Information about the processing of personal data - consultants and suppliers
Last updated June 2022
This information text describes the processing of personal data for:
- Consultants who carry out assignments for NCC either via a firm that you own (e.g. sole proprietorship) or via your employer providing consulting services to NCC.
- Temporary workers.
- Employees of subcontractors to NCC
“Personal data” means information that can directly or indirectly identify you as an individual, e.g. your name or IP address.
Who is the data controller for the processing of your personal data?
The company within the NCC Group which has hired you as a consultant or temporary worker or, if you are employed by a subcontractor, the NCC company that hired your employer is the data controller in accordance with this information text.
From which sources do we collect personal data?
We collect personal data from:
- You. We collect the personal data that you provide to us, e.g. in connection with communication.
- Your employer or client. We collect the personal data about you that your employer or client shares with us, e.g. to manage your assignment at NCC.
- Relatives and other close acquaintances. In connection with an accident, illness or similar event, we may collect the personal data about you that a relative or other close acquaintance provides to us.
- Group companies. The companies within the NCC Group work collaboratively and may share information with each other, e.g. in connection with communication.
- Third parties. We may also collect personal data about you from third parties who provide your personal data to us, e.g. in connection with communication.
- Public data sources. In connection with hiring you, we may also collect personal data from public data sources, e.g. from social network platforms or public registers.
Which personal data do we collect?
The personal data we collect depends on how you interact with us. We only collect the personal data that we need, mainly within the following categories of personal data:
- Identity data. Information that makes it possible to identify you, e.g. your name.
- Contact details. Information that makes it possible to contact you, e.g. address, email address and telephone number.
- Remuneration data. Information relating to the remuneration for your assignment, e.g. hourly rate and work performed.
- Billing data. This may include terms of payment, cost center, or reference number, number of hours, staff involved.
- Profile data. Information about your profile, e.g. gender, age, current employer or client.
- Competence data. Information about your competence, e.g. education, professional experience, language skills and certifications.
- Image and sound material. Information such as a still or moving image of you or a recording of your voice, e.g. photography, video or audio recording.
- Communication. Content of your communication with us, e.g. content of emails.
- Log data. Data in logs, e.g. access logs in our IT systems.
- Incident data. Details of an incident that has occurred, e.g. type of incident, time and place of the incident and information about the incident itself.
If necessary in order to fulfill the purpose of the processing of personal data, in some cases we may also collect and process other types of personal data.
For which purposes and on which legal basis do we use your personal data?
The purposes for which we use your personal data include but are not limited to managing the assignment, evaluating and following up on contracts and agreements, managing and documenting our business, communicating, meeting legal requirements and complying with legislation.
Below we list more detailed information about why we use your personal data in different cases. All processing of personal data may not necessarily apply to you; which processing you are covered by will depend on how you interact with us, and whether you are a consultant, temporary worker or an employee of a subcontractor.
Managing the assignment
We use your personal data in order to manage the assignment, e.g. to register basic information about you, to manage user accounts and work tools, as well as to communicate for the same purposes.
|
Personal data |
Legal basis |
|
Contractual fulfillment. If we have entered into the assignment contract with you personally, we will process your personal data for this purpose with the support of the assignment contract. Legitimate interest. If we have entered into the assignment contract with your employer or client, the processing takes place in order to satisfy our and your employer’s or client’s legitimate interest in managing the assignment. The processing of your personal identity number is necessary for the purpose in question, i.e. managing the assignment and confirming your identity. |
Billing
We use your personal data in connection with the billing of completed assignments, e.g. in order to calculate and pay remuneration, as well as to communicate for the same purposes.
|
Personal data |
Legal basis |
|
Contractual fulfillment. If we have entered into the assignment contract with you personally, we will process your personal data for this purpose with the support of the assignment contract. Legitimate interest. If we have entered into the assignment contract with your employer or client, the processing takes place in order to satisfy our and your employer’s or client’s legitimate interest in managing billing. The processing of your personal identity number is necessary for the purpose in question, i.e. managing the assignment and confirming your identity. |
Supervising and assigning work
NCC processes your personal data in order to be able to supervise and assign the contract work that you carry out for us.
|
Personal data |
Legal basis |
|
Contractual fulfillment. If we have entered into the assignment contract with you personally, we will process your personal data for this purpose with the support of the assignment contract. Legitimate interest. If we have entered into the assignment contract with your employer or client, the processing takes place in order to satisfy our and your employer’s or client’s legitimate interest in supervising and assigning your contract work. |
Skills development
NCC processes your personal data in order to offer and carry out skills development, e.g. in connection with voluntary and statutory courses and training courses, and to make sure that you have the necessary professional qualifications.
|
Personal data |
Legal basis |
|
Contractual fulfillment. If we have entered into the assignment contract with your employer or client, the processing takes place in order to satisfy our and your employer’s or client’s legitimate interest in supervising and assigning your contract work. Legitimate interest. If certain professional qualifications are required by law, we process such data in order to fulfill legal obligations. |
Following up and evaluating contracts and relationships
We use your personal data when necessary for following up and evaluating our relationship with you and your employer/client.
|
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in following up and evaluating our contract and our relationship. |
Carrying out meetings, events and other activities
If you participate in a meeting, event or some other activity that we organize, we will use your personal data in order to carry out the meeting, event or activity, e.g. to register your participation, to communicate with you regarding the activity, and to follow up on the meeting, event or activity.
|
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in carrying out meetings, events and other activities. |
Managing our facilities
We use your personal data in order to manage our facilities, e.g. to manage room bookings, fault reports, IT support cases, and for mail and parcel handling. If you visit one of our workplaces, we process your personal data in order to register you as a visitor, manage parking permits and give you access to our premises.
|
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing our facilities. |
Communicating about us and our business
We use your data in order to communicate about us and our business, e.g. to publish information in our digital channels. For participation in advertising activities, we refer to the model agreement in force at any time, which is signed with the individuals concerned prior to photography.
|
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in communicating about us, our business and our services. |
Communication within the framework of the assignment
We use your personal data in order to enable communication in general, and communication between employees and third parties, e.g. to register and display your details in our internal contact registers and to manage e-mails and other messages in our business, e.g. for the administration of our services.
|
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in enabling communication. |
Documenting our business
We use your data to document our business where appropriate, e.g. to manage and store contracts, decision-making documentation, minutes and presentations.
|
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in documenting our business. |
Implementing operational changes
If we implement an operational change, we will process your personal data for the same purpose if necessary, e.g. to conduct negotiations with the trade union organizations concerned.
|
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in implementing operational changes. |
Investigative and security reasons
We use your data for investigative and security reasons, e.g. to manage access to our facilities, and to manage access to and authorisation control for our IT systems. For the same purpose, we process your personal data in connection with logging and following up IT use. Furthermore, we may use your personal data to monitor compliance with our internal policies, procedures and instructions, including investigations in connection therewith. When managing business incidents, such as security incidents, accidents or near-accidents, and when conducting investigations related to such incidents, we may also, if necessary, process your personal data. In exceptional cases, e.g. in the event of strong suspicions of crime, we may conduct investigations, which may include site visits, review of e-mail correspondence and CCTV footage, as well as interviews with the individuals concerned.
|
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to fulfill our legitimate interest in processing personal data for investigative and security reasons. In the event that NCC processes data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to satisfy NCC’s legitimate interest in establishing, asserting or defending legal claims. |
Following up and evaluating our business
We use your personal data to compile reports at an overall level and statistics for the purpose of following up and evaluating our business.
|
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in following up and evaluating our business. |
Conducting surveys
If you choose to participate in a survey conducted by us, we will collect the personal data you provide in connection with the survey.
|
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in following up and evaluating our business. |
Ensuring technical functionality and security
We use your personal data in order to ensure the necessary technical functionality and security in our IT systems, e.g. in connection with security logging, troubleshooting and backup.
|
Personal data |
Legal basis |
|
Categories of personal data concerned. |
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in ensuring the necessary technical functionality and security of our IT systems. |
Managing and meeting legal requirements
We use your personal data if necessary for the establishment, assertion and defense of legal claims, e.g. in connection with a dispute or legal proceedings.
|
Personal data |
Legal basis |
|
Only the categories of personal data that are necessary for managing and meeting the legal requirement on a case-by-case basis. |
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in the establishment, assertion and defense of legal claims. |
Managing whistleblowing reports
NCC processes personal data about individuals mentioned in whistleblowing reports in order to be able to receive, investigate and provide feedback on such reports and to be able to take corrective action.
|
Personal data |
Legal basis |
|
corrective action where appropriate. If the NCC company concerned has fewer than 50 employees, the legal basis will be legitimate interest. In the event that NCC is processing data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to fulfill legal obligations and to be able to establish, assert and defend legal claims. |
Entry and registration of attendance at construction sites
If you perform work at one of our construction sites, we will process your personal data in order to fulfill our obligations under tax legislation concerning the keeping of personnel registers and to promote a safe working environment.
|
Personal data |
Legal basis |
|
Fulfilling legal obligations and legitimate interests. The processing takes place in order to fulfill legal obligations and our legitimate interest in ensuring a safe and secure working environment. |
How do we protect your personal data?
We take measures to ensure that the personal data we process is always protected and that our processing is carried out in accordance with applicable data protection rules, as well as our internal guidelines and procedures. Information security and ensuring the appropriate protection of personal data are of the utmost importance to us. We strive to implement security measures in accordance with the ISO 27000 international standard, in order to determine the appropriate level of protection for data, and to prevent and detect disclosure of personal data to unauthorized parties.
Which recipients do we share your personal data with?
Below we describe which recipients we share your personal data with. The recipients with whom we share your personal data will depend on how you interact with us. Unless stated otherwise below, the recipient is responsible for their own processing of your personal data.
Service providers
In order to process personal data, we share personal data with service providers that we have hired. These service providers provide e.g. IT services. When the service providers process personal data on our behalf and in accordance with our instructions, they are data processors for us and we are responsible for the processing of your personal data. Service providers may not use your personal data for their own purposes and they are required by law and contractual obligations with us to protect your data.
Your employer or client
In order to manage the assignment, to follow up and evaluate the relationship, in connection with communication and for investigative and security reasons, and to be able to establish, assert and defend legal claims, we share personal data with your employer or client, where appropriate.
| Intended purpose |
Personal data |
Legal basis |
| Managing the assignment |
|
Contractual fulfillment. If we have entered into the assignment contract with you personally, we will process your personal data for this purpose with the support of the assignment contract. Legitimate interest. If we have entered into the assignment contract with your employer or client, the processing takes place in order to satisfy our and your employer’s or client’s legitimate interest in managing the assignment. |
| Following up and evaluating contracts and relationships |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing the assignment. |
| Communication between employees and external personnel |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in communication between employees and third parties. |
| Investigative and security reasons |
|
Legitimate interest. The processing is necessary in order to fulfill our legitimate interest in processing personal data for investigative and security reasons. |
| Managing and meeting legal requirements | Only the categories of personal data that are necessary for managing and meeting the legal requirement on a case-by-case basis |
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing and meeting legal requirements |
Authorities and trade union organizations
In some cases, we share personal data with trade union organizations, e.g. to implement an operational change, or to manage and meet legal requirements (e.g. in connection with a dispute or legal process).
| Intended purpose |
Personal data |
Legal basis |
| Managing and meeting legal requirements. |
Only the categories of personal data that are necessary for managing and meeting the legal requirement on a case-by-case basis. |
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing and meeting legal requirements. |
| Fulfilling legal obligations, e.g. in the area of labor law and taxation |
Only the categories of personal data that are necessary for managing and meeting the legal requirement on a case-by-case basis. |
Legal obligation. The processing is necessary in order for us to fulfill legal obligations, e.g. in the field of labor law and taxation. |
Group companies
The companies in the Group work collaboratively and therefore share information with each other. To the extent that Group companies process personal data on our behalf and in accordance with our instructions, e.g. to manage the assignment, they are data processors for us and we are responsible for their processing of your personal data.
| Intended purpose |
Personal data |
Legal basis |
| Communication between employees and third parties |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in the communication between employees and third parties. |
| Managing and meeting legal requirements |
Only the categories of personal data that are necessary for managing and meeting the legal requirement on a case-by-case basis |
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing and meeting legal requirements. |
Hotels and conference facilities
We share your personal data with hotel and conference facilities, e.g. in connection with carrying out meetings, events and other activities.
| Intended purpose |
Personal data |
Legal basis |
| Carrying out meetings, events and other activities |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in carrying out meetings, events and other activities. |
Other recipients
In some cases, where necessary, we share your personal data with other recipients for certain purposes.
| Intended purpose |
Personal data |
Legal basis |
| Courts, mediators and representatives |
In order to establish, assert and defend legal claims |
In order to satisfy our and your legitimate interest in having disputes settled by competent authorities. |
| Suppliers, customers and partners | Managing our relationship with suppliers, customers and partners |
In order to satisfy our legitimate interest in managing our relationship with suppliers, customers and partners |
| Insurance companies | Establishing, asserting and defending legal claims |
To satisfy our legitimate interest in establishing, asserting and defending legal claims. |
| Potential buyers | Implementing any divestment of all or parts of our business |
In order to satisfy our legitimate interest in implementing any divestment. |
| Credit reference agencies and companies that perform background checks | Conducting credit checks in preparation for the customer/supplier relationship on legal entities, as well as background checks. |
To satisfy our legitimate interest in conducting credit checks in preparation for the customer/supplier relationship with legal entities, as well as background checks |
Where do we process and store the personal data?
We always strive to store personal data within the EU. In some cases, your personal data is shared with recipients outside the EU/EEA, e.g. service providers hired by us.
To ensure that personal data is protected, we ensure that appropriate safeguards are in place with all service providers who process your personal data outside the EU/EEA, in light of the legislation of the recipient country. We normally enter into data transfer contracts that contain so-called standard contractual clauses for the transfer of personal data.
If you would like more information about the countries outside the EU/EEA to which we transfer your personal data, and the safeguards we have put in place to protect your personal data, please contact us, see below for contact details.
How long do we store your personal data?
NCC retains your personal data for as long as necessary in order to fulfill the purposes set out in this information text, unless a longer retention period is required or permitted by local law to which NCC is subject. We use the following criteria to determine the retention period:
- as long as we have an ongoing relationship with you (either as an individual or in your role as an employee of a firm hired by NCC);
- as long as required by legal obligations to which NCC is subject (such as fiscal and accounting obligations);
- as long as appropriate in light of our legal position (such as applicable provisions in statutes of limitations); and
- as long as necessary for other legitimate business reasons (e.g. follow-up on supplier relationships and documentation of the business).