Valmet is committed to protecting your privacy. We will process your personal data only in accordance with relevant data protection and privacy legislation and good data processing practices.
In connection with due diligence conducted by Valmet on its third parties and customers in order to comply with various anti-corruption and/or trade sanctions laws and regulations applicable to it or its affiliates, Valmet Oyj will, as the data controller, collect and process personal data of persons related to its customers or third parties, including without limitation, agents, distributors, dealers, commercial consultants, brokers and suppliers. These persons include, among others, third parties and customers’ direct and indirect owners (up to ultimate beneficial owners), key management and persons responsible for Valmet business.
If you are a person related to a customer or third party of Valmet, please read this carefully in order to understand how we process your personal data.
Controller Contact Information:
Vanha Porvoontie 229
01380 Vantaa, Finland
Categories and sources of personal data
We primarily collect personal data from our customers’ or third parties’ representatives or directly from you as data subject. Your personal data may be provided to us by completing the Valmet Due Diligence Questionnaire for Proposed Third Parties or when contacting us. We may also collect your personal data from various information providers, such as compliance databases, as well as from public records and openly available internet sources.
We process the following categories of personal data about you:
Your identification and contact details, such as your full name, email address, telephone number, photo, date of birth and nationality;
Information on you in relation to a third party or customer company or companies, such as your position in the company and ownership of shares in the company or companies;
Employment and education information, such as your education, work experience and other information provided by you in your resume;
Information specifically required for due diligence, such as politically exposed person (PEP) information (e.g. exposure to public offices or positions, i.e. positions in or close to government), sanctioned individuals information, information of any criminal convictions and offences, or investigation of similar activities related to violation of law (where explicitly allowed by applicable legislation) and any other information provided by you in communications with us.
Purposes of processing
We process the personal data of persons related to third parties or customers for the following purposes:
- To comply with anti-corruption and trade sanction laws, regulations and guidance issued by the authorities;
- To verify whether any trade or economic sanctions apply to the third party or customer;
- To assess corruption risks pertaining to the third party or customer;
- To check whether any kind of adverse media has been reported relating to the third party or customer.
Legal basis for processing
We process your personal data only if we have a valid legal basis for doing so. Please find information about the legal basis for our processing purposes below:
The processing of your personal data is based on statutory requirements we must follow, such as trade sanctions and anti-corruption laws, regulations and guidance issued by the authorities. It is our legal obligation to verify whether any trade or economic sanctions apply to the third party or customer.
Processing of your personal data is based on our legitimate interest when it is done for the purposes of assessing corruption risks pertaining to the third party or customer as well as when checking whether any kind of adverse media has been reported relating to the third party or customer.
Transfers and disclosures of personal data
At Valmet, your personal data is processed only by personnel who are authorized to do so based on their responsibilities. Your personal data is processed by third parties only in the following situations which apply to transfers and disclosures of personal data:
We use service providers in order to manage and operate our business. Service providers are needed for a variety of purposes, such as for providing information for conducting due diligence and for providing and hosting our IT systems. These service providers can only process your personal data based on our instructions and use it only for purposes defined by Valmet. Such processing is always regulated by data processing agreements in order to ensure that all our service providers keep your personal data safe and process it only in accordance with applicable legislation.
In cases where your personal data is transferred outside of the European Union (EU) and the European Economic Area (EEA), we ensure the protection of your personal data by using European Commission’s Standard Contractual Clauses. Where applicable, transfers of personal data to service providers outside of the EU and EEA can also be secured by relying on an adequacy decision adopted by the European Commission, or on the EU–U.S. Privacy Shield agreement as a safeguard for data transfer.
Disclosures of personal data
In certain situations, we must disclose your personal data to another controller, who will use that personal data for its own purposes. We may disclose your personal data to our banks, export credit agencies, consultants, legal advisors and government authorities for the purposes of verifying sanctions compliance, obtaining permits or licenses or investigation. We may also disclose your personal data to the customer or supplier related to your transaction for verifying sanctions compliance.
If mergers, acquisitions or corporate restructurings occur in our business operations, your personal data may have to be disclosed to relevant stakeholders.
Sharing data within Valmet group of companies
Additionally, Valmet may disclose and transfer your personal data within the Valmet group of companies. Where such intra-group transfers or disclosures take place, Valmet ensures the security and confidentiality of your personal data by using Intra-Group Data Transfer Agreements.
Valmet uses robust technical and organizational measures to protect the confidentiality, integrity and availability of your personal data. Our information security controls ensure the protection of your personal data from unauthorized viewing, modification, dissemination, or destruction and provide the necessary recovery mechanisms from accidental as well as malicious destruction, alteration or loss. We use role-based access control to ensure that your personal data is processed only by appropriate personnel. Your personal data processed by Valmet is protected with state-of-the-art information security technologies. Protective measures also include data protection related guidelines and procedures trained to employees in order to ensure secure and lawful processing of your personal data.
Retention of your personal data
By default, we store personal data only as long as is necessary for the purposes it was collected for. When personal data is no longer needed for the purpose it was originally collected for it will be deleted or anonymized, unless we have a legal obligation to retain data for a longer period. The retention times for the personal data of persons related to third parties or customers are based the limitation periods within which the authorities may initiate actions against us related to, among others, anti-corruption or trade sanctions legislation. Whereas this time is typically five years, local exceptions may apply.
Your rights as a data subject
As a data subject you have certain rights which help you to control your own personal data. In this section, we provide you information about your rights as a data subject. If you wish to use your rights, please contact us by email at privacy(at)valmet.com.
Right of access
You have the right to obtain confirmation as to whether your personal data is being processed by us and what personal data about you we process. If you wish, you may request for a copy of such data.
Right to rectification
If your personal data is incorrect or incomplete, you have the right to request for rectification or completion of your personal data.
Right to be forgotten
You have the right to request your personal data to be erased. In such a case we will delete your personal data unless we have a legal obligation or other overriding reason to retain your data.
Restriction of processing and right to object
In certain situations, you have the right to request us to restrict the processing of your personal data, for example if personal data concerning you is inaccurate. Based on your particular situation, you may also have the right to object the processing of your personal data, in which case we will evaluate whether there are any compelling legitimate grounds for continuance of processing.
We will do our best to resolve any issue you might have related to our processing of your data through conversations. However, if you consider that our processing infringes your rights as a data subject, you have the right to file a complaint to a competent data protection supervisory authority, depending on the applicable legislation.
Can this Privacy Notice be changed?
There will be updates to this Privacy Notice whenever changes or developments in our business operations require so. You can always access the up-to-date version of the Privacy Notice at www.neles.com/privacy or by contacting your Valmet representative.