Privacy Statement - Customers, Partners and Vendors
Last updated on 15/5/2024
Kalmar Corporation (“We” or “Kalmar”), recognizes the importance of protecting individuals’ privacy and personal data and processing it in accordance with the applicable privacy laws. It is the purpose of this Privacy Statement (“Statement”) to communicate the ways we process personal data in connection with managing our customer, partner and vendor relationships. This data may concern the personnel, agreement partners or shareholders of the customer that are related to the relationship and in dispute resolution also other persons that are on the opposing party or otherwise involved in the matter.
We comply with the General Data Protection Regulation (EU) 2016/679 (GDPR) as well as with any other applicable data protection legislation. Should any applicable mandatory laws or regulations be in conflict with this Statement, we will respect such laws and regulations over any conflicting parts in this Statement. If you have any questions or inquiries concerning this Statement and/or the collection and processing of your personal data, please contact us at privacy@kalmarglobal.com.
Contact Information of the data controller
Data controller, and therefore the legal entity responsible for collection and use of personal data under this privacy policy is Kalmar Corporation. The contact information of the data controller are the following:
Kalmar Oyj
Business ID: 3424222-7
Address: Itämerenkatu 25, 00180 Helsinki, Finland
Please contact us at privacy@kalmarglobal.com if you have any questions in regards to the protection of your personal data or if you wish to exercise your legal rights.
In regards to detailed data processing activities, individual Kalmar affiliate companies may also operate as data controllers, either independently or jointly with Kalmar Corporation. The contact information of the individual Kalmar affiliate companies are available at https://www.kalmarglobal.com/contacts/Locations/.
Purposes of processing personal data
Our primary purpose is to collect information about our customers who are other businesses and not individual data subjects or people. However, we may collect and process your personal data for the following purposes:
- To provide services to our customers;
- To manage our customer, vendor and partner relationships;
- To execute the legal obligation to prevent, detect and investigate bribery, corruption, money laundering and financing of terrorism and to bring money laundering, terrorist financing and the crime by which the property or criminal benefit that is the subject of money laundering or terrorist financing has been obtained, under investigation (hereinafter “KYC/KYP process”)
- To execute obligations related to sanctions;
- To comply with other applicable legal or regulatory requirements and internal policies, documentation and requirements;
- To handle inquiries, complaints and claims from third parties; and
- To handle inspections and inquiries of supervisory authorities and for the purposes of external audits.
Categories of personal data
We may collect and process the following categories of personal data:
- Name
- Business contact information, such as email address and phone number
- Title and position in the company
Furthermore, for the purposes of KYC/KYP process, we may collect and process additionally the following categories of personal data:
- Social security number;
- Nationality;
- Information on why the individual is a beneficial owner;
- Date of birth;
- Gender;
- Personal contact details, such as home address, email address and phone number;
- Country of residence;
- Photo;
- Employment and education history;
- Criminal and regulatory history;
- Ownership of shares; and
- Any status as or relation to a politically exposed person.
We always screen companies and contact persons against the European Union (EU), Office of Foreign Assets Control (OFAC), and the United Nations (UN) sanctions lists.
The sources from which we gather your personal data
We collect the personal data either directly from you, through your employer company or the company to which you are otherwise related to, or through publicly available sources such as social media channels. We may also collect your personal data from public authorities, Kalmar affiliated companies and other third party relations, depending on the type of the services provided. Examples of third party sources include:
- Registers held by governmental agencies
- Financial sanction lists
- Registers held by credit-rating agencies and other commercial information providers providing information on e.g. beneficial owners and politically exposed persons.
Legal basis of processing personal data
We collect and process your personal data based on one or more of the following legal bases:
1. On the basis of a contract;
One legal basis to process your personal data is to collect and verify the data prior to entering into a contractual relationship with the customer, partner or vendor. We also process personal data to document and complete tasks to fulfil contractual obligations, such as to provide our services to the customer.
2. On the basis of a legal obligation to which Kalmar is subject;
Processing of personal data also takes place to fulfil our obligations under applicable legislation, other regulations or authority decisions. Examples of legal obligations include: KYC/KYP processes, prevention of money laundering and terrorist financing, bookkeeping regulations, reporting to tax authorities and supervisory authorities and other obligations related to service or product specific legislations.
3. On the basis of the consent of a data subject;
We may collect and process your personal data on the basis of your consent. Examples of such situations include processing of special categories of personal data. Information about the purpose, processing activity, categories of personal data and your right to withdraw your consent will be provided when you are asked to give us your consent. Please note that in case you have provided your consent to the processing of your personal data, you can always withdraw the consent at any given time.
4. On the basis of the legitimate interests of Kalmar.
We also collect and process your personal data when necessary to advance our legitimate interests provided that those legitimate interests are not overridden by your interests or fundamental rights and freedoms. The legitimate interests pursued by Kalmar include the following: To take care of business risks, to ensure an effective delivery of services to our customers, to manage the customer, partner or vendor relationship, to ensure effective delivery of services from our vendors for the purposes specified above in Section “Purposes of Processing”, and possible establishment, exercise or defence of legal claims.
These purposes are necessary for the operation of our business in an efficient manner and therefore require the collection and processing of your personal data. We note that the rights of individuals may sometimes override the legitimate interests of a data controller. However, we have made sure that a fair balance is made between the rights of data subjects and the legitimate interests of individuals. To receive more information on the legitimate interests assessment, please contact us at privacy@kalmarglobal.com.
Disclosures of personal data
We may share your personal data with our service providers and business partners that operate and process personal data as data processors on our behalf. These data processors may include IT, technology and tools providers hosting and maintaining our data. Your personal data may be also shared with public authorities, insurance companies and our professional service advisors, such as auditor and legal advisors.
We are committed to applying adequate measures to make sure your personal data is secured reasonably and effectively in all instances, including granting access to personal data only to persons who have a reasonable requirement to access the data to be able to perform tasks they are required to do.
Third country transfers
We may transfer your personal data outside the European Union and/or the European Economic Area. In order to ensure adequate protection of any such transferred data, the following conditions apply:
- The EU Commission has decided that there is an adequate level of protection in the country in question; or
- other appropriate safeguards have been taken, for example the use of the Standard Contractual Clauses approved by the EU Commission or the data processor has valid Binding Corporate Rules (BCR) in place; or
- there are exceptions in special situations, such as to fulfil a contract with you or your consent to the specific transfer.
In any case, we will always ensure that your personal data is adequately protected as required by applicable laws and regulations. To receive more information on the applicable legal transfer mechanism, please contact us at privacy@kalmarglobal.com.
Retention of personal data
We retain the personal data for only as long as that data is necessary for the purposes we have collected it, or if we are required to retain that data for longer periods in order to comply with applicable laws. Therefore, we will retain your personal data for as long as it is necessary for the performance of a contract, or as long as required by retention requirements in applicable laws and regulations. In situations where we keep your personal data for other purposes than those related to the performance of a contract, such as for bookkeeping and anti-money laundering purposes, we retain the personal data only in case it is necessary due to legal or regulatory requirements for the respective purposes.
Please note that the data retention obligations will differ within Kalmar due to differences in local laws. In general, Kalmar will store customer, vendor and partner data for ten years after the end of the respective relationship to establish, exercise and defend against legal claims and to demonstrate compliance with legal and regulatory obligations upon request by authorities. The retention period applied to the personal data in a specific case will, however, depend on the purpose of processing. Examples of different purposes together with applicable retention periods are listed below:
- Information stored for KYC/KYP processes are retained for a minimum of five years after termination of the business relationships or the performance of the individual transaction
- Information stored for bookkeeping purposes is stored due to legal requirement for up to ten years
We will delete or upon notice correct any incorrect or inaccurate data. We are committed to applying our internal data retention policies, as they are in force from time to time.
Our information security practices
Personal data may be stored either in hardcopy or electronic form. We recognise our obligation to safeguard the sensitive nature of all personal data. We are, therefore, committed to applying protective measures to secure against the unauthorized access, modification, collection, copying, use, and disclosure of any personal data. These measures include: (i) limiting the access and uses of information to those Kalmar personnel, contractors and suppliers and persons who, for in order to be able to perform their relevant tasks need to have, on a fair and lawful basis, access to personal data; (ii) use of physical and electronic access codes and passwords to control and restrict access; (iii) training and raising awareness on relevant employees and other personnel about data protection and privacy; (iv) applying updates and at-minimum-industry standard technical security measures.
Rights of the data subjects
As a data subject you have the right to ask us to tell you what data we at any given time store about it. Subject to local applicable laws you also have the right to:
- Request to access your personal data we are keeping about you
- Request correction of incorrect or incomplete data
- Request us to erase your personal data if you deem that it should be erased, subject to applicable laws and our retention criteria
- Request us to restrict the use of your data or object to our processing of your personal data;
- Object to us in processing your personal data;
- Request us to move your personal data over to you or to another data controller in accordance with the applicable law;
- If we have requested and you have given us your consent to process your personal data, you may have the right to withdraw that consent in accordance with applicable laws; and
- Lodge a complaint with a relevant data protection authority if you deem that we have processed your personal data in violation of the applicable data protection laws.
We will review such requests and execute them to the fullest extent possible in accordance with applicable laws. If you want to review or verify personal data about you, or to have it corrected or request its erasure, or to restrict or object to the processing of your personal data, or to request a copy of such data, you may exercise your rights by contacting us at privacy@kalmarglobal.com.
You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the data or to exercise any of your other rights. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Changes to this Statement
We reserve the right to update this Statement at any time and encourage you to review this Statement from time to time for any amendments.