Last updated: January 2025
1. Legal basis and purpose of processing personal data
SSAB processes personal data of externals (such as consultants, independent contractors, freelancers and rental labor), sub-contractors and suppliers for various purposes, which are explained below.
| PROCESSING ACTIVITY | LEGAL BASIS | DESCRIPTION |
|---|---|---|
| Work order and assignment management and complying with legal obligations |
Contract │ Legitimate interest │ Legal obligation |
SSAB processes personal data of externals and sub-contractors in order to manage ordered work and assignments. |
| Contractual and other interaction with suppliers |
Contract │ Legitimate interest │ Legal obligation |
SSAB processes personal data to source services and material for SSAB’s business needs. This is to process data for fulfilling its contractual obligations and being able to communicate with its suppliers. Processing is needed prior to entering into a contractual relationship with the company or organization the individual is representing, or in some cases also with the individual directly. |
| Security clearance process | Legal obligation | In some cases, individuals working to SSAB’s account might be subject to a security clearance in order to verify that there are no obstacles to conduct specific work. |
| Complying with obligations related to foreign and leased labor, subcontracted labor and prevention of using undeclared workforce | Legal obligation |
SSAB adheres to legal and regulatory requirements such as those related to
|
| IT Tools and Systems | Legitimate interest | SSAB uses and provides multiple IT tools and systems in order for externals and sub-contractors to conduct their work, including daily and necessary tasks. Such tools include, but are not limited to, email, communication platforms, file storage, ticketing and Business unit specific solutions. These tools can be outsourced platforms, such as MS products and SaaS products. Personal data collected and used in these systems are only used for the legitimate business purposes. |
|
Information and facility management |
Legitimate interest |
SSAB may process technical data, including some personal data for information security and access surveillance purposes and fraud prevention. SSAB maintains also information and facility security measures to safeguard health and safety as well as business information and business assets in order to avoid injuries at its facilities, to prevent property damage and criminal activities and to ensure the availability of the websites and services. This is to ensure an appropriate level of network, facility and information security and the safety of others. |
| Information security |
Legitimate interest |
SSAB maintains information security measures for information security purposes to safeguard business information and business assets, to avoid criminal activities and ensure availability of the services. |
| Product, services and company process development | Legitimate interest |
SSAB aims to provide high-quality products, services and company processes also internally. For this reason, personal data may be used for product, services and process development. |
| Training and awareness |
Legitimate interest │ (Legal obligation) |
SSAB conducts training and awareness for externals and sub-contractors on multiple topics. Some specific training topics may also be legally mandatory to be conducted, such as work safety and first aid. |
| Compliance with statutory obligations | Legal obligation |
Personal data processing may be needed in order to be in compliance, with i.a. the following statutory requirements:
|
PROCESSING ACTIVITY
Work order and assignment management and complying with legal obligations
LEGAL BASIS
Contract │
Legitimate interest │
Legal obligation
Legitimate interest │
Legal obligation
DESCRIPTION
SSAB processes personal data of externals and sub-contractors in order to manage ordered work and assignments.
Expand
Collapse
PROCESSING ACTIVITY
Contractual and other interaction with suppliers
LEGAL BASIS
Contract │
Legitimate interest │
Legal obligation
Legitimate interest │
Legal obligation
DESCRIPTION
SSAB processes personal data to source services and material for SSAB’s business needs. This is to process data for fulfilling its contractual obligations and being able to communicate with its suppliers. Processing is needed prior to entering into a contractual relationship with the company or organization the individual is representing, or in some cases also with the individual directly.
Expand
Collapse
PROCESSING ACTIVITY
Security clearance process
LEGAL BASIS
Legal obligation
DESCRIPTION
In some cases, individuals working to SSAB’s account might be subject to a security clearance in order to verify that there are no obstacles to conduct specific work.
Expand
Collapse
PROCESSING ACTIVITY
Complying with obligations related to foreign and leased labor, subcontracted labor and prevention of using undeclared workforce
LEGAL BASIS
Legal obligation
DESCRIPTION
SSAB adheres to legal and regulatory requirements such as those related to
- - foreign workers
- - workers hired through a leasing or staffing agency
- - subcontracted labor; and
- - prevention of use of undeclared workforce.
Expand
Collapse
PROCESSING ACTIVITY
IT Tools and Systems
LEGAL BASIS
Legitimate interest
DESCRIPTION
SSAB uses and provides multiple IT tools and systems in order for externals and sub-contractors to conduct their work, including daily and necessary tasks. Such tools include, but are not limited to, email, communication platforms, file storage, ticketing and Business unit specific solutions. These tools can be outsourced platforms, such as MS products and SaaS products. Personal data collected and used in these systems are only used for the legitimate business purposes.
Expand
Collapse
PROCESSING ACTIVITY
Information and facility management
LEGAL BASIS
Legitimate interest
DESCRIPTION
SSAB may process technical data, including some personal data for information security and access surveillance purposes and fraud prevention. SSAB maintains also information and facility security measures to safeguard health and safety as well as business information and business assets in order to avoid injuries at its facilities, to prevent property damage and criminal activities and to ensure the availability of the websites and services. This is to ensure an appropriate level of network, facility and information security and the safety of others.
Expand
Collapse
PROCESSING ACTIVITY
Information security
LEGAL BASIS
Legitimate interest
DESCRIPTION
SSAB maintains information security measures for information security purposes to safeguard business information and business assets, to avoid criminal activities and ensure availability of the services.
Expand
Collapse
PROCESSING ACTIVITY
Product, services and company process development
LEGAL BASIS
Legitimate interest
DESCRIPTION
SSAB aims to provide high-quality products, services and company processes also internally. For this reason, personal data may be used for product, services and process development.
Expand
Collapse
PROCESSING ACTIVITY
Training and awareness
LEGAL BASIS
Legitimate interest │
(Legal obligation)
(Legal obligation)
DESCRIPTION
SSAB conducts training and awareness for externals and sub-contractors on multiple topics. Some specific training topics may also be legally mandatory to be conducted, such as work safety and first aid.
Expand
Collapse
PROCESSING ACTIVITY
Compliance with statutory obligations
LEGAL BASIS
Legal obligation
DESCRIPTION
Personal data processing may be needed in order to be in compliance, with i.a. the following statutory requirements:
- - supply-chain auditing
- - sanctions and other compliance screening
- - whistleblowing procedures
Expand
Collapse
2. Collection of personal data
| Personal Data | Examples |
|---|---|
| Contact details | Name, email address and phone number |
| Employer contact details | Company name, business address, country, business email address and business phone number |
| Billing information | In some instances, information related to billing, such as working hours, is collected |
| Information relating to the business relationship | Products and services sourced, the starting and end time of the business relationship, events attended, purchase history, preferences |
| Contractual relationship | Start and end date of contract, any other information processed during the contractual relationship |
Personal Data
Contact details
Examples
Name, email address and phone number
Personal Data
Employer contact details
Examples
Company name, business address, country, business email address and business phone number
Personal Data
Billing information
Examples
In some instances, information related to billing, such as working hours, is collected
Personal Data
Information relating to the business relationship
Examples
Products and services sourced, the starting and end time of the business relationship, events attended, purchase history, preferences
Personal Data
Contractual relationship
Examples
Start and end date of contract, any other information processed during the contractual relationship
Professional information of an individual may also be collected prior of and depending on the type of the contractual relationship. In these cases, information such as CV, qualifications, certifications and work history may be processed.
If the individual receives an SSAB IT account, these types of data may also be processed:
| PERSONAL DATA | EXAMPLES |
|---|---|
| Work-related contact information | Employee number and ID, work email, phone number and address, photograph |
| Work-related devices provided by SSAB | Phone, tablet, computer and serial and/or IMEI number of device and information about SIM cards and user name to SSAB systems |
| Travelling and travel expenses information | Data related to business travels |
| Technical data | Log data and IP address |
| Safety records | Work-related accidents, near-misses and possible disciplinary matters |
PERSONAL DATA
Work-related contact information
EXAMPLES
Employee number and ID, work email, phone number and address, photograph
PERSONAL DATA
Work-related devices provided by SSAB
EXAMPLES
Phone, tablet, computer and serial and/or IMEI number of device and information about SIM cards and user name to SSAB systems
PERSONAL DATA
Travelling and travel expenses information
EXAMPLES
Data related to business travels
PERSONAL DATA
Technical data
EXAMPLES
Log data and IP address
PERSONAL DATA
Safety records
EXAMPLES
Work-related accidents, near-misses and possible disciplinary matters
In some cases, SSAB may need to collect data needed to comply with legal obligations related to foreign and leased labor, sub-contractor labor and prevention of using undeclared workforce. Depending on each country’s legislation, the gathered information may include the following: Tax number, national ID, birth date, nationality, copy of the identity document, A1 certificate and corresponding certificates, information on the right to work and copies of the relevant documents, residence permits, data on salary and working hours, contact data of local representative.
In addition, in some exceptional cases, such as in case of occupational accidents, SSAB might process sensitive data. As a rule, this personal data is collected either directly from the individual, their employer or the contracting party. However, personal data related to an individual's performance and potential disciplinary matters may be collected from other sources, such as from the immediate superior, other employees and witnesses. Furthermore, some compliance-related data may be collected from third parties such as tax authorities or databases concerning fulfilment of legal obligations related to workforce (e.g. in Finland Vastuugroup.fi).
3. Retention of personal data
The personal data related to the collaboration relationship will be retained only for as long as necessary to fulfill the purposes defined in above. Most of engagement related data will be retained during the course of the engagement or as required by retention period provided in the applicable law. Some of those laws demand that the data is kept longer, e.g. data relating to the work contract. When the personal data is no longer required by law or rights or obligations by either party, SSAB will remove externals', and sub-contractors’ personal data. Personal data regarding suppliers will be retained during the business relationship and after that for as long as necessary or required by law or rights or obligations by either party, for example for billing purposes.
Exceptionally, SSAB may retain personal data for a longer period if SSAB has a legitimate reason or an obligation to store the recordings for the purposes of a dispute, criminal investigation or other corresponding reason.
Privacy portal
Go back to the Privacy portal containing general privacy information and other specific privacy notices.