Uponor International Sales
Industriestrasse 56, 97437 Hassfurt, Germany

Uponor Supplier and Service Provider Privacy Statement

1. Controller

Uponor Corporation and its affiliates listed in Uponor Corporation’s latest financial review available on https://www.uponorgroup.com/en-en/investors/reports-and-presentations/annual-publications, in parallel, (together “Uponor”).
Ilmalantori 4
FI-00240 Helsinki
FINLAND
 
2. Contact Information

You can reach the data controller at: privacy@uponor.com. In case you wish to make a request relating to your personal data, please use the forms available at https://www.uponorgroup.com/en-en/legal-information/data-protection and on the local Uponor websites.
 
3. Group of Data Subjects

Uponor processes data on representatives, employees, directors and officers of Uponor’s suppliers, subcontractors, vendors, service providers, partners, joint venture partners, consortium partners and research and development partners (also potential ones) (“Supplier” or “Potential Supplier”).

4. Purpose and Legal Basis of Processing Personal Data

The purposes for processing the personal data are communications to Suppliers and Potential Suppliers, management of Uponor’s relations with its Suppliers and Potential Suppliers, including the processing of personal data of Suppliers and Potential Suppliers for the following purposes:
  • ensuring the performance of Suppliers’ and Potential Suppliers’ obligations towards Uponor and performing Uponor’s obligations towards Suppliers and Potential Suppliers;
  • handling, evaluating and enforcing Supplier’s, Potential Supplier’s or Uponor’s obligations or liabilities;
  • exercising Uponor’s rights;
  • upholding and developing the supplier relationships;
  • managing requests for quotations and quotations as well as other binding or non-binding documents;
  • establishing a supplier relationship between the Supplier or Potential Supplier, and Uponor;
  • supplier marketing and communication purposes such as for conducting supplier marketing research, direct marketing, automated marketing, informing the Suppliers and Potential Suppliers of new features, new products or launches, and special promotions;
  • managing and handling any product liability matters;
  • developing Uponor’s services and products; and
  • statistical and analytical purposes, including website analytics.
 
Collection and processing of personal data is based on the legitimate interests of Uponor. These interests arise from the relationship between the Supplier or Potential Supplier, and Uponor. Additionally, Uponor may send electronic direct marketing to Suppliers and Potential Suppliers based on their consent if such consent is required under the applicable legislation.
The Supplier personal data may be stored as long as Uponor needs it for the above listed purposes, however typically not longer than ten years.
The Potential Supplier personal data may be stored as long as Uponor needs it for the above listed purposes, however typically not longer than two years.
 
5. Content of the Personal Data Processing

Uponor may process especially the following information:
  • Basic information, such as: name, date of birth, e-mail address, telephone number, address, position;
  • Qualification data;
  • Personal identification number (if company business identification number is not available);
  • Information on Supplier projects;
  • Information on products and services ordered from the Suppliers and Potential Suppliers and information on products and services offered by the Suppliers and Potential Suppliers to Uponor;
  • Information on meetings and other activities with the Supplier and Potential Supplier;
  • Information regarding the contents and method of communications (e.g. email, SMS) with the Supplier and Potential Supplier;
  • Preferences of existing Suppliers in recreational activities for the purpose of upholding the relationship with the Suppliers; and
  • Preferences of Potential Suppliers in recreational activities for supplier marketing purposes.
 
6. Regular Sources of Data

The personal data is primarily collected from each data subject themselves, by Uponor personnel or through websites or applications. In addition to publicly available sources, personal data may in some situations, as allowed by applicable legislation, be collected from other sources than directly from the data subject, e.g. from Uponor’s subcontractors or service providers.
Uponor informs each data subject of the data processing, including of any third party data sources and data collected from such sources, in accordance with applicable legislation.
The data is entered into the personal data databases by the data subjects, Uponor’s personnel and by Uponor’s subcontractors or service providers.

7. Disclosure and Transfer of Personal Data Outside the EU/EEA Area

Uponor may disclose and transfer personal data outside EU/EEA in accordance with and subject to the limitations imposed by applicable legislation as follows:
  • to companies belonging to the Uponor Group in accordance with a contract entered into between the relevant Uponor entities, incorporating the European Commission’s Standard Contractual Clauses, which ensure that adequate data protection arrangements are in place, as well as
  • to authorized third parties to the extent they participate in the processing of personal data for the purposes stated in this privacy statement. The personal data may be processed by such authorized third parties also outside EU or EEA in accordance with a contract entered into between Uponor and such authorized third party, incorporating the European Commission’s Standard Contractual Clauses or other appropriate safeguards for data transfers as listed in the EU General Data Protection Regulation (2016/679) (GDPR), which ensure that adequate data protection arrangements are in place. Uponor shall oblige such third parties to keep confidential and adequately secure any such transferred personal data; or
  • based on consent; or
  • as otherwise permitted by applicable legislation.
For technical reasons and for reasons related to the use of data, the personal data may be stored on servers of external service providers who may process the data on behalf of Uponor.
Any transfers of personal data shall be made in accordance with the General Data Protection Regulation and any applicable mandatory legislation, as may be amended from time to time.

8. Rights of Data Subjects

Unless any limitations apply, each data subject has the right to access all personal data Uponor has on them. Each data subject also has the right to request that Uponor corrects, erases or stops using any erroneous, unnecessary, incomplete or obsolete personal data. Each data subject may also withdraw any consent previously provided by them, and object to all direct marketing.
Any requests should be sent via the request forms available at https://www.uponorgroup.com/en-en/legal-information/data-protection and on the local Uponor websites. Uponor processes all requests as soon as possible. If dissatisfied with the decision or actions of Uponor, each data subject has the right to lodge a complaint with his/her country's data protection authority.

9. Principles of Securing Personal Data – Technical and Organizational Controls

Uponor shall ensure that sufficient technical and organizational personal data protection measures are implemented and maintained throughout its own organization. Further, Uponor shall ensure that any transfer or disclosure of personal data described in this privacy statement to any third party is subject to Uponor having ensured an adequate level of data protection by agreements or by other means required by law.

Technical controls:
Physical material is stored in locked spaces with restricted access. Any IT systems are secured by means of the operating system’s protection software. Access to the systems requires entering a username and a password and data transfers happen via high encryption channels.

Organizational controls:
Within the organization of Uponor, the use of the personal data is instructed, and access to IT systems including personal data is limited to such persons who are entitled to access them on the basis of their work assignments or role and who are subject to confidentiality obligations regarding the personal data.