
Privacy statement for consumer customers (B2C)
Last updated January 2024
This Privacy Statement informs about the processing of personal data of consumers in connection with sales and marketing of Ruukki and Plannja products and services for consumer customers. It answers the questions of what personal data we collect, use or share, for what purposes the data is collected and what rights persons have.
You can find more information about how SSAB/Ruukki, processes personal data of corporate customers, potential corporate customers, supplier representatives, other intermediaries and business partners, site visitors or internal and digital users visiting the website or other digital service platforms at https://www.ssab.com/en/privacy-statement.
1. DATA CONTROLLER
The data controller responsible for consumer customers’ and potential consumer customer’s personal data is primarily the local Ruukki/Plannja company. The local Ruukki/Plannja company is regarded as the data controller in the contractual or other cooperation relationship with you or in connection with certain statutory personal data processing and compliance with local legal requirements of an individual legal entity.
Regardless of the data controller in a specific situation, the primary contact for privacy matters in SSAB and Ruukki is our Data Protection Officer, who can be contacted at: data.privacy(at)ssab.com.
2. LEGAL BASIS AND PURPOSE OF PROCESSING PERSONAL DATA
We process the personal data of consumer customers, potential consumer customers and website visitors (together referred to as “Customers”) for various purposes, which are explained below.
2.1 Contractual and other interaction with Customers
The main purpose of processing personal data is to deliver our products and services, as well as to source services and material for our business needs, and provide website and other digital services. The processing of personal data is primarily based on contract, including processing needed prior to entering into a contractual relationship to which the data subject is a party. In some cases, the processing is based on our legitimate interest to process data for being able to communicate with customers and potential customers, or for other purposes necessary to establish or mange the business relationship, including for example any required checks for credit worthiness.
2.2 Marketing and communications
Customers’ personal data is used to manage customer communications and for marketing purposes. In this respect, processing can be based on Ruukki's legitimate interest to provide existing Customers with relevant and up-to-date information as part of the website as well as through other digital platforms and services. Processing can also be based on Ruukki's legitimate interest to promote Ruukki's latest products and services as well as to personalize the existing Customers’ user experience and to evaluate customer satisfaction. In certain regions, marketing via electronic means is based on prior consent, for example for sending marketing messages. A Customer should refer to section 6 below for further information about marketing communications and individual rights in this respect. In most cases when it concerns consumer Customers, marketing activities are based on consent with certain exceptions.
2.3 Product and services development purposes
2.4 Compliance with statutory obligations and legal proceedings
Sometimes personal data may be used to comply with a legal obligation. In Ruukki’s business operations, this means for example that personal data processing may be needed in order to be in compliance, with statutory requirements that relate i.a. to bookkeeping, reporting and audit or whistleblowing procedures. In addition, certain personal data may be stored for dispute resolution purposes to be able to establish and defend legal claims.
2.5 Processing of personal data internally within SSAB group
In addition to the legal entity that the Customer has been interacting with, the Customer’s personal data may also be processed by other companies belonging to SSAB group. In this case, the processing of personal data can be based on contractual obligation or SSAB's or Ruukki’s legitimate interest for internal administrative purposes to organize and manage e.g. customer and supplier relationships, marketing as well as information security measures and other business functions within the group in an appropriate and practical way.
3. COLLECTION OF DATA
Ruukki may collect personal data through different means, which are explained below.
3.1 Business relationship
Ruukki processes personal data for the purpose of maintaining a good business relationship, for example when providing and delivering products or services, maintaining Customer communications, sourcing material, products and services for its business needs, or otherwise interacting with business partners or other stakeholders. This personal data is mostly collected directly from Customers themselves.
- Basic information about the Customer, such as name, email address and phone number, home address, delivery address, social security or identification number (depending on country);
- Information relating to the contractual relationship, such as products and services sourced or delivered, photographs related to delivery of products/services, the starting and end time of the business relationship, information required to prepare an offer, warranty information, contractual information;
- Billing and credit information, such as account numbers, invoicing details, payments made and outstanding and bills delivered; and
- Customer communications, including feedback, marketing and campaign history information.
3.2 User's interaction with Ruukki on website or otherwise
- Basic information, such as name, postal address, email address and phone number; information needed to make an offer to the Customer
- Reasons for contacting Ruukki and details related to contact; and
- Surveys and competitions participated in.
3.3 Automatically collected data of the use of website and services
Ruukki collects and processes the following technical data about the website visitors and the use of the website, products and services provided by Ruukki:
- IP address, device ID, device type, operating system used and application settings;
- User activity such as pages viewed and items ‘clicked’ on;
- timestamps and log data relating to the use of the service; and
- location/country of origin.
3.4 Data collected from other sources
In some cases, the Customer contacts Ruukki’s reseller directly to order the products or services. We may receive data from resellers in circumstances where it may be required to process the Customers’ information in order to fulfil the contract. Some information may also be collected by our contractors in connection with the delivery of products and services.
4. SHARING OF DATA
Ruukki may disclose or transfer Customers' personal data to the following third parties which may act on Ruukki's behalf as data processors or as independent data controllers, depending on the case:
- other SSAB group companies for the purposes listed above;
- trusted service providers or Ruukki partners, such as suppliers, agents, distributors and marketing service providers for the purposes listed above. This also includes contractors that require certain information in order to assist in providing the product or service. To the extent that these trusted service providers act on Ruukki's behalf, and not as independent data controllers, Ruukki remains responsible for the use of Customers' personal data.;
- when permitted or required by law to comply with requests by competent public authorities such as subpoenas or similarly binding acts;
- if Ruukki is involved in a merger, acquisition, or sale of all or a portion of its assets; and
- when Ruukki believes in good faith that disclosure is necessary to protect Ruukki's rights, investigate fraud or other violations of law, or respond to a government request.
5. TRANSFER OF PERSONAL DATA OUTSIDE OF THE EU/EEA
5.1 Intra-group transfers
As some SSAB group companies are located outside of the EU/EEA, Customers’ personal data may be transferred outside of EU/EEA, such as to the United States. In these circumstances, we will use the required established mechanisms for the transfer outside of the EU/EEA, including the Standard Contractual Clauses approved by the European Commission. Please contact data.privacy(at)ssab.com for more information about the applicable safeguards for international data transfer in question.
5.2 Service providers located outside of the EU/EEA
6. MARKETING COMMUNICATIONS
6.1 eMarketing
6.2 Statistics and segregation
6.3 Targeted advertising
7. RETENTION OF PERSONAL DATA
- Personal data regarding Customers will be retained during the business relationship and after that for as long as necessary or required by law or rights or obligations by either party, for example for billing, bookkeeping or warranty purposes;
- Data collected in connection with customer service, other interaction with SSAB, surveys and competitions will be retained for as long as necessary to manage and handle the matter in question.
- Ruukki will delete or anonymize data used for marketing purposes after a reasonable period of time has lapsed from last contact between the Customer and Ruukki, unless data retention is required by law or rights or obligations by either party.
- Should a Customer have a concern about data retention for marketing purposes, the Customer should refer to section 8 below for further information about Customer's rights in this respect.
8. PRIVACY RIGHTS
9. SECURITY
10. CHANGES TO THIS PRIVACY STATEMENT
Ruukki may amend this Privacy Statement and the related information. Ruukki recommends that Customers regularly access the Privacy Statement to find out about any changes to it. Ruukki will always provide the date of the Privacy Statement to allow the Customers to see changes. Please note that this Privacy Statement is for information purposes only.
Ruukki will inform Customers of any substantial changes by using reasonable and available channels.
11. DATA PROTECTION OFFICER’S CONTACT DETAILS
Our global Data Privacy Organization supports with any data protection and data privacy related requests or any other questions, concerns, comments or complaints.
SSAB Group has also nominated a Group Data Protection Officer (DPO) who performs the following tasks:
- informs and advises SSAB organization and its employees about obligations pursuant to the EU General Data Protection Regulation (GDPR) and to other Union or Member State data protection provisions in relation to the data processing carried out by SSAB,
- monitors compliance with the GDPR and with other Union or Member State data protection provisions and with SSAB’s policies related to the protection of personal data,
- takes care of assignment of responsibilities, data protection awareness and training of employees involved in processing operations, and the related audits, and
- provides advice on data protection impact assessments and monitoring their performance.
The DPO also co-operates with the supervisory authority and acts as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, regarding any other matter.
Our Data Privacy Organization and the Group Data Protection Officer (DPO) can be contacted at data.privacy(at)ssab.com.