Vendor and Service Provider Register Privacy Policy

1. Regulator

Uponor Corporation and its subsidiaries listed in The Uponor Corporation's most recent financial statement, available on the Website www.uponorgroup.com/en-en/investors/reports-and-presentations/annual-publications/2020 (hereinafter together “Uponor”)
Äyritie 20
01511 Vantaa
FINLAND

2. Contact Information

Contact information is available at: www.uponorgroup.com/en-en/legal-information/data-protection

3. Name of the Uponor's

personal data register of suppliers and service providers.

4. Group of persons to whom the

data refer Representatives, employees, directors and employees of suppliers, subcontractors, service providers to suppliers, partners, partners of the joint venture, consortium partners and research and development partners (including potential partners) of Uponor (hereinafter referred to as "supplier" or "potential supplier").

5. The purpose of the processing of personal data and the

legal basis for processing Uponor uses this personal data register to communicate to suppliers and potential

suppliers and to manage relations with its suppliers and potential suppliers, including the processing of personal data of suppliers and potential suppliers for the following purposes: • ensuring the implementation of the obligations of suppliers and potential suppliers towards Uponor and the implementation of the obligations towards suppliers' and potential suppliers;'
• addressing, evaluating and enforcing the obligations and responsibilities of suppliers, potential suppliers or Uponor;
• exercise of Uponor's rights;
• maintaining and developing relationships with suppliers;
• management of offers and other binding and non-binding documents;
• establishing a relationship between the supplier or potential supplier and The Uponor;
• marketing and communication purposes with the supplier, such as conducting marketing research for the supplier, direct marketing, automated marketing, informing suppliers or potential suppliers of new features, new products or presentations and specific promotions;
• managing and handling all matters relating to the responsibility of the manufacturer;
• development of Uponor services and products
• statistical and analytical purposes, including website analysis.
The collection and processing of personal data shall be based on the legitimate interests of Uponor. These interests stem from a relationship with the supplier or potential supplier and Uponor. In addition, Uponor may send direct electronic marketing advertisements to suppliers or potential suppliers on the basis of their consent, provided that such consent is required in accordance with applicable law.
Uponor may keep the personal data of suppliers for as long as it needs for the above purposes, but usually no longer than 10 years.
Uponor may keep the personal data of potential suppliers for as long as it needs for the above purposes, but usually no longer than two years.

6. The contents of uponor's personal data register

may process in particular the following types of data in the register of personal data:

• qualification data;
• personal identification number (if the company business identification number is not available);
• information on supplier's projects;
• information on products and services ordered from suppliers or potential suppliers, as well as information on products and services ordered by suppliers or potential suppliers from Uponor;
• information on meetings and other activities related to the supplier or potential supplier;
• information about the content and mode of communication (e.g. by e-mail or SMS) with the supplier or potential supplier;
• interest of existing suppliers in recreational activities for

the purpose of maintaining a relationship with suppliers and • the interest of potential suppliers in recreational activities for marketing purposes for the supplier.

7. Regular data sources

Personal data are collected primarily from each data subject by Uponor's staff or through a website or application. In addition to publicly available sources, personal data may in some cases be collected in sources other than those permitted by applicable law, and not directly from the data subject.
Uponor shall inform each data subject, in accordance with applicable law, of the processing of the data, including any data from third parties and data collected in those sources.
Data for each data subject are entered in the register of personal data by Uponor's staff and Uponor's subcontractors and service providers.

8. The disclosure and transfer of personal data outside the EU or EEA

uponor may disclose and transfer personal data outside the

EU or eea in accordance with applicable law and subject to the limits laid down in applicable law: • companies belonging to the Uponor Group, in accordance with a contract concluded between the relevant Uponor legal entities, which includes the European Commission's standard contractual clauses, ensuring that sufficient data protection mechanisms are in place and for authorised third parties, provided that they cooperate with the processing of personal data for the purposes specified in that register of personal data. These authorised third parties may also process your personal data outside the EU or the EEA in accordance with a contract concluded between Uponor and these authorised third parties, which includes the European Commission's standard contractual clauses, which ensure that sufficient data protection mechanisms are in place. Uponor will require those third parties to maintain the confidentiality of all such personal data transferred and to protect them by appropriate measures;

• by consent
or
• by other means permitted by applicable law.
Personal data may, for technical or reason related to the use of data, be stored on servers of external service providers that can process data on behalf of Uponor. All transfers of personal data must be made in accordance with the General Data Protection Regulation (2016/679) and any applicable binding legislation which may be amended from time to time.

9. Rights of data subjects

If no
other restrictions are applicable, each data subject shall have the right of access to all personal data held by Uponor. Any data subject shall also have the right to send a request to Uponor for rectification, erasure or termination of any incorrect, unnecessary, inaccurate or obsolete personal data. Any data subject may also withdraw any consent he has granted and shall unsue from any direct marketing. All requests must be sent to the address indicated in section 2
above. Uponor processes all requests as soon as possible. If the data subject is not satisfied with Uponor's decision or measures, he or she shall have the right to lodge a complaint with the data protection authority in his country.

10. Principles of protection of personal data

– The possibilities of technical and organisational surveillance
uponor will ensure the implementation and maintenance of appropriate technical and organisational safeguards for the protection of personal data throughout the organisation. In addition, before any transfer or disclosure of personal data described in this register of personal data, Uponor will ensure an adequate level of data protection to any third party by entering into agreements or by other means required by law.

Technical control options:
Physical materials are stored in locked spaces with restricted access.
All IT systems are protected by operating system protection software. To access the systems, you must enter a user name and password, and data transfers are made through heavily encrypted channels.

Organisational control options:
Uponor's organisation defines instructions for the use of personal data, and access to IT systems, including personal data, is only allowed to persons who are entitled to access on the basis of their work assignment or role and who are subject to confidentiality