Privacy Notice for Business Customers, Suppliers and Leads

1 Controller

YIT Corporation (business ID 0112650-2) and other companies in YIT Group
Contact information of the head office:

P.O. Box 36, Panuntie 11
00621 Helsinki
Finland
Tel. +358 020 433 111

YIT Corporation is responsible for processing of personal data at group level for the purposes and on the legal basis defined in this policy, e.g. group level marketing and sales; sourcing, financial and other administration and business management; customer and supplier relationship management; and analysis and development of products, services, customer and supplier relationships and businesses.

Each company in YIT Group is responsible for processing of personal data for its own purposes on the legal basis defined in this policy, e.g. for the performance of a contract or the management of the customer or supplier relationship. For such purposes, it can process personal data which has been collected for the same purposes by other companies in the group.

2 Contact points in privacy questions

You can always contact us by filing this form or by email to privacy@yit.fi.

You can also contact our local service points in each country of YIT's operations:

GDPR contact person
Marjo Hiltunen, Lawyer
marjo.hiltunen@yit.fi
Tel. +358 40 614 9403

Person in charge of the register matters:
Marjo Hiltunen, Lawyer
marjo.hiltunen@yit.fi
Tel. +358 40 614 9403

3 Legal basis for and purpose of the processing of personal data

The legal bases for processing personal data are:

  1. Performance of a contract between the Controller and its business customer, supplier or business partner (Company) as well as fulfilment of requests of the data subject prior to entering into a contract, e.g. requests for information or quotation, newsletter subscriptions or purchase orders
  2. Management of customer, supplier, partner or other similar relationship as the legitimate interest of the Controller
  3. Controller's legitimate interest for direct marketing of products and services to the contact persons of the business customers
  4. Compliance with Controller's legal obligations imposed by national legislation in each country of operation
  5. Consent of the data subject when it is necessary for locating the data subject or collecting data about the use of Controller's Internet or mobile services by means of cookies, advertising IDs or other similar tracking technology for the purposes defined in this policy

Personal data are processed for the following purposes:

  • delivery of products and services
  • creation, management and development of customer, supplier or other account and relationship between the Controller and the Company
  • development of products, services and businesses
  • communication with the Company, including customer and supplier feedback and satisfaction surveys
  • opinion polls, surveys and marketing research, promotional sweepstakes and contests
  • targeting and performance of direct marketing of the products and services of the Controller and its business partners by mail, phone and digitally (including newsletters)
  • targeting and performance of digital advertising (advertising on the internet and in mobile services)
  • detection, prevention and investigation of fraud and other criminal offences, PEP screening
  • analyzing, profiling, segmentation, and statistics for the purposes explained above

 

4 Data subjects and categories of personal data

The Controller processes personal data of the contact persons of its prospective, current, and former business customers, suppliers and business partners. The following categories of personal data are processed for the purposes described above:

  • Basic information of the data subject, e.g. name, title and profession, position in the Company, data about the Company, employment related contact data (postal address, e-mail address, phone number), year of birth, gender, native and service language, preferred way of communication;
  • Marketing data, e.g. positions and activities in business and public service; professional preferences and interests; other interests and information provided by the data subject; marketing efforts performed; participation in events; marketing permissions and consents (opt-in), restrictions and bans (opt-out);
  • User data of digital services, e.g. registration data required for a digital account, such as username, nickname, password and any other identifier; information about the service use, such as use and browsing information of the service properties through the digital account of the user; information collected using cookies and other similar technologies, such as the Controller's websites and pages browsed by the user, the device model, individual device and/or cookie identifier, the channel through which the service is accessed (web browser, mobile browser, application), browser version, IP address, session identifier, session time and duration, screen resolution and operating system; location data, such as coordinates calculated using GPS, WLAN connection points or mobile network base stations if the user has given his or her express permission for this purpose.
  • Data related to contacts and communication, e.g. feedback and contact requests, emails, digital forms, chat discussions, phone call recordings
  • Data about the use of social media, e.g. the Controller's website may include Social Media Features, such as the Facebook Like button and Share button. The Controller can receive a comment or link that the user shares from the Controller's website on Facebook. The Controller can also receive the user's public profile data on Facebook, and any information that a Facebook user shares with the Controller's services. Your interactions with these Features are governed by the privacy policy of the company providing it, for example Facebook: https://www.facebook.com/about/privacy and LinkedIn: https://www.linkedin.com/legal/preview/privacy-policy
  • Profile and analysis data, e.g. marketing segments and profiles derived from the above-described data and data from regular sources by using analytics and patterns such as calculating possible interests of the Company/data subject or otherwise segmenting the Company/data subject to a specific group of companies/data subjects.

Only basic data and marketing data as defined above are processed for the purposes of direct marketing to the contact persons of prospective or former customers.

 

5 Regular Sources of Information

Personal data are collected directly from the data subject when the data subject is registering or using a web site or other service; sending a request for contact or information or filling in a form; purchasing or ordering, contracting, participating in events, otherwise interacting with the Controller personally, by phone or digitally. Personal data can also be collected and updated from the websites of the Companies, public and private company and business registers, public authorities, postal operators, public telephone directories, direct marketing and other data brokers, and other similar public and private registers.

6 Disclosure and transfer of data

Controller may disclose personal data to other companies whose products or services the Controller markets and sells to the customers, for example to landlords of business premises and providers of services related to the premises.

Data will not be disclosed to other external parties except when it is necessary to comply with the legal or contractual obligations of the Controller.

Controller may outsource ICT, marketing, communication and other functions to third party suppliers, vendors, or other sub-contractors. In such a case the Controller may transfer personal data to these sub-contractors to the extent necessary for the provision of their services. These sub-contractors will process personal data on behalf of the Controller and must comply with the Controller's instructions and this privacy policy. Controller will ensure through contractual measures that the personal data is processed in compliance with the legislation.

Personal data will not be regularly transferred outside the European Union or the European Economic Area. However, if any transfer outside the EU or EEA is necessary, the Controller will ensure that the country to which the data is transferred is approved as having a sufficient level of privacy protection by the European Commission, or will use standard contractual clauses approved by the European Commission.

7 Data Protection and retention

Access to personal data will be permitted only to persons who need to process data as a part of their employment or other duties. Digital data is protected by firewalls, passwords and other technical means. All data is kept in locked premises secured with physical access control.

Personal data will be retained as long as it is necessary for the purposes. After the relationship between the Controller and the Company has ended or after the Controller is informed that the data subject is no longer a contact person of the Company, the personal data will be deleted with the following exceptions:

  • User data of digital services and data related to contacts and communication shall be retained for five years after the above explained events.
  • Anonymized data can be retained permanently.
  • Basic data and marketing data of the data subject can be retained permanently for direct marketing purposes.
  • When retention is permitted by legislation in force. (Note that data related to the Company is not personal data and can be retained by the Controller e.g. correspondence, purchase orders, data about the use of Controller's products and services when performed as a representative of the Company.)

 

8 Access, rectification and other rights of the data subject

Data subjects have the right to know what kind of personal data has been collected and processed by the Controller. Upon the data subject's request, we will rectify, remove or supplement any incorrect, unnecessary, incomplete or outdated personal data.

Data subjects are entitled to prohibit the use of the data for direct advertising, telemarketing and other forms of direct marketing, as well as to prohibit the use of the data for use in questionnaires and market research.

Data subjects may also withdraw consents they have given, object to or restrict processing of their data in cases defined by law, and complain to the supervisory authority.

The requests can be submitted to contact persons defined in section 2 above. The Controller may need to ask for additional information to confirm the identity of the data subject.