TriGranit Privacy policy

 

Table of Contents

Introduction

Frequently asked questions on personal data

 


Introduction

Purpose

The purpose of this policy is to explain how TriGranit handles your personal data, whether we pursue a relationship with you regularly or occasionally, provide you with a service or receive a service from you, or you are simply visiting our website.

This Privacy policy describes how we collect, use and process your personal data, and how we comply with our legal obligations towards you. Your privacy is important to us and we are committed to protecting and safeguarding your data privacy rights.

Scope

This policy applies to all operating units of the Company, in relevant countries throughout our international network. Each country may approach data privacy in slightly different ways, thus we have country-specific procedures connected to this policy. This allows us to ensure that we are compliant with all applicable data protection regulations, no matter where you are.

In scope of this Privacy policy are the personal data of our Clients, Suppliers and other Business Partners, as well as Website Users and Third Parties whom we may contact.

If you are a member of TriGranit Staff, you are out of scope of this policy and should refer to our internal Data protection and privacy policy, which is available in Employee Handbook.

Governance

All decisions related to personal data protection and privacy activities belong to the exclusive powers of the Company’s management team, which has the discretion to change or amend this policy from time to time, with or without prior notice. Please visit this webpage to stay updated.

In case of any discrepancies between the provisions of this policy and national laws or other local regulations, the latter shall prevail.

If you are dissatisfied with any aspect of our data protection and privacy practices, you have the legal right to address your complaints as described later.

Definitions

Business partner: any commercial party, person or organization, with whom the Company has a business relationship as Client or Supplier

Client: any customer, person or organization, to whom the Company provides services in the course of its business

Company: all legal entities and operating units of TriGranit Group

Data subject: a natural person whose personal data are collected, stored or processed

Erasure: removal or deletion of personal data when there is no compelling reason for a business to continue processing that data

GDPR: General Data Protection Regulation of the European Union

Staff: employee, contractor, trainee, temporary, consultant, leased worker or any other member of the Company’s workforce, who are engaged directly in the business of TriGranit

Supplier: any commercial party, person or organization, who provides services to the Company in the course of its business

Third party: any individual who is not acting or otherwise performing any services for, or on behalf of, TriGranit, including applicants and requestors who voluntarily entrust us with their personal data

Website user: any individual who accesses any of the TriGranit websites

Frequently asked questions on personal data

What kind of personal data do we collect?

Several elements of the personal data we collect from you are required to enable us to fulfil our contractual duties to you or to others. Depending on the type of personal data in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue with our relationship.

Client data: If you are a TriGranit customer, we need to collect and use information about you or certain individuals at your organization, in the course of providing you with services and/or notifying you of content published by TriGranit which is likely to be relevant and useful to you.

To the extent that you access our website we will also collect certain data from you.

Supplier data: We do not collect much data about Suppliers, we simply need to make sure that our relationship runs smoothly. We may collect contact details within your organization, such as names, telephone numbers and email addresses.

To the extent that you access our website we will also collect certain data from you.

Website user data: We collect a limited amount of data from our Website users which we use to help us to improve your experience when using our website, as well as to help us manage the services we provide. This includes information such as how you use our website, the frequency with which you access our website, your browser type, the location you view our website from, the language you choose to view it in and the times that our website is most popular.

Third party data: ?

How do we collect personal data?

Client data: We collect your personal data either directly from you or from limited external sources, e.g. online and offline media.

To the extent that you access our website or read or click on an email from us, we may also collect certain data automatically or through you providing it to us.

Supplier data: We collect your personal data during the course of our work with you.

To the extent that you access our website or read or click on an email from us, we may also collect certain data automatically or through you providing it to us.

Website user data: We collect your data automatically via cookies when you visit our website.

Third party data: ?

To the extent that you access our website or read or click on an email from us, we may also collect certain data automatically or through you providing it to us.

How do we use personal data?

Client data: The main reason for using information about Clients is to ensure that the contractual arrangements between us can properly be implemented.

Supplier data: The main reasons for using your personal data are to ensure that the contractual arrangements between us can properly be implemented.

Website user data: We use your data to help us to improve your experience of using our website.

Third party data: ?

Protection of personal data

We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold on you from misuse, loss or unauthorized access. We do this by having in place a range of appropriate technical and organizational measures to ensure the security and confidentiality of entrusted personal data.

If you know or suspect any misuse or loss or unauthorized access to your personal data, please let us know immediately.

Retention of personal data

We store personal data for as short as possible and for nor longer than its purpose requires it to be. Retention periods are as follows:

  • Standard retention time for Client, Supplier and Website user data is up to two years. If we have not had any meaningful contact with you for two years, we will delete your personal data from our files and systems, as after this period your data will unlikely be relevant for the purposes for which it was collected.
  • In case of Applicants, Requestors and other third-party data, standard retention time is up to six months.

Standard retention time of personal data can be extended if:

  • requested by relevant legislation
  • requested by contractual obligation
  • requested by police or other prosecution agencies

When we refer to “meaningful contact”, we mean communication between us, either verbal, written or personal. Your receipt, opening or reading of an email or other digital message from us will not count as meaningful contact – this will only occur in cases where you click-through or reply directly.

While we will endeavor to permanently erase your personal data once it reaches the end of its retention period or where we receive a valid request from you to do so, some of your data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that while it still exists on an archive system, this cannot be readily accessed by any of our operational systems, processes or Staff.

Rights of Data Subject

One of the GDPR’s main objectives is to protect and clarify the rights of individuals with regards to data privacy. This means that you retain various rights in respect of your personal data, even once you have given it to us. These are described in more detail below.

If you would like to exercise any of these rights or withdraw your consent to the processing of your personal data where consent is our legal basis for processing your personal data, please contact us. Details of how to contact us can be found on TriGranit’s website, as well as in Annex 1.

When notified, we will seek to deal with your request without undue delay, and in any event within one month, subject to any extensions to which we are lawfully entitled.

Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Right to object

This right enables you to object to us processing your personal data where we do so for one of the following four reasons:

  • our legitimate interests
  • to send you direct marketing materials and
  • for scientific, historical, research, or statistical purposes.

The “legitimate interests” and “direct marketing” categories above are the ones most likely to apply to our Website Users, Clients and Suppliers. If your objection relates to us processing your personal data because we deem it necessary for your legitimate interests, we must act on your objection by ceasing the activity in question unless:

  • we can show that we have compelling legitimate grounds for processing which overrides your interests or
  • we are processing your data for the establishment, exercise or defense of a legal claim.

If your objection relates to direct marketing, we must act on your objection by ceasing this activity.

Right to withdraw consent

Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case we will inform you of this condition.

Right to access

You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. We may ask you to verify your identity and for more information about your request.

If we provide you with access to the information we hold about you, we will not charge you for this unless your request is “manifestly unfounded or excessive”. If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible.

Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will always tell you the reasons of our decision. Please note that in certain of the jurisdictions in which we operate, we comply with additional local law requirements regarding data subject access requests and may refuse your request in accordance with such laws

Right to erasure

You have the right to request that we erase your personal data in certain circumstances. Normally, the information must meet one of the following criteria:

  • the data are no longer necessary for the purpose for which we originally collected and/or processed them
  • where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing
  • the data has been processed unlawfully i.e. in a manner which does not comply with the GDPR
  • it is necessary for the data to be erased in order for us to comply with our legal obligations as a data controller or
  • if we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.

We would only be entitled to refuse to comply with your request for one of the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with legal obligations or for the performance of a public interest task or exercise of official authority
  • for public health reasons in the public interest
  • for archival, research or statistical purposes or
  • to exercise or defend a legal claim.

When complying with a valid request for the erasure of data, we will take all reasonably practicable steps to delete the relevant personal data.

Please note that in certain of the jurisdictions in which we operate, we comply with additional local legal requirements regarding data subject right to erasure and may refuse your request in accordance with local laws.

Right to restrict processing

You have the right to request that we restrict our processing of your personal data in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either:

  • one of the circumstances listed below is resolved
  • you consent or
  • further processing is necessary for either the establishment, exercise or defense of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.

The circumstances in which you are entitled to request that we restrict the processing of your personal data are:

  • where you dispute the accuracy of the personal data that we are processing about you – our processing of your personal data will be restricted for the period during which the accuracy of the data is verified
  • where you object to our processing of your personal data for our legitimate interests – you can request that the data be restricted while we verify our grounds for processing your personal data
  • where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it or
  • where we have no further need to process your personal data, but you require the data to establish, exercise, or defend legal claims.

If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort.

We will notify you before lifting any restriction on processing your personal data.

Right to rectification

You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period for which we hold your data.

If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to.

Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.

Right to lodge a complaint

You also have the right to lodge a complaint with your local supervisory authority. See contact details in Annex 2.

Legal bases for processing your data

Personal data may not be processed unless there is at least one lawful basis to do so.

Legitimate interests

We can process your data where it is necessary for the purposes of the legitimate interests pursued by the Company, except where such interests are overridden by the interests or fundamental rights or freedoms of you which require protection of personal data.

You have the right to object to us processing your personal data on this basis.

Please note that in certain of the jurisdictions in which we operate, a different legal basis for data processing might apply in certain cases.

Client data: to ensure that we provide you with the best service possible, we store your personal data. We think this is reasonable and we deem these uses of your data to be necessary for our legitimate interests as an organization providing the best services to you.

Supplier data: We use and store the personal data of individuals within your organization in order to facilitate the receipt of services from you as one of our Suppliers. We deem all such activities to be necessary within the range of our legitimate interests as a recipient of your services.

Website user data: ?

Third party data: ?

Consent

In certain circumstances, we are required to obtain your consent to the processing of your personal data regarding certain activities.

Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. In plain language, this means that:

  • you have to give us your consent freely, without us putting you under any type of pressure
  • you have to know what you are consenting to, so we will make sure we give you enough information
  • you should have control over which processing activities you consent to and which you do not or
  • you need to take positive and affirmative action in giving us your consent – we are likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.

We will keep records of the consents that have been given in this way. You have the right to withdraw your consent.

Please note that in certain of the jurisdictions in which we operate, we comply with additional local law requirements regarding consenting to receive marketing materials.

Establishing, exercising or defending legal claims

Sometimes it may be necessary for us to process personal data and, where appropriate and in accordance with local laws and requirements, sensitive personal data in connection with exercising or defending legal claims. GDPR allows this where the processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.

This may arise for example where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process.