header

GDPR for suppliers

Here you will find information about how we collect and use Personal Data about you.

Introduction

This information about Veidekke Entreprenad AB's, org.no. 556508-6583, (the “Company”) processing of Personal Data applies when:

  • you have a user account on the Company's Supplier Portal (the “Portal”).
  • your Personal Data has been provided by a user of the Portal.
  • The Company has obtained your Personal Data in connection with the Company adding or updating information about your employer/company as a potential supplier to the Company's supplier register (the “Supplier Register”).

This information statement concerning the processing of Personal Data (“Information Statement”) aims to clearly inform what personal information the Company collects and processes, how it is processed, the purpose of the processing, on what legal basis the processing takes place, who may access the information and the rights you and your employees have in connection with the processing. Below is also a description of the measures taken to protect Personal Data and how you can contact us if you have any questions about our processing of Personal Data.

General starting points

Portal

The IT system and the Portal are provided by the Company's subcontractor Primona AB, org. no. 556583-2374 (“Primona”), and in connection with the registration of the User Account on the Portal, the User has been informed of the terms of use that Primona sets for the use of Primona's service. With regard to the Company's potential processing of Personal Data, we also want to provide information about the Company's Personal Data responsibility and processing within the framework of the Portal.

The company processes Personal Data in a number of respects within the framework of the use of the Portal.

The Portal aims to enable and identify potential collaborations regarding future agreements and projects between the Company and users of the Portal. Through the data a user registers about their employer/company on the user account in the Portal, the Company may process Personal Data within the context of the use of the Portal.

The Company processes Personal Data that a user records on their user account in the Portal or is provided by the User in connection with submitting a tender, setting up an alert or taking another action in the Portal. It is the user who specifies what Personal Data should be in the Portal.

The supplier register

The aim of the supplier register is to enable the Company to easily identify partners for future contracts and projects. In order to enter or update information about a potential supplier in the Supplier Register, the Company has obtained data from third parties and from the supplier's website or other material distributed by the supplier. Through the collection of the data, the Company has obtained information about individuals and has entered them as contact persons for the supplier in the Supplier Register. 

If you have been registered as a contact person for a potential supplier in the Supplier Register and you believe that this is incorrect or someone else should be listed as a contact person in your place, you are welcome to contact the Company. There is also the possibility to create a user account in the Portal. By creating a user account in the Portal, you can edit the information held by the Company and obtain information about and participate in the Company's subcontractor procurement.

Common starting points

The Company processes Personal Data as a result of the Company's legitimate interest in the processing which the Company, after a balancing of interests has judged, outweighs opposing interests. For more information on the legal basis for processing, see the heading “Lawful basis and purpose”.

The privacy of you and your employees is important to us at the Company and you should always feel safe when submit information or receive information that another party has provided personal information to us. The Company will always comply with applicable laws on how Personal Data may be processed, including the EU General Data Protection Regulation 2016/679 (GDPR), the Data Protection Act and other applicable legislation.

You may contact us at any time with questions regarding our processing of Personal Data.

Processing

Data controller

The Company is the controller of the Personal Data that the Company collects or receives and processes about you and your employees. This means that it is the Company that makes decisions about the processing of Personal Data. 

Personal data that is processed

Personal data refers to any kind of information that can be attributed directly or indirectly to a natural person who is alive.

Portal

The information collected and processed within the framework of the Portal includes information provided by a user. The Portal thus contains personal information about the user of the Portal and about the employees and contact persons that the user provides information about.

In the context of the use of the Portal, among other things, the following Personal Data may be processed:

  • name
  • e-mail address
  • phone number
  • employer/company
  • any professional role
  • credit information about the company and its representatives;
  • IP address
  • Social security numbers (processed only in cases where the Company needs to process social security numbers in order to fulfil our purposes or where we otherwise have to ensure that we interact with the right person) and other Personal Data obtained by the Company from you within the framework of the various functions of the Portal.

    (known collectively hereinafter as “Personal Data”)

The supplier register

The information collected and processed about you within the Supplier Register includes information that you provide to the Company yourself and information that the Company receives from third parties or your employer/company. Such information includes:

  • name
  • e-mail address
  • phone number
  • employer/company
  • any professional role
  • credit information about the company and its representatives;
  • Social security number (processed only in cases where the Company needs to process social security numbers in order to fulfil our purposes, or where we need to ensure that we interact with the right person)

    (hereinafter known collectively as “Personal Data”)

Personal data not processed

Within the framework of the Portal, the Company does not process any cookies. If the processing of any cookies occurs, this is done so outside the Company's control. A user of the Portal is therefore referred to the Terms and Conditions for Cookies that apply under Primona's Terms of Use in accordance with the above.

Furthermore, the Company does not intend to process certain specific categories of Personal Data, known as sensitive Personal Data (excluding social security numbers) in respect of its suppliers.

Users of the Portal have a responsibility to ensure that this type of Personal Data is not processed in the Portal when the user records Personal Data there. Sensitive Personal Data that is not processed in respect of suppliers includes information about:

  • ethnic origin
  • political views
  • religious or philosophical beliefs
  • membership in a trade union
  • salutation
  • a person's sexual life or sexual orientation
  • genetic data
  • biometric data used to unambiguously identify a person
  • Personal Data relating to criminal convictions as well as violations of the law involving criminal offences.

The Company reserves the right to take the necessary measures at its disposal under applicable legislation for this type of Personal Data processing, including claiming liability for incorrect processing.

Legal basis and purpose

The Personal Data will be processed by the Company based on the Company having concluded that on balance the Company's interest in processing the Personal Data outweighs the interest of the persons concerned that the Personal Data is not processed, a so-called balancing of interests. This is based on the fact that the Company needs to process the Personal Data in order to have effective and efficient communication with and management of potential and existing suppliers.

In addition, within the framework of both the Portal and the Supplier Register, the Company has the opportunity to obtain credit information from a credit reporting company about each company, which also includes a check on the company's representatives. After a balancing of interests, the Company has come to the conclusion that the Company's interest in having the opportunity to check each company's ability to pay outweighs the interest of the persons concerned that the Personal Data is not processed.

The purpose of obtaining the credit information is that it shall form part of the Company's basis for assessing a company's financial conditions and its suitability to participate in future tender procedures.

Portal

It may be assumed that persons whose Personal Data has been provided in the Portal through their positions with their employer/company have the task of being a contact person and/or appearing in documents and data submitted in the Portal.

The purpose of the processing of Personal Data is above all that the Company shall be given the opportunity to contact and communicate with the person concerned regarding issues that arise within the Portal, and be able to assess and evaluate received tenders within the framework of the services in the Portal.

The supplier register

It may be assumed that persons who, in information obtained by the Company from third parties or from the person's employer's website or other material distributed by the employer about the person's role with the employer/company, have voluntarily agreed to act as a contact person for potential customers.

The purpose of processing the Personal Data is for the Company to be given the opportunity to contact the person concerned with inquiries regarding potential contracts and projects where the employer/company may be a supplier to the Company.

Further processing and collection of consent

In cases where the Company needs to process the Personal Data for any purpose other than those listed above, the Company will provide information about this by updating this page.

In the event that the Company and your employer/company enter into an agreement, the Company may process the Personal Data in accordance with the contract agreement and the related separate Information Statement.

Should the Company need to process the Personal Data for any purpose that under applicable law requires your consent, the Company will also obtain consent prior to commencing such processing. Consent to such processing is entirely voluntary.

How do we share the information with other companies?

  • The Company will disclose such Personal Data to third parties that the Company is legally obliged to disclose it to.
  • Personal Data may also be transferred within the Company's group of companies in order to determine whether your employer/company should be contacted for possible collaboration.
  • The Company may also share Personal Data with a number of partners, such as Primona, in order to give the user of the Portal access to the various services in the Portal. The Company uses a number of database and software providers to run and maintain the Portal and the Supplier Register, and to communicate with you. The Company always enters into confidential agreements with such external parties and complies with the requirements of applicable legislation on how the transfer of Personal Data may be carried out and how Personal Data may otherwise be processed. This ensures the security and confidentiality of the Personal Data.
  • In addition to what has been stated above, the Company may disclose Personal Data to third parties to, for example, comply with a court decision/authority order or other legal obligations, as well as to protect the rights, property or to safeguard the security of the Company and its group companies or other. The Company will always endeavour to restrict access to Personal Data as described above and share only information reasonably needed to enable recipients to do their work or provide their services.
  • The Company will also require recipients of Personal Data in accordance with the above paragraphs to protect the Personal Data in accordance with this page and applicable law, and not to use or disclose the Personal Data for any purpose other than the purpose for which it was disclosed.

Transfers to third countries

The Company will not transfer Personal Data to third countries (i.e. a non-EU/EEA country).

Security

At all times, the Company complies with the applicable security requirements for the processing of Personal Data and has taken the organisational and technical security measures necessary to protect the Personal Data against unauthorised access, modification and deletion. Measures taken include encryption, antivirus protection, firewalls and permission restriction, as well as strict permission restriction if necessary. 

Rights

The Company is responsible for ensuring Personal Data is processed in accordance with applicable legislation. It is our duty to only process Personal Data that is accurate, relevant and necessary taking into account our purposes, and the Personal Data subject has the right to verify that this is done.

The Company will, upon request or on its own initiative, correct, de-identify, delete or supplement any information found to be incorrect, incomplete or misleading.

You as an individual have a number of rights under applicable law.

Right to access, rectification, deletion, etc.

You have the right to be informed of which Personal Data the Company processes. You also have the right to have incorrect Personal Data corrected and request the Company to delete some or all of the Personal Data. However, the Company cannot delete Personal Data if there are legal reasons for continued processing.

Right to restrict processing

You have the right, under certain conditions, to have your Personal Data marked so that it may only be processed for certain defined purposes. Among other things, you can request a restriction when you believe that information is incorrect and have requested a correction as above. While the correctness of the data is investigated, the processing of it will be restricted.

The Company will notify you if the investigation has concluded that the processing is to be restricted. The Company will ensure that the necessary corrections or deletion of data as well as restrictions on the processing of data are also made by the companies to which the Company has disclosed the Personal Data.

Right to object

You have the right to object at any time to the processing of your Personal Data based on a balancing of interests. Upon such request, the Company will cease processing such Personal Data on the basis of a balancing of interests. This is unless the Company is unable to demonstrate compelling and justified reasons for continuing to process the Personal Data that outweigh your interest in the termination of the processing, or if there are legal reasons for further processing.

Data portability

You have, under certain conditions, the right to have all Personal Data based on consent or fulfilment of an agreement transferred from the Company to another data controller (a so-called right to data portability) The Company will then send the Personal Data to the person designated by you to be the recipient of the information.

Requests and complaints

The request to exercise any of the rights listed above is made to the Company. The request must be in writing and signed by you as an applicant and sent to the address listed below.

You also have the right to contact the Company or the Swedish Authority for Privacy Protection at any time to make a complaint regarding the Company's processing of Personal Data.

Storage period

The Personal Data will be processed and stored by the Company for the period necessary to fulfill the purposes specified above. Thereafter, the Personal Data will be deleted or anonymised. In determining the period during which the Personal Data will be stored, the Company takes into account in particular the requirements for retention periods arising from law, limitation periods, government recommendations and industry practices.

The Company will also send an inquiry at the required intervals to the contact persons who have been registered in the Portal or the Supplier Register to verify whether the Personal Data held is out of date or incorrect. In connection with this, information is provided on how you can proceed if you want the Company to delete or modify the Personal Data.

In the Portal, an e-mail will be sent out to you after you have been inactive in the Portal for three (3) years. If you do not respond to the message, the information recorded about you in the portal will be deleted within [three weeks] of the message being sent.

If you are registered in the Supplier Register, an e-mail will be sent out to you once every two years. The notice will indicate how you can proceed to delete or modify the Personal Data the Company has registered about you there.

Further information about how long the Company intends to process specific Personal Data is set out in the Company's archiving and data erasing routine, which can be found on the Company's website www.veidekke.se.

Changes

The Company reserves the right to amend this Information Statement. If the Company updates the Information Statement, the Company will inform you by e-mail at the e-mail addresses you have registered for being informed of significant changes and attach the updated version of the Information Statement. The current version of the Information Statement is also available on the Company's website www.veidekke.se.

Contact information

In the event that you have any questions or if anything is unclear in this Information Statement, please contact the Company via the mailing address, e-mail address or telephone number below.

Veidekke Entreprenad AB, org.no: 556550-7307
Address: Box 1503, 172 29 Sundbyberg, Sweden
Tel: 08-635 61 00
E-mail: dataskyddsombudet@veidekke.se