevent unauthorized persons from entering as well as investigating potential criminal situations.
Legal obligation. is necessary to comply with work safety obligations
|
4.2.4 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
| Categories of personal data | Legal basis |
| · All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
4.2.5 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations
We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.
| Categories of personal data | Legal basis |
| · All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings. The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.
|
4.3 With whom do we share your personal data?
4.3.1 General
Where necessary in order to achieve the purposes set out in this Section 4, we share your personal data with other entities, authorities, actors or international organisations. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
4.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 4.2.
4.3.3 Recipients that act as data controllers
The categories of recipients mentioned in the table below will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.
| Recipients | Purpose | Legal basis |
| · Courts and arbitration tribunals · Public authorities · External advisers · Counterparties · International organisations
| In order to exercise, establish or defend legal claims (see Section 4.2.4.), ensure compliance with the law and our contractual obligations. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.
|
4.4 For how long to we process your personal data?
Your personal data is processed only for as long as necessary for the purposes described herein, which generally is for as long as for the duration of the construction work or project and for a limited period after that to fulfill legal obligations. Data collected to fulfill work safety and taxation obligations is retained for the duration of the project and thereafter for the duration of warranty and liability periods based on agreements or laws and regulations.
Representative or employee of client or end user
Representative or employee of client or end user
5.1 How do we collect your personal data?
We collect the personal data that you, or the client or the end user that you represent, have provided us within the scope of our business relationship with the client or the end user.
5.2 Purposes of the processing of your personal data
5.2.1 Administration of client relationship
Your personal data will be processed because the processing is necessary for executing or fulfilling a contract to which you are a party. Your personal data will or may be processed also because we have a legitimate interest of entering into a contract with the company you represent, executing such contract, administering the relationship with our clients and to be able to manage the overall cooperation and day-to-day activities necessary to provide our products and services.
| Categories of personal data | Legal basis |
| · Contact information · Identity data
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to execute and fulfill a contract with the company that a data subject represents, administer our client relationships, and facilitate e.g. day-to-day communications. |
5.2.2 Provide support services
We will process contact details relating to contact persons representing our clients that contact us for support. Your personal data will be processed because we have a legitimate interest of providing support for our clients and enabling usage of our services.
Calls to our customer service number are recorded to improve and monitor the quality of the service.
| Categories of personal data | Legal basis |
| · Contact information · Identity data
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to provide our supporting services to our clients . |
3.2.3 Webshop orders
We will process your personal data when you place an order in Sweco’s webshop. Your personal data will be processed to enter into a contract, to deliver the service, and to invoice for the service when you are the contact person for the order.
| Categories of personal data | Legal basis |
| · Contact information · Identity data
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to execute and fulfill a contract with the company that a data subject represents. |
5.2.4 Digital services
When you are using our digital services, we will process your IP address and browser user agent string to enable the proper functioning of digital services and help spam detection. We may also process your personal data to identify the authorized users of our digital services based on our customer contracts. In addition, your personal data may be processed to administrate and improve our digital services, for our internal records and for statistical analysis. For more info about the way cookies and tracking are used on our digital services, please read our cookie statement.
| Categories of personal data | Legal basis |
| · Contact information · Identity data · IP address · Browser user agent string (UA)
| Legitimate interest. The processing is necessary to satisfy our legitimate interest to enable the proper functioning of digital services, ensure that our digital services are continuously maintained and updated, and protected against malicious attacks. In addition, the processing is necessary in order to satisfy our legitimate interest in being able to verify the authorised users for contract management reasons, to protect our legal rights and to prevent possible misuse.
Consent. Personal data that is collected for purposes other than for our legitimate interest, will be collected with your consent only.
|
If our digital services contain links to third party websites or services, Sweco shall not take any responsibility for privacy practices or content of such websites or services.
5.2.5 Sanctions screening
Sweco may, before entering into a business relationship, carry out sanctions screening to ensure that Sweco is not entering into a business relationship with anyone that is subject to EU or UN sanctions.
| Categories of personal data | Legal basis |
| · Identity data · Contact information · Potential data retrieved from sanctions screening, which may include criminal data.
| Legal obligation. The processing of personal data is necessary in order to comply with our legal obligations.
Processing of criminal data is in such case carried out by virtue of our legal obligation to process such data.
Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest of upholding our Code of Conduct. |
5.2.6 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
| Categories of personal data | Legal basis |
| · All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
5.2.7 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations
We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.
| Categories of personal data | Legal basis |
| · All information mentioned above and any information included in our communication with you.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings. The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.
|
5.3 With whom do we share your personal data?
5.3.3 Disclosure and transfer of personal data
Where necessary in order to achieve the purposes set out in this Section 5, we share your personal data with other entities, authorities, actors or international organisations. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
5.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 5.2.
5.3.3 Recipients that act as data controllers
The categories of recipients mentioned in the table below will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.
| Recipients | Purpose | Legal basis |
| · Courts and arbitration tribunals · Public authorities · External advisers · Counterparties · International organisations
| In order to exercise, establish or defend legal claims (see Section 5.2.5.), ensure compliance with the law and our contractual obligations. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.
|
| · International organisations | To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory or international law duties. | To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory or international law duties. |
5.4 For how long to we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are the representative of our client or end user or for as long as we have an ongoing business relationship with the company you represent.
Customer service call recordings are retained for three months from the date of recording.
With respect to sanctions screenings or other legal obligations, we will process personal data for as long as there is a legal obligation to do so.
Talent acquisition
Talent acquisition
6.1 How do we collect your data?
We collect your personal data from:
- Yourself, which you submit to us when you apply for one of our positions, e.g. your CV and cover letter.
- External recruiters, that have been involved in the recruitment process and that have provided us with information about you.
- Referees that you have nominated and given us permission to be in contact with.
- LinkedIn Recruiter database when we conduct targeted headhunting.
6.2 Purpose of the processing of your personal data
6.2.1 Managing the recruitment process
Your personal data will be processed by us within the scope of the general management of the recruitment process. Processing activities included in this process are e.g. collection of your personal data, review of CVs and cover letters, conducting interviews, evaluating you as a candidate and communicating with you within the scope of the recruitment process.
Additionally, your information may be used to develop Sweco’s recruitment process by collecting data on the applicant experience, if you have given your consent on the application form to receive the applicant experience survey.
| Categories of personal data | Legal basis |
| Contact information CV Cover letter References Responses to screening questions on the application form Data that is formed during the recruitment process, such as notes from recruitment and data collected during interviews
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in carrying out the recruitment process to ensure that we employ the most suitable candidates, as well as managing the recruitment process.
Consent. We will send you the applicant experience survey only if you have given your consent for it on the application form. |
6.2.2 Job candidate evaluation process
Within the scope of the recruitment, we carry out an evaluation process of potential employees. This may include an assessment of suitability conducted by a collaborating partner.
| Categories of personal data | Legal basis |
| Identity data Skills and education data Evaluation of applicant’s suitability for the position Possible results of a suitability assessment | Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in evaluating the suitability of the job applicant for the open position.
Consent. Processing of your personal information in connection with a suitability assessment is based on your consent. |
6.2.3 Concluding the employment agreement
We will process your personal data in conjunction with the conclusion of the employment agreement with you e.g., when collecting references. Your personal data will also be processed in the employment agreement that we conclude and upon the initiation of the onboarding process. New employees will receive a more detailed internal privacy notice during onboarding.
| Categories of personal data | Legal basis |
| Contact information Social security number Organisational information, such as employer company, employment status, operational department, geographical placement, cost centre, organisation, place of employment Salary Benefits data | Agreement. The processing of your personal data is necessary in order for us to take measures prior to entering into an agreement (the employment agreement) with you. |
6.2.4 Candidate database
If you do not get the job that you have applied for, we may still have an interest in keeping your personal data to contact you in the event of future vacancies that suits your profile. We will only keep your personal data for this purpose if you consent to the processing.
| Categories of personal data | Legal basis |
| Contact information CV Cover letter
| Consent. We will only process your personal data in a candidate database if you provide us with your consent. |
6.2.5 Headhunting
We use the LinkedIn Recruiter platform to conduct targeted headhunting. We process the following personal data to the extent necessary to carry out the headhunting.
| Categories of personal data | Legal basis |
| Contact information Public information from your LinkedIn profile Other information you may provide upon request (e.g. CV)
| Legitimate interest. The processing of your personal data is necessary for us to fulfill our legitimate interest in finding suitable candidates for the recruitment process. |
6.2.6 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
| Categories of personal data | Legal basis |
| All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
6.2.7 Fulfil legal obligations
Besides legal obligations within the field of employment, we will process your personal data for the purposes of fulfilling legal obligations related to work permit checks, including storage of related documentation.
| Categories of personal data | Legal basis |
| Identity data Social security number Work permit documentation | Legal obligation. The processing is necessary to fulfil our legal obligations. |
6.3 With whom do we share your personal data?
6.3.1 General
Where necessary in order to achieve the purposes set out in this Section 0, we share your personal data with other entities, authorities or actors. The categories of recipients mentioned in Section 6.3.2 will process personal data on behalf of us in the capacity as data processors (i.e. such actors will only process your personal data in accordance with our instructions). The categories of recipients mentioned in Section 6.3.3 will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
6.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in this Section 6.
6.3.3 Recipients that act as data controllers
| Recipients | Purpose | Legal basis |
| Courts and arbitration tribunals Public authorities External advisers Counterparties
| In order to exercise, establish or defend legal claims, see Section 6.2.5. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. |
| External recruiters | Managing and facilitating the recruitment process, see Section 6.2.1, as well as conducting the suitability assessment, see section 6.2.2. | To fulfil our legitimate interest in ensuring that the recruitment process is carried out as efficiently as possible and that we can employ the best candidates. |
6.4 For how long will we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are in the recruitment process. However, if you do not get the job you applied for, we will store your personal data for as long as you may submit a legal claim related to the rejection of your application. If you agree to it, we may store your data in our candidate database for future recruitment processes. In such case, your data will be stored for up to two years after the recruitment process has ended.
6.5 More detailed information
We collect the data processed that has been provided by you, or any other representative with the prospect customer, within our process for evaluating, and communicating with, prospect clients.
Prospective client contact
Prospective client contact
7.1 How do we collect your data?
We collect the data processed that has been provided by you, or any other representative with the prospect customer, within our process for evaluating, and communicating with, prospect clients .
7.2 Purposes of the processing of your personal data
7.2.1 Management and administration of prospect clients
We will process your personal data for the purpose of managing and administrating the overall process of approaching and evaluating prospect clients .
| Categories of personal data | Legal basis |
| · Contact information · Identity data
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer and manage prospect clients . |
7.2.2 Marketing communication
We will process your personal data for the purpose of marketing our services to your organization. You will be able to, at any time, opt-out from our marketing communication, in which case we will cease with our communication.
| Categories of personal data | Legal basis |
| · Contact information
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer and manage prospect clients . |
7.2.3 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
| Categories of personal data | Legal basis |
| · All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
7.2.4 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations
We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.
| Categories of personal data | Legal basis |
| · All information mentioned above and any information included in our communication with you.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings. The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.
|
7.3 With whom do we share your personal data?
7.3.1 General
Where necessary in order to achieve the purposes set out in this Section 7, we share your personal data with other entities, authorities, actors or international organisations. The categories of recipients mentioned in Section 7.3.2 will process personal data on behalf of us in the capacity as data processors (i.e. such actors will only process your personal data in accordance with our instructions). The categories of recipients mentioned in Section 6.3.3 will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
7.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in this Section 7.2.
7.3.3 Recipients that act as data controllers
| Recipients | Purpose | Legal basis |
| · Courts and arbitration tribunals · Public authorities · International organisations · External advisers · Counterparties
| In order to exercise, establish or defend legal claims (see Section 7.2.1.), ensure compliance with the law and our contractual obligations. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.
|
| · International organisations | To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory and international law duties. | To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory and international law duties. |
7.4 For how long to we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as we are in contact with you regarding a potential business relationship or if you decide to opt-out from the communication. In general, we will not store your data for longer than one year from our last communication, if we did not enter into a business relationship with the company you represent.
Government, public authority or international organisation officials or employees
Government, public authority or international organisation officials or employees
8.1 How do we collect your personal data?
We collect the personal data that you, or the relevant government, public authority or international organisation that you represent, have provided us within the scope of our professional, commercial or public law relationship.
8.2 Purposes of the processing of your personal data
8.2.1 Administration of professional, commercial or public law relationship
Your personal data will be processed because we have a legitimate interest of administering professional, commercial or public law relationship with an entity you represent and being able to manage the overall cooperation and day-to-day activities relating to e.g. our projects that the public authority or organisation that you represent finance, co-finance or is otherwise involved in.
| Categories of personal data | Legal basis |
| Contact information Identity data | Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer our professional, commercial or public law relationships with an entity that you represent, and facilitate e.g. day-to-day communications. |
8.2.2 Communicate with you
Within the scope of professional, commercial or public law relationship with an entity that you represent, we will process your personal data when communicate through various channels. The purpose of the processing is to be able to communicate with you within the scope of our relationship.
Calls to our customer service number are recorded to improve and monitor the quality of the service.
| Categories of personal data | Legal basis |
| Contact information Identity data Any information included in our communication with you
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to communicate with our suppliers within the scope of our commercial relationship. |
8.2.3 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
| Categories of personal data | Legal basis |
| All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
8.2.4 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations
We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.
| Categories of personal data | Legal basis |
| All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings. The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.
|
8.3 With whom do we share your personal data?
8.3.1 General
Where necessary in order to achieve the purposes set out in this Section 8, we share your personal data with other entities, authorities, actors or international organisations. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
8.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 8.2.
8.3.3 Recipients that act as data controllers
The categories of recipients mentioned in the table below will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.
| Recipients | Purpose | Legal basis |
| Courts and arbitration tribunals Public authorities External advisers Counterparties International organisations
| In order to exercise, establish or defend legal claims (see Section 8.2.3.), ensure compliance with the law and our contractual obligations. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.
|
| International organisations | To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory and international law duties. | To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory and international law duties. |
8.4 For how long to we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are the representative or employee of the respective government, public authority or international organisation or for as long as we have an ongoing professional, commercial or public law relationship with the entity you represent.
Customer service call recordings are retained for three months from the date of recording.
Appropriate safeguards for transfers of personal data outside of the EU/EEA
Appropriate safeguards for transfers of personal data outside of the EU/EEA
We may transfer or disclose personal data to recipients located outside the EU/EEA (third country), mainly in situations where we are using third-party data processors that will process data in a third country.
When we transfer or disclose your personal data to a recipient in a country outside of the EU/EEA, we will always ensure that appropriate safeguards have been taken (such as the EU Commission’s standard contract clauses, including other supplementary safeguards as necessary in each case) to protect the personal data. Further, we are regularly carrying out risk assessments to assess what supplementary measures that needs to be taken to protect the personal data subject to the transfer or disclosure.
We may also transfer your personal data to international organisations, in particular in connection with their investigations or proceedings relating to Sweco projects that these organisations finance or co-finance, or otherwise as needed to fulfil our contractual obligations on those projects or in the course of bidding for projects. In the absence of a decision by the European Commission finding an adequate level of protection in such an international organisation and the impossibility of applying appropriate safeguards, we will transfer your data based on an important public interest derogation under Article 49(1)(d) GDPR. Such transfer will be exceptional and will only occur if it is necessary for important reasons of public interest.
If you would like further details about the processing of your personal data and whether your personal data is transferred to a third country or an international organisation, please contact us on the contact details as set out below under Section 11.
Your rights
Your rights
Under applicable data protection laws, you have certain rights in relation to the processing of your personal data. We process your personal data to the extent necessary in order to fulfil your rights. Please submit requests for exercising your rights by contacting us on the contact details set out in Section 9 below.
You have, under certain circumstances, the right to exercise the following rights:
Access
You may request confirmation whether or not personal data is processed and, if that is the case, access your personal data and additional information such as the purposes of the processing. You are also entitled to receive a copy of the personal data undergoing processing. If the request is made by electronic means the information will be provided in a commonly used electronic format if you do not request otherwise.
Object to certain processing
You have the right to object to the processing of your personal data based on a legitimate interest for reasons which concerns your particular situation. In such a situation, we will stop using your personal data where the processing is based on a legitimate interest, unless we can show that the interest overrides your privacy interest or that the use of your personal data is necessary in order to manage or defend legal claims.
Rectification
You have at any time the right to have inaccurate personal data rectified, as well as, taking into account the purposes of processing, the right to have incomplete personal data completed which relates to you.
Erasure
You may have your personal data erased under certain circumstances, such as when your personal data is no longer needed for the purposes for which it was collected. However, we cannot delete your personal data if we e.g. are obligated under law to keep the data.
Restriction of processing
You may ask us to restrict the processing of your personal data to only comprise storage of your personal data under certain circumstances, such as when the processing is unlawful, but you do not want your personal data erased. If the processing of your personal data has been restricted we may only, besides storing the data, process your personal data with your consent, or in order to establish, exercise or defend legal claims or to defend rights of others.
Withdrawal of consent
You have the right to at any time withdraw your consent to processing of personal data to the extent the processing is based on your consent.
Data Portability
You may ask to receive a machine-readable copy of the personal data processed on the basis of your consent or on the basis that the processing is necessary in order to perform an agreement with you, and which personal data have been provided to us by you (data portability) and ask for the information to be transferred to another data controller (where possible).
Complaints to the supervisory authority
You always have the right to lodge complaints pertaining to the processing of your personal data to the Office of the Data Protection Ombudsman (in Finnish: “Tietosuojavaltuutetun toimisto”).
Contact information
If you have any questions or concerns regarding the processing of your personal data, please contact tietosuoja@sweco.fi.
Contact details of the Controller
Address: Ilmalantori 4, 00240 Helsinki, Finland
Tel: +358 207 393 000