Information about the processing of personal data

The NCC company providing the website you are visiting is normally the personal data controller for such processing of personal data in accordance with this information text.

The NCC company with which your company has a business relationship is normally responsible for managing data in our business portals within the framework of contract management and procurement.

Each NCC company is responsible for Know Your Customer checks, user account management in our business portals, and for reporting violations of NCC’s policies and guidelines, as well as for fulfilling its own legal obligations and for establishing and asserting legal claims.

We collect personal data from:

• You. We collect the personal data that you provide to us, e.g. in connection with the use of our websites and other digital channels or when you contact us.
• Employees. We may collect personal data about you from employees who provide your personal data to us, e.g. in connection with communication or when the employee voluntarily submits your data to us or in connection with the receipt of whistleblowing reports.
• Partners. We may collect your personal data from business partners, e.g. in connection with carrying out an event or other activity together with said business partners. When conducting Know Your Customer (KYC) checks on senior executives of customers and suppliers, data may also be collected from independent companies that assist us with such surveys. We may also obtain information from credit reference agencies.
• Social networking platforms. If you visit our social media channels, we will collect the personal data that you provide to us via these channels, e.g. to answer any questions you ask or to communicate about us, our business, or our services and offers.
• Group companies. The companies within the NCC Group work collaboratively and therefore share information with each other, e.g. when communicating about the management of customer and supplier relationships.
• Third parties. We may also collect personal data about you from third parties who provide your personal data to us, e.g. in connection with communication or an event or other activity, or in connection with the receipt of whistleblowing reports.
• Public data sources. We may collect personal data about you from public sources, such as government agencies and public records, e.g. corporate engagement in order to manage orders and manage the relationship with the firm or organization to which you belong.

The personal data we collect depends on how you interact with us. We only collect the personal data that we need, mainly within the following categories of personal data:

• Identity data. Data that makes it possible to identify you, e.g. your name and, where appropriate, your personal identity number or equivalent.
• Contact details. Information that makes it possible to contact you, e.g. address, email address and telephone number.
• User-generated data. Information about your activity on and use of our websites and digital channels, e.g. clicks and visits to the website, and otherwise your behavior on our websites and in our digital channels.
• Order details. Information about ordered goods or services, e.g. the goods or service, price and delivery or assignment period.
• Billing data. This may include terms of payment, cost center, or reference number, number of hours, staff involved.
• Profile data. Data relating to your profile, e.g. your title, name and address of the firm or organization to which you belong, and department.
• Image and sound material. Information such as a still or moving image of you or a recording of your voice, e.g. photography, video or audio recording.
• Communication. Content of communication with us, e.g. content of emails or responses you provide when you e.g. participate in a survey or provide feedback and comments.
• Technical data. Technical details of the device you use when visiting our website or digital channels, e.g. type of device, version of browser and operating system.

If necessary in order to fulfill the purpose of the processing of personal data, in some cases we may also collect and process other types of personal data.

We use your personal data when you use our website and our digital channels, when we provide our services and products to you, your firm or your organization, when you communicate with us, in order to meet legal requirements and comply with legislation.

Below we list more detailed information about why we use your personal data in different cases. All processing of personal data may not necessarily apply to you; which processing you are covered by will depend on how you interact with us.

Providing information and communicating news

If you subscribe to newsletters, catalogs, press releases and similar information about NCC and its operations, or order such information on an occasional basis, we will process your personal data for the purpose of providing you with the requested subscription or information.
You have the opportunity to communicate with us by asking questions or giving us feedback about our services and operations, e.g. by email or on our websites. If you do so, NCC will process your personal data for the purpose of answering your questions or managing your feedback.

Quotes, purchase inquiries and orders

If you send us a request for a quote or a request to purchase our products or services, e.g. by email or via one of our websites, or if you place an order for products (e.g. asphalt) or services, NCC will process your personal data for the purpose of responding to and managing your request, as well as placing the order and billing.

Managing and responding to your requests and messages in our business portals

Business customers and suppliers at NCC have access to some of our business portals, where you, in your role as a designated contact, can e.g. view and manage ongoing projects and contracts, submit tenders and manage bills. If you, in your role as a designated contact at a business customer or supplier of NCC, use these functions, NCC will process personal data in order to be able to manage the ongoing relationship, and to respond to and evaluate tenders.

Contacting customers for marketing purposes  (only valid in Finland)

NCC collects and processes personal data for the purposes of contacting customers, marketing of NCC’s products and services including targeted email marketing, online advertising, and personal sales calls.

Know Your Customer (KYC) checks of suppliers, partners and business customers, as well as senior executives

When a supplier or a business customer intends to enter into a business relationship with NCC, we process personal data concerning senior executives in the supplier’s or the customer’s business in order to be able to perform KYC checks. Such checks are carried out as part of our standard procedure before entering into contracts with new suppliers and business customers, for the purpose of enabling NCC to make well-informed business decisions.

Creating personal user accounts on our websites and in our business portals

Some of NCC’s websites and business portals enable users to create personal user accounts with login. If you create an account, NCC will process your personal data for the purpose of creating and managing your personal account, creating your login and giving you access to your account.

Handling complaints and fulfilling our warranty obligations regarding our products

If you lodge a complaint with us regarding our products or services, e.g. via one of our websites or via email, NCC will process your personal data for the purpose of investigating, handling and responding to your complaints in order to fulfill our warranty obligations.

Managing your registration for and participation in events, training courses and briefings

If you register for events or training courses, e.g. via one of our websites or email, NCC will process your personal data for the purpose of managing and responding to your expressions of interest and registrations. If you sign up for an event or training course, we will also use your personal data to be able to carry out the event or training course, e.g. to send you an invitation to attend.

Administering expressions of interest in commercial properties

If you submit an expression of interest in commercial properties, e.g. via one of our websites or email, NCC will process your personal data in order to administer and respond to your expression of interest.

Marketing NCC on social media

NCC has active profiles on social media, such as Facebook, Instagram, LinkedIn and YouTube. On these platforms, NCC may publish articles, images and videos for the purpose of marketing NCC.

Following up on the use of, and enabling functionality on our websites and digital channels

It is important for us to understand how our websites and digital channels are used, in order to continuously improve our websites and digital channels. We therefore process your personal data for this purpose, e.g. when we collect and analyze visitor and user statistics on how our website, digital channels and services are being used. In order to enable the functionality of our websites, e.g. to remember your settings, we use your personal data when necessary in order to provide a better user experience on the website.

Creating traffic control plans

If you request the creation of a traffic control plan, e.g. via one of our websites or email, NCC will process your personal data for the purpose of administering your request, communicating with you and determining the traffic control plan.

Providing information about blasting operations and other measures that may affect properties in connection with our construction projects

NCC processes personal data about property owners and other stakeholders in order to provide information about e.g. blasting operations and other measures that may affect properties in connection with our construction projects.

Visitor registration and access to our workplaces

If you visit one of our workplaces, we process your personal data in order to register you as a visitor, manage parking permits and give you access to our premises.

Following up, developing, documenting and improving our business

We process your personal data when we perform overall analyses to follow up, develop and improve our business, business methods and strategies. We also process your data in order to document our operations where appropriate, e.g. to manage and save contracts, decision-making documentation, minutes and presentations.

Ensuring compliance with our guidelines, policies, procedures and applicable legislation, including audits and investigations in connection with this

Where applicable, NCC processes personal data in order to ensure that suppliers, business customers and other organizations with whom NCC has contact (e.g. in collaboration) and its employees, as well as senior executives, comply with and apply our guidelines, policies, procedures (e.g. the NCC Code of Conduct for Suppliers) and applicable legislation. Such processing may include verification of driver’s logs and invoices, as well as anti-corruption and anti-bribery measures, and may take place as a result of a routine action by NCC or if we have reason to suspect misconduct or crime. In exceptional cases, in the event of strong suspicions of a criminal offense, we may conduct investigations, which may include site visits, review of email correspondence and material from CCTV surveillance, as well as interviews with the individuals concerned.

Managing and meeting legal requirements

We use your personal data if necessary for the establishment, assertion and defense of legal claims, e.g. in connection with a dispute or legal proceedings.

Managing whistleblowing reports

NCC processes personal data about individuals mentioned in whistleblowing reports in order to be able to receive, investigate and provide feedback on such reports and to be able to take corrective action.

Fulfilling legal obligations

NCC processes Personal Data for the purpose of fulfilling legal obligations in areas such as taxation and accounting.

We take measures to ensure that the personal data we process is always protected and that our processing is carried out in accordance with applicable data protection rules, as well as our internal guidelines and procedures. Information security and ensuring the appropriate protection of personal data are of the utmost importance to us. We strive to implement security measures in accordance with the ISO 27000 international standard, in order to determine the appropriate level of protection for data, and to prevent and detect disclosure of personal data to unauthorized parties.

Below we describe which recipients we share your personal data with. The recipients with whom we share your personal data will depend on how you interact with us. Unless stated otherwise below, the recipient is responsible for their own processing of your personal data.

Service providers

In order to process personal data, we share personal data with service providers that we have hired. These service providers provide e.g. IT services. When the service providers process personal data on our behalf and in accordance with our instructions, they are data processors for us and we are responsible for the processing of your personal data. Service providers may not use your personal data for their own purposes and they are required by law and contractual obligations with us to protect your data.

Group companies

The companies in the Group work collaboratively and therefore share information with each other. To the extent that Group companies process personal data on our behalf and in accordance with our instructions, e.g. to manage the assignment, they are data processors for us and we are responsible for their processing of your personal data.

Other categories of recipients

NCC may also disclose personal data to recipients outside the NCC Group such as:

Furthermore, NCC may disclose personal data to third parties such as IT suppliers, communication agencies and others who provide services who process personal data in accordance with NCC’s instructions and assignments.

We always strive to store personal data within the EU. In some cases, your personal data is shared with recipients outside the EU/EEA, e.g. service providers hired by us.

To ensure that personal data is protected, we ensure that appropriate safeguards are in place with all service providers who process your personal data outside the EU/EEA, in light of the legislation of the recipient country. We normally enter into data transfer contracts that contain so-called standard contractual clauses for the transfer of personal data.

If you would like more information about the countries outside the EU/EEA to which we transfer your personal data, and the safeguards we have put in place to protect your personal data, please contact us.

NCC retains your personal data for as long as necessary in order to fulfill the purposes set out in this information text, unless a longer retention period is required or permitted by local law to which NCC is subject. We use the following criteria to determine the retention period:

• As long as we have an ongoing relationship with you (either as an individual or in your role as an employee of a firm hired by NCC);
• as long as required by legal obligations to which NCC is subject (such as fiscal and accounting obligations);
• as long as appropriate in light of our legal position (such as applicable provisions in statutes of limitations); and
• as long as necessary for other legitimate business reasons (e.g. follow-up on supplier relationships and documentation of the business).