Who we are and how to contact us

This section explains who is responsible for the processing of your personal data and how to contact us.

Data Controller:

Bluefors Oy (Business ID: 2183219-9) and its subsidiaries

Arinatie 10, 00370

Helsinki, Finland

+358 9 5617 4800

privacy@bluefors.com

Bluefors Oy and our subsidiaries are joint data controllers when we jointly process and share personal data within the Bluefors Group. In general, Bluefors Oy is responsible for operation and security of IT systems and providing policies, guidelines, and instructions regarding the processing of personal data within the Bluefors Group. Each subsidiary is responsible for ensuring that personal data is processed lawfully as described in this Privacy Notice.

You can always use your rights under this Privacy Notice by contacting Bluefors Oy.

How and why we use data

This section describes the purposes of processing and our legal basis for processing your personal data.

We collect and process personal data to manage and administer our existing or potential business relationship with you or your organization (such as taking care of matters concerning different phases of marketing, quotation, sales, and support requests relating to our products and services, or managing our supplier and stakeholder relations). This includes for example communicating with you or your organization and the processing of payments, invoicing, and related activities. We may also process personal data to ensure the safety and security of our employees, visitors, facilities, and assets.

We collect and process personal data as necessary to comply with our legal obligations. This includes processing personal data for trade compliance purposes, complying with our bookkeeping obligations, and providing information to relevant authorities. For information on how we process personal data in relation to whistleblowing reports, please see our specific Whistleblowing Channel Privacy Notice.

When processing your personal data for the purposes described in this Privacy Notice, the legal basis for processing personal data is primarily our legitimate interest (GDPR Article 6.1 f). When processing personal data based on legal obligations, the legal basis for processing your personal data is ensuring compliance with the legal obligations to which we are subject (GDPR Article 6.1 c).

Our legitimate interests to process your personal data are based on our interest to establish, maintain and develop customer and business relationships, to develop, deliver and improve our products and services and to promote and market them. We also have a legitimate interest to ensure the safety and security of our employees, visitors, facilities, and assets.

We also collect and process personal data in connection with our recruitment processes. If you are a job applicant, please see our specific Privacy Policy for Job Applicant Register for further information.

Types of data we process

This section explains which categories of data we process and how we obtain the information.

We process the following types of personal data for the purposes stated in this Privacy Notice:

• name and contact details
• organization and title
• email address
• phone number
• invoicing and billing information
• information relating to meetings and events
• marketing and communications information, including opt-ins and opt-outs
• sanctions screening data (as required and allowed by applicable laws)
• login information, IP-address, and other technical identifiers
• other information that you provide to us

We typically receive the data directly from you or from other representatives of your organization in the course of a business relationship with you or your organization. We may also collect and update the data from public sources or other databases. We also generate certain company and contact information in connection with our correspondence with you or your organization or when you visit our website.

Your rights as a data subject

This section explains the rights you have with respect to your personal data.

• Right to access, rectification, and restriction: You have the right to request access to your personal data. This includes the right to be informed of whether we process your personal data, what personal data is being processed, and the purpose of the processing. You also have the right to request correction of any inaccurate or incomplete personal data. In certain situations, you may also request the restriction of processing of your personal data.

• Right to object: You may object to certain processing of personal data on grounds relating to your particular situation, when we process your personal data based on our legitimate interest.

• Right to erasure: You may request that your personal data be erased if the personal data is no longer necessary for the purposes for which it was collected, the processing is unlawful, or the personal data must be erased to enable us to comply with a legal requirement.

• Right to withdraw your consent: If the processing of your personal data is based on your consent, you have the right to withdraw your consent to such processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

• Right to lodge a complaint with a supervisory authority: If you wish to lodge a complaint with a national supervisory authority regarding our processing of your personal data, you may do so by contacting your local data protection authority. The relevant authority in Finland is the Data Protection Ombudsman.

We are required to ensure that your personal data is kept accurate and up to date. Please inform us of any changes or updates to your information and your preferences by contacting us through the contact details provided above.

With whom and where do we process your data?

This section explains how we may share your personal data, including international transfers.

We share personal data within the Bluefors Group, as well as with authorized service providers who supply IT systems and other services, all of whom are bound by written data processing agreements. Additionally, when permitted by law, your personal data may be disclosed to our partners, for example, in connection with jointly organized events. We may also share personal data with a third party for legal or regulatory reasons if this is necessary to comply with applicable laws or regulations or orders of competent authorities.

We store and process your personal data primarily within the European Economic Area (EEA). Where personal data is transferred to a third party in a country outside the EEA that is not considered to offer an adequate level of protection for personal data, we ensure that we have in place a binding contract with the recipient including the European Commission Standard Contractual Clauses for data transfers.

Retention period and protection of your data

This section describes how long we store your personal data and our measures to protect it.

We retain your personal data as long as necessary for maintaining the business relationship unless otherwise required by law. After the relationship has ended, we retain the personal data for pre-defined time periods. These time periods have been defined based on our legitimate needs and regulatory requirements that we are subject to. Please contact us for further information on retention periods.

We process your personal data in confidence and have implemented the necessary technical and organizational measures to protect your data. We have physical, electronic, and managerial procedures to safeguard and secure the information we collect. Access to personal data is limited to employees and service providers on a need-to-know basis and subject to confidentiality undertakings.

How we use cookies

We use cookies on our website. Please see our Cookie Notice for further information about the cookies and analytics used on our website. You can change your preferences regarding cookies at any time by using the features described in our Cookie Notice.