PRIVACY STATEMENT
1. INTRODUCTION
Sweco (“Sweco Ireland Limited), “we“, “us” or “our“) is processing your personal data when you interact with us in various contexts. The controller for the processing described in this privacy notice is the Sweco group entity that has provided you with this privacy notice.
We respect your privacy and protect the personal data we process about you. All processing of personal data is carried out in accordance with the requirements set out in the general data protection regulation (“GDPR“)[1] and other applicable personal data protection legislation.
We may at our own discretion update this privacy notice at any given time (see at the end the date this notice was last updated). If material changes are made, we will provide notice on this website prior to the change becoming effective.
Throughout this privacy notice the term “processing” is used to cover all activities involving your personal data, including e.g. collecting, handling, storing, sharing, accessing, using, transferring and disposing of your personal data. The term “personal data” refers to any information relating to an identified or identifiable natural person.
You may read this notice as a (i) website visitor, (ii) supplier representative or employee, (iii) client representative or employee, (iv) job candidate, (v) prospective client contact or (vi) government, public authority or international organisation officials or employees. To make this notice more relevant to you, the notice is divided into sections with specific information related to the various roles that you may have when we are processing your personal data.
2. WEBSITE VISITORS
2.1 How do we collect your personal data?
We collect the data directly from you or data that is generated by you, including your devices, when visiting our website.
2.2 Purposes of the processing of your personal data
2.2.1 Maintain, protect and develop the website
When you are browsing the website, we will process your IP address and browser user agent string to help spam detection. In addition, your personal data may be processed to administrate and improve this website, for our internal records and for statistical analysis. For more info about the way cookies and tracking are used on our websites, please read our cookie statement.
Categories of personal data | Legal basis |
· IP address · Browser user agent string (UA)
| Legitimate interest. The processing is necessary to satisfy our legitimate interest to ensure that our website is continuously maintained and updated, and protected against malicious attacks.
Consent. Personal data that is collected for purposes other than for our legitimate interest, will be collected with your consent only.
|
2.2.2 Communicate with you and respond to your questions or feedback
Where we offer you a possibility to communicate with us by asking questions or providing feedback regarding our services and our business, we will process your personal data when you submit a question, comment, feedback or any other message. The purpose of the processing is to be able to communicate with you.
Categories of personal data | Legal basis |
· Name · E-mail address · Address (if needed for communication) · Phone number (if provided by you) · Any information included in your message.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to communicate with our website visitors, e.g. to develop our business. |
2.2.3 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
Categories of personal data | Legal basis |
· All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
2.2.4 Newsletters
If you sign up for our newsletters, we will process your email address in order to send newsletters to you.
Categories of personal data | Legal basis |
· Contact information
| Legitimate interest. The processing is necessary to satisfy our legitimate interest to provide you with requested newsletters and market our business. As this processing is limited to what is necessary in order to fulfil your request and that you at any time may unsubscribe, we have concluded that our legitimate interest in processing your personal data overweighs your interest in not having your personal data processed for such purposes. |
2.3 With whom do we share your personal data?
2.3.1 General
Where necessary in order to achieve the purposes set out in this Section 2, we share your personal data with other entities, authorities or actors. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
2.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 2.2.
2.3.3 Recipients that act as data controllers
The categories of recipients mentioned in the below table will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.
Recipients | Purpose | Legal basis |
· Courts and arbitration tribunals · Public authorities · External advisers · Counterparties
| In order to exercise, establish or defend legal claims, see Section 2.2.3. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. |
2.4 For how long to we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein. For example, when processing your personal data for the purpose of maintaining the website, we will anonymize your data as soon as practicably possible and then use anonymized data for further website development. With respect to our communication with you, we will process your personal data for as long as it is relevant depending on the reason for our communication and with respect to our provision of newsletters, we will process your personal data until you opt-out from receiving the newsletters.
3. SUPPLIERS (INCLUDING AGENTS, SUBCONTRACTORS, VENDORS, SERVICE PROVIDERS, CONSULTANTS AND OTHER COUNTERPARTIES) REPRESENTATIVE OR EMPLOYEE
3.1 How do we collect your personal data?
We collect the personal data that you, or the relevant supplier that you represent, have provided us within the scope of our business relationship with the supplier.
3.2 Purposes of the processing of your personal data
3.2.1 Administration of supplier relationship
Your personal data will be processed because we have a legitimate interest of administering the relationship with our suppliers and to be able to manage the overall cooperation and day-to-day activities relating to e.g. orders of products and services.
Categories of personal data | Legal basis |
· Contact information · Identity data | Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer our supplier relationships, and facilitate e.g. day-to-day communications. |
3.2.2 Communicate with you
Within the scope of our commercial relationship, we will process your personal data when communicate through various channels. The purpose of the processing is to be able to communicate with you within the scope of the supplier relationship.
Categories of personal data | Legal basis |
· Contact information · Identity data · Any information included in our communication with you
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to communicate with our suppliers within the scope of our commercial relationship. |
3.2.3 KYC and other background checks
When a supplier enters into a business relationship with Sweco, we may process personal data regarding persons in management position of the supplier in order to carry out KYC or other background checks. Such controls are part of our standard procedures when procuring suppliers.
Categories of personal data | Legal basis |
· Identity data · Contact information · Copy of ID · Financial information, e.g. information retrieved from background checks
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to uphold our Code of Conduct. |
3.2.4 Sanctions screening
Sweco may, before entering into a business relationship, carry out sanctions screening to ensure that Sweco is not entering into a business relationship with anyone that is subject to EU or UN sanctions.
Categories of personal data | Legal basis |
· Identity data · Contact information · Potential data retrieved from sanctions screening, which may include criminal data.
| Legal obligation. The processing of personal data is necessary in order to comply with our legal obligations.
Processing of criminal data is in such case carried out by virtue of our legal obligation to process such data.
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest to uphold our Code of Conduct. |
3.2.5 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
Categories of personal data | Legal basis |
· All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
3.2.6 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations
We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.
Categories of personal data | Legal basis |
· All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings. The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.
|
3.3 With whom do we share your personal data?
3.3.1 General
Where necessary in order to achieve the purposes set out in this Section 3, we share your personal data with other entities, authorities, actors or international organisations. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
3.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 3.2.
3.3.3 Recipients that act as data controllers
The categories of recipients mentioned in the table below will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.
Recipients | Purpose | Legal basis |
· Courts and arbitration tribunals · Public authorities · External advisers · Counterparties · International organisations
| In order to exercise, establish or defend legal claims (see Section 3.2.2.), ensure compliance with the law and our contractual obligations. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.
|
· Clients | Administrating the client relationship, see Section 4.2.1. | To fulfil our legitimate interest in administrating the client relationship, e.g. being able to communicate with the client and provide our services. |
· International organisations | To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory and international law duties. | To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory and international law duties. |
3.4 For how long to we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are the representative of our supplier or for as long as we have an ongoing business relationship with the company you represent. When carrying out KYC and background checks we will delete any personal data as soon as possible after we have assessed the result. With respect to sanctions screenings or other legal obligations, we will process personal data for as long as there is a legal obligation to do so.
4. CLIENT REPRESENTATIVE OR EMPLOYEE
4.1 How do we collect your personal data?
We collect the personal data that you, or the client that you represent, have provided us within the scope of our business relationship with the client.
4.2 Purposes of the processing of your personal data
4.2.1 Administration of client relationship
Your personal data will be processed because we have a legitimate interest of administering the relationship with our clients and to be able to manage the overall cooperation and day-to-day activities necessary to provide our products and services.
Categories of personal data | Legal basis |
· Contact information · Identity data
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer our client relationships, and facilitate e.g. day-to-day communications. |
4.2.2 Provide support services
We will process contact details relating to contact persons representing our clients that contact us for support. Your personal data will be processed because we have a legitimate interest of providing support for our clients and enabling usage of our services.
Categories of personal data | Legal basis |
· Contact information · Identity data
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to provide our supporting services to our clients . |
4.2.3 Sanctions screening
Sweco may, before entering into a business relationship, carry out sanctions screening to ensure that Sweco is not entering into a business relationship with anyone that is subject to UK EU or UN sanctions.
Categories of personal data | Legal basis |
· Identity data · Contact information · Potential data retrieved from sanctions screening, which may include criminal data.
| Legal obligation. The processing of personal data is necessary in order to comply with our legal obligations.
Processing of criminal data is in such case carried out by virtue of our legal obligation to process such data.
Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest of upholding our Code of Conduct. |
4.2.4 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
Categories of personal data | Legal basis |
· All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
4.2.5 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations
We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.
Categories of personal data | Legal basis |
· All information mentioned above and any information included in our communication with you.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings. The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.
|
4.3 With whom do we share your personal data?
4.3.1 Disclosure and transfer of personal data
Where necessary in order to achieve the purposes set out in this Section 4, we share your personal data with other entities, authorities, actors or international organisations. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
4.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 4.2.
4.3.3 Recipients that act as data controllers
The categories of recipients mentioned in the table below will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.
Recipients | Purpose | Legal basis |
· Courts and arbitration tribunals · Public authorities · External advisers · Counterparties · International organisations
| In order to exercise, establish or defend legal claims (see Section 4.2.3.), ensure compliance with the law and our contractual obligations. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.
|
· International organisations | To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory or international law duties. | To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory or international law duties. |
4.4 For how long to we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are the representative of our client or for as long as we have an ongoing business relationship with the company you represent. With respect to sanctions screenings or other legal obligations, we will process personal data for as long as there is a legal obligation to do so.
5. TALENT ACQUISITION
5.1 How do we collect your data?
We collect your personal data from:
- Yourself, which you submit to us when you apply for one of our positions, e.g. your CV and cover letter.
- Publicly available sources, e.g. when carrying out background checks.
- External recruiters, that have been involved in the recruitment process and that have provided us with information about you.
5.2 Purposes of the processing of your personal data
5.2.1 Managing the recruitment process
Your personal data will be processed by us within the scope of the general management of the recruitment process. Processing activities included in this process are e.g. collection of your personal data, review of CVs and cover letters, conducting interviews, evaluating you as a candidate and communicating with you within the scope of the recruitment process.
Categories of personal data | Legal basis |
· Contact information · CV · Cover letter · Internal notes related to evaluating you as a candidate
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in carrying out the recruitment process to ensure that we employ the most suitable candidates. |
5.2.2 Job candidate evaluation process
Within the scope of the recruitment, we carry out an evaluation process of potential employees. This may include background checks including and, where permitted under national legislation, criminal background check. The evaluation process may also include scanning of social media activity and other footprints on the internet.
Categories of personal data | Legal basis |
· Identity data · Contact data · Skills data · Activity on social media and the Internet
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in carrying out background checks to ensure that we employ appropriate candidates.
We will not process any criminal data. Any criminal background checks will be subject to a manual process. |
5.2.3 Concluding the employment agreement
We will process your personal data in conjunction with the conclusion of the employment agreement with you e.g., when collecting references. Your personal data will also be processed in the employment agreement that we conclude and upon the initiation of the onboarding process. New employees will receive a more detailed internal privacy notice during onboarding.
Categories of personal data | Legal basis |
· Contact information · Social security number · Organisational information, such as employer company, employment status, operational department, geographical placement, cost centre, organisation, place of employment · Salary · Benefits data · References
| Agreement. The processing of your personal data is necessary in order for us to take measures prior to entering into an agreement (the employment agreement) with you. |
5.3.4 Candidate database
If you do not get the job that you have applied for, we may still have an interest in keeping your personal data to contact you in the event of future vacancies that suits your profile. We will only keep your personal data for this purpose if you consent to the processing.
Categories of personal data | Legal basis |
· Contact information · CV · Cover letter
| Consent. We will only keep your personal data in a candidate database if you provide us with your consent. We will, annually, ask you to renew your consent if you want to remain registered in the candidate database. |
5.2.5 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
Categories of personal data | Legal basis |
· All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
5.2.6 Fulfil legal obligations
Besides legal obligations within the field of employment, we will process your personal data for the purposes of fulfilling legal obligations related to work permit checks, including storage of related documentation.
Categories of personal data | Legal basis |
· Identity data · Social security number · Work permit documentation | Legal obligation. The processing is necessary to fulfil our legal obligations. |
5.3 With whom do we share your personal data?
5.3.1 General
Where necessary in order to achieve the purposes set out in this Section 5, we share your personal data with other entities, authorities or actors. The categories of recipients mentioned in Section 5.3.2 will process personal data on behalf of us in the capacity as data processors (i.e. such actors will only process your personal data in accordance with our instructions). The categories of recipients mentioned in Section 5.3.3 will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
5.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in this Section 5.
5.3.3 Recipients that act as data controllers
Recipients | Purpose | Legal basis |
· Courts and arbitration tribunals · Public authorities · External advisers · Counterparties
| In order to exercise, establish or defend legal claims, see Section 5.2.5. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. |
· External recruiters | Managing and facilitating the recruitment process, see Section 5.2.1. | To fulfil our legitimate interest in ensuring that the recruitment process is carried out as efficiently as possible and that we can employ the best candidates. |
· External background check companies | Conducting the vetting process, see Section 5.2.2. | To fulfil our legitimate interest in carrying out a vetting process before employing an individual to ensure that we employ appropriate candidates. |
· Reference persons | Taking references before deciding to conclude the employment agreement, see Section 5.2.3. | Necessary as a measure to conclude the employment agreement with you. |
5.4 For how long will we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are in the recruitment process. However, if you do not get the job you applied for, we will store your personal data for as long as you may submit a legal claim related to the rejection of your application. If you agree to it, we may store your data in our candidate database for future recruitment processes. In such case, your data will be stored for up to one year after the recruitment process has ended.
5.5 More detailed information
For more detailed information about the way your personal data is handled in your specific recruitment or talent acquisition process, please go to the information available via your local talent acquisition or recruitment channel.
6. PROSECTIVE CLIENT CONTACT
6.1 How do we collect your data?
We collect the data processed that has been provided by you, or any other representative with the prospect customer, within our process for evaluating, and communicating with, prospect clients .
6.2 Purposes of the processing of your personal data
6.2.1 Management and administration of prospect clients
We will process your personal data for the purpose of managing and administrating the overall process of approaching and evaluating prospect clients .
Categories of personal data | Legal basis |
· Contact information · Identity data
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer and manage prospect clients . |
6.2.2 Marketing communication
We will process your personal data for the purpose of marketing our services to your organization. You will be able to, at any time, opt-out from our marketing communication, in which case we will cease with our communication.
Categories of personal data | Legal basis |
· Contact information
| Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer and manage prospect clients . |
6.2.3 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
Categories of personal data | Legal basis |
· All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
6.2.4 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations
We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.
Categories of personal data | Legal basis |
· All information mentioned above and any information included in our communication with you.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings. The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.
|
6.3 With whom do we share your personal data?
6.3.1 General
Where necessary in order to achieve the purposes set out in this Section 6, we share your personal data with other entities, authorities, actors or international organisations. The categories of recipients mentioned in Section 6.3.2 will process personal data on behalf of us in the capacity as data processors (i.e. such actors will only process your personal data in accordance with our instructions). The categories of recipients mentioned in Section 6.3.3 will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
6.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in this Section 6.
6.3.3 Recipients that act as data controllers
Recipients | Purpose | Legal basis |
· Courts and arbitration tribunals · Public authorities · International organisations · External advisers · Counterparties
| In order to exercise, establish or defend legal claims (see Section 6.2.1.), ensure compliance with the law and our contractual obligations. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.
|
· International organisations | To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory and international law duties. | To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory and international law duties. |
6.4 For how long to we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as we are in contact with you regarding a potential business relationship or if you decide to opt-out from the communication. In general, we will not store your data for longer than one year from our last communication, if we did not enter into a business relationship with the company you represent.
7. GOVERNMENT, PUBLIC AUTHORITY OR INTERNATIONAL OFFICIALS OR EMPLOYEES
7.1 How do we collect your personal data?
We collect the personal data that you, or the relevant government, public authority or international organisation that you represent, have provided us within the scope of our professional, commercial or public law relationship.
7.2 Purposes of the processing of your personal data
7.2.1 Administration of professional, commercial or public law relationship
Your personal data will be processed because we have a legitimate interest of administering professional, commercial or public law relationship with an entity you represent and being able to manage the overall cooperation and day-to-day activities relating to e.g. our projects that the public authority or organisation that you represent finance, co-finance or is otherwise involved in.
Categories of personal data | Legal basis |
· Contact information · Identity data | Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer our professional, commercial or public law relationships with an entity that you represent, and facilitate e.g. day-to-day communications. |
7.2.2 Communicate with you
Within the scope of professional, commercial or public law relationship with an entity that you represent, we will process your personal data when communicate through various channels. The purpose of the processing is to be able to communicate with you within the scope of our relationship.
Categories of personal data | Legal basis |
· Contact information · Identity data · Any information included in our communication with you
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to communicate with our suppliers within the scope of our commercial relationship. |
7.2.3 Establish, exercise and defend legal claims
For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.
Categories of personal data | Legal basis |
· All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process. |
7.2.4 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations
We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.
Categories of personal data | Legal basis |
· All information mentioned above.
| Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings. The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.
|
7.3 With whom do we share your personal data?
7.3.1 General
Where necessary in order to achieve the purposes set out in this Section 7, we share your personal data with other entities, authorities, actors or international organisations. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.
7.3.2 Data processors acting on behalf of us
In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 7.2.
7.3.3 Recipients that act as data controllers
The categories of recipients mentioned in the table below will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.
Recipients | Purpose | Legal basis |
· Courts and arbitration tribunals · Public authorities · External advisers · Counterparties · International organisations
| In order to exercise, establish or defend legal claims (see Section 3.2.2.), ensure compliance with the law and our contractual obligations. | To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute. To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.
|
· International organisations | To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory and international law duties. | To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory and international law duties. |
7.4 For how long to we process your personal data?
Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are the representative or employee of the respective government, public authority or international organisation or for as long as we have an ongoing professional, commercial or public law relationship with the entity you represent.
8. APPROPRIATE SAFEGUARDS FOR TRANSFERS OF PERSONAL DATA OUTSIDE OF THE EU/EEA EU/EEA
We may transfer or disclose personal data to recipients located outside the UK/EU/EEA (third country), mainly in situations where we are using third-party data processors that will process data in a third country.
When we transfer or disclose your personal data to a recipient in a country outside of the UK/EU/EEA, we will always ensure that appropriate safeguards have been taken (such as the EU Commission’s standard contract clauses, including other supplementary safeguards as necessary in each case) to protect the personal data. Further, we are regularly carrying out risk assessments to assess what supplementary measures that needs to be taken to protect the personal data subject to the transfer or disclosure.
We may also transfer your personal data to international organisations, in particular in connection with their investigations or proceedings relating to Sweco projects that these organisations finance or co-finance, or otherwise as needed to fulfil our contractual obligations on those projects or in the course of bidding for projects. In the absence of a decision by the European Commission finding an adequate level of protection in such an international organisation and the impossibility of applying appropriate safeguards, we will transfer your data based on an important public interest derogation under Article 49(1)(d) GDPR. Such transfer will be exceptional and will only occur if it is necessary for important reasons of public interest.
If you would like further details about the processing of your personal data and whether your personal data is transferred to a third country or an international organisation, please contact us on the contact details as set out below under Section 9.
9. YOUR RIGHTS
Under applicable data protection laws, you have certain rights in relation to the processing of your personal data. We process your personal data to the extent necessary in order to fulfil your rights. Please submit requests for exercising your rights by contacting us on the contact details set out in Section 9 below.
You have, under certain circumstances, the right to exercise the following rights:
Access
You may request confirmation whether or not personal data is processed and, if that is the case, access your personal data and additional information such as the purposes of the processing. You are also entitled to receive a copy of the personal data undergoing processing. If the request is made by electronic means the information will be provided in a commonly used electronic format if you do not request otherwise.
Object to certain processing
You have the right to object to the processing of your personal data based on a legitimate interest for reasons which concerns your particular situation. In such a situation, we will stop using your personal data where the processing is based on a legitimate interest, unless we can show that the interest overrides your privacy interest or that the use of your personal data is necessary in order to manage or defend legal claims.
Rectification
You have at any time the right to have inaccurate personal data rectified, as well as, taking into account the purposes of processing, the right to have incomplete personal data completed which relates to you.
Erasure
You may have your personal data erased under certain circumstances, such as when your personal data is no longer needed for the purposes for which it was collected. However, we cannot delete your personal data if we e.g. are obligated under law to keep the data.
Restriction of processing
You may ask us to restrict the processing of your personal data to only comprise storage of your personal data under certain circumstances, such as when the processing is unlawful, but you do not want your personal data erased. If the processing of your personal data has been restricted we may only, besides storing the data, process your personal data with your consent, or in order to establish, exercise or defend legal claims or to defend rights of others.
Withdrawal of consent
You have the right to at any time withdraw your consent to processing of personal data to the extent the processing is based on your consent.
Data Portability
You may ask to receive a machine-readable copy of the personal data processed on the basis of your consent or on the basis that the processing is necessary in order to perform an agreement with you, and which personal data have been provided to us by you (data portability) and ask for the information to be transferred to another data controller (where possible).
Complaints to the supervisory authority
You always have the right to lodge complaints pertaining to the processing of your personal data to the Data Protection Commission 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland. Website: https://www.dataprotection.ie/
10. CONTACT INFORMATION
If you have any questions or concerns regarding the processing of your personal data, please contact:
Local Privacy Officer
Sweco
Leeds – Head Office
Grove House
Mansion Gate Drive
Leeds
LS7 4DN
England
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).