Last updated July 2022
This Privacy Statement informs about the processing of personal data by SSAB group companies including SSAB AB and its affiliates Tibnor and Ruukki, among others ("SSAB"). It answers the questions of what personal data SSAB collects, uses or shares, for what purposes the data is collected and what rights persons have. The persons whose information is processed can be SSAB’s customers, representatives of corporate customers or potential customers, supplier representatives, other intermediaries and business partners, shareholders, site visitors or internet and digital users visiting the website or other digital service platforms or other persons having a connection to SSAB ("Users").
SSAB also processes personal data of its consumer customers and contacts in the course of Ruukki and Plannja business activities. For this purpose, we have a separate B2C Privacy Statement which you can find at www.ruukki.com/b2cprivacy
SSAB's website may contain links to websites and services of third parties. These websites or services are subject to their own privacy statements. SSAB does not take any responsibility of third parties’ privacy statements or the processing of personal data in third parties’ operations. Please pay attention to their respective privacy statements and subsequent changes to them.
The data controller responsible for the SSAB group’s personal data processing activities is SSAB AB (registration number: 556016-3429, address: P.O. Box 70, SE-101 21 Stockholm, Sweden). This includes accountability for all data processing on a corporate level, for example for marketing and digital service tools provided in SSAB group companies. SSAB is responsible for ensuring that personal data is processed in compliance with this Statement and applicable data protection laws.
In addition, SSAB affiliate can be regarded as the data controller in separate contractual or other cooperation relationship or in connection with certain statutory personal data processing and compliance with local legal requirements of an individual legal entity part of the SSAB group. SSAB group companies also share personal data for administrative purposes and to facilitate the business operations of the group and the individual legal entities. The information of SSAB group companies and affiliates can be found in the latest Annual Report at https://www.ssab.com/en/company/investors/reports-and-presentations and at https://www.ssab.com/en/company/about-ssab/our-business. Regardless of the data controller in a specific situation, the primary contact for privacy matters in SSAB is: email: data.privacy(at)ssab.com.
SSAB processes the personal data of Users for various purposes, which are explained below.
The main purpose of processing personal data is to deliver SSAB's products and services, as well as to source services and material for SSAB’s business needs, and provide website and other digital services. The processing of personal data is primarily based on contract, including processing needed prior to entering into a contractual relationship with the company or organization the User is representing, or in some cases also with the User directly.
Users' personal data is used to manage communication with Users and for marketing purposes. In this respect, processing can be based on SSAB's legitimate interest to provide Users with relevant and up-to-date information as part of the website as well as through other digital platforms and services. Processing can also be based on SSAB's legitimate interest to promote SSAB's latest products and services as well as to personalize the User experience and to evaluate customer satisfaction.
In certain regions, marketing via electronic means is based on Users' prior consent, for example for sending marketing messages. Users should refer to section 6 below for further information about marketing communications and Users' rights in this respect.
SSAB may process technical data, including some personal data for information security and access surveillance purposes and fraud prevention. SSAB maintains also information and facility security measures to safeguard health and safety as well as business information and business assets in order to avoid injuries at its facilities, to prevent property damage and criminal activities and to ensure the availability of the websites and services. This processing is based on SSAB's legitimate interest to ensure an appropriate level of network, facility and information security and the safety of others. SSAB also processes information about visitors to its facilities. This processing of visitor information is based on SSAB’s legitimate interest to enable external visits to its facilities and business premises.
Sometimes personal data may be used to comply with a legal obligation. In SSAB’s business operations, this means for example that personal data processing may be needed in order to be in compliance, with i.a. the following statutory requirements: (i) reporting and audit, (ii) Market Abuse Regulation, (iii) sanctions and other compliance screening, (iv) whistleblowing procedures, (v) corporate governance requirements and (vi) share and shareholder registers (incl. attendance at shareholders’ meetings). In addition, certain personal data may be stored for dispute resolution purposes to be able to establish and defend legal claims.
Users' personal data may be processed in other SSAB group companies. In this case, the processing of personal data can be based on contractual obligation or SSAB's legitimate interest for internal administrative purposes to organize and manage e.g. customer and supplier relationships, marketing as well as information security measures and other business functions within the group in an appropriate and practical way.
SSAB may collect personal data through different means, which are explained below.
SSAB processes personal data for the purpose of maintaining a good business relationship, for example when providing and delivering products or services, maintaining customer communications, sourcing material, products and services for its business needs, or otherwise interacting with business partners or other stakeholders. This personal data is mostly collected directly from Users.
Depending on the Users' interaction, SSAB may collect the following personal data:
SSAB may collect personal data when Users contact SSAB's customer service, use website chat, deploy SSAB’s digital service platforms, contact SSAB otherwise, order SSAB's newsletter or participate in surveys or competitions on websites or elsewhere. This personal data is collected directly from the Users.
SSAB may collect personal data that the User has shared with SSAB, such as
SSAB collects and processes the following technical data about the User and the use of the website, products and services provided by SSAB:
SSAB may, from time to time, also collect information from publicly available sources and third parties, such as social networks and marketing companies. For example, SSAB may receive basic information about the User's social network profile, if the User login to SSAB's website or services using a social network account.
SSAB may disclose Users' personal data to the following third parties:
As some SSAB group companies are located outside of the EU/EEA, Users' personal data may be transferred outside of EU/EEA, such as to the United States. In these circumstances , SSAB will use the required established mechanisms for the transfer outside of the EU/EEA, including the Standard Contractual Clauses approved by the European Commission. Please contact data.privacy(at)ssab.com for more information about the applicable safeguards for international data transfer in question.
SSAB may use subcontractors for the personal data processing set out above. When necessary and to the extent required, personal data may be transferred to a country outside of the EU/EEA. In this case, SSAB will use the required established mechanisms that allow the transfer to subcontractors in those third countries, such as the Standard Contractual Clauses approved by the European Commission and additional safeguards to protect the transferred personal data. Please contact data.privacy(at)ssab.com for more information about the applicable safeguards for international data transfer in question.
When a User provides SSAB with contact details, for example, in connection with the sale of a product or service, contacts SSAB's customer service, orders a handbook or other materials on the website or participates in competitions or surveys, SSAB may use the User's personal data for marketing purposes and to promote SSAB's latest products and services as well as to personalize the User experience. Pursuant to applicable laws, Users are given the opportunity to give their prior consent or are allowed the opportunity to opt-out of receiving marketing communications from SSAB or other group companies.
SSAB may provide a User with product and service updates, newsletters and other communications about existing or new products and services by email and text message (SMS) if the User has given prior consent or if SSAB is otherwise permitted to do so under applicable law.
A User may unsubscribe from marketing communications at any time by clicking on the "unsubscribe" link located at the bottom of emails.
SSAB may create User group profiles or segment data for the purpose of creating aggregated statistics about the use of SSAB's websites, products and services, such as to estimate the number of Users, viewed pages, email reads and detect which parts of the website Users find the most useful, to identify features that could be improved and to provide context based advertising to User groups. Data collected for these purposes is not used to identify a particular User but to analyze how Users in general or User groups use the website or services.
When SSAB collects or uses information about a User's web browsing for e-marketing purposes, this will be based either on User’s consent or SSAB’s legitimate interest. If the processing of information about User is based on a legitimate interest, the User has the right to object to this at any time by contacting SSAB. Regarding the right to object, please refer to section 8 below for further information.
The personal data will be retained only for as long as necessary to fulfill the purposes defined in this Privacy Statement. After that, personal data will be removed except when personal data retention is required by law or rights or obligations by either party.
Here are the main rules for the retention periods:
A User has the right to access personal data that SSAB holds about him or her.
A User has the right to request their personal data to be corrected, updated or removed at any time. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this Statement and may also be required by law. Therefore, the deletion of such data may not be allowed by applicable law which prescribes mandatory retention periods or if there is an overriding interest to keep processing the data for the intended purpose.
A User has a right to object to processing that is based on a legitimate interest of SSAB on grounds relating to their particular situation at any time. In addition, whenever the processing of personal data is based on User’s consent, a User has the right to withdraw the consent at any time. The way in which Users can exercise their right to object or withdraw their consent depends on the processing purpose and activity in question. These rights can be at all times exercised also by contacting SSAB by email at firstname.lastname@example.org. To the extent required by applicable data protection law, Users have a right to restrict data processing.
A user has a right to data portability, i.e. the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law. This applies only to personal data provided by the User based on customer contract or the User's consent.
Please send any requests regarding the above-mentioned rights to SSAB at data.privacy(at)ssab.com. Any requests related to the exercise of privacy rights will be responded within one month or within the applicable regulatory time limit.
If a User thinks there is a problem with the way SSAB is processing the User's personal data, the User has a right to file a complaint to the national data protection authority in the EU/EEA.
SSAB maintains reasonable security measures, including physical, electronic and procedural measures, to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, SSAB limits access to this information to authorized employees and contractors who need to know that information in the course of their work or assignment and to third party service providers who may only process data in accordance with instructions provided by SSAB.
Please be aware that although SSAB endeavors to provide reasonable security measures for personal data, no security system can prevent all potential security breaches.
SSAB may amend this Privacy Statement and the related information. SSAB recommends that Users regularly access the Privacy Statement to find out about any changes to it. SSAB will always provide the date of the Privacy Statement to allow the Users to see changes. Please note that this Privacy Statement is for information purposes only.
SSAB will inform Users of any substantial changes by using reasonable and available channels.
For requests regarding SSAB’s Privacy Statement or personal data SSAB holds about the User in question, please contact SSAB by email at data.privacy(at)ssab.com.